how to block access to http get web-inf files
241 views
Skip to first unread message
Jim Boden
Jun 20, 2023, 1:22:35 PM6/20/23
to WildFly
We have wildfly 20 mostly default standalone config, deployed exploded. I can go to https://localhost/WEB-INF/web.xml and it shows me the file. It will show any file under the WEB-INF or entire root tree.
Thank you
But this of course should not be GET-able. Did we just miss some simple config to block access via GET?
Thank you
Paul Ferraro
Jul 4, 2023, 7:03:36 AM7/4/23
to WildFly
This is a regression that was fixed in WildFly 24.
You should be able to workaround it by adding a security constraint to your web.xml, e.g.
<security-constraint>
<web-resource-collection>
<web-resource-name>private</web-resource-name>
<url-pattern>/WEB-INF/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>forbidden</role-name>
</auth-constraint>
</security-constraint>
<web-resource-collection>
<web-resource-name>private</web-resource-name>
<url-pattern>/WEB-INF/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>forbidden</role-name>
</auth-constraint>
</security-constraint>
Jim Boden
Jul 5, 2023, 11:52:57 AM7/5/23
to WildFly
Thank you Paul,
I see how this should have worked but it still does not. Not sure if I should, but I don't see any logs either. Could it be that this constraint only applies for URLs below the app name since it's in the app's web.xml? Like localhost/myapp/etc....
But here I'm getting:
localhost/WEB-INF/web.xml
with no app in the URL and it still displays. I removed all other security-constraints to be sure, and tried with and without a role name.
I'm not sure when I can move to a later release, so very much appeciate any other ideas.
Thank you!
Paul Ferraro
Jul 12, 2023, 11:06:23 AM7/12/23
to WildFly
Are you able to reproduce this problem on a more recent release?
Jim Boden
Jul 12, 2023, 2:38:58 PM7/12/23
to WildFly
Thanks for the follow-up. I wasn't able to update to a later version so could not test. It might be a while before we upgrade. I ended up adding a location handler to the undertow default-server like:
Then the handler is just something silly that redirects me back to the app login page:
<host name="default-host" alias="localhost">
<location name="/WEB-INF" handler="block"/>
<location name="/META-INF" handler="block"/>
<location name="/META-INF" handler="block"/>
</host>
Then the handler is just something silly that redirects me back to the app login page:
<handlers>
<file name="
block" path="${jboss.home.dir}/standalone/deployments/myapp.war/login.htm"/>
</handlers>
This did work. I don't know why the constraint did not work, unless maybe because the web-inf is not in my app path, perhaps it did not register the constraint since that's in my app web.xml. But this handler did the trick so we moved on. :-)
Thank you!
Bartosz Baranowski
Jul 19, 2023, 5:12:47 AM7/19/23
to WildFly
WDYM "web-inf is not in my app path" ?
Could you please detail app setup in case thats a real flaw?
Could you please detail app setup in case thats a real flaw?
Reply all
Reply to author
Forward
0 new messages