Informational Pages Access: Multiple Filters?

Dean Flinter shared this question 4 days ago
Answered

Hi,

We're looking to restrict access to the information pages.

We'd like to do a combination of IP access as mentioned here:

https://wiki.yellowfinbi.com/display/yfcurrent/Application+Server+Security#ApplicationServerSecurity-Informationalpages

And authenticated users as mentioned here:

https://community.yellowfinbi.com/knowledge-base/article/how-to-remove-access-to-infomation-pages-for-unauthenticated-users-list-of-yellowfin-information-pages


However when we try to add both, neither works. On their own, they do

Here is what we added (IP removed). Can you tell me what we may be doing wrong?

<filter>
    <filter-name>IPFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name>
        <param-value>IP ADDRESS</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>IPFilter</filter-name>
      <url-pattern>/info.jsp</url-pattern>
      <url-pattern>/info_browser.jsp</url-pattern>
      <url-pattern>/info_cache.jsp</url-pattern>
      <url-pattern>/info_threads.jsp</url-pattern>
</filter-mapping>
 <filter>
    <filter-name>NotLoggedInFilter</filter-name>
    <filter-class>com.hof.adapter.NotLoggedInFilter</filter-class>
    <init-param>
        <param-name>restrictedEntryPoint</param-name>
        <param-value>/info.jsp,/info_threads.jsp,/info_cache.jsp,/info_browser.jsp</param-value>
    </init-param>
    <init-param>
          <param-name>redirectUrl</param-name>
          <param-value>/?</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>NotLoggedInFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Thanks

Dean

Comments (8)

photo
1

Have just noticed that info_threads_enhanced.jsp is missing from both those guides by the way!

photo
1

Hi Chris,

Just to update, we managed to get it working after a little more research.

Firstly we needed to rearrange the XML.

However we still had an issue and it was due to our load balancer presenting it's IP rather than the client's. We added another bit to get around that and it all works.

Below is our filter code (ip removed naturally), in case others have the same issue. We also added info_threads_enhanced.jsp as mentioned previously

<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
 </filter>
<filter>
    <filter-name>IPFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name>
        <param-value>IP ADDRESS</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>NotLoggedInFilter</filter-name>
    <filter-class>com.hof.adapter.NotLoggedInFilter</filter-class>
    <init-param>
        <param-name>restrictedEntryPoint</param-name>
        <param-value>/info.jsp,/info_threads.jsp,/info_cache.jsp,/info_browser.jsp,/info_threads_enhanced.jsp</param-value>
    </init-param>
    <init-param>
          <param-name>redirectUrl</param-name>
          <param-value>/?</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>RemoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>IPFilter</filter-name>
      <url-pattern>/info.jsp</url-pattern>
      <url-pattern>/info_browser.jsp</url-pattern>
      <url-pattern>/info_cache.jsp</url-pattern>
      <url-pattern>/info_threads.jsp</url-pattern>
	  <url-pattern>/info_threads_enhanced.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>NotLoggedInFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Thanks

Dean

photo
1

Hi Dean,

After a bit of experimentation, I was able to get this to work. It might be the order of the filters that is preventing it on your end. Here's what I added to my web.xml:

<filter>

<filter-name>NotLoggedInFilter</filter-name>
<filter-class>com.hof.adapter.NotLoggedInFilter</filter-class>
<init-param>
<param-name>restrictedEntryPoint</param-name>
<param-value>/info.jsp,/info_threads.jsp,/info_cache.jsp,/info_browser.jsp</param-value>
</init-param>
<init-param>
<param-name>redirectUrl</param-name>
<param-value>/?</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>NotLoggedInFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
<filter-name>IPFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>IPFilter</filter-name>
<url-pattern>/info.jsp</url-pattern>
<url-pattern>/info_browser.jsp</url-pattern>
<url-pattern>/info_cache.jsp</url-pattern>
<url-pattern>/info_threads.jsp</url-pattern>
</filter-mapping> 
For me, the IP filter wouldn't work unless I also included the IPv6 address as well.

Kind regards,

Chris

photo
1

Hi Dean,

I've just seen your follow up response, I'm glad you were able to get it working! And it seems you came to the same conclusion.

I might update our documentation to include this new information.

Kind regards,

Chris

photo
1

Thanks Chris

I think our actual issue was the load balancer IP but we thought it was how we did it

Just a quick follow up question if you don't mind

As mentioned, info_threads_enhanced.jsp is missing from those guides. Just wondering if there is a full list of *.jsp files? Wondering if there is anything else sensitive missing


Thanks

Dean

photo
1

Hi Dean,

I'm pretty sure the only ones that accessible by default are those listed here https://wiki.yellowfinbi.com/display/yfcurrent/Application+Server+Security#ApplicationServerSecurity-Informationalpages

I certainly haven't heard of any others.

Kind regards,

Chris

photo
1

Thanks Chris

I'll add them to our filters, just to be sure

You can close this off now


Thanks again

Dean

photo
1

No worries, Dean. Have a nice afternoon.

Kind regards,

Chris