Webhook is installed on system XXXX. The webhook configuration page can be accessed via the URL https://host:port/mfwebhookserver/#!/webhooks with no authentication, so webhooks can be amended or deleted by anyone.
How do we secure the webhook configuration and only allow webhook admins to access this page?
Release: 19.0
None of the webhook REST endpoints are protected in WEB-INF/web.xml for the webhook server. The only security constraint covering /rest/* has no auth-constraint, so it permits every listed method without authentication:
<security-constraint>
  <display-name>Allow methods for Tomcat CCS 9.X</display-name>
  <web-resource-collection>
    <web-resource-name>WH rest</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>HEAD</http-method>
    <http-method>PATCH</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
</security-constraint>
Edit the web.xml file, modify the "Secured" web resource security constraint to add an authentication constraint, a security role, and a login configuration, and comment out the "Allow methods for Tomcat CCS 9.X" security constraint (if it is left in place, its missing auth-constraint still grants unauthenticated access to /rest/*).
<security-constraint>
  <display-name>Secured</display-name>
  <web-resource-collection>
    <web-resource-name>Secured area</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>WHAdmin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>WHAdmin</role-name>
</security-role>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Basic Authentication Area</realm-name>
</login-config>
Add the role, and assign users to that role, in <tomcat dir>\conf\tomcat-users.xml:
<role rolename="WHAdmin"/>
<user username="<username>" password="<password>" roles="WHAdmin"/>
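To confirm the fix took effect, the following added audit script (not part of this article or the webhook server) parses a web.xml and reports every url-pattern that some security-constraint leaves open, including the case the resolution above warns about: an unprotected constraint sharing /rest/* with the "Secured" constraint. The embedded web.xml is a constructed sample combining the before and after snippets.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not the product's real file): the open "Allow methods" constraint beside the "Secured" one.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Allow methods for Tomcat CCS 9.X</display-name>
    <web-resource-collection>
      <web-resource-name>WH rest</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <display-name>Secured</display-name>
    <web-resource-collection>
      <web-resource-name>Secured area</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>WHAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop the namespace so tags match whatever Servlet schema the file declares."""
    return tag.rsplit("}", 1)[-1]

def audit_constraints(web_xml_text):
    """Return (url-pattern, [constraint names], reason) for each pattern that some
    <security-constraint> leaves reachable without authentication. Servlet spec:
    a constraint with no <auth-constraint> grants unauthenticated access, and where
    it overlaps a pattern another constraint protects, the open one wins for the
    methods it lists. An empty <auth-constraint/> denies everyone (protected here).
    """
    root = ET.fromstring(web_xml_text)
    protected, unprotected = {}, {}  # url-pattern -> set of display-names
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name = next((e.text for e in sc if _local(e.tag) == "display-name"), "<unnamed>")
        bucket = protected if any(_local(e.tag) == "auth-constraint" for e in sc) else unprotected
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            for up in (e for e in wrc if _local(e.tag) == "url-pattern"):
                bucket.setdefault(up.text.strip(), set()).add(name)
    findings = []
    for pattern, names in sorted(unprotected.items()):
        reason = ("overrides protected constraint(s): " + ", ".join(sorted(protected[pattern]))
                  if pattern in protected else "no auth-constraint covers this pattern")
        findings.append((pattern, sorted(names), reason))
    return findings
```

Run it against the real WEB-INF/web.xml after editing; an empty result means no constraint leaves /rest/* open.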
For more information, check out Secure a Webhook Configuration