How to secure Webhook configuration page

Article ID: 261289

Updated On: 08-06-2024

Products

Endevor

Issue/Introduction

Webhook is installed on system XXXX. The webhook configuration page can be accessed via the URL https://host:port/mfwebhookserver/#!/webhooks with no authentication, so webhooks can be amended or deleted by anyone.

How can the webhook configuration be secured so that only webhook admins are allowed to access this page?

Environment

Release : 19.0

Cause

None of the webhook REST endpoints are protected in the webhook server's WEB-INF/web.xml. The only security constraint covering /rest/* enumerates HTTP methods but has no auth-constraint, so it does not require authentication for any of them:

  <security-constraint>
    <display-name>Allow methods for Tomcat CCS 9.X</display-name>
    <web-resource-collection>
      <web-resource-name>WH rest</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>HEAD</http-method>
      <http-method>PATCH</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
  </security-constraint>

Resolution

Edit the web.xml file: modify the "Secured" web resource security constraint to add an authentication constraint, a security role and a login configuration, and comment out the "Allow methods for Tomcat CCS 9.X" security constraint.

  <security-constraint>
    <display-name>Secured</display-name>
    <web-resource-collection>
      <web-resource-name>Secured area</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <role-name>WHAdmin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>WHAdmin</role-name>
  </security-role>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Basic Authentication Area</realm-name>
  </login-config>

Add the role, and the users assigned to that role, to <tomcat dir>\conf\tomcat-users.xml:

  <role rolename="WHAdmin"/>
  <user username="<username>" password="<password>" roles="WHAdmin"/>
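To check that the edit above actually closes the gap, the following script (an added example, not part of this article or of the Endevor webhook server) parses a web.xml and applies the Servlet-spec rules for combining security constraints: a constraint with no auth-constraint admits everyone, which is why the "Allow methods" constraint must be removed and not merely supplemented. The embedded SAMPLE is a constructed web.xml that keeps both constraints, and the audit reports /rest/* as still open.

```python
"""Audit a web.xml for url-patterns left open by its security-constraints.
Added example; not part of this article or of the Endevor webhook server.
Servlet-spec combination rules: a security-constraint with no <auth-constraint>
admits everyone, one naming roles admits those roles, and an empty
<auth-constraint/> denies everyone and overrides the others.
"""
import xml.etree.ElementTree as ET

_RANK = {"roles": 0, "open": 1, "denied": 2}  # precedence when constraints overlap

def _local(tag):
    # web.xml declares a default namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def audit_web_xml(xml_text):
    """Return {url-pattern: 'open' | 'denied' | 'roles:A,B'}."""
    seen = {}  # pattern -> (kind, roles)
    for sc in _kids(ET.fromstring(xml_text), "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        roles = sorted({r.text.strip() for a in auth
                        for r in _kids(a, "role-name") if r.text})
        kind = "open" if not auth else ("roles" if roles else "denied")
        for wrc in _kids(sc, "web-resource-collection"):
            for up in _kids(wrc, "url-pattern"):
                pat = (up.text or "").strip()
                prev = seen.get(pat)
                if prev is None or _RANK[kind] > _RANK[prev[0]]:
                    seen[pat] = (kind, roles)
                elif kind == "roles" and prev[0] == "roles":
                    seen[pat] = ("roles", sorted(set(prev[1]) | set(roles)))
    return {p: ("roles:" + ",".join(r) if k == "roles" else k)
            for p, (k, r) in seen.items()}

def open_patterns(xml_text):
    """Patterns reachable with no authentication: the condition in this article."""
    return sorted(p for p, s in audit_web_xml(xml_text).items() if s == "open")

# Constructed sample: 'Allow methods' left beside 'Secured', so /rest/* stays open.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <security-constraint><web-resource-collection><web-resource-name>WH rest</web-resource-name>
  <url-pattern>/rest/*</url-pattern><http-method>GET</http-method>
 </web-resource-collection></security-constraint>
 <security-constraint><web-resource-collection><web-resource-name>Secured area</web-resource-name>
  <url-pattern>/rest/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>WHAdmin</role-name></auth-constraint></security-constraint>
</web-app>"""
```

BASIC authentication sends the credentials with every request, so the protection only holds when the server is reached over HTTPS, as in the URL quoted above.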

Additional Information

For more information, see Secure a Webhook Configuration.