WordPress Generate 403


I have installed Tomcat on my machine and it is running fine. I am able to log in to the administration manager. I have deployed a .war file which can be seen in the Tomcat manager. The name of the file is shim (actually I am installing freeshim).

When I try to access shim in the browser using 192.168.1.65:8080/shim I get the web administration interface of the shim. This is the message I get:

This is the web administration interface for FreeSHIM. Web services are located "here".

When I click "here" in order to configure the Freeshim I get an error:

HTTP Status 403 – Access to the requested resource has been denied.

Where am I going wrong? How can I change this permission?

migrated from stackoverflow.com Sep 12 '12 at 18:47

HTTP Status 403 (Access to the requested resource has been denied) can indicate either that you typed incorrect credentials 3+ times (try another web browser) or that you have some problem with the configuration.

If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation ( locate tomcat-users.xml ). That file must contain the credentials that let you use the Tomcat webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above:

Then you can access your webapps manager from /manager/html (e.g. for reloading after config changes).

If you're trying to implement your own security constraint (in web.xml), try the following example (before the end of the file):

If you are still having the problem, try:

  • check if you're editing the right XML file,
  • validate your XML files, e.g. catalina.sh configtest or xmlstarlet val /etc/tomcat?/*.xml /var/lib/tomcat7/webapps/*/WEB-INF/*.xml ,
  • check that the url-pattern in your security-constraint matches, or set it to /* ,
  • check your Tomcat logs (e.g. /var/log/tomcat7 ),
  • increase the logging level ( INFO -> FINE / FINEST ) in logging.properties or log4j.properties (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL), restart Tomcat and check the logs,
  • if there is nothing in the logs, check if you're checking the right logs ( sudo lsof | grep -E "java.*(out|txt|log)$" , tail -f /var/log/tomcat7/*.log /var/log/tomcat7/*.txt /var/log/tomcat7/*.out ),
  • when using the log4j logging system, make sure you initialized it properly by placing the libs and log4j.properties into the right folder and configuring it,
  • test BASIC authentication with cURL:

    Normally the request should return HTTP/1.1 401 Unauthorized and the "WWW-Authenticate" header should indicate that Basic authentication is required.

    The request should then be sent with an "Authorization" header and it should authenticate. If your credentials are invalid, you should get: HTTP/1.1 401 Unauthorized. If the user is authenticated but does not have access to view the resource, you should get: HTTP/1.1 403 Forbidden.

  • maybe a user lock-out mechanism has been activated after too many failed authentication attempts (LockOutRealm),
  • stop Tomcat and run it manually (in the same way as shown by: ps wuax | grep ^tomcat ), e.g.:

    Alternatively start it using the catalina.sh script like:

    and check your catalina.out log.

  • as a last resort, debug the process with: sudo strace -fp PID .
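The cURL triage the answer describes, as an added example (this is not code from the answer, from Tomcat or from FreeSHIM): a small Python model of a container doing BASIC authentication against a tomcat-users.xml-style file, plus a probe that plays the role of cURL and turns the response into the two diagnoses the answer gives (401 = credentials problem, 403 = authenticated but the wrong role). The tomcat/s3cret user and manager-gui role follow the answer; the shim user, the shim-admin role, the /shim/services path and the CONSTRAINTS map standing in for web.xml security-constraints are all constructed for the example.

```python
import base64
import hmac
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for conf/tomcat-users.xml (same layout as the real file; 'shim'/'shim-admin' are hypothetical).
TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="shim-admin"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="shim" password="shimpass" roles="shim-admin"/>
</tomcat-users>
"""

# Hypothetical web.xml security-constraints as a url-pattern -> role-name map.
CONSTRAINTS = {"/manager/html": "manager-gui", "/shim/services": "shim-admin"}


def load_users(xml_text):
    # Parse <user> elements into {username: (password, {roles})}, ignoring the XML namespace.
    users = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "user":
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            users[el.get("username")] = (el.get("password", ""), roles)
    return users


def basic_header(user, password):
    # The Authorization value cURL sends for -u user:password.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(users, path, auth_header):
    """Status a container sends for BASIC auth: 401 = no/bad credentials, 403 = wrong role, 200 = ok."""
    required = CONSTRAINTS.get(path)
    if required is None:
        return 200                      # nothing protects this path
    if not auth_header or not auth_header.startswith("Basic "):
        return 401                      # challenge: the client has not sent credentials yet
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401                      # malformed header counts as no credentials
    entry = users.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return 401                      # unknown user or wrong password
    return 200 if required in entry[1] else 403   # authenticated: the role decides


class Handler(BaseHTTPRequestHandler):
    users = load_users(TOMCAT_USERS_XML)

    def do_GET(self):
        status = authorize(self.users, self.path, self.headers.get("Authorization"))
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):       # keep the demo quiet
        pass


def probe(base_url, path, creds=None):
    """The cURL check from the answer: returns (status, WWW-Authenticate header or None)."""
    req = Request(base_url + path)
    if creds:
        req.add_header("Authorization", basic_header(*creds))
    try:
        with urlopen(req) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


def diagnose(status, www_authenticate):
    """Map the response to the two causes the answer distinguishes."""
    if status == 401 and (www_authenticate or "").startswith("Basic"):
        return "credentials rejected: check tomcat-users.xml (or a LockOutRealm lockout)"
    if status == 403:
        return "authenticated but missing the role the security-constraint requires"
    return "access granted" if status == 200 else f"unexpected status {status}"


def run_triage():
    server = HTTPServer(("127.0.0.1", 0), Handler)   # free port on loopback
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "anonymous": diagnose(*probe(base, "/manager/html")),
            "bad_password": diagnose(*probe(base, "/manager/html", ("tomcat", "wrong"))),
            "wrong_role": diagnose(*probe(base, "/shim/services", ("tomcat", "s3cret"))),
            "right_role": diagnose(*probe(base, "/shim/services", ("shim", "shimpass"))),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, verdict in run_triage().items():
        print(f"{case:13s} -> {verdict}")
```

The point of the "wrong_role" case is the one that matters for the question: a 403 with valid credentials means the user is known but lacks the role the constraint names, so the fix is in the roles attribute of tomcat-users.xml or in the role-name of the web.xml security-constraint, not in the password.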

About WordPress Nonces

The main purpose of WordPress nonces is to protect URLs and forms from misuse. A nonce is a short string of numbers and letters that is not easy to guess. Each nonce has a limited lifetime, after which it expires; it is generated for a given user in a given context, and the same value is returned for that user and action until the nonce rolls over. Nonces protect against cross-site request forgery (CSRF), also known as a one-click attack or session riding. They are not a defence against replay attacks, because a WordPress nonce is not single-use: it stays valid for its whole lifetime. Nonces must never be relied on for authentication, authorization or access control; check capabilities with current_user_can() instead.

Example of using WordPress nonce:

Any attempt to tamper with the URL (for example by changing the nonce or the post ID the action string is tied to) makes the nonce invalid and the request fails.

If the nonce is invalid, WordPress sends a "403 Forbidden" response to the browser with the error message: "Are you sure you want to do this?"

Creating a nonce

A nonce can be passed either as a query string parameter on a URL or as a hidden form field. For AJAX requests the nonce is usually placed in a hidden field and read from there by JavaScript. Note that nonces are different for each user, so if a user logs in or out asynchronously, nonces already present on the page become invalid.

Adding a nonce to a URL

A nonce is added to a URL by calling wp_nonce_url(), passing the bare URL and a string naming the action:

$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID );

Protection is strongest when the action string is specific, for example by including the post ID as above. By default wp_nonce_url() adds the nonce in a query parameter named _wpnonce; a third argument lets you choose another name. For example:

$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID, 'our_nonce' );

Adding a nonce to a form

A nonce is added to a form by calling wp_nonce_field(), passing the string naming the action. wp_nonce_field() generates two hidden fields:

1) The first holds the nonce.

2) The second holds the current URL (the referrer). By default the fields are echoed directly. For example:

Which might display like:

Again, the action string should be specific. Optional parameters let you:

1) use a different name for the nonce field,

2) omit the referrer field,

3) return the markup instead of echoing it.

Creating a nonce for use in some other way

Another way to create a nonce is to call wp_create_nonce() with a string naming the action. For example:

$nonce = wp_create_nonce( 'my-action_'.$post->ID );

This returns the nonce, for example: 387b484257. A string naming the action must always be provided.

Verifying a nonce

How a nonce is verified depends on how it was passed:

1) in a URL or in a form in an admin screen,

2) in an AJAX request, or

3) in any other scenario.

Verifying a nonce passed from an admin screen

A nonce passed in a URL or in a form in an admin screen is checked by calling check_admin_referer() with the string naming the action. For example:

This checks both the nonce and the referrer; if the check fails, the default action is taken, which is to terminate script execution with a "403 Forbidden" response and an error message. If you gave the nonce field a custom name when creating it, pass that name as the second argument, for example:

check_admin_referer( 'add-comment_'.$comment_id, 'my_nonce' );

Verifying a nonce passed in an AJAX request

A nonce passed in an AJAX request is verified by calling check_ajax_referer() with the string naming the action. For example:

This checks the nonce (not the referrer) and, if the check fails, terminates script execution by default. Note that the nonce must have been created with one of the default field names (_wpnonce or _ajax_nonce), or you must pass the field name as an additional parameter; a further parameter lets you return the result instead of terminating execution.

Verifying a nonce passed in some other scenario

A nonce passed in any other context is verified by calling wp_verify_nonce() with the nonce and the string naming the action. It returns 1 if the nonce was generated in the first half of its lifetime, 2 if it was generated in the second half, and false if it is invalid or expired. For example:

wp_verify_nonce( $_REQUEST['my_nonce'], 'run-comment'.$comment_id );
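How the creation functions above and the verification functions (wp_create_nonce, wp_nonce_url, wp_verify_nonce) fit together, as an added example that is not WordPress code and not code from this page: a Python model of the scheme WordPress uses. It follows the real algorithm (the nonce is characters -12 to -2 of an MD5 HMAC over tick|action|user_id|session_token, the tick changes every half-lifetime, and verification accepts the current tick with 1 and the previous one with 2), but the salt, the session tokens, the user IDs, the timestamps and the trash-post request handler are all constructed for the example; WordPress itself derives the salt from NONCE_KEY/NONCE_SALT and takes the token from the login cookie.

```python
import hashlib
import hmac
import math
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins: not a real salt and not a real site's session tokens.
NONCE_SALT = b"constructed-nonce-salt-not-from-any-real-site"
NONCE_LIFE = 24 * 60 * 60          # DAY_IN_SECONDS, the default 'nonce_life'


def nonce_tick(now, life=NONCE_LIFE):
    """wp_nonce_tick(): the half-life window 'now' falls in. Because the previous
    window is also accepted, a nonce lives between 12 and 24 hours, not exactly a day."""
    return math.ceil(now / (life / 2))


def _nonce_hash(tick, action, user_id, session_token):
    # wp_hash(tick|action|uid|token, 'nonce') is an MD5 HMAC; the nonce is its chars -12..-2.
    data = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SALT, data, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, user_id, session_token, now=None):
    """wp_create_nonce(): the same value comes back for the same user, action and tick."""
    now = time.time() if now is None else now
    return _nonce_hash(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """wp_verify_nonce(): 1 = current tick, 2 = previous tick, False = invalid or expired.
    Every input to the HMAC must match, so another user's nonce, or a nonce for a
    different action (e.g. a different post ID), is rejected."""
    now = time.time() if now is None else now
    tick = nonce_tick(now)
    candidate = str(nonce).encode()
    if hmac.compare_digest(_nonce_hash(tick, action, user_id, session_token).encode(), candidate):
        return 1
    if hmac.compare_digest(_nonce_hash(tick - 1, action, user_id, session_token).encode(), candidate):
        return 2
    return False


def nonce_url(bare_url, action, user_id, session_token, name="_wpnonce", now=None):
    """wp_nonce_url(): append the nonce as a query parameter (default name _wpnonce)."""
    sep = "&" if "?" in bare_url else "?"
    return bare_url + sep + urlencode({name: create_nonce(action, user_id, session_token, now)})


def handle_trash_request(url, user_id, session_token, name="_wpnonce", now=None):
    """Constructed server side of the trash-post example: the action is rebuilt from the
    request's own post ID before verifying, so editing post= in the URL breaks the nonce."""
    query = parse_qs(urlparse(url).query)
    post_id = query.get("post", [""])[0]
    values = query.get(name)
    if not values:
        return False                    # no nonce field at all
    return verify_nonce(values[0], f"trash-post_{post_id}", user_id, session_token, now)


if __name__ == "__main__":
    t0 = 1_000_000                      # constructed timestamp
    url = nonce_url("/wp-admin/post.php?post=42&action=trash", "trash-post_42", 7, "alice-token", now=t0)
    print(url)
    print("same user, same request ->", handle_trash_request(url, 7, "alice-token", now=t0))
    print("post ID edited in URL   ->", handle_trash_request(url.replace("post=42", "post=43"), 7, "alice-token", now=t0))
    print("another user's session  ->", handle_trash_request(url, 8, "bob-token", now=t0))
    print("13 hours later          ->", handle_trash_request(url, 7, "alice-token", now=t0 + 13 * 3600))
    print("36 hours later          ->", handle_trash_request(url, 7, "alice-token", now=t0 + 36 * 3600))
```

Two things the model makes visible that the prose does not: the nonce is a deterministic function of its inputs, so it is not single-use and offers no replay protection within its window, and the check says nothing about whether the user may trash the post at all, which is why a capability check such as current_user_can() still has to run alongside it.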
