Recently there has been an exploit on Apache Jserv Protocol (AJP) for webapps running in Tomcat.
The quickest way to mitigate that risk is to disable that protocol if not in use. I would like to know how to disable Apache Jserv Protocol (AJP) on Springboot web application through application.properties or any other configurable method. I've looked for it on Springboot documention and other sources but could not find how to do it.
Thanks!
Related
Was wondering the recommended way of starting a spring boot app if the Spring cloud config server is temporarily down or unavailable. What would be the approach? I know of the retry configurations, but I am wondering if there is a way to have a 'replica' config server and use that as a failover (or something along those lines).
Sure, why not?
After all, spring-cloud-config server exposes rest API and all the interaction with spring boot microservices is done over HTTP.
From this point of view, you can scale out the spring cloud config server by providing more than one instance of it all are up-and-running and mapping them to one virtual IP.
If you're running in some kind of orchestrated environment (like kubernetes) it is a very easy thing to do.
I am building a middle tier which will consume information from multiple downstream systems. The ask is to talk to them over 1 way SSL. I looked up samples but this concept is a bit if a mystery to me. Please help.
The question is too vague IMHO, I'll try to provide general insights
The answer may vary depending on the actual requirements in your organization security department and your actual spring boot configuration.
Spring Boot is a Java framework that usually allows the deployment architecture with an embedded tomcat, jetty or undertow servers that serve Http endpoints exposed by Spring MVC or without an embedded server at all (usually for legacy deployments)
If you in a "legacy" mode (build a WAR) - then HTTPs configuration should be done on the actual server and not in spring boot application.
If you use an embedded server, then the actual technical solution can actually depend on the server you use underneath, at least to some extent.
Indeed like Steffen Ullrich has stated in the comment section, there are many examples of doing this.
For example, take a look at This one
If you want to redirect HTTP requests to HTTPs you should configure your server to do so, and this solution is Tomcat specific.
Another thing to consider is whether you want to use SSL at the level of spring boot at all. Maybe you're running under the gateway / some kind of proxy. In this case, it can make sense to use https for accessing the proxy from outside, but from a proxy to java application you could use HTTP.
I know I'm just speculating about this solution, I've just decided to mention it because in my experience there are many organizations that work like this.
In addition, since spring boot is used for microservice development, the chances are that you have many spring boot artifacts that somehow "talk" to each other, so maybe running HTTPs between them is redundant.
Based on an answer from #andy-wilkinson to a past Spring Boot question, it appears that with the exception of a couple parameters (port for example), the management server leverages the same configuration as the regular servlet container.
I would like to configure the main Spring Boot server to use HTTPS (for the application/service it is serving) and to use just HTTP for the actuator endpoints. Has anyone done this? Is this even possible?
-Joshua
It's not possible at the moment. Please open an issue if it's an enhancement that you'd like to see.
I'm developing a webapplication with Spring-boot using embedded tomcat.
One of the requirements of this app is 2-way SSL (clientAuth).
Enabling ClientAuth is easy enough however we also like to use spring-boot Actuator for management of the app on a different port without clientAuth.
Is there is a clean way to do this?
(Disabling SSL on the actuator endpoints would also be enough)
According to latest spring docs, you can use
management.server.port=8080
management.server.ssl.enabled=false
in the properties to configure the management ports. see production-ready-management-specific-ssl in the spring boot doc for more options.
Is there a simple way to use (or reuse) external Jetty configuration files to configure an embedded Jetty web container with Spring Boot.
Programmatic configuration to change only the listening port for example is acceptable, but a full configuration including multiple connectors, thread pools, etc. seems to be better suited with usual Jetty files.
Thanks for your help.
Regards.
There's no support in Spring Boot for configuring Jetty via XML. You can use application.properties for simpler cases or programmatic configuration for things that are more complex.
Boot's Tomcat integration is a little bit ahead of its Jetty integration in terms of what you can configure via application.properties. For example, you can configure Tomcat's thread pool. If you'd like to see some improvements to the Jetty integration then please open an issue, or, even better, a pull request.