This is the most bizarre tomcat configuration problem I've ever seen. I have the following entry in web.xml:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<hstsEnabled>true</hstsEnabled>
<hstsMaxAgeSeconds>631</hstsMaxAgeSeconds>
<hstsIncludeSubDomains>true</hstsIncludeSubDomains>
<hstsPreload>true</hstsPreload>
</filter>
I intentionally put in a weird value for max-age so that it would be easy to see if the configuration is active or not.
And it's activated:
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
But it doesn't do what it should do. The resulting headers are always:
strict-transport-security: max-age=0
which is almost exactly what I don't want.
Any ideas on this? I can't even understand how this could be happening and it certainly goes against all the documentation. This is all with Tomcat 9.0.29, JDK 13. It seems like it should "just work" and seems like a very simple configuration.
To be clear, this is in the Tomcat web.xml (in $CATALINA/conf/web.xml), not in an application-specific web.xml. HSTS preload is for the entire domain (including subdomains which might be on other servers), not for any set of URIs within the domain, so it only makes sense to set preload in the server-wide web.xml.
EDIT: This is with a Spring Boot application. It seems that Spring Boot might be controlling this header and overriding whatever is being set in web.xml. This is unfortunate because Spring Boot is for a specific application in a specific context, whereas this header really applies to the entire domain, or even to sub-domains, and so is beyond any specific web application in a specific context. I think I need to figure out how to get Spring Boot to do nothing to HSTS headers and let Tomcat handle it all.
Related
I'm working with ZK and spring.
I downloaded 2 different project that now I try to merge. My problem is in this part of code:
<html:form action="j_spring_security_check" method="POST" xmlns:html="native">
that is in the file login.zul. I found these lines in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I saw that if I change /* with /login.zul it happened that in my url becomes: localhost:8080/myProject/j_spring_security_check and I saw error 404.
If I didn't change my url is localhost:8080/myProject/ and the page index.zul works correctely.
But index.zul is in the same folder as login.zul.
I saw the same error also if I set /index.zul in state of "/*".
How can I decide another url in stead of /*?
Thanks!
The above URL pattern /* declares that you want to protect all your pages. It has nothing to with the fact, which page do you want to load after the successfull login.
The title is also missleading, j_spring_security_check is just the default URL for Spring Security login form submission: SpringSec will start his authentication module (that is username/password checking) when a request to this URL comes. You do not want to change it. You may change it if you for example do not want to tell the world that you uses Spring Security, or you do not want to change your existing login form that uses an other action attribute.
You may have a configuration XML for Spring Security like spring-security.xml or an equivalent Java based configuration) - with a tag in it. You need to set the default-target-url attribute of that tag as
<form-login login-page="/some_dir/login.zul" default-target-url="/some_other_dir/panel.zul"
You should use relative URLs inside your webapp.
You may have an authentication-success-handler-ref instead of default-target-urlin a more complicated situation, but you should not mix them .
I have a Grails application running that uses an external CAS login method and uses a local user list for authorization. I am using the spring-security and spring-security-cas plugins and everything is working great.
I am now implementing a RESTful API under a sub-domain of the application (/api) and want to provide security for that as well. I have read that setting up HTTP basic AuthN is easy with Grails, but have found nothing on using 2 security paradigms within one application. Aside from separating the API to a separate application, is there a way to implement a separate authentication method for just the /api sub-domain on my application?
Any feedback would be greatly appreciated. Thanks!
I found no simple way to accomplish this, so I ended up using IP-based access control for the API (since only a few people will be using it). I did this by editing the web.xml file in my grails app and adding a Remote Address Filter:
<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>**IP ADDRESSES HERE**</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/api/*</url-pattern>
</filter-mapping>
I also had to disable CAS authentication for the api, which I accomplished by adding permissions in the interceptUrlMap in Config.groovy:
'/api/**': ['IS_AUTHENTICATED_REMEMBERED', 'IS_AUTHENTICATED_ANONYMOUSLY']
I have a WAR file that defines a filter to run on all URLs:
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
...
<filter>
<filter-name>OurRedirectServletFilter</filter-name>
<filter-class>com.mycompany.RedirectServletFilter</filter-class>
</filter>
...
<filter-mapping>
<filter-name>OurRedirectServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The filter is designed to perform some redirects from 'convenience' URLs to a corresponding 'actual' URL, but I don't think that's really relevant to the problem.
On WebSphere 7.0, this filter doesn't run for requests to the root URL, e.g. /ctxroot or /ctxroot/; instead I just get a 404 response. It does run for /ctxroot/blah, whether blah is a valid or invalid path.
I've tried adding additional filter mappings for URL patterns <url-pattern>/</url-pattern> and <url-pattern></url-pattern>, but I get the same behavior.
I've tested on base WAS 7.0.0.0, and with the latest fix pack applied, i.e. WAS 7.0.0.27.
The filter works as expected on WAS 8.5 and I'm pretty sure on WAS 8.0, as well as on every version of WebLogic, JBoss, and Tomcat that I've tried. This then seems to be a bug with WAS 7.0, but I'd still like to find a workaround. Anybody know of one?
I eventually looked at the body of the 404 error response and saw error code SRVE0190E, which led me to this helpful page. The issue is that filters aren't called by default for URLs that correspond to resources that don't exist (though I swear I tested that for a URL other than the context root, and my filter was called).
It's possible to configure WebSphere to call filters in this situation by setting a custom property as further described in the linked page:
com.ibm.ws.webcontainer.invokefilterscompatibility=true
I also found that for the case of the context root URL, setting a welcome-file entry in web.xml that maps to an existing resource causes the filter to be called:
<welcome-file-list>
<welcome-file>fakehome.html</welcome-file>
</welcome-file-list>
As described here: http://wikis.sun.com/display/Jersey/WADL
I'm using Jersey 1.4 in Tomcat 6.
I have tried every possible URI with a "/application.wadl" and all I get is a 404 (not available). I'm obviously not understanding something, but every blog I read makes it sound like this is "out of the box" functionality. I'm using Tomcat 6..should this matter?
I was able to use Pavel's example on using the WadlResource object here, but it seems I shouldn't need to do this: http://markmail.org/message/lbeaw5vyr4qergdd#query:+page:1+mid:fo4dt7tbd6rb3gvi+state:results
thanks.
I think that ChrisO most likely has the answer in that your wadl would be available at http://localhost:{port}/{warname}/application.wadl
I had the same problem, and found out that default application.wadl was only working when configured at the root of the app
My conf included several url patterns like the following
<filter-mapping>
<filter-name>jersey-spring</filter-name>
<url-pattern>/admin/rest/*</url-pattern>
</filter-mapping>
And I had to add this to make it work :
<filter-mapping>
<filter-name>jersey-spring</filter-name>
<url-pattern>/application.wadl</url-pattern>
</filter-mapping>
Hope it helps
If you are using Jersey, the WADL will be given automatically when you suffix the application.wadl to your url.
Here all the /rest/ is the <url-pattern> for the <servlet-mapping>
http: // yourmacine:8080 / RESTfulExample/rest/application.wadl
You need to specify the display-name and url-pattern of the sevlet mapping(if any) before application.wadl
I'm trying to setup Jetty to serve compressed html content. In web.xml I setup GzipFilter and mapped it to /* but this doesn't seem to work. Here's the filter configuration:
<filter>
<filter-name>GZipFilter</filter-name>
<display-name>Jetty's GZip Filter</display-name>
<description>Filter that zips all the content on-the-fly</description>
<filter-class>org.mortbay.servlet.GzipFilter</filter-class>
<init-param>
<param-name>mimeTypes</param-name>
<param-value>text/html</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>GZipFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I'm just starting to use Jetty, so the solution might be ridiculously simple. If you can link me to documentation that might help me, that would be great too.
GZIP Compression
GZIP Compression can be used to reduce the amount of data being sent "over the wire". Compression is applied as a transport encoding. This can greatly improve webapplication performance, however it can also consume more CPU and some content (eg images) cannot be well compressed.
Static Content
The Jetty Default Servlet can serve precompressed static content as a transport encoding and avoid the expense of on-the-fly compression. If the "gzip" init parameter is set to true, then Jetty will look for compressed static resources. So if a request for "foo.txt" is received and the file "foo.txt.gz" exists, then it will be served as "foo.txt" with a gzip transport encoding.
GzipFilter
The Jetty Gzip Filter is a compression filter that can be applied to almost any dynamic resource (servlet). It fixes many of the bugs in commonly available compression filters (eg handles all ways that content length may be set) and has been testing with Jetty continuations and suspending requests.
Some user-agents may be excluded from compression, so as to avoid some common browser bugs (yes this means IE!).
refer from jetty doc:
http://docs.codehaus.org/display/JETTY/GZIP+Compression
you can look Gzipfilter source code,here is a lot of useful comments :
http://download.eclipse.org/jetty/stable-7/xref/org/eclipse/jetty/servlets/GzipFilter.html
I'm gonna answer this too, since I've had a huge headake trying to make this work, and I finally did it. Also, I'm not a major expert in the fine details of HTTP so I'll give a non-professional answer.
First, here's how I checked if my GZipFilter was working or not. Started Firefox, made sure I had the Firebug addon, started the Firebug addon, went to the "Net" tab. Then I accessed the URL which should return a GZipped response. Here's what Firebug shows:
The "Size" column shows the size of the response. If you hover over the "Size" column label with your mouse, it will tell you that if the response is compressed, then it will display the compressed size of the response.
This all was done with the GZip filter enabled in Jetty. I then removed the GZip filter declaration from my web.xml, restarted Jetty and repeated the test. This time around the response had the exact same size as before, which clearly indicated that the GZip compression was not working.
After multiple trial and errors, what I did is look in Firebug at the "Request Headers" section to see the value for the "Accept" header. I've noticed that here this had values such as "application/xml" and "text/xml", but the way I had configured my GZIp filter's init param "mimeTypes" only contained "text/xml" (and was missing "application/xml"). It was configured like so:
<filter>
<filter-name>GzipFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.GzipFilter</filter-class>
<init-param>
<param-name>mimeTypes</param-name>
<param-value>text/html,text/plain,text/xml,application/xhtml+xml,text/css,application/javascript,image/svg+xml,application/json,application/xml; charset=UTF-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>GzipFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
After adding the "application/xml" value to the list like so:
<filter>
<filter-name>GzipFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.GzipFilter</filter-class>
<init-param>
<param-name>mimeTypes</param-name>
<param-value>text/html,text/plain,text/xml,application/xhtml+xml,application/xml,text/css,application/javascript,image/svg+xml,application/json,application/xml; charset=UTF-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>GzipFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I redid my previous test, and sure enough now the reported size of the response was much smaller:
Also notice that now, the reported Response Headers contain an extra field called "Content-Encoding" with a value of "gzip".
So basically the idea is to check what kind of values you send in your Request "Accept" header and make sure that all those values are configured in the GZip filter's "mimeTypes" init param.
Sometimes using Gzipfilter has some problems, depending on how you are handling buffers and flushing. As such, using org.eclipse.jetty.servlets.IncludableGzipFilter (which actually an extends GzipFilter) may solve your problems.
On jetty 9.3:
edit jetty.conf and include the xml file "jetty-gzip.xml"
edit start.ini and add "--module=servlets"
edit jetty-gzip.xml and configure the mime-types you want.
Restart jetty and test again.
What was the error? Are you getting classpath problems or something else? If classpath, you need to make sure the gzipfilter class is available to the jetty runtime or it will die.
Are you sending the request with the "Content-Encoding: gzip" request header?