Unable to doPost because app always sends me the header "x-csrf-token: require" HTTP 403 - s4sdk

I've got a doGet working, but when I try to do the doPost I get a 403. I think it's because the server always sends me the header "x-csrf-token: require", but the strange thing here is that I had deactivated these lines before:
<!-- disabled to make REST work - AUTHN/AUTHZ MUST NOT USE COOKIES! -->
<!--
<filter>
<filter-name>RestCsrfPreventionFilter</filter-name>
<filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>RestCsrfPreventionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
I read that the approuter takes care of security. This is my overridden post method; I only want to check that it's working:
@Override
protected void doPost(final HttpServletRequest request, final HttpServletResponse response) throws IOException, ServletException {
    response.getWriter().write("POST METHOD");
}
But I see this in the response every time:
Response from app - HTTP 403
I discovered that you need to activate authentication in the approuter, but it's still not working for me. This is my approuter code:

By default the approuter protects all non-GET routes with CSRF protection. If you just want to test this out, you can turn it off in the approuter's configuration using "csrf-protection": false in the xs-app.json (https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/c103fb414988447ead2023f768096dcc.html).
However, this is not recommended. The better option is to fetch the CSRF token and send it in every subsequent request.
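The fetch-then-send exchange the answer recommends, as an added example that is not part of the original question or answer. It uses the standard library HttpClient (Java 11+); the approuter URL, the servlet path and the plain-text body are assumptions, and it relies on the approuter convention of returning the token in the x-csrf-token response header when a safe request carries "x-csrf-token: Fetch":

```java
import java.io.IOException;
import java.net.CookieManager;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

/**
 * Added example (not from the original post): obtain the approuter's CSRF token with a
 * GET and replay it on the POST, sharing the approuter session cookie between the two.
 */
public class CsrfAwareClient {
    private static final String CSRF_HEADER = "x-csrf-token";

    private final HttpClient client;
    private final URI base;
    private String token;

    public CsrfAwareClient(URI base) {
        this.base = base;
        // The token is bound to the approuter session, so the session cookie has to be stored
        // and sent back; a CookieManager does that for every request made through this client.
        this.client = HttpClient.newBuilder()
                .cookieHandler(new CookieManager())
                .build();
    }

    /** Step 1: "x-csrf-token: Fetch" on a safe request; the token comes back in the same header. */
    public String fetchToken(String path) throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(base.resolve(path))
                .header(CSRF_HEADER, "Fetch")
                .GET()
                .build();
        HttpResponse<Void> res = client.send(req, HttpResponse.BodyHandlers.discarding());
        token = res.headers().firstValue(CSRF_HEADER).orElseThrow(() ->
                new IllegalStateException("GET " + path + " returned " + res.statusCode()
                        + " without an " + CSRF_HEADER + " header; is the route behind the approuter?"));
        return token;
    }

    /** Step 2: send the token with the modifying request; refetch once if the approuter rejects it. */
    public HttpResponse<String> post(String path, String body) throws IOException, InterruptedException {
        if (token == null) {
            fetchToken(path);
        }
        HttpResponse<String> res = sendPost(path, body);
        // A 403 that carries the x-csrf-token header again (the "require..." value seen in the
        // question) means the token was missing, expired or issued for another session:
        // get a fresh one and retry exactly once.
        if (res.statusCode() == 403 && res.headers().firstValue(CSRF_HEADER).isPresent()) {
            fetchToken(path);
            res = sendPost(path, body);
        }
        return res;
    }

    private HttpResponse<String> sendPost(String path, String body) throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(base.resolve(path))
                .header(CSRF_HEADER, token)
                .header("Content-Type", "text/plain")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        return client.send(req, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical approuter URL and servlet path; replace with your own.
        CsrfAwareClient c = new CsrfAwareClient(URI.create("https://my-approuter.example.com/"));
        HttpResponse<String> res = c.post("backend/myservlet", "hello");
        System.out.println(res.statusCode() + " " + res.body());
    }
}
```

The GET has to go through the approuter rather than straight to the application, because the token is tied to the approuter session that the cookie identifies; that is also why the approuter's authentication must be active, as the question notes. Keep in mind that with the RestCsrfPreventionFilter commented out of web.xml the application itself no longer checks tokens at all, so the protection only holds as long as every request reaches the servlet through the approuter.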


Renaming JSESSIONID

I tried to rename JSESSIONID as below in web.xml, but it seems that sometimes I still see the default name in the logs (I am logging in a filter in case the default name is given). Any idea?
I am using Spring 3.2.18 and servlet-api 3.1.
<session-config>
<session-timeout>45</session-timeout>
<cookie-config>
<path>/</path>
<domain>.example.com</domain>
<name>XXX_JSESSIONID</name>
</cookie-config>
</session-config>
As you are using Spring 3.2.18, you should try the following code to override DefaultCookieSerializer. You can find detailed information in the Spring Docs.
import org.springframework.context.annotation.Bean;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Bean
public DefaultCookieSerializer defaultCookieSerializer() {
    DefaultCookieSerializer defaultCookieSerializer = new DefaultCookieSerializer();
    // Name of the session cookie written by Spring Session instead of the container's JSESSIONID
    defaultCookieSerializer.setCookieName("mySessionId");
    return defaultCookieSerializer;
}
Without clear logs of what is happening, it could be the client browser sending back cookies stored under the default name 'JSESSIONID'.
In that case you should first delete the JSESSIONID cookie from the client browser (expire it).
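A filter that does what the last answer suggests, expiring the leftover JSESSIONID on the client, as an added example that is not part of the original question or answers. It reuses the cookie name, path and domain from the question's web.xml; the class name is made up here:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: once the app has moved to XXX_JSESSIONID, browsers that still hold an
 * old JSESSIONID keep sending it. Tomcat ignores it, so it only shows up in logs; this
 * filter tells the browser to drop it.
 */
public class StaleSessionCookieFilter implements Filter {
    private static final String OLD_NAME = "JSESSIONID";
    // Values from the question's <cookie-config>; an expiry only works when path and domain
    // match the attributes the cookie was originally stored with.
    private static final String COOKIE_PATH = "/";
    private static final String COOKIE_DOMAIN = ".example.com";

    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (OLD_NAME.equals(c.getName())) {
                    // Variant 1: the old cookie was written with the configured path/domain.
                    response.addCookie(expired(COOKIE_PATH, COOKIE_DOMAIN));
                    // Variant 2: it was written before any <cookie-config> existed, i.e. with the
                    // servlet default of the context path (or "/" for the root context) and no domain.
                    String ctx = request.getContextPath().isEmpty() ? "/" : request.getContextPath();
                    if (!ctx.equals(COOKIE_PATH)) {
                        response.addCookie(expired(ctx, null));
                    }
                    break;
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Builds a Set-Cookie that removes JSESSIONID for the given path (and domain, if any). */
    private static Cookie expired(String path, String domain) {
        Cookie kill = new Cookie(OLD_NAME, "");
        kill.setPath(path);
        if (domain != null) {
            kill.setDomain(domain);
        }
        kill.setMaxAge(0);      // Max-Age=0 instructs the browser to delete the cookie
        kill.setHttpOnly(true);
        return kill;
    }

    @Override
    public void destroy() {
    }
}
```

Map it to /* in web.xml ahead of the filter that does the logging. The second Set-Cookie is there because a cookie is only replaced when name, path and domain all match; an old JSESSIONID issued under the context path would otherwise survive an expiry sent for "/" with the domain attribute set.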

Some Rest APIs Only Accessible On https While Others Only Accessible On http

I have set up SSL on a Tomcat and made code and configuration changes on its client so that the client can access both the http and https ports programmatically. Now, how can I configure the application or Tomcat so that some application REST APIs are only accessible through https while others are only accessible through http? The application is built with Spring. It doesn't use Spring Security. If Spring Security were in place, some URLs could be configured for secure access and the rest for insecure access.
You can enforce any restrictions you'd like on any URLs by writing a Filter and binding it to whatever URL patterns you wish. For this case, you could use a Filter like this:
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class SecureFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!request.isSecure()) {
            // Do whatever you want:
            // a. throw an error - e.g. respond with 403 (done here)
            // b. redirect to HTTPS
            // c. ??
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            // Allow the request to be processed as usual
            chain.doFilter(request, response);
        }
    }

    public void destroy() { }
}
Then, in your WEB-INF/web.xml file, register the Filter and map it to some URL patterns:
<filter>
<filter-name>REST-security</filter-name>
<filter-class>com.whatever.SecureFilter</filter-class>
</filter>
....
<filter-mapping>
<filter-name>REST-security</filter-name>
<url-pattern>/rest/*</url-pattern>
<url-pattern>/api/*</url-pattern>
<url-pattern>/anything-else/*</url-pattern>
</filter-mapping>
You have to configure a reverse proxy (an NGINX server) to serve requests as per your requirement.
The NGINX server needs to be placed in front of your Tomcat server; then the client will first call the NGINX server, and depending on the request you can configure it to pass the request to the http or the https port of your Tomcat.
http://nginx.org/en/docs/http/configuring_https_servers.html
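One filter class covering both halves of the question, as an added example that is neither answer's own code: registered twice in web.xml with different init-params, it makes one set of URL patterns HTTPS-only and another HTTP-only, and it handles the two cases a bare isSecure() check leaves open (redirecting a POST, and downgrading). The init-param names, the class name and the /secure-api and /plain-api patterns are assumptions of this example:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: enforce a required scheme per URL pattern. Register it once per pattern
 * group in web.xml (filter names and patterns are assumptions of this example):
 *
 *   <filter>
 *     <filter-name>HttpsOnly</filter-name>
 *     <filter-class>com.example.SchemeEnforcementFilter</filter-class>
 *     <init-param><param-name>scheme</param-name><param-value>https</param-value></init-param>
 *   </filter>
 *   <filter-mapping><filter-name>HttpsOnly</filter-name><url-pattern>/secure-api/*</url-pattern></filter-mapping>
 *
 *   plus a second <filter> named HttpOnly with scheme=http, mapped to /plain-api/*.
 */
public class SchemeEnforcementFilter implements Filter {
    private boolean requireHttps;
    private int httpsPort;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String scheme = config.getInitParameter("scheme");
        if (!"https".equals(scheme) && !"http".equals(scheme)) {
            throw new ServletException("init-param 'scheme' must be 'http' or 'https'");
        }
        requireHttps = "https".equals(scheme);
        // Optional init-param: the HTTPS connector port used in redirects (defaults to 443).
        String port = config.getInitParameter("httpsPort");
        httpsPort = (port == null) ? 443 : Integer.parseInt(port);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only for requests that arrived on the TLS connector
        // (or that a trusted proxy marked as such through Tomcat's RemoteIpValve).
        if (request.isSecure() == requireHttps) {
            chain.doFilter(req, res);
            return;
        }

        String method = request.getMethod();
        boolean safeMethod = "GET".equals(method) || "HEAD".equals(method);
        if (requireHttps && safeMethod) {
            // Upgrade idempotent requests with a redirect; a redirected POST would lose its body.
            StringBuilder target = new StringBuilder("https://").append(request.getServerName());
            if (httpsPort != 443) {
                target.append(':').append(httpsPort);
            }
            target.append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return;
        }

        // Either a non-idempotent request on the wrong scheme, or an HTTPS call to an
        // HTTP-only route: refuse rather than redirect, so nothing is ever downgraded.
        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                "This resource is served only over " + (requireHttps ? "https" : "http"));
    }

    @Override
    public void destroy() {
    }
}
```

Two things to check before relying on it. First, request.isSecure() reflects the connector the request arrived on: behind the NGINX setup from the second answer, TLS ends at the proxy and Tomcat sees plain HTTP, so isSecure() is false for everything unless you enable Tomcat's RemoteIpValve (protocolHeader="X-Forwarded-Proto" with internalProxies limited to the proxy's address), which lets only the trusted proxy's header change the answer; do not read X-Forwarded-Proto in the filter yourself, since any client can send it. Second, getServerName() comes from the Host header, so on a catch-all virtual host pin the redirect host in an init-param rather than echoing it. For the HTTPS-only half on its own, the container-native alternative is a <security-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> on the same URL pattern, which needs no code; there is no equivalent declaration for HTTP-only.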

How to access previous SOAP headers in SoapInterceptor?

Here's my configuration:
A request is captured by my REST controller, and I send data via SOAP to my webservice. Then I access some data by sending a SOAP request to another service, and I return the gathered data to the user who sent the request.
Before sending the SOAP request to the external webservice I need to set some headers, so I have an interceptor that extends AbstractSoapInterceptor with Phase.PRE_PROTOCOL in the constructor, on the webservice side.
Inside handleMessage() I create new headers and add them to the SoapMessage, but... the data I need to set is inside the REST request, in its headers. So in order to get them I need access to the HttpServletRequest, and then I just get the header using HttpServletRequest#getHeader("header_name").
I've seen here that I could just use the @Context annotation, but it's not available in my Spring (3.0.5), or maybe RESTEasy is something else and that question isn't connected with mine in any way.
I've tried this:
HttpServletRequest request = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
and
ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
HttpServletRequest request = attributes.getRequest();
but it's been a shot in the dark and it failed.
Edit:
Thanks to Abel ANEIROS I've added:
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
and was able to get the HttpServletRequest from RequestContextHolder.getRequestAttributes(), but apparently its origin is my webservice and not REST.
Edit2:
The structure is different from what I thought.
It's: Rest Controller -> MyWebService (SOAP) -> ExternalService (SOAP)
I've created another interceptor on the controller side, added headers to the SOAP message, and now I'm trying to get the headers again on the MyWebService side.

Spring Security 3.2 + GWT

We (my team) are currently developing a POC: a front-end built with GWT that uses Spring for the back-end.
So far, we have not encountered any significant problems integrating the two.
However, when we decided to use Spring Security 3.2 (just recently released), we encountered some issues with the security headers.
After some research, we discovered that it has to do with clickjacking prevention (the X-Frame-Options header).
Our approach is as follows.
The login page is not part of GWT but a simple page (e.g., login.jsp).
Once authentication is successful, it should switch to the GWT start page.
However, with the default security headers, once authentication succeeds, only a blank page is shown.
For now, we simply disabled the security headers as follows (using Spring Java Configuration).
@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.headers().disable();
}
With the security headers disabled, the GWT page shows up correctly.
We would prefer to keep the security headers enabled.
Any help would be greatly appreciated.
Updated: In the web.xml file, we use the following.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
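A configuration that keeps the security headers on while letting the GWT page load, as an added example that is not part of the original question. It assumes, as the question suggests, that the blank page comes from the default X-Frame-Options: DENY refusing the hidden same-origin iframes GWT uses to load the module, and that Spring Security 3.2's Java configuration is in use; the login.jsp and /app/ paths are assumptions:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;

/**
 * Added example: same security headers as the 3.2 defaults, except that X-Frame-Options is
 * SAMEORIGIN instead of DENY, so the GWT host page may frame its own resources.
 */
@Configuration
@EnableWebSecurity
public class GwtSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // In 3.2, customizing headers() replaces the default set, so every writer
                // that should stay has to be listed explicitly.
                .contentTypeOptions()           // X-Content-Type-Options: nosniff
                .xssProtection()                // X-XSS-Protection: 1; mode=block
                .cacheControl()                 // Cache-Control/Pragma/Expires: no caching of secured pages
                .httpStrictTransportSecurity()  // Strict-Transport-Security on HTTPS responses
                // SAMEORIGIN: GWT's hidden iframes come from this origin and are allowed;
                // a page on any other origin still cannot frame the app (the clickjacking case).
                .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
                .and()
            .authorizeRequests()
                .antMatchers("/login.jsp").permitAll()   // assumed location of the plain login page
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.jsp")
                .defaultSuccessUrl("/app/index.html", true) // assumed GWT host page
                .permitAll();
    }
}
```

This keeps the springSecurityFilterChain mapping from web.xml unchanged. One more 3.2 default to watch on a login page that is not generated by GWT: CSRF protection is on in the Java configuration, so login.jsp has to post the token, for example with <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>, or the login POST itself is rejected with a 403 rather than a blank page.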

spring DispatcherServlet, code to execute before it

I have a Spring web application. I would like to put some common piece of code that will be executed at the beginning of each HTTP request so that I can check for spam. I have configured DispatcherServlet in my web.xml, which means DispatcherServlet is the first entry point for every HTTP request. My question is: does DispatcherServlet provide any method that will be executed first, before control passes on to the requested annotated controller?
I would agree with Dave. What you are looking for is a filter/interceptor for all the requests at the mapped URL. Traditionally this has been done using a servlet Filter. This is where you put your custom code. For example:
import java.io.IOException;
import javax.servlet.*;

public class FooFilter implements Filter {
    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request,
                         ServletResponse response,
                         FilterChain chain)
            throws IOException, ServletException {
        // My custom check for spam.
        // Without this call the request never reaches DispatcherServlet.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
Once you have implemented your custom code in the Filter, all you need to do is configure it in web.xml.
<filter>
<filter-name>FooFilter</filter-name>
<filter-class>com.foo.servlet.filters.FooFilter</filter-class>
<init-param>
<param-name>test-param</param-name>
<param-value>Test parameter.</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>FooFilter</filter-name>
<url-pattern>/*</url-pattern> <!-- The URL to be filtered. -->
</filter-mapping>
It's the easiest way to configure a filter and intercept your web requests.
When using the Spring framework you would want to use Spring's HandlerInterceptor. A very good post about when to use which can be found here.
Hope this helps.
IMO this kind of functionality would belong in a HandlerInterceptor (ref docs).
Servlet Filters will work, because filters are always executed before any servlet. Filters will be executed before the DispatcherServlet, but interceptors will be executed after the DispatcherServlet and before the actual handler!
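The HandlerInterceptor alternative that the last two answers point to, as an added example that is not from the original answers: it runs after DispatcherServlet has resolved the handler, so unlike a Filter it can see which controller method the request is going to, and returning false from preHandle stops the request there. The honeypot field name, the minimum interval and the session attribute name are assumptions of this example:

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/** Added example: reject obvious form spam before the annotated controller runs. */
public class SpamCheckInterceptor extends HandlerInterceptorAdapter {
    private static final Log log = LogFactory.getLog(SpamCheckInterceptor.class);

    // Hidden form field that real users never fill in (name assumed by this example).
    private static final String HONEYPOT_FIELD = "website";
    // Session attribute holding the time of the last checked POST (name assumed).
    private static final String LAST_POST_ATTR = "spamcheck.lastPost";
    // Two submissions from one session closer together than this are treated as automated.
    private static final long MIN_INTERVAL_MS = 2000;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        if (!"POST".equals(request.getMethod())) {
            return true; // only form submissions are checked
        }
        String reason = spamReason(request);
        if (reason == null) {
            return true; // continue to the controller
        }
        // A Filter cannot tell which controller was targeted; here the handler is known.
        String target = (handler instanceof HandlerMethod)
                ? ((HandlerMethod) handler).getMethod().getName()
                : handler.getClass().getName();
        log.warn("spam rejected before " + target + ": " + reason);
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false; // short-circuits: no controller call, no view rendering
    }

    /** Returns null when the request looks legitimate, otherwise a short reason. */
    static String spamReason(HttpServletRequest request) {
        String honeypot = request.getParameter(HONEYPOT_FIELD);
        if (honeypot != null && !honeypot.isEmpty()) {
            return "honeypot field filled";
        }
        HttpSession session = request.getSession(false);
        if (session != null) {
            long now = System.currentTimeMillis();
            Long last = (Long) session.getAttribute(LAST_POST_ATTR);
            session.setAttribute(LAST_POST_ATTR, now);
            if (last != null && now - last < MIN_INTERVAL_MS) {
                return "resubmitted after " + (now - last) + " ms";
            }
        }
        return null;
    }
}
```

Register it with <mvc:interceptors><bean class="...SpamCheckInterceptor"/></mvc:interceptors> in the DispatcherServlet context, or through addInterceptors() in a WebMvcConfigurerAdapter with Java config. The ordering the last answer describes is the practical difference: the Filter from the first answer runs before DispatcherServlet for every URL it is mapped to, static resources included, while this interceptor runs only for requests DispatcherServlet has mapped to a handler, and its postHandle and afterCompletion hooks run after the controller as well.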
