How to hide DWR class index? - dwr

DWR publishes some index of classes under [context root]/dwr/. The index contains links to more details about the services. This seems like information leakage to me and I would like to hide/unpublish these pages so they are not accessible.
How can I configure DWR to hide this class index?

Found a great pentesting blog that talks about it here: http://gerionsecurity.com/2012/09/experiences-in-pentesting-dwr/
Essentially you disable debugging in web.xml when you configure the servlet.
<servlet>
<servlet-name>dwr-invoker</servlet-name>
<servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
</servlet>
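A way to check a deployment descriptor for the setting described in the answer above, as an added example that is not part of the original answer. The function name audit_dwr_debug and the sample web.xml are constructed for illustration; the check reports each DwrServlet with its debug state (enabled, disabled or unset) and the URL patterns it is mapped to.

```python
import xml.etree.ElementTree as ET

DWR_SERVLET = "org.directwebremoting.servlet.DwrServlet"

# Constructed sample descriptor (not from the page): namespaced, debug left on.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value> TRUE </param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>dwr-invoker</servlet-name><url-pattern>/dwr/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    # ElementTree reports namespaced tags as '{uri}name'; keep only 'name'.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_dwr_debug(web_xml):
    """Return one finding per DwrServlet: name, debug state, mapped URL patterns."""
    root = ET.fromstring(web_xml)
    mappings = {}
    for m in root.iter():
        if _local(m.tag) == "servlet-mapping":
            name = _child_text(m, "servlet-name")
            patterns = [(c.text or "").strip() for c in m if _local(c.tag) == "url-pattern"]
            mappings.setdefault(name, []).extend(patterns)
    findings = []
    for s in root.iter():
        if _local(s.tag) != "servlet" or _child_text(s, "servlet-class") != DWR_SERVLET:
            continue
        state = "unset"  # no explicit debug init-param found
        for p in s:
            if _local(p.tag) == "init-param" and _child_text(p, "param-name") == "debug":
                value = _child_text(p, "param-value") or ""
                state = "enabled" if value.lower() == "true" else "disabled"
        name = _child_text(s, "servlet-name")
        findings.append({"servlet": name, "debug": state, "urls": mappings.get(name, [])})
    return findings
```

Treating the value case-insensitively and trimming whitespace is a conservative choice made here, so that a stray " TRUE " is still flagged.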

Related

Difference between "dispatcherServlet" and "appServlet" in spring MVC

Difference between "dispatcherServlet" and "appServlet" in spring MVC. Can I get any samples or references?
Technically both are HttpServlet implementations to handle incoming requests. DispatcherServlet is a Spring-provided servlet implementation having all essential features like exception handling.
You just have to write your request mappers; it will handle all requests.
AppServlet is nothing different, just your implementation for specific handling of requests.
Both will work in the same way. If you don't have any specific handling then you can just go with Spring DispatcherServlet.
For example:
<servlet>
<servlet-name>DispatcherServlet</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Custom Servlet -->
<servlet>
<servlet-name>CustomServlet</servlet-name>
<servlet-class>org.abc.CustomServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>any-other-Parameter</param-name>
<param-value>false</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>DispatcherServlet</servlet-name>
<url-pattern>*.do</url-pattern>
<url-pattern>/myapp/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>CustomServlet</servlet-name>
<url-pattern>/myapp2/*</url-pattern>
</servlet-mapping>
For reference of DispatcherServlet you can see http://www.mkyong.com/spring-mvc/spring-mvc-hello-world-example/
To understand this, you can have a look at the configuration below:
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
In the above configuration, DispatcherServlet is the servlet class provided by the Spring framework.
The job of the DispatcherServlet is to take an incoming URI and find the
right combination of handlers (generally methods on Controller classes)
and views (generally JSPs) that combine to form the page or resource
that's supposed to be found at that location.
appServlet, by contrast, is the custom name given by you in your web.xml file.

How to make Spring MVC and plain JSP live together in one application

Say I have a Spring MVC application with JPA as backend. Now here we want to provide simple UI to user to perform simple configuration to some properties file. It would make sense to make it separate from the main Spring application because some configuration is related to Spring MVC so it will fail when start the main application by the main UI through Spring MVC.
But how to register both servlets (Spring and plain JSP) in the same web application?
<!-- Handles Spring requests -->
<servlet>
<servlet-name>SpringApplication</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/mvc-config.xml</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SpringApplication</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>PlainJSPApplication</servlet-name> <!--Is it ok to separate request to different servlet like this?-->
<servlet-class>com.app.plainJSP</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>PlainJSPApplication</servlet-name>
<url-pattern>/config</url-pattern> <!--How to handle mapping so not conflict to Spring main application-->
</servlet-mapping>
I think it is common to register another servlet class in the SAME web.xml, is it OK? And also how to handle that request URL pattern, as "/" has been assigned to the Spring servlet?
Any advice would be appreciated.
You can separate Spring managed controllers and your own servlet by mapping both with different url patterns.
The requests for Spring controllers are managed by DispatcherServlet. Basically, it is just a Servlet that, when you map urls to it, it will automatically be seen by Spring, thus mapping it to the right controller, views etc.
web.xml
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>PlainJSPApplication</servlet-name> <!--Is it ok to separate request to different servlet like this?-->
<servlet-class>com.app.plainJSP</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>PlainJSPApplication</servlet-name>
<url-pattern>*.htm</url-pattern>
<url-pattern>*.html</url-pattern>
<url-pattern>*.bmk</url-pattern>
<!-- other url pattern ... -->
<!-- other url pattern ... -->
<!-- other url pattern ... -->
</servlet-mapping>
Here, all the requests ending with .do will be seen by Spring. Others will then be seen by your servlets.
So, as long as you don't harm this mapping, Spring MVC & your normal servlets will integrate gracefully.

Spring MVC: favicon

I am using Spring MVC with such definition:
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
But the problem is that Spring is always trying to find /favicon.ico by default and as a result I can't render any page. How can I disable such behaviour?
Thank you
If you are using Spring Security, then make sure you have omitted the favicon request (and any other static resources) from the security filter chain.
It has nothing to do with spring mvc but that is the default behaviour of the browser you are using. Also that should not break anything at all and your app should work as normal even if it does not have an ico. (Unless you specifically coded to make it fail in case of missing ico)

Spring-jersey how to expose services under more than one context

I use spring-jersey to expose rest services. My web.xml looks as follows:
<servlet>
<servlet-name>Jersey REST Service</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Jersey REST Service</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
Let's say standard.
I have a lot of rest services in many packages and I need to group them in two contexts, let's say "base" and "advanced" services. Moreover I need to get rid of the "rest" prefix in url-pattern. So I thought about grouping them into two packages and then in web.xml defining two jersey servlets with the com.sun.jersey.config.property.packages init param:
<servlet>
<servlet-name>Jersey REST Service</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.example.app.rest.base</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Jersey REST Service</servlet-name>
<url-pattern>/base/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Another Jersey REST Service</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.example.app.rest.advanced</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Another Jersey REST Service</servlet-name>
<url-pattern>/advanced/*</url-pattern>
</servlet-mapping>
Unfortunately due to component scan set in applicationContext.xml
<context:component-scan base-package="com.example.app" />
property com.sun.jersey.config.property.packages is ignored (all rest services can be accessed under each context) and it cannot be handled like that.
I am wondering how can I deal with that in other way. The only thing which I don't want to do is to set
<url-pattern>/*</url-pattern>
that catches everything.
You can specify multiple packages. Just separate them by a comma.
<context:component-scan base-package="com.example.app,com.sun.jersey" />
You can also define two component-scan items and they should work just as well, too.
If the package differentiation won't help, use a filter.
<context:component-scan base-package="org.example">
<context:include-filter type="regex" expression=".*Repository"/>
</context:component-scan>
And then, just make a separate applicationContext for each service but use an init-param of contextConfigLocation and init-value of the location/name of that app context. So, if you make a specific app context to load for each service, the component scan filtering will load everything you need for one service and exclude the other one.
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>WEB-INF/rest-service1.xml</param-value>
</init-param>
Actually, if you make a separate xml file for each, you can just go back to using the different package at that point, I believe.

Multiple config files for Spring Security

I'm quite new to all things Spring, and right now I'm developing an application that uses Spring, Spring MVC and Spring Security.
My problem is that I'm using two dispatcher Servlets, one for /csm/*.html and another one for *.html and I'd like to have one Spring Security configuration file per servlet.
Is this possible at all? If so, could you point me to an example?
This answer relates to springframework 2.5.6, it might have changed in later versions.
Use the pattern /WEB-INF/[servlet-name]-servlet.xml or specify it in the web.xml like this:
<servlet>
<servlet-name>handler</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<!-- override default name {servlet-name}-servlet.xml -->
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-myconfig.xml</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
If you do not set the contextConfigLocation it defaults to handler-servlet.xml (at least in this example).
Application-wide stuff belongs in /WEB-INF/applicationContext.xml.
But you also can change the default and even add multiple files:
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/spring-dao-hibernate.xml,
WEB-INF/spring-services.xml,
WEB-INF/spring-security.xml
</param-value>
</context-param>
You can find a more specific answer on the Spring website; the documentation is quite good.
