Spring HiddenHttpMethodFilter and blocking HTTP methods - spring

I am only allowing GET and POST methods in my Spring 3.2 application.
Though I use Spring's HiddenHttpMethodFilter, which uses the _method parameter to support various PUT and DELETE controller request mappings.
But security is saying that our servers allow various insecure methods like OPTIONS, TRACE and others, since they can see the Allow header in the response when they manipulate the _method value.
Is it really a security threat?
And is it possible to use _method for only PUT and DELETE?

In Spring MVC, by default the OPTIONS and TRACE methods are not dispatched to controllers, even if you configure controllers to handle those methods. So by default Spring MVC prevents those methods from being used, even though the Accept header shows them as available.
These defaults can be changed in the following way if needed:
<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/your-mvc-dispatcher-servlet.xml</param-value>
    </init-param>
    <init-param>
        <param-name>dispatchOptionsRequest</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>dispatchTraceRequest</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
If needed the contents of the Accept header can be customized like this:
@RequestMapping(value = "/someurl", method = RequestMethod.GET)
public ResponseEntity<Void> tryOptions(HttpSession session) throws Exception {
    // ... controller logic ...
    HttpHeaders headers = new HttpHeaders();
    headers.set("Allow", "POST, GET");
    // SOME_STATUS_CODE stands for whichever HttpStatus you want to return
    return new ResponseEntity<Void>(headers, HttpStatus.SOME_STATUS_CODE);
}
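The answer above does not cover the second question, restricting _method to PUT and DELETE. The filter below is an added example, not code from the question, the answer or Spring itself; the class name, package and the hard-coded allow-list are this example's own choices. It does what HiddenHttpMethodFilter does, but only for the two allow-listed verbs, so a POST carrying _method=TRACE or _method=OPTIONS is dispatched as an ordinary POST and no extra method is exposed.

```java
// Added example (not from the question, the answer or Spring): a replacement for
// HiddenHttpMethodFilter that honours the _method override only for PUT and DELETE.
// Any other value (OPTIONS, TRACE, ...) is ignored and the request stays a POST.
// Package, class name and allow-list are this example's own assumptions.
package org.example.web;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

public class RestrictedHiddenHttpMethodFilter extends OncePerRequestFilter {

    private static final String METHOD_PARAM = "_method";
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("PUT", "DELETE")));

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String override = request.getParameter(METHOD_PARAM);
        // Only a real POST may be re-labelled, and only to an allow-listed verb.
        if ("POST".equals(request.getMethod()) && override != null
                && ALLOWED.contains(override.trim().toUpperCase(Locale.ENGLISH))) {
            final String method = override.trim().toUpperCase(Locale.ENGLISH);
            chain.doFilter(new HttpServletRequestWrapper(request) {
                @Override
                public String getMethod() {
                    return method; // controllers see PUT or DELETE
                }
            }, response);
        } else {
            // _method absent or not allowed: forward untouched, still a POST
            chain.doFilter(request, response);
        }
    }
}
```

Register it in web.xml in place of HiddenHttpMethodFilter, mapped to the DispatcherServlet, so that it runs before the request reaches any controller.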

Related

Unable to Connect servlet methods in wicket through objectstream.

I want to connect a servlet using URLConnection in a Wicket-Spring integration, but when I try to hit the URL it's redirecting to the web application page. So can anyone tell me how to connect servlet methods by using filters or any other way, so that I can directly hit the doPost or doGet methods?
The question is not very clear, so I'll try to guess. I suppose that you have a Wicket filter that intercepts and handles all the requests. Also you have some servlet, and you want requests to that servlet to not be intercepted by Wicket filter.
If this is what you want, here is what you can do to achieve this.
Let's say you have Wicket filter mapped to / and the servlet mapped to /my-service. Then you could tell Wicket filter to ignore requests to /my-service url:
<filter>
    <filter-name>wicket.filter</filter-name>
    <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
    <init-param>
        <param-name>applicationClassName</param-name>
        <param-value>... some application class name ...</param-value>
    </init-param>
    <init-param>
        <param-name>ignorePaths</param-name>
        <param-value>/my-service</param-value>
    </init-param>
</filter>
If you want several paths to be ignored, you can separate them with commas like this:
<init-param>
    <param-name>ignorePaths</param-name>
    <param-value>/my-service,/my-other-service</param-value>
</init-param>
With this configuration, Wicket will ignore any requests under /my-service (that is, /my-service, /my-service/blabla and so on) and any request under /my-other-service.

How to Log HttpRequest and HttpResponse in a file?

Can anyone explain any techniques to log HttpRequest and HttpResponse in a file?
We are using Spring MVC/Spring Rest.
What we want is to intercept the request before it is processed and log it.
Same way intercept the response before it is sent and log it.
Thanks a lot in advance.
For logging the request, Spring has the AbstractRequestLoggingFilter class (well, actually one of its subclasses). This can be used to log the incoming request (before and after processing).
Depending on the configuration this can include the payload, client information and full URL (including request parameters). All three are disabled by default but can be enabled through configuration (see the javadoc for more information).
<filter>
    <filter-name>requestLoggingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CommonsRequestLoggingFilter</filter-class>
    <init-param>
        <param-name>includeClientInfo</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>includePayload</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>includeQueryString</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>requestLoggingFilter</filter-name>
    <servlet-name>dispatcherServlet</servlet-name>
</filter-mapping>
The filter will now log everything using a Commons Logging logger to a logfile.
The accepted answer is already correct; I'm adding the annotation-based configuration. Add the following bean to your config.
@Bean
public CommonsRequestLoggingFilter requestLoggingFilter() {
    CommonsRequestLoggingFilter loggingFilter = new CommonsRequestLoggingFilter();
    loggingFilter.setIncludeClientInfo(true);
    loggingFilter.setIncludeQueryString(true);
    loggingFilter.setIncludePayload(true);
    return loggingFilter;
}

Using Jetty's proxy in standalone Jetty application

I'm investigating using Jetty 9 as a proxy, using standalone Jetty, not embedded Jetty. I've looked for help in many places:
Most of these are related to embedded Jetty:
How to create Proxy Server using jetty8?
Jetty ProxyServlet with SSL support
This question is along the same lines:
Can stand-alone Jetty be used as a reverse proxy (without Apache mod-proxy)
...but the only answer is a link to a page that covers some parameters for the proxy, but no examples or other helpful hints.
On to the question...
I've created an extension to Jetty's ProxyServlet, which overrides the rewriteURI() method to actually change the request to a different URL. This custom proxy works when running Jetty embedded, but when I use a web.xml file and the jetty-maven-plugin to create a war to deploy, it no longer works.
When I make a request, I can debug the application and see that it gets into the rewriteURI() method, it then calls Jetty's ProxyServlet's service() method, which runs to completion, but then nothing happens. The page remains blank, and eventually ProxyServlet's onResponseFailure() is called with a TimeoutException, "Total timeout elapsed". Dev tools shows the request receiving a 504 Gateway Timeout.
It seems as though something is missing in how things are connected, but I can't tell what it might be. Any help would be greatly appreciated. I've included web.xml and the custom proxy (ProxyServletExtension) below.
web.xml
<servlet>
    <servlet-name>proxy</servlet-name>
    <servlet-class>org.example.ProxyServletExtension</servlet-class>
    <init-param>
        <param-name>maxThreads</param-name>
        <param-value>1</param-value>
    </init-param>
    <async-supported>true</async-supported>
</servlet>
<servlet-mapping>
    <servlet-name>proxy</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
ProxyServletExtension.java
package org.example;

import java.net.URI;

import javax.servlet.http.HttpServletRequest;

import org.eclipse.jetty.proxy.ProxyServlet;

public class ProxyServletExtension extends ProxyServlet {
    @Override
    protected URI rewriteURI(HttpServletRequest request) {
        // Forward all requests to another port on this machine
        String uri = "http://localhost:8060";
        // Take the current path and append it to the new url
        String path = request.getRequestURI();
        uri += path;
        // Add query params
        String query = request.getQueryString();
        if (query != null && query.length() > 0) {
            uri += "?" + query;
        }
        return URI.create(uri).normalize();
    }
}
I found the hints I needed to solve this with jetty transparent proxy always returns 403 forbidden. The question didn't exactly pertain to my question, but the code snippet provided showed me what I needed in the <servlet> in web.xml.
Updated web.xml
<servlet>
    <servlet-name>proxy</servlet-name>
    <servlet-class>org.example.ProxyServletExtension$Transparent</servlet-class>
    <init-param>
        <param-name>maxThreads</param-name>
        <param-value>1</param-value>
    </init-param>
    <init-param>
        <param-name>proxyTo</param-name>
        <param-value>http://localhost:8060</param-value>
    </init-param>
    <async-supported>true</async-supported>
</servlet>
<servlet-mapping>
    <servlet-name>proxy</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
Required changes
Set the <servlet-class> to ProxyServletExtension$Transparent; previously I wasn't using a transparent proxy.
Use an <init-param> of proxyTo using the address you would like to proxy the requests to. This also means that the ProxyServletExtension.java class above (in the question) is completely unnecessary.
Also, it is worth mentioning that there is a prefix <init-param> as well, which can be used to remove part of the incoming request before proxying to the proxied request.

Spring WS : Start Endpoint at startup

I'm using Spring WS to create a web service, following the link here:
http://briansjavablog.blogspot.com/2013/01/spring-web-services-tutorial.html
And dynamic WSDL, following the settings here in web.xml:
<servlet>
    <servlet-name>webservices</servlet-name>
    <servlet-class>org.springframework.ws.transport.http.MessageDispatcherServlet</servlet-class>
    <init-param>
        <param-name>transformWsdlLocations</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value></param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
</servlet>
I would like to ask: is it possible to create the Endpoint bean at startup time rather than waiting for a client to call the endpoint URL?
Even if I set the annotation @Lazy(false), the Endpoint bean will be initialised only when a client calls the web service address, which I believe is the normal behaviour. I'll use a workaround by putting a "curl" script that calls the URL on deployment, to make sure that every bean is initialised before any request is made.

How to get a trivial case of Spring MVC view (JSP) resolving to work?

My app uses Spring MVC (latest; 3.2.2) to create a RESTful API returning JSON, and so far I haven't needed a view layer at all. But now, besides the API, I need a simple utility page (plain dynamic HTML) and wanted to use JSP for that.
I want requests to http://localhost:8080/foo/<id> to go through a controller (Java) and end up in a JSP. Should be simple, right? But I'm getting 404; something is not right in resolving the view.
HTTP ERROR 404
Problem accessing /jsp/foo.jsp. Reason:
Not Found
Controller:
@RequestMapping(value = "/foo/{id}")
public String testing(@PathVariable String id, ModelMap model) {
    model.addAttribute("id", id);
    return "foo";
}
Defining controllers and mapping requests works; this method gets called just fine.
Spring config:
<mvc:annotation-driven/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"
      p:prefix="/jsp/" p:suffix=".jsp"/>
The problem is probably here. I've experimented with slightly different prefixes and putting the JSPs under WEB-INF, as well as stuff like <mvc:view-controller path="/*" /> but no luck yet.
(Do I even need to specify InternalResourceViewResolver, or should default view resolvers take care of this?)
JSP files. Under src/main/webapp/jsp (the project uses Maven conventions) I obviously have the JSPs.
Is there something wrong with this location?
web.xml:
<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
I have browsed through Spring MVC documentation, but my problem is probably too trivial and obvious to easily find help there. :-P
Can anyone enlighten me on what I'm doing wrong?
I think what you need to do is change
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
to
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
/* won't match if there is another folder in the path, like /jsp/foo.jsp. On the other hand / will match everything.