I am running a Java app with Jetty-Runner on Heroku (let's call it Website A)
Then I have a Web app running on Website B, connecting to A using Cometd.
Comet connection stays open for 30 seconds and then it returns if no data is received from the server.
I have setup CORS parameters on Jetty's web.xml so that B accesses A with no problem.
Now the problem: if the comet's 30 seconds finishes and the server does not return anything, then the browser throws this error:
XMLHttpRequest cannot load [Website A]/cometd.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin '[Website B]' is therefore not allowed access.
I am running the same Java Application using Embedded Jetty on another Website (Website C) with the same CORS settings and everything works fine. In particular, when comet connection returns after 30 seconds, the response has all the headers including the 'Access-Control-Allow-Origin'. But, on Website A, after comet returns, the response do not have the headers.
So, to me, the problem is caused by Jetty-Runner not returning a response after 30 seconds, versus embedded jetty returning the response with correct headers.
My web.xml content:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>[Website B]</param-value>
</init-param>
<init-param>
<param-name>allowedMethods</param-name>
<param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>allowedHeaders</param-name>
<param-value>origin, content-type, cache-control, accept</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>cross-origin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>cometd</servlet-name>
<servlet-class>org.cometd.server.CometdServlet</servlet-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>timeout</param-name>
<param-value>30000</param-value>
</init-param>
<init-param>
<param-name>jsonDebug</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<!--
To use async-supported in a servlet 3.0 compliant container,
uncomment the following tag:
<async-supported>true</async-supported>
and change the web-app tag of this document to:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
-->
</servlet>
<servlet-mapping>
<servlet-name>cometd</servlet-name>
<url-pattern>/cometd/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>admin</servlet-name>
<servlet-class>org.coweb.servlet.AdminServlet</servlet-class>
<load-on-startup>2</load-on-startup>
<init-param>
<param-name>ConfigURI</param-name>
<param-value>/WEB-INF/cowebConfig.json</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>admin</servlet-name>
<url-pattern>/admin/*</url-pattern>
</servlet-mapping>
</web-app>
Any idea how to fix this probem?
If A does not send the Access-Control-Allow-Origin header for B but it does for C, perhaps your CORS configuration is wrong ?
You did not specify how you have configured CORS on A (are you using Jetty's CrossOriginFilter ?).
I see no reason why Jetty Runner (which is just a Jetty embedded that deploys your war) should mess with the CORS configuration of a web application ?
Related
In reference to the below questions asked on StackOverflow, I have included a class
annotated with #Configuration, #EnableResourceServer and #EnableWebSecurity.
The code is building fine but the control is not going in this class which have been annotated the aforementioned way.
Do I need resource server with Spring Security OAuth2?
I checked that Security filters were disabled in my web.xml. Now, I have enabled them. Even though I am not getting the intended result when I hit my request, I think the initial issue is fixed.
That issue got solved but now I am facing another issue:
HTTP Status 500 - Failed to evaluate expression 'ROLE_USER'
root cause: org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'ROLE_USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public?
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>hk-pensions</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:META-INF/spring/*.xml</param-value>
</context-param>
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/dispatcher-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I am trying to experiment a bit with HTTP/2's push feature to get an idea of the benefits that it can bring. I have been trying to setup a Jetty server with a static page (standard html, images and css). The server works now and requests are handled over HTTP/2 as well. However, when I try to enable HTTP/2 push, I do not seem to get it working. I have verified this using both chrome dev-tools and through chrome://net-internals. Both confirm that no objects are being pushed. Below is a copy of how my web.xml file looks:
<?xml version="1.0" encoding="UTF-8"?>
<web-app
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
metadata-complete="true"
version="3.1">
<filter>
<filter-name>PushFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.PushCacheFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>ports</param-name>
<param-value>8443</param-value>
</init-param>
<init-param>
<param-name>associatePeriod</param-name>
<param-value>1500</param-value>
</init-param>
<init-param>
<param-name>maxAssociations</param-name>
<param-value>128</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>PushFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
</web-app>
I am not sure what is wrong here. Someone please help me out.
Thanks.
You hit this bug.
Jetty 9.3.x series work fine, the bug will be fixed in 9.4.1, due in a couple of weeks.
I have a spring MVC rest application that is deployed as a war file to IBM WebSphere application server v 8.5, i want to secure some of the rest api in this application, hence, i used the application web.xml and declare the security role i want, then i enabled the application security from the WAS console, but for some reason my security roles are ignored and i can access all rest API that are supposed to be secured, any help is appreciated.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>LBS_System</web-resource-name>
<url-pattern>/LBS/*</url-pattern>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>defaultWIMFileBasedRealm</realm-name>
</login-config>
<security-role>
<role-name>Administrators</role-name>
</security-role>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<resource-ref>
<res-ref-name>jdbc/MoictDB</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
</resource-ref>
<persistence-unit-ref>
<persistence-unit-ref-name>persistence/MoICTAppUnit</persistence-unit-ref-name>
<persistence-unit-name>MoICTAppUnit</persistence-unit-name>
</persistence-unit-ref>
</web-app>
You should not include your context-root (LBS in your case) in the url-pattern. It is relative to your application context-root. The /* pattern protects all urls, but only in your application, not others. So if you just want to protect for example rest api, it is usually mapped to some sub path e.g. /LBS/rest/something, in that case you would put /rest/* in the pattern.
You should not include context-root in any mappings and url patterns in the web.xml, especially that application might be deployed under different context-root and in that case it would be broken.
I am integrating my Crystal Report code with Spring Framework.
Initially I had developed simple web application with only jsps (without spring feature) and CRystal Reports are rendering properly. I had tested it with parameters and DB connection Also.
Now I am trying to integrate it with Spring framework. I did all necessary set-up.
Reports are rendering properly, with parameters and DB connection. But when I click on subreport link I am getting error.
"The viewer is unable to connect with the CrystalReportViewerServlet
that handles asynchronous requests. Please ensure that the Servlet and
Servlet-Mapping have been properly declared in the application's
web.xml file."
Also, images on reports are not displaying (showing cross).I tried to search on different forums but no luck.
Here is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <display-name>CRWeb1</display-name>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<context-param>
<param-name>crystal_image_uri</param-name>
<param-value>/reports/crystalreportviewers</param-value>
</context-param>
<context-param>
<param-name>crystal_image_use_relative</param-name>
<param-value>reports</param-value>
</context-param>
<servlet>
<description></description>
<display-name>reports</display-name>
<servlet-name>reports</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet- class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>reports</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet>
<display-name>reports</display-name>
<servlet-name>CrystalReportViewerServlet</servlet-name>
<servlet-class>com.crystaldecisions.report.web.viewer.CrystalReportViewerServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CrystalReportViewerServlet</servlet-name>
<url-pattern>/CrystalReportViewerHandler</url-pattern>
</servlet-mapping>
</web-app>
Thanks,
Sarika
I am building an application using Spring Framework 3.1
I am having my controllers mapped with url containing path variables that stands for some id.
But I don't want the user to tamper with the url and change the path variable value manually.
I want to restrict them from doing so.
I have already tried using the ShallowEtagHeaderFilter. But its not working the way it suppose to.
I don't know whether I missed any configuration for the filter or its not working at all.
here is my web.xml where I have configured the dispatcher servlet and filter.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>eTagFilter</filter-name>
<filter-class>com.abc.config.EtagFilter</filter-class>
</filter>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>eTagFilter</filter-name>
<servlet-name>dispatcher</servlet-name>
</filter-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
</web-app>
Please help me with this.
Thanks in advance.
I don't understand how ShallowEtagHeaderFilter fits into this picture, I think you misunderstood its functionality. It's supposed to reduce network traffic by taking pages from the browser cache. That's a totally different scenario from yours.
Basically: if you don't want users to tamper with URLs, you will need to have a way to verify that the URL was created by your application, usually a checksum parameter of some sort with an algorithm that's not easy to guess.
e.g. /site/12/user/12345/aB where aB is calculated based on /site/12/user/12345. Now if the user changes the URL to /site/13/user/12345/aB the checksum is wrong and you can send a 404 or a 400 or whatever error you want to send.
I'd probably implement the checksum check as a Filter and write a utility method that creates URLs with checksum based on plain URLs (possibly you'll need a JSP tag as well)