Google chrome and cache - spring

Merged with Google Chrome cache problem.
all,
I am building a service using Spring 3.0 and I am using Spring Security for authorization/authentication. I have correctly set up the Apache/Tomcat AJP setup to use SSL and send appropriate cache headers for all static resources (1 week), which Firefox seems to interpret correctly (I can tell from Firebug that it doesn't fetch these resources each time). On the other hand, Google Chrome will only fetch the static resources (.css, .js) from cache for the login page. For all the rest of the pages/requests it sends a GET to the server and then the server replies with a 304 Not Modified response. If I disable SSL, caching works normally but only for the same jsessionid that Spring Security uses. I have checked the browser's cache and I actually saw that for plain HTTP, resources are getting cached but are bound to a specific jsessionid, i.e.
http://localhost/myservice/resources/jquery/js/jquery-ui-1.8.9.custom.min.js;jsessionid=3B15E163E138CCE8839306FF5A924D87
I am confused...can anyone help?
Thanks

Related

Fastly CDN Heroku url redirecting

I recently added Fastly domain from addons in heroku application. And when fastly was provisioned I got a test url which is as follows:
https://felix-homes-herokuapp-com.global.ssl.fastly.net/
Whenever I click on this url it gets redirected to
https://felix-homes.herokuapp.com for some unknown reason.
Note my nodejs app uses Heroku-SSL-Redirect. Is it because of this?
I have already followed setup guide and asked multiple issues from the support
https://support.fastly.com/hc/en-us/requests/323620?page=1
And nearest question I find to SO is following
Adding Fastly to a Heroku app does not forward to proper url
Clearing browser cache or changing browser did not help me. Can you please try hitting the Fastly URL on your computer and let me know if you also face the same redirect problem?
Yes, very likely the library (Heroku-SSL-Redirect) is the issue.
In the end, you have two separate requests. An encrypted HTTPS/SSL request from the browser. And then an unencrypted request from Fastly to Heroku.
Your node-application and the library only see the unencrypted request and return the redirect.
There are two ways to solve this:
You configure Fastly to do encrypted requests to Heroku as its backend.
Every routing / proxy layer (Fastly, but also the Heroku routing layer) typically uses the X-Forwarded-Proto HTTP header to tell the backend application that the initial request was already encrypted. So either heroku-ssl-redirect doesn't look at the header, or it got lost somewhere on the way.
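The header check described in the answer above, as an added example that is not part of the original post and is not heroku-ssl-redirect's own code. The function names, the `TRUST_PROXY` switch and the sample requests are assumptions made for illustration:

```javascript
// Added example: hypothetical helper names, constructed sample requests.
// Honor X-Forwarded-Proto only when the app is reachable solely through a
// proxy that sets it; a directly reachable app must ignore it, because any
// client can send the header itself.
const TRUST_PROXY = true;

// Naive check: looks only at the last hop (CDN -> app), which is plain HTTP
// when TLS is terminated in front of the app, so it redirects every request.
function naiveRedirect(req) {
  if (req.socket.encrypted) return null;
  return `https://${req.headers.host}${req.url}`;
}

// Scheme the browser originally used. With several proxies the header can be
// a comma-separated list; the left-most entry describes the client's hop.
function originalScheme(req, trustProxy = TRUST_PROXY) {
  const header = req.headers['x-forwarded-proto'];
  if (trustProxy && typeof header === 'string' && header.trim() !== '') {
    return header.split(',')[0].trim().toLowerCase();
  }
  return req.socket.encrypted ? 'https' : 'http';
}

// Proxy-aware check: redirect only if the browser itself used plain HTTP.
function proxyAwareRedirect(req, trustProxy = TRUST_PROXY) {
  if (originalScheme(req, trustProxy) === 'https') return null;
  return `https://${req.headers.host}${req.url}`;
}

// Constructed requests as the app would see them behind a CDN.
function sample(forwardedProto) {
  const headers = { host: 'app.example.com' };
  if (forwardedProto !== undefined) headers['x-forwarded-proto'] = forwardedProto;
  return { socket: { encrypted: false }, headers, url: '/listings?page=2' };
}

const viaCdnHttps = sample('https');     // browser used HTTPS, header intact
const headerLost = sample(undefined);    // a hop dropped the header
const chained = sample('https, http');   // two proxies appended their view
const browserHttp = sample('http');      // browser really used plain HTTP
```

If the header is lost on the way, as in `headerLost`, even the proxy-aware check keeps redirecting, which matches the second possibility the answer names.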

Jmeter with Caching server

My application is using a CDN, which is a caching server. Now when I use JMeter for recording the functional flow, the browser doesn't load any CSS, JS or image being cached at the CDN server. Removing the CDN is also not a good option because I need to judge performance with the CDN in place. Please guide.
JMeter records only HTTP requests sent by browser, so if you have already visited this page your browser may already have these resources in its own cache therefore it doesn't send actual requests. If you want these requests to be recorded - you should clear your browsing history and especially delete cache. The procedure differs from browser to browser so check your browser documentation for details or check out How do I clear my web browser's cache, cookies, and history? article.
In general you should not be recording these calls, as real browsers download these images, scripts and styles using a concurrent thread pool, i.e. one main request followed by parallel requests to get the resources. The same behavior can be set up in JMeter using the "Advanced" tab of the HTTP Request sampler (or even better HTTP Request Defaults; this way the setting will be applied to all HTTP Request samplers in scope).
I accepted the Security certificate for CDN server through browser only. And problem was solved.

Making requests to ws:// from a website loaded on https

I'm using sipml5 to connect to a SIP phone service and one of the settings is the service WebSocket server URL. The problem is that the server URL is not secured (ex. ws://123.123.123.123:9999/ws) and it cannot be accessed on wss://. Because of that, when loading my site on an HTTPS connection, the browser blocks the request automatically; it doesn't behave like it does when loading, let's say, an image over http, and then shows a warning.
Error is: [blocked] The page at 'X' was loaded over HTTPS, but ran insecure content from 'ws://....': this content should also be loaded over HTTPS.
I need to know if there is a way to make the browser connect to ws:// even though the page initializing the request is loaded over https.
Please help.
EDIT:
What I'm looking for is a flag or something like that, in Chrome or Firefox for example, which lets the user access insecure resources even though the page is loaded on https.
Why are you using http? You can get an SSL certificate from https://letsencrypt.readthedocs.org/en/latest/intro.html
then add the following details to http.conf
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/path-to/cert.pem
tlsprivatekey=/path-to/privkey.pem

too many sessions created by Spring MVC

I'm using Spring MVC, MySql and Tomcat 7.
Currently the application I'm developing can be accessed by 2 URLs namely IP:PORT/APP and www.app.com.
When accessing via www.app.com I see a session being created for every page/link that I open but it doesn't happen when I access via IP:PORT/APP.
I have a check for logged-in user in every page and due to too many sessions that check is failing and I'm being re-directed to my login page even after logging in.
Also, when opening the www.app.com index page I see a jsessionid in the address bar, and not when I open it via IP.
Any help/guidance is appreciated.
It seems that when you are accessing the page via domain name (www.app.com), cookie support is not found and hence the url rewriting is being done (i.e. appending jsessionid at the end of the url). But this is not observed while accessing the same page via IP Address (IP:PORT/APP), meaning cookie support is enabled at this time.
You can check if you have enabled some security settings that are not allowing cookies.
Further to this, it seems that even url rewriting is not helping as sessions are being created for every request.
You can use some HTTP interceptors to analyze the request being sent and the response being received in each case. You can use the Developer Tools in Chrome to inspect this. Load your page in Google Chrome, right-click on the page and click 'Inspect Element'. Open the 'Network' tab. Reload the page. You can now inspect the HTTP request headers sent and response headers received for each request. Analyze the difference between the requests using the IP address and the requests using the domain name.
Also, share the architecture of the application and the environment where you are testing the application.

Deploying web app on HTTPS automatically makes my AJAX calls HTTPS too?

My application will be deployed on HTTPS (currently it is in development and running on HTTP).
Will deploying the web app on HTTPS automatically make my AJAX calls HTTPS as well? I am using relative URLs in the AJAX calls, so I am thinking that when the absolute URL is constructed, HTTPS will be appended automatically.
Please let me know. Thanks for your response.
If you are using relative URLs, then yes.
However, it is really important to test this before running live, as certain browsers (at least IE6) will display a really alarming warning if you try to load resources like images using a non-https connection.
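A pre-deployment check for the point made in the answer above, as an added example that is not part of the original post. It resolves each request URL against the page URL the way a browser does and flags the ones that would stay on an insecure scheme once the page is served over HTTPS; the function name `auditAjaxUrls`, the host names and the URL list are constructed for illustration:

```javascript
// Added example: hypothetical helper, constructed URLs.
// Resolve every URL the front end requests against the page URL and report
// which ones would be mixed content on an HTTPS page.
function auditAjaxUrls(pageUrl, requestUrls) {
  const page = new URL(pageUrl);
  return requestUrls.map((raw) => {
    // Relative and scheme-relative ("//host/path") URLs inherit the page's
    // scheme; absolute URLs keep whatever scheme was hard-coded.
    const resolved = new URL(raw, page);
    const mixedContent =
      page.protocol === 'https:' &&
      (resolved.protocol === 'http:' || resolved.protocol === 'ws:');
    return { raw, resolved: resolved.href, mixedContent };
  });
}

// Constructed list of URLs as they might appear in AJAX calls.
const ajaxUrls = [
  'api/items',                        // relative to the current path
  '/api/items?id=3',                  // relative to the origin
  '//static.example.com/lib.js',      // scheme-relative
  'http://app.example.com/api/items', // hard-coded scheme
  'ws://app.example.com/socket',      // insecure WebSocket
];

const onHttps = auditAjaxUrls('https://app.example.com/account/index.html', ajaxUrls);
const onHttp = auditAjaxUrls('http://app.example.com/account/index.html', ajaxUrls);

// URLs that need changing before the HTTPS deployment.
function flagged(results) {
  return results.filter((r) => r.mixedContent).map((r) => r.raw);
}
```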
