Forcing HttpOnly JSESSIONID in deployed OC4J/Oracle Application Server

We have a legacy application running on Oracle Application Server J2EE 10g 10.1.3.5.0 using OC4J containers. To clear a Veracode dynamic scan flaw CWE ID-402 (and for best practice) we need to set the HttpOnly flag on our JSESSIONID cookies. We found, albeit scant, documentation for a system property:
-Dhttp.response.httponly=true
That supposedly supports this. (Some details on all supported properties here, although you may want to run it through a translator: https://volbers.wordpress.com/2011/06/24/secrets-of-the-oc4j/)
What we found, however, is that while this property works in a stand-alone OC4J instance (e.g., running in Eclipse), it does not work when deployed under OAS/OPMN. We even tried using reflection to look up the Evermind OC4JProperty for HTTP_RESPONSE_HTTPONLY and were able to set it to true programmatically. However, the same behavior ensued: something is ignoring that property when running in the deployed container.
Does anyone know how to make this work in a deployed environment?
Just for context, here is OC4J's own description of this property:
% java -jar /oas/j2ee/home/oc4j.jar -describeProperty http.response.httponly
Property name: http.response.httponly
Description: Used to prevent cross-site scripting attack
Default value: false
Primitive type: Boolean
Deprecated: false
Log value change: false
Is static: false

Try adding the following to your orion-web.xml
<session-tracking cookie-path="/pathtoyourapp; HttpOnly"/>
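Whichever route gets the flag in place (the system property or the orion-web.xml cookie-path workaround), the result is best verified from outside the container, because that is exactly what the dynamic scanner looks at. The following is an added example, not code from the question, the answer or Oracle: a small Python checker that parses raw Set-Cookie header values and reports whether JSESSIONID carries HttpOnly. It goes slightly beyond the question by also reporting the Secure attribute, which the same class of scan finding usually covers and which the cookie-path trick does not add on its own. The sample header values are constructed; the script name in the usage line is hypothetical.

```python
"""Verify that a server's session cookie carries the HttpOnly (and Secure) attribute.

Added example for this page, not part of the original question, answer or OC4J.
It parses Set-Cookie header values the way a scanner sees them, so a fix applied
inside the container can be confirmed from outside. Sample headers are constructed.
"""
import sys
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Cookie names treated as session cookies; JSESSIONID is the Java servlet default.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


@dataclass
class CookieReport:
    name: str
    path: str
    httponly: bool
    secure: bool
    attributes: Dict[str, str] = field(default_factory=dict)

    def missing_flags(self) -> List[str]:
        """Flags a session cookie should carry but this one does not."""
        missing = []
        if not self.httponly:
            missing.append("HttpOnly")
        if not self.secure:
            missing.append("Secure")
        return missing


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value.

    Attribute names are matched case-insensitively, as browsers do (RFC 6265),
    and bare flags such as HttpOnly and Secure carry no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieReport(
        name=name.strip(),
        path=attrs.get("path", "/"),
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        attributes=attrs,
    )


def audit_set_cookie_headers(header_values: Iterable[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every session cookie found."""
    findings: Dict[str, List[str]] = {}
    for value in header_values:
        report = parse_set_cookie(value)
        if report.name in SESSION_COOKIE_NAMES:
            findings[report.name] = report.missing_flags()
    return findings


def fetch_set_cookie_headers(url: str, timeout: float = 10.0) -> List[str]:
    """Fetch one response from a server you operate and return its Set-Cookie values."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed samples modelling the two deployments described in the question.
DEPLOYED_OAS = ["JSESSIONID=0a1b2c3d4e5f; Path=/pathtoyourapp"]
# What the container emits once HttpOnly is in place, e.g. via the orion-web.xml
# cookie-path="/pathtoyourapp; HttpOnly" workaround: the flag is spliced in after Path.
WITH_HTTPONLY_FIX = ["JSESSIONID=0a1b2c3d4e5f; Path=/pathtoyourapp; HttpOnly"]


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_cookie_flags.py https://host/pathtoyourapp/
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else DEPLOYED_OAS
    for cookie, missing in audit_set_cookie_headers(headers).items():
        print(f"{cookie}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

Run without arguments it audits the constructed samples; given a URL of a server you administer it audits the live response. Note that the cookie-path workaround still leaves Secure unset, so an HTTPS deployment will continue to show that finding until it is addressed separately.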

Related

Electron: difference between process.defaultApp and app.isPackaged

What is the difference between the Electron flags process.defaultApp and app.isPackaged? Both are used to distinguish dev and production environments. My observation is that Boolean(process.defaultApp) == !app.isPackaged always. Are there any cases when both are true or both are false?
From doc and code:
process.defaultApp
A Boolean. When app is started by being passed as parameter to the default app, this property is true in the main process, otherwise it is undefined.
app.isPackaged
A Boolean property that returns true if the app is packaged, false otherwise. For many apps, this property can be used to distinguish development and production environments.
From the code - app.isPackaged is set when exec file is not electron or electron.exe.
Note: I know a minor difference is that process.defaultApp may be used in the main process only.
Both can yield the same result, but some extra care has to be taken for the process.defaultApp property:
handle the case where it is undefined (by using the ! operator for instance)
make use of remote.process instead of process in a renderer process
Main process
var isPackaged = !process.defaultApp;
is equivalent to:
var isPackaged = require('electron').app.isPackaged;
Renderer process
var isPackaged = !require('electron').remote.process.defaultApp;
is equivalent to:
var isPackaged = require('electron').remote.app.isPackaged;
Edit:
Some extra information, although not 100% crystal clear, about why the app.isPackaged property had to be added can be found in the related pull request's conversation: add app.isPackaged #12656

Vaadin 11 - how to set productionMode in application.yml

I have been trying many solutions:
app.vaadin.productionMode: "true"
app.vaadin.productionMode: true
vaadin.servlet.productionMode: true
But nothing is working, I always get this msg in console:
===========================================================
Vaadin is running in DEBUG MODE.
Add productionMode=true to web.xml to disable debug features.
===========================================================
What is the good way of going production mode with spring boot (in a yml file)?
This is the correct property name, which enables production mode on Vaadin 10 (and 11):
vaadin.productionMode: true

configuration maxSemaphores for zuul server

I am trying to do a load test for Zuul version 1.1.2.
However, I keep getting the following issue after a few minutes of running the load test.
Caused by: com.netflix.hystrix.exception.HystrixRuntimeException: book could not acquire a semaphore for execution and no fallback available.
at com.netflix.hystrix.AbstractCommand$21.call(AbstractCommand.java:783) ~[hystrix-core-1.5.3.jar:1.5.3]
My question is how I can increase maxSemaphores via configuration.
hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds= 20000000
zuul.hystrix.command.default.execution.isolation.strategy= SEMAPHORE
zuul.hystrix.command.default.execution.isolation.semaphore.maxConcurrentRequests= 10
zuul.hystrix.command.default.fallback.isolation.semaphore.maxConcurrentRequests= 10
zuul.semaphore.maxSemaphores=3000
zuul.eureka.book.semaphore.maxSemaphore=30000
I have tried searching many options on the Internet but none of those works for me.
Please advise.
It turns out I am using an old version. For later versions we can set semaphores at the Zuul level. Below is an example that sets maxSemaphores to 3000 as the default for routing to every proxied service:
zuul.semaphore.maxSemaphores=3000
The actual property is max-semaphores (this would be with YAML config):
zuul:
  semaphore:
    # com.netflix.hystrix.exception.HystrixRuntimeException: "microservice" could not acquire a semaphore for execution and no fallback available.
    max-semaphores: 2000

Closing a "local" OrientDB when using connection pools

So I basically do this.
OObjectDatabaseTx result = OObjectDatabasePool.global().acquire( "local:orientdb", "admin", "admin");
// do stuff
result.close();
The problem is that when I redeploy my webapp (without restarting the Java EE container) I get the following error:
com.orientechnologies.orient.core.exception.OStorageException: Cannot open local storage 'orientdb' with mode=rw
which I interpret to mean "Tomcat still has a filelock from the last app".
So my question is how do I cleanly exit in this scenario? I've tried:
OObjectDatabasePool.global().close()
and
new OObjectDatabaseTx("local:orientdb").close()
but neither seem to work. Any ideas? The documentation isn't exactly clear on this issue.
Set the property "storage.keepOpen" to false:
java ... -Dstorage.keepOpen=false ...
or via Java code:
OGlobalConfiguration.STORAGE_KEEP_OPEN.setValue( false );

Altering the timeout setting of an Axis 1.4 generated SOAP Java client

I have a problem with changing the standard options used by an Axis 1.4 generated web service client code.
We consume a certain web service of a partner who is using the old RPC/Encoded style, which basically means we're not able to go for Axis 2 but are limited to Axis 1.4.
The service client is retrieving data from the remote server through our proxy which actually runs quite nicely.
Our application is deployed as a servlet. The retrieved response of the foreign web service is inserted into a (XML) document we provide to our internal systems/CMS.
But if the external service is not responding - which hasn't happened yet but might happen at any time - we want to degrade nicely and return our produced XML document without the calculated web service information within a reasonable time.
The data retrieved is optional (if this specific calculation is missing it isn't a big issue at all).
So I tried to change the timeout settings. I did apply/use all methods and keys I could find in the documentation of axis to alter the connection and socket timeouts by searching the web.
None of these seems to influence the connection timeouts.
Can anyone give me advice how to alter the settings for an axis stub/service/port based on version 1.4?
Here's an example for the several configurations I tried:
MyService service = new MyServiceLocator();
MyServicePort port = null;
try {
    port = service.getMyServicePort();
    // Per-stub properties, set through the JAX-RPC Stub interface
    javax.xml.rpc.Stub stub = (javax.xml.rpc.Stub) port;
    stub._setProperty("axis.connection.timeout", 10);
    stub._setProperty(org.apache.axis.client.Call.CONNECTION_TIMEOUT_PROPERTY, 10);
    stub._setProperty(org.apache.axis.components.net.DefaultCommonsHTTPClientProperties.CONNECTION_DEFAULT_CONNECTION_TIMEOUT_KEY, 10);
    stub._setProperty(org.apache.axis.components.net.DefaultCommonsHTTPClientProperties.CONNECTION_DEFAULT_SO_TIMEOUT_KEY, 10);
    // Global Axis properties, set before re-creating the locator and port
    AxisProperties.setProperty("axis.connection.timeout", "10");
    AxisProperties.setProperty(org.apache.axis.client.Call.CONNECTION_TIMEOUT_PROPERTY, "10");
    AxisProperties.setProperty(org.apache.axis.components.net.DefaultCommonsHTTPClientProperties.CONNECTION_DEFAULT_CONNECTION_TIMEOUT_KEY, "10");
    AxisProperties.setProperty(org.apache.axis.components.net.DefaultCommonsHTTPClientProperties.CONNECTION_DEFAULT_SO_TIMEOUT_KEY, "10");
    logger.error(AxisProperties.getProperties());
    // Re-create the service and port so the global properties apply to them
    service = new MyServiceLocator();
    port = service.getMyServicePort();
} catch (javax.xml.rpc.ServiceException e) {
    // getMyServicePort() is declared to throw ServiceException
    logger.error("Could not obtain the service port", e);
}
I assigned the property changes before the generation of the service and after, I set the properties during initialisation, I tried several other timeout keys I found, ...
I think I'm going mad over this and am starting to forget what I have already tried!
What am I doing wrong? I mean there must be an option, mustn't it?
If I don't find a proper solution I thought about setting up a synchronized thread with a timeout within our code which actually feels quite awkward and somehow silly.
Can you imagine anything else?
Thanks in advance
Jens
I think it may be a bug, as indicated here:
https://issues.apache.org/jira/browse/AXIS-2493?jql=text%20~%20%22CONNECTION_DEFAULT_CONNECTION_TIMEOUT_KEY%22
Typecast the service port object to org.apache.axis.client.Stub,
i.e.:
org.apache.axis.client.Stub stub = (org.apache.axis.client.Stub) port;
Then set all the properties:
stub._setProperty(org.apache.axis.client.Call.CONNECTION_TIMEOUT_PROPERTY, 10);
stub._setProperty(org.apache.axis.components.net.DefaultCommonsHTTPClientProperties.CONNECTION_DEFAULT_CONNECTION_TIMEOUT_KEY, 10);
stub._setProperty(org.apache.axis.components.net.DefaultCommonsHTTPClientProperties.CONNECTION_DEFAULT_SO_TIMEOUT_KEY, 10);