Is there any way to restrict access by configuring in WildFly? - wildfly-8

Is there any way to restrict access by configuring in WildFly? I would like to know whether we can add a list of IPs that can only access the server. Is there any way to blacklist IPs at the server level?
I am checking a feature like this: http://boseca.blogspot.in/2010/12/programmatically-addremove-ip-security.html

You can also implement the IP filter at the JBoss level by adding a filter-ref and expression filter as shown below:
<subsystem xmlns="urn:jboss:domain:undertow:3.0" statistics-enabled="true" instance-id="instanceid">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" max-connections="1200" write-timeout="600000" read-timeout="30000" allow-equals-in-cookie-value="true" record-request-start-time="true" socket-binding="ajp"/>
        <http-listener name="default" allow-equals-in-cookie-value="true" socket-binding="http"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <access-log suffix=".log" prefix="access" pattern="%a %h %{i,sm_user} %u %t %r %s %b %T"/>
            <filter-ref name="limit-connections"/>
            <filter-ref name="ipaccess"/>
            <single-sign-on/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <request-limit name="limit-connections" queue-size="100" max-concurrent-requests="1200"/>
        <expression-filter module="io.undertow.core" name="ipaccess" expression="ip-access-control[default-allow=false, acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]"/>
    </filters>
</subsystem>

If you're using Wildfly 8.2 (which contains Undertow 1.1.0), then you can configure IP access control via the undertow-handlers.conf file, which you put in a war's WEB-INF or a jar's META-INF folder.
You can do something like:
ip-access-control[default-allow=false, acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]
This can also be combined with predicates:
path-prefix[/internal] -> ip-access-control[acl={ '10.0.0.0/24 allow'}]
Source.
Alternatively (or if you use an earlier Wildfly version than 8.2) you can create a ServletExtension. Create a file META-INF\services\io.undertow.servlet.ServletExtension; in it there should be the fully qualified name of your extension. The extension must implement the io.undertow.servlet.ServletExtension interface. This extension may then create an io.undertow.server.handlers.IPAddressAccessControlHandler programmatically, configure it, and add it to the deployment's initial handler chain.
The above talked about adding a handler at the deployment level. To add a custom handler at the server level you need at least Wildfly 8.2. In the undertow subsystem in standalone.xml (or whatever config you use) you can add a handler (filter) like this (irrelevant configuration omitted):
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <filter-ref name="custom-filter" />
        </host>
    </server>
    <filters>
        <filter name="custom-filter" module="io.undertow.core"
                class-name="io.undertow.server.handlers.HttpTraceHandler" />
    </filters>
</subsystem>
Source. The handler must be in your static server module, not in a deployment. Inherit the IPAddressAccessControlHandler, configure it in your constructor or override its methods as you need, and point the config to your custom handler.
According to WFLY-4048 text based handler configuration at the server level will be in Wildfly 10.
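
The ServletExtension approach described in the answer above, as an added example that is not part of the original answer. The package and class name are hypothetical, and the ACL reuses the rules from the ip-access-control examples.

```java
// File: META-INF/services/io.undertow.servlet.ServletExtension
// must contain one line with this class's fully qualified name:
//   com.example.security.IpAccessExtension
package com.example.security; // hypothetical package name

import javax.servlet.ServletContext;

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;

public class IpAccessExtension implements ServletExtension {

    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        // Wrap the initial handler chain so the ACL runs before any
        // servlet, filter or security constraint of this deployment.
        deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
            @Override
            public HttpHandler wrap(HttpHandler next) {
                IPAddressAccessControlHandler acl = new IPAddressAccessControlHandler(next);

                // Same policy as
                // ip-access-control[default-allow=false,
                //     acl={'10.0.0.1 deny', '10.0.0.0/24 allow'}]
                acl.setDefaultAllow(false);   // anything unmatched is rejected
                acl.addDeny("10.0.0.1");      // specific host first...
                acl.addAllow("10.0.0.0/24");  // ...then the surrounding subnet
                return acl;
            }
        });
    }
}
```

Rules are checked in the order they were added and the first match decides, so the single-host deny has to come before the subnet allow. The handler compares against the connection's source address, so behind a reverse proxy or load balancer it sees the proxy's address rather than the client's.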

Related

Hazelcast IMap not available in JMX on startup

I am trying to add monitoring for a hazelcast map to Nagios. Now I face the issue that the IMap entry in JMX is not available before the first usage of this map (get/set values)
Is there any option to initialize this during hazelcast startup.
The map is configured as follows
<map name="myMap">
    <backup-count>1</backup-count>
    <time-to-live-seconds>0</time-to-live-seconds>
    <max-idle-seconds>0</max-idle-seconds>
    <eviction-policy>LRU</eviction-policy>
    <max-size policy="USED_HEAP_SIZE">256</max-size>
    <eviction-percentage>25</eviction-percentage>
    <merge-policy>com.hazelcast.map.merge.PutIfAbsentMapMergePolicy</merge-policy>
    <map-store enabled="true" initial-mode="EAGER" />
</map>
I already tried to add map-store eager loading but this also did not fix the issue:
<map name="myMap">
...
<map-store enabled="true" initial-mode="EAGER" />
</map>
The JMX path which I try to access is
com.hazelcast:instance=_hzInstance_1_dev,type=IMap,name=myMap
How can I configure the map in such a way that the JMX values are always available.

JBoss 6.3 EAP - define other simple naming bindings in domain for every server

We need to define a different file url via simple naming bindings for every server in a JBoss domain.
e.g. we need for every server in the cluster an entry like
<subsystem xmlns="urn:jboss:domain:naming:1.4">
<bindings>
<simple name="java:/url/ServerConfigurationUrl" value="file:///c:/JBoss//server3.properties" type="java.net.URL"/>
</bindings>
</subsystem>
Can this be achieved using some variables? Expressions seem not to be valid here.
If we could just use something like value=${path to file} that would be great.
Thanks,
ralf
Using something like
<system-properties>
<property name="FILEURL" value="file:///c:/JBoss//server3.properties" />
</system-properties>
and then
<bindings>
<simple name="java:/url/ServerConfigurationUrl" value="${FILEURL}" type="java.net.URL"/>
</bindings>
worked for me.
Greetings,
ralf

Disable freemarker logs from log4j

Similar question but I'm using log4j2.
I need a way to disable all logs from freemarker. In their documentation they say we can do it by calling Logger.selectLoggerLibrary(Logger.LIBRARY_NONE), but they say
selectLoggerLibrary must be called early, before FreeMarker could log anything, or else it will not have (consistent) effect.
Where do I call this in a struts2 application? (I tried calling it in the prepare() method in my action class but it's not working.) Or is there any other way to disable the logs?
Question is, why do you need to disable it like that?
You shouldn't need that, so I guess that's where the real problem lies. Is there some kind of malfunction? Because if there isn't, why not just set the freemarker logger category to be ignored in your logger configuration? That's the normal way of doing this, FreeMarker or not.
Anyway, in 2.3.22 (release expected in early 2015) you can use the -Dorg.freemarker.loggerLibrary=none where you start the JVM (that is, you set the org.freemarker.loggerLibrary system property). Otherwise, if you could call that method in a ServletContextListener that's certainly early enough.
Update:
Reacting to the comments... in most applications you will have 3rd party libraries that use various logging "frameworks", like SLF4J, commons-logging, JUL, Log4j, Log4j2. Thus you have to ensure that all these get redirected into the same logger library, which is certainly Log4j2 in your case. I suspect that wasn't properly done in your case, so now multiple logger libraries log to the console, each with its own configuration settings.
FreeMarker 2.3.x uses Log4j 1.x if it detects that org.apache.log4j.Logger is present. Other logger libraries that it also can detect and use (Log4j2 is not amongst them) have lower priority. (FreeMarker 2.4.x will always use SLF4J if it's present.) Thus, if you add org.apache.logging.log4j:log4j-1.2-api to your dependencies, then FM will use org.apache.log4j.Logger, and so log4j-1.2-api will redirect the FM log messages to Log4j2. That worked for me, with this Log4j2 configuration:
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level %logger{36} - %msg%n" />
        </Console>
    </Appenders>
    <Loggers>
        <Root level="debug">
            <AppenderRef ref="Console" />
        </Root>
        <Logger name="freemarker" level="off">
            <AppenderRef ref="Console" />
        </Logger>
    </Loggers>
</Configuration>
This came up as the first search result for "disable freemarker logging" which I searched for because I got double error logs for template errors, one from within the Freemarker library and one from my own code catching the same exception and logging it. The solution to this is simple and different from the answers already given: call setLogTemplateExceptions(false) on the Freemarker Configuration. In full:
Configuration configuration = new Configuration(Configuration.VERSION_2_3_31);
configuration.setLogTemplateExceptions(false);
The default behavior of logging the exception even though it propagates out of the Freemarker library is mentioned as a quirk on the Freemarker Logging documentation.
Use this statement:
freemarker.log.Logger.selectLoggerLibrary(freemarker.log.Logger.LIBRARY_NONE);

Cannot Import from a UNC path in Spring.NET?

I have a simple Spring.NET demo, and I'm trying to have a shared object file that would reside on a shared drive. This works if I pass in the UNC path as a resource file to the constructor, but if I use an <import resource construct it interprets it as relative, which is not supported. Is there a way I can use the import statement with a UNC path?
Works:
<context>
<resource uri="config://spring/objects"/>
<resource uri="\\server\share\folder\SpringConfig.xml"/>
</context>
Doesn't work:
<import resource="\\server\share\folder\SpringConfig.xml"></import>
Error message:
System.Configuration.ConfigurationErrorsException: Error creating context 'spring.root': ConfigSectionResource does not support relative resources. Please use fully qualified resource name. ---> Spring.Objects.Factory.ObjectDefinitionStoreException: Error registering object defined in 'config [C:\Users\user\documents\visual studio 2010\Projects\SpringExample\SpringExample\bin\Debug\SpringExample.vshost.exe.Config#spring/objects] at line 1' : Failed parsing element
---> System.NotSupportedException: ConfigSectionResource does not support relative resources. Please use fully qualified resource name.
Use the fully qualified resource string and use forward slashes throughout:
<objects xmlns="http://www.springframework.net">
<import resource="file:////server/share/folder/SpringConfig.xml" />
</objects>
Note that file: protocol identifier is followed by four slashes, two belong to the protocol and two to the server location.
Worked on my machine :). This also works:
<objects xmlns="http://www.springframework.net">
<import resource="file://\\server\share\folder\SpringConfig.xml" />
</objects>
Hmmm...
This should work. What I don't understand is why ConfigSectionResource throws the exception.
FileSystemResource should be used by default in a non-Web application.
What version of Spring.NET are you using? Are you using the CodeConfig extension?
Anyway, this should work:
<resource uri="file://\\server\share\folder\SpringConfig.xml"/>
I'm honestly not certain whether UNC paths are supported or not, but if you want a fully-qualified file path, you need to use <resource uri="file://c:/folder1/folder2/MyConfig.xml" /> IIRC.

NLog internal log not working with ASP.Net MVC

I have a problem with NLog for logging its internal logs with this configuration
<?xml version="1.0" encoding="utf-8" ?>
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
throwExceptions="true"
internalLogFile="${basedir}/App_Data/NLog.log"
internalLogLevel="Trace">
<targets>
<target name="debug"
xsi:type="File"
fileName="${basedir}/App_Data/Site.log" />
</targets>
<rules>
<logger name="*"
writeTo="debug" />
</rules>
</nlog>
The target "debug" is working well, but the internalLogFile is only working if I set it, for example, to "D:/NLog.log".
Any idea why this is happening?
You can't use layout renderers ${...} in the internalLogFile property. They are for a target's layout only:
<target layout="${...}" />
Try to use a relative path like "..\App_Data\NLog.log"
Update: NLog 4.6 enables some simple layouts.
The internalLogFile attribute needs to be set to an absolute path and the executing assembly needs to have permission to write to that absolute path.
The following worked for me.
Create a folder somewhere - e.g. the root of your c: drive, e.g. c:\logs
Edit the permissions of this folder and give full control to everyone
Set your nlog config: internalLogFile="C:\logs\nlog.txt"
Remember to clean up after yourself and not leave a directory with those sorts of permissions on
NLog ver. 4.6 adds support for environment variables like %appdata% or %HOME%, and using these basic layouts in internalLogFile=:
${currentdir}
${basedir}
${tempdir}
NLog ver. 4.7 also adds this:
${processdir}
See also: https://github.com/NLog/NLog/wiki/Internal-Logging
From this link I think the path is absolute
