Making JSESSIONID cookie be httpOnly in Jetty 7 - grails

We're running grails 2.0 + jetty 7.6.6 and need to set JSESSIONID cookie to be httpOnly.
All of the answers on stackoverflow seem to refer to either Servlet 3.0 (which requires jetty 8) or to tomcat.
Can anyone provide me with a clear way of setting the JSESSIONID cookie to be httpOnly for jetty 7.x?
I have tried adding jetty-web.xml file with the following contents, but it still didn't work (i.e. the JSESSIONID wasn't marked as httpOnly):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="sessionHandler">
    <Get name="sessionManager">
      <Set name="httpOnly" type="boolean">true</Set>
    </Get>
  </Get>
</Configure>

All I had to do was put the jetty-web.xml in the right folder. Initially I was putting it into the jetty/etc folder, but it should have been in the WEB-INF directory.
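A quick way to confirm the fix took effect is to look at the raw Set-Cookie headers the container sends rather than trusting the configuration file. The following is an added example, not code from the question or the answer: it parses Set-Cookie headers (attribute names are case-insensitive per RFC 6265, so "HttpOnly" and "httponly" are treated alike) and reports session cookies that lack HttpOnly, or optionally Secure. The sample headers are constructed to mirror the before/after situation described above; the fetch_set_cookie_headers helper takes placeholder host/port/path values for use against your own server.

```python
import http.client
from typing import Dict, List, Tuple

# Constructed sample headers (not captured from the asker's server): the first
# list mirrors the symptom in the question, the second what the fix should yield.
BEFORE_FIX = ["Set-Cookie: JSESSIONID=1a2b3c4d5e6f7a8b; Path=/"]
AFTER_FIX = [
    "Set-Cookie: JSESSIONID=1a2b3c4d5e6f7a8b; Path=/; HttpOnly",
    "Set-Cookie: theme=dark; Path=/",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes) for one Set-Cookie header.

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively ("HttpOnly" and "httponly" are the same flag);
    flag attributes that carry no value map to "".
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        if piece:
            key, _, value = piece.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookies(
    headers: List[str],
    session_names: Tuple[str, ...] = ("JSESSIONID",),
    require_secure: bool = False,
) -> List[str]:
    """List the session cookies that lack HttpOnly (and, optionally, Secure)."""
    findings: List[str] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if require_secure and "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
    return findings


def fetch_set_cookie_headers(host: str, port: int, path: str = "/") -> List[str]:
    """Fetch one page from a live server and return its raw Set-Cookie headers.

    host, port and path are placeholders for your own deployment; a session
    cookie is only issued by requests that create a session, so pick a path
    that does (a Grails controller action usually will).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    response = conn.getresponse()
    return response.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    print("before fix:", audit_session_cookies(BEFORE_FIX))
    print("after fix: ", audit_session_cookies(AFTER_FIX))
```

Run it against the constructed samples to see the two outcomes, or swap in fetch_set_cookie_headers("localhost", 8080, "/yourapp/") to check a real Jetty instance. Passing require_secure=True is worth doing once the app sits behind TLS, since the answer above only addresses the HttpOnly flag.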

Related

Jenkins - No valid crumb was included in request

Jenkins 2.263.1 (LTS) deployed through Tomcat on CentOS 8.2, with an Nginx reverse proxy running in front of Jenkins.
Under Manage Jenkins > Configure System, Apply and Save are not working. Because of this error I cannot Apply (or) Save any of my configuration; it always shows the error below in the browser (Firefox & Chrome).
HTTP Status 403 – Forbidden
Type Status Report
Message No valid crumb was included in the request
Description The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.30
Also, under Jenkins > Manage Jenkins > Configure Global Security, Apply works but Save does not; this too results in the same error given above.
System log error message:
Feb 19, 2021 10:56:05 AM WARNING hudson.security.csrf.CrumbFilter doFilter No valid crumb was included in request for /jenkins/configSubmit by ankit.sahu. Returning 403.
Workarounds tried:
1) Under Configure Global Security > CSRF Protection > Enable proxy compatibility (ticked/enabled). Didn't work, so disabled it with the command below.
2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - even this didn't solve the problem.
3) Installed the Strict Crumb Issuer plugin, enabled it and unchecked "Check the session ID" in its configuration (under Jenkins Configure Global Security).
4) Restarted Jenkins.
Even tried adding the following to the /apache-tomcat-9.0.30/conf/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>
  <role rolename="admin-gui"/>
  <role rolename="admin-script"/>
  <user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
However, I am still experiencing the same problem. I don't know how to fix it; can someone help me?
You can (temporarily) disable CSRF with the Groovy script below. Go to Manage Jenkins >> Script Console, then execute it:
import jenkins.model.Jenkins
def instance = Jenkins.instance
instance.setCrumbIssuer(null)
The nonces embedded into web output from Jenkins with CSRF protection are based (at least in part, as I've read) on values from the requesting client. In addition to making sure your reverse proxy is correctly configured to pass X-Forwarded-For and X-Forwarded-Proto, make sure the Tomcat valve is in place to expose those header values through the servlet request API so Jenkins has access to them.
Add the following to $CATALINA_BASE/conf/server.xml, subordinate to the <Host> element:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-troubleshooting/
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/
ref: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
If you're using jenkinsapi, I resolved this error by specifying useCrumb=True in the constructor:
j = Jenkins(base_url, username=username, password=password, useCrumb=True)
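The answers above describe two different things: keeping the proxy from altering what the crumb issuer sees (RemoteIpValve) and making automation clients fetch a crumb before posting (useCrumb=True). The following added example, which is not part of any answer and not Jenkins code, models the client side of that exchange against a constructed stand-in for the crumb issuer: the fake server binds each crumb to the caller's session cookie (Jenkins has tied crumbs to the session since 2.176.2; the client-IP component that "Enable proxy compatibility" switches off is not modelled here), and it rejects a POST whose crumb was issued to a different session with the same "No valid crumb" message seen in the question. The /crumbIssuer/api/json endpoint, the crumb/crumbRequestField fields and the Jenkins-Crumb header name are real Jenkins interfaces; everything else (FakeJenkins, CrumbClient, demo) is hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Tuple

# transport(method, path, headers, cookies) -> (status, set_cookies, body)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, Dict[str, str], str]]


class FakeJenkins:
    """Constructed stand-in for Jenkins' crumb issuer (hypothetical, not Jenkins code).

    The crumb is an HMAC over the caller's session id, so a crumb fetched in
    one session is rejected in another: that is the "No valid crumb" failure.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def _crumb_for(self, session_id: str) -> str:
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def handle(self, method: str, path: str, headers: Dict[str, str],
               cookies: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        # A request without a session cookie starts a fresh session.
        session_id = cookies.get("JSESSIONID") or secrets.token_hex(8)
        set_cookies = {"JSESSIONID": session_id}
        if method == "GET" and path == "/crumbIssuer/api/json":
            body = json.dumps({"crumb": self._crumb_for(session_id),
                               "crumbRequestField": "Jenkins-Crumb"})
            return 200, set_cookies, body
        if method == "POST":
            expected = self._crumb_for(session_id)
            if not hmac.compare_digest(headers.get("Jenkins-Crumb", ""), expected):
                return 403, set_cookies, "No valid crumb was included in the request"
            return 200, set_cookies, "ok"
        return 404, set_cookies, ""


class CrumbClient:
    """Crumb-aware client: fetch the crumb once, keep the cookie jar, then POST."""

    def __init__(self, transport: Transport) -> None:
        self._transport = transport
        self.cookies: Dict[str, str] = {}
        self.crumb_header: Dict[str, str] = {}

    def _call(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
        status, set_cookies, body = self._transport(method, path, headers, dict(self.cookies))
        self.cookies.update(set_cookies)  # carry JSESSIONID into the next request
        return status, body

    def fetch_crumb(self) -> Dict[str, str]:
        status, body = self._call("GET", "/crumbIssuer/api/json", {})
        if status != 200:
            raise RuntimeError(f"crumb fetch failed with HTTP {status}")
        data = json.loads(body)
        # Jenkins tells the client which header to put the crumb in.
        self.crumb_header = {data["crumbRequestField"]: data["crumb"]}
        return self.crumb_header

    def post(self, path: str) -> Tuple[int, str]:
        if not self.crumb_header:
            self.fetch_crumb()
        return self._call("POST", path, dict(self.crumb_header))


def demo() -> Tuple[int, int]:
    """Return (status when the session is kept, status when it is dropped)."""
    server = FakeJenkins()
    kept = CrumbClient(server.handle)
    kept_status, _ = kept.post("/jenkins/configSubmit")

    dropped = CrumbClient(server.handle)
    dropped.fetch_crumb()
    dropped.cookies.clear()  # a client (or proxy) that does not send JSESSIONID back
    dropped_status, _ = dropped.post("/jenkins/configSubmit")
    return kept_status, dropped_status


if __name__ == "__main__":
    print(demo())
```

The point of the second client in demo is that the crumb on its own is not enough: whatever sits between the browser and Jenkins has to leave the session cookie (and, with proxy compatibility off, the apparent client address) unchanged between the page load and the form submission, which is why the answer above checks the proxy headers and the RemoteIpValve before touching the CSRF setting itself.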

Wildfly 10 JBossWS SOAP address rewrite for wsdl-uri-scheme=https for nested XML schema documents (XSD) referenced by the WSDL behind reverse proxy

NOTE: Cross post from developer.jboss.org
We have Wildfly 10 configured behind NGINX as a reverse proxy for handling the SSL requirements of the web service. Wildfly serves everything as plain HTTP and NGINX handles the HTTPS side of the request.
We have enabled the URI rewriting inside JBossWS with the following settings in standalone.xml:
<subsystem xmlns="urn:jboss:domain:webservices:2.0">
  <modify-wsdl-address>true</modify-wsdl-address>
  <wsdl-host>jbossws.undefined.host</wsdl-host>
  <wsdl-secure-port>8081</wsdl-secure-port>
  <wsdl-uri-scheme>https</wsdl-uri-scheme>
The endpoint also uses a custom deployment descriptor, jboss-webservices.xml:
<jboss:port-component>
  <jboss:ejb-name>ClaimWebServiceBean</jboss:ejb-name>
  <jboss:port-component-name>ClaimWSPort</jboss:port-component-name>
  <jboss:port-component-uri>Claim</jboss:port-component-uri>
  <jboss:transport-guarantee>CONFIDENTIAL</jboss:transport-guarantee>
</jboss:port-component>
The URI rewriting for the SOAP address and for the schema location of the XSD imported in the WSDL works correctly:
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
           xmlns:tns="http://example.systems/webservices/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
           xmlns:ns1="http://example.co.za/claim/zmf" attributeFormDefault="unqualified" elementFormDefault="unqualified"
           targetNamespace="http://example.systems/webservices/">
  <xs:import namespace="http://example.co.za/claim/zmf" schemaLocation="https://dev.example.ws:8081/webservices/Claim?xsd=ZietoClaim_2_1.xsd"/>
<!-- xml omitted -->
<wsdl:service name="ClaimService">
  <wsdl:port binding="tns:ClaimServiceSoapBinding" name="ClaimWSPort">
    <soap12:address location="https://dev.example.ws:8081/webservices/Claim"/>
  </wsdl:port>
</wsdl:service>
The XSD referenced inside the WSDL contains 2 more import statements that pull in 2 more XSDs. This is however where the problem starts: in the extract below you will notice that the schema location uses http and not https for the other 2 XSDs.
Using curl to download the XSD referenced above gives this content, which shows the problem:
<?xml version='1.0' encoding='UTF-8'?>
<xsd:schema xmlns:zdt="http://example.co.za/claim/zmf/datatypes" xmlns:zcdt="http://example.co.za/common/datatypes"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://example.co.za/claim/zmf" elementFormDefault="qualified"
            targetNamespace="http://example.co.za/claim/zmf">
  <xsd:import namespace="http://example.co.za/claim/zmf/datatypes" schemaLocation="http://dev.example.ws:8081/webservices/Claim?xsd=zmf_dt_2_1.xsd"/>
  <xsd:import namespace="http://example.co.za/common/datatypes" schemaLocation="http://dev.example.ws:8081/webservices/Claim?xsd=zdt_1_2.xsd"/>
Is there a way to configure JBossWS to rewrite the schema locations inside the first XSD as well, so that they use https?
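Whatever the eventual JBossWS setting turns out to be, the problem above is easy to miss by hand because it only shows up one level down from the WSDL. The following added example (not part of the question or of JBossWS) walks a WSDL/XSD tree, collecting every xs:import, xs:include, xs:redefine schemaLocation and wsdl:import location, and reports the absolute references whose scheme is not the one the proxy serves. The fetch function is injected so the same walk can run against a live endpoint or, as in the constructed sample here, against canned documents; the sample XSD is modelled on the curl output above, with a third https import added for contrast (the common_1_0.xsd name is made up).

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urljoin, urlsplit

XSD_NS = "http://www.w3.org/2001/XMLSchema"
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Elements that reference another WSDL/XSD document, and the attribute that holds the URL.
REFERENCE_ATTRS = {
    f"{{{XSD_NS}}}import": "schemaLocation",
    f"{{{XSD_NS}}}include": "schemaLocation",
    f"{{{XSD_NS}}}redefine": "schemaLocation",
    f"{{{WSDL_NS}}}import": "location",
}

# Constructed sample modelled on the XSD the question shows curl returning; the
# third import (https, made-up file name) is added to show a reference that passes.
SAMPLE_XSD = """<?xml version='1.0' encoding='UTF-8'?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns="http://example.co.za/claim/zmf"
            targetNamespace="http://example.co.za/claim/zmf">
  <xsd:import namespace="http://example.co.za/claim/zmf/datatypes"
              schemaLocation="http://dev.example.ws:8081/webservices/Claim?xsd=zmf_dt_2_1.xsd"/>
  <xsd:import namespace="http://example.co.za/common/datatypes"
              schemaLocation="http://dev.example.ws:8081/webservices/Claim?xsd=zdt_1_2.xsd"/>
  <xsd:import namespace="http://example.co.za/common/types"
              schemaLocation="https://dev.example.ws:8081/webservices/Claim?xsd=common_1_0.xsd"/>
</xsd:schema>
"""

# Constructed leaf document with no further references.
EMPTY_XSD = '<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>'


def find_references(xml_text: str) -> List[str]:
    """Return every WSDL/XSD location referenced by the document, in document order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    refs: List[str] = []
    for element in root.iter():
        attr = REFERENCE_ATTRS.get(element.tag)
        if attr and element.get(attr):
            refs.append(element.get(attr))
    return refs


def insecure_references(xml_text: str, expected_scheme: str = "https") -> List[str]:
    """Absolute references whose scheme differs from the one the proxy serves.

    Relative references are skipped: they resolve against the URL the document
    was fetched from and therefore inherit its scheme.
    """
    bad: List[str] = []
    for ref in find_references(xml_text):
        scheme = urlsplit(ref).scheme
        if scheme and scheme != expected_scheme:
            bad.append(ref)
    return bad


def walk_references(start_url: str, fetch: Callable[[str], str],
                    expected_scheme: str = "https",
                    seen: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Follow imports recursively; map each document URL to its bad references.

    fetch(url) -> document text is injected so the walk can run against a live
    endpoint (for example a urllib-based fetcher) or against canned documents.
    The seen set guards against import cycles.
    """
    seen = set() if seen is None else seen
    if start_url in seen:
        return {}
    seen.add(start_url)
    text = fetch(start_url)
    report = {start_url: insecure_references(text, expected_scheme)}
    for ref in find_references(text):
        report.update(walk_references(urljoin(start_url, ref), fetch, expected_scheme, seen))
    return report


if __name__ == "__main__":
    for ref in insecure_references(SAMPLE_XSD):
        print("non-https reference:", ref)
```

Against a real deployment, start the walk at the WSDL URL (the one ending in ?wsdl) with a fetch function that performs the HTTP GET; any non-empty list in the resulting report is a document that a client validating over https will fail to resolve, or will resolve over an unintended plain-HTTP hop.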

server.session.timeout in application.yml is not used when deployed to a tomcat as a war

I have this configuration in my application.yml:
server:
  contextPath: /appname
  session:
    timeout: 7200 # 2 hours in seconds
This works fine when I run it in IntelliJ IDEA, but when I deploy the built .war file to a Tomcat instance this setting is ignored. Is this a bug, or is it not expected to work like this?
Also, I seem to be unable to locate a specification of what can be written in application.yml. Does anyone know where this can be found?
What about the application.groovy config file? I can't seem to locate a specification for this either.
My environment:
Grails version: 3.2.8
Gradle version: 3.4.1
Intellij IDEA version: 2017.1.2
Tomcat version: 8.0.26
JDK Version: 1.8.0_45
When you deploy a Grails 3 app to a standalone Tomcat instance you should not use the Spring Boot server.session.timeout configuration property; that is only for an embedded server.
To configure a session timeout in a Spring Boot app (a Grails 3 app is built on top of Spring Boot) deployed into a standalone Tomcat you have two choices:
A) Timeout for every app deployed in that tomcat instance.
You could edit the session timeout directly in tomcat configuration files:
$TOMCAT_HOME/conf/web.xml
Look for the block:
<!-- ==================== Default Session Configuration ================= -->
<!-- You can set the default session timeout (in minutes) for all newly -->
<!-- created sessions by modifying the value below. -->
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
B) You can add a web.xml file to your Grails 3 app, with the timeout you need per app.
Create a file at the path 'src/main/webapp/WEB-INF/web.xml' with the content:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
C) You can also use tomcat's HttpSession setMaxInactiveInterval(seconds) method to set in your Groovy code.
if (grailsApplication.config.getProperty("session.timeout")?.isInteger()) {
    // session timeout in seconds
    session.setMaxInactiveInterval(grailsApplication.config.session.timeout as int)
}
Note that with the (current latest) Grails 5.x and Spring Boot 2.5 the correct property name is server.servlet.session.timeout, and hence the application.yml config would go like this:
server:
  servlet:
    session:
      timeout: 3600 # seconds
Spring boot docs:
https://docs.spring.io/spring-boot/docs/2.5.5/reference/html/application-properties.html#application-properties.server.server.servlet.session.timeout

Consuming Web Service using 2 Way SSL using Orbeon client code

We are trying to consume a web service from Orbeon client code. Everything works fine with one-way SSL; however, we now wish to call the web service using two-way SSL. We are able to call the web service with two-way SSL successfully using the Apache CXF framework from Java code.
I followed the steps outlined in the Orbeon Wiki.
Changes made in properties-local.xml:
<property as="xs:anyURI"
          name="oxf.http.ssl.keystore.uri"
          value="/apps/property/ClientStore.jks"/>
<property as="xs:string"
          name="oxf.http.ssl.keystore.password"
          value="password"/>
<property as="xs:anyURI"
          name="oxf.url-rewriting.service.base-uri"
          value="http://localhost:8085/Orbeon"/>
<property as="xs:anyURI"
          name="oxf.fr.persistence.exist.uri"
          value="http://localhost:8085/fr/service/exist"/>
<property as="xs:anyURI"
          name="oxf.fr.persistence.exist.exist-uri"
          value="http://localhost:8085/exist/rest/db/orbeon/fr"/>
After implementing the changes outlined above we are getting the exception below:
ERROR XFormsServer - xforms-submit-error - setting throwable {throwable:
"javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:488)
at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148
Java startup options are:
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.keyStore=/apps/property/DMClientStore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/apps/property/trustkeystore.jks
Questions:
Are these properties sufficient for enabling 2 way SSL?
For Apache CXF we need to provide two keystores, one with the client certificate and a truststore. Where do we configure both of these keystores for Orbeon?

Servlet 3.0 tiles definition in jar META-INF resources

I am using the new Servlet 3.0 approach of packaging web resources (such as JavaScript, CSS, and JSPs) in JAR files. The approach says that everything under JARROOT/src/META-INF/resources will get mounted to the WAR root when the application starts. All works fine for CSS and JavaScript, but not so much for Struts tiles.
This is the structure I have in the JAR:
base.jar
|--src/
|----META-INF/
|------base.tld
|------resources/
|--------base/
|----------css/
|----------js/
|----------baseTiles.xml
In my application (WAR) web.xml I have this for the tiles:
<context-param>
  <param-name>org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG</param-name>
  <param-value>/WEB-INF/tiles.xml,/base/baseTiles.xml</param-value>
</context-param>
When I start my application I do not get any errors about the baseTiles.xml, so I assume it loads the tiles file. However, trying to reference a tile from a JSP (using the <tiles:insertAttribute> tag) fails with
org.apache.tiles.jsp.taglib.NoSuchAttributeException: Attribute 'base.nav' not found.
What do you think the problem is?
Summary and other info:
Using JBoss eap 6.1 Alpha
Using Struts 2.1.4
The base JAR is included with the WAR in the lib directory
The base JAR contain all the files mentioned above (including baseTiles.xml)
Thank you for your help!!
Problem solved! Must point to the right Schema in your web.xml...
<web-app version="3.1" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-app_3_1.xsd">
Now everything works automagically !!
This is the right schema definition for the Servlet 3.1 specification:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
