how to set https for java servlet application - http

I have created a java servlet web application. It's working properly with "http". Now I want to set "https" secured connection to the server. For that, I have configured the things properly in the tomcatserver/conf/server.xml as follows.
<Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="conf\localhost.jks" keystorePass="xxxx"
clientAuth="false" sslProtocol="TLS" />
Then I have configured the things in the web.xml file also, as follows.
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
When I send a request through Postman, I am given the following error.
Here I have attached the request header also.
How can I solve this?

Related

Blocking unwanted HttpMethods in web.xml

I am running two different applications (war files) in a single Tomcat. Those two may contact each other.
Now I want to block some of the HTTP methods for application2. So I have added the following to the web.xml in the Tomcat config folder:
<security-constraint>
<web-resource-collection>
<web-resource-name><strong>restricted methods</strong></web-resource-name>
<url-pattern>/app2/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
Even after adding this, I am not getting a 403 response for an OPTIONS request. It's giving a 200 response. But with
<security-constraint>
<web-resource-collection>
<web-resource-name><strong>restricted methods</strong></web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
without mentioning app2 in the URL pattern, it's giving a 403 response for an OPTIONS request.
Now my question is: how can I block some HTTP methods for my application2 alone?
Thanks in advance.

Blocking some HTTP methods in web.xml

I am running two war files in a single Tomcat, for example app1 and app2. Now I want to block some of the HTTP methods for app2 alone without touching Tomcat's own web.xml. So I have created a web.xml for app2 and placed it under WEB_INF.
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
</web-app>
When I hit the URL host:port/app2/ it gives a 403 response.
But when I hit host:port/app2 I get a 200 response.
Now I have to block the URL host:port/app2 also. How can I change the url-pattern to achieve this?

SEVERE - For security constraints with URL pattern [/*] the HTTP methods [POST GET] are uncovered

I am getting this error when I start Tomcat:
SEVERE - For security constraints with URL pattern [/*] the HTTP
methods [POST GET] are uncovered.
What is the reason of this?
I think this is a different problem from this.
My web.xml looks like:
<security-constraint>
<display-name>Restrict resources</display-name>
<web-resource-collection>
<web-resource-name>/resources dir</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Whitelist</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method-omission>GET</http-method-omission>
<http-method-omission>POST</http-method-omission>
</web-resource-collection>
<auth-constraint />
</security-constraint>
So I try to forbid all methods except GET and POST (see ). However, some methods (PUT, DELETE, OPTIONS...) seem to return a "302 Found" instead of an automatic 403, not sure why (missing request parameters?).
To me it looks like you actually also forbid GET and POST. Instead of an empty <auth-constraint /> in the second <security-constraint> section, try the following:
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
Furthermore, you may need to add another "deny" section for the uncovered methods for <url-pattern>/*</url-pattern>. However, if you are using Servlet 3.1+ (e.g. Tomcat 8.5.x), you can simply use this tag instead of another <security-constraint> section:
<deny-uncovered-http-methods />
Make sure then, that your web.xml actually does define Servlet 3.1, e.g.:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1"
metadata-complete="true">
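
The startup message quoted in the question follows from how the Servlet 3.1 rules treat `http-method` and `http-method-omission` per URL pattern. The sketch below is an added example, not code from the posts above or from Tomcat; it reads a web.xml string and reports which methods no constraint covers. The function names and the wrapped sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def kids(elem, name):
    """Child elements called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return {(c.text or "").strip() for c in kids(elem, name)}

def uncovered_methods(web_xml):
    """Return ({url-pattern: (kind, methods)}, deny_flag) for a web.xml string."""
    root = ET.fromstring(web_xml)
    covered_all, listed, omitted = set(), {}, {}
    for constraint in kids(root, "security-constraint"):
        for coll in kids(constraint, "web-resource-collection"):
            methods = texts(coll, "http-method")
            omits = texts(coll, "http-method-omission")
            for pattern in texts(coll, "url-pattern"):
                if not methods and not omits:
                    covered_all.add(pattern)        # no method elements: all covered
                elif methods:
                    listed.setdefault(pattern, set()).update(methods)
                elif pattern in omitted:
                    omitted[pattern] &= omits       # a gap only if every constraint omits it
                else:
                    omitted[pattern] = set(omits)
    report = {}
    for pattern in (set(listed) | set(omitted)) - covered_all:
        if pattern not in omitted:   # only listed methods constrained, the rest open
            report[pattern] = ("only-covered", sorted(listed[pattern]))
            continue
        gap = omitted[pattern] - listed.get(pattern, set())
        if gap:
            report[pattern] = ("uncovered", sorted(gap))
    return report, bool(kids(root, "deny-uncovered-http-methods"))

# The two constraints from the question, wrapped in a root element (constructed).
QUESTION_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
 <security-constraint><web-resource-collection>
   <url-pattern>/resources/*</url-pattern>
 </web-resource-collection><auth-constraint/></security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/*</url-pattern>
   <http-method-omission>GET</http-method-omission>
   <http-method-omission>POST</http-method-omission>
 </web-resource-collection><auth-constraint/></security-constraint>
</web-app>"""

print(uncovered_methods(QUESTION_XML))  # ({'/*': ('uncovered', ['GET', 'POST'])}, False)
```

The second element of the result is true when the descriptor contains `<deny-uncovered-http-methods />`, in which case the reported gaps are denied by the container rather than left open.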

IBM Mobile First V 7.0

I have an issue working in the IBM Mobile First v7.0 Analytics console.
In the analytics console the data was not loaded from the Mobile First server, but all data are stored in the Worklight database...
The following configuration I did for my application and deployed in the production server...
Worklight.properties file enable JNDI properties
wl.analytics.url=http://192.168.1.3:9080/analytics-service/data
wl.analytics.console.url=http://192.168.1.3:9080/analytics/console
Keep the analytics.ear file in my application folder...
C:\IBM\WebSphere\Liberty\usr\servers\testserver\apps
Server.xml
<feature>jndi-1.0</feature>
</featureManager>
<application location="analytics.ear"
name="analytics-ear"
type="ear">
<application-bnd>
<security-role name="worklightadmin">
<user name="admin"/>
</security-role>
<security-role name="worklightdeployer">
<user name="deployer"/>
</security-role>
<security-role name="worklightmonitor">
<user name="monitor"/>
</security-role>
<security-role name="worklightoperator">
<user name="operator"/>
</security-role>
</application-bnd>
</application>
If I made any mistake, kindly help me.
Since you are using security roles on your analytics console you need to send data with a username and password. Inside your server.xml for your Operations Console, you can set these username and password with the following JNDI properties:
<jndiEntry jndiName="AppName/wl.analytics.username" value="admin"/>
<jndiEntry jndiName="AppName/wl.analytics.password" value="admin"/>
Also, make sure that your security roles and constraints match your server.xml to the WEB.xml in your analytics-service.war. Default is the security configuration below:
<security-role>
<role-name>worklightadmin</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>allAccess</web-resource-name>
<url-pattern>/data/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>worklightadmin</role-name>
<role-name>worklightdeployer</role-name>
<role-name>worklightmonitor</role-name>
<role-name>worklightoperator</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
The role-names will need to match the names that you use in your basic registry.

How to publish two services with same path but different URLs on Mule 3.2

My need is to publish two services with the same path on Mule, but different URLs. Like this:
https://localhost:8443/etc/app/version1/Service
https://localhost:8443/etc/app/version2/Service
I'm using servlet mapping in web.xml
<servlet-mapping>
<servlet-name>muleServlet</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
And tried to use two different connectors since the path attribute doesn't allow me to use "version1/Service" or "version2/Service"
<servlet:connector
name="conectorVersion1"
servletUrl="https://localhost:8443/etc/app/version1/">
</servlet:connector>
<servlet:connector
name="conectorVersion2"
servletUrl="https://localhost:8443/etc/app/version2/">
</servlet:connector>
And finally, the endpoints
<flow
name="FlowVersion1"
processingStrategy="synchronous">
<servlet:inbound-endpoint
connector-ref="conectorVersion1"
path="Service">
<!-- processors, jaxws-service, interceptors etc.. -->
</servlet:inbound-endpoint>
</flow>
<flow
name="FlowVersion2"
processingStrategy="synchronous">
<servlet:inbound-endpoint
connector-ref="conectorVersion2"
path="Service">
<!-- processors, jaxws-service, interceptors etc.. -->
</servlet:inbound-endpoint>
</flow>
But I got this exception:
[[/etc]] StandardWrapper.Throwable: java.lang.IllegalStateException:
There are at least 2 connectors matching protocol "servlet", so the connector to use must be
specified on the endpoint using the 'connector' property/attribute.
Connectors in your configuration that support "servlet" are: conectorVersion1, conectorVersion2,
Thanks in advance.
I don't think it's valid to declare two servlet connectors: there's only one servlet context so a single connector is enough. Actually, I never declare the Servlet connector, as the default configuration works just fine.
So with only the following configuration:
<flow name="FlowVersion1" processingStrategy="synchronous">
<servlet:inbound-endpoint
path="version1/Service" />
<set-payload value="version 1" />
</flow>
<flow name="FlowVersion2" processingStrategy="synchronous">
<servlet:inbound-endpoint
path="version2/Service" />
<set-payload value="version 2" />
</flow>
I'm able to deploy in a servlet container (Jetty) and I can hit /{context}/app/version1/Service and /{context}/app/version2/Service without problem.
