I am looking to disable the HTTP Methods that are not in use like OPTIONS, HEAD in a GlassFish 3.1 Server.
Thank you.
Update:
Currently, I have implemented a filter that checks for the HTTP method of the request, and reject the non supported ones. When I say,
response.sendError(HttpServletResponse.SC_NOT_FOUND);
The response contains header
Allow: TRACE, OPTIONS
Which are not supported by my application.
Add below configurations to your application web.xml file.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<security-constraint>
<web-resource-collection>
<web-resource-name>
</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
</<web-app>
Related
Good morning people!
I am having CORS problem my application runs in apache but the service comes straight WS,
I already made the apache settings in the .xml file, but without success, there are some
way to solve! thank you
msg error
Access to fetch at ':9084/ApiSise/api/v1/projeto/form-result' from
origin ':8080' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource. If an opaque response serves your needs, set the request's
mode to 'no-cors' to fetch the resource with CORS disabled.
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.supportsCredentials</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>cors.supportedHeaders</param-name>
<param-value>Accept, Origin, X-Requested-With, Content-Type, Last-Modified</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET, POST, HEAD, OPTIONS</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
/*index.html*/
<head>
<meta http-equiv="Access-Control-Allow-Origin" content="*">
<header name = "Access-Control-Allow-Origin" value = "*" />
So I have an Azure Web Service and an Azure CDN. My web service is running on ASP.Net Core
I make a request for my Website's index.html, which starts downloading assets from the CDN. All the assets get loaded, except for the font files.
Here's the error:
Access to Font at 'https://CDN.azureedge.net/68.0.3/styles/ui-grid.woff' from origin 'https://WebApp.azurewebsites.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://WebApp.azurewebsites.net' is therefore not allowed access.
Here's what one of the requests looks like:
So what I understand is:
Download index.html from Web Server
index.html -> download .css from CDN
.css -> download font from CDN
Blocked?? It seems like the browser is blocking the request, not the CDN, is that correct? If so why? Just because it's a font file request?
If using Azure Blob Storage as Origin for your CDN endpoint, the problem could be the CORS configuration in the Storage Account.
I initially had all my domains in a separate row under Allowed Origins and received the same errors as the OP.
Turns out you can/must place all domains (that should have the same CORS configuration) on the same row, separated by , like this:
In my case, IIS blocks .woff since mimeType is not set, hence you can set that in web.config (and optionally CORS if required) as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
<staticContent>
<remove fileExtension=".woff" /> <!-- In case IIS already has this mime type -->
<mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
<remove fileExtension=".woff2" />
<!-- In case IIS already has this mime type -->
<mimeMap fileExtension=".woff2" mimeType="application/x-font-woff2" />
</staticContent>
</system.webServer>
</configuration>
You can't pull fonts from CDN without proper config - it's a different domain, so browser can't trust this files without proper headers.
You have only one option - set properly header in CDN. If you have access to Apache or NGINX you can set:
Apache
<FilesMatch ".(eot|ttf|otf|woff)">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
NGINX
if ($filename ~* ^.*?\.(eot)|(ttf)|(woff)$){
add_header Access-Control-Allow-Origin *;
}
If you don't have access to server settings you can't use fonts from CDN.
If you are using the Verizon Premium SKU of Azure CDN, you can also set the CORS headers via the CDN instead of the origin server.
https://learn.microsoft.com/en-us/azure/cdn/cdn-cors
I have configured SSL into my application running on Tomcat using the standard procedures. I have modified the server.xml file and web.xml to enforce the use of https in every request. I am supposed to do one of the 2 things.
1) The redirection that is taking place is a 302 redirect. How can I make this as a 301 redirect? This 302 redirect is not allowing Google robots to crawl my site
OR
2) Use a mechanism wherein the urls that I require to be http, are redirected from https to http.
I know Tomcat cannot automatically redirect from https to http once it is re-directed to http. I have added the following entry in web.xml to enable http access for the url that I require
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>UnsecureConnection</web-resource-name>
<url-pattern>/Market/browseMarket.htm</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
However once Tomcat is redirected to https using the first block, it is unable to redirect back to http even though the second block exists.
I read in some articles to use URLRedirectFilter in the application to achieve. To achieve that, I added the following in web.xml
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I have placed the urlrewrite.xml under WEB-INF, the contents of which are:
<urlrewrite>
<rule>
<from>Market/browseMarket.htm</from>
<to>http://%{server-name}%{request-uri}</to>
</rule>
</urlrewrite>
However, this doesn't seem to work and I still end up with https on that page.
Can someone help me with one of the above issues with a solution?
When I generate code coverage for my PHP project, I always get the Symfony autoloader.
I tried adding this to my PHPUnit config with no luck:
<filter>
<blacklist>
<directory>/Symfony/Component</directory>
</blacklist>
</filter>
First of all you didn't specified suffix attribute to search for specific type of file in blacklist
so it should be
<filter>
<blacklist>
<directory suffix=".php">/Symfony/Component</directory>
</blacklist>
</filter>
if this is not working for you then you can use exclude tag in whitelist block
<filter>
<whitelist>
<directory suffix=".php">../src/library/</directory>
<!-- add more directories -->
<exclude>
<directory suffix=".php">./Zend/</directory>
<!-- add more directories with relative or absolute path -->
</exclude>
</whitelist>
</filter>
Reference: How can PHPUnit code coverage ignore my autoloader?
I'm using composer and tried several variations including the exclusion within a whitelist:
My directory structure is thus:
...
/project/tests
/project/vendor
/project/vendor/composer
...
I tried to get whitelist working:
<whitelist>
<exclude>
<directory suffix=".php">..\vendor\composer\</directory>
<directory suffix=".php">../vendor/composer/</directory>
<directory suffix=".php">..\composer\</directory>
<directory suffix=".php">../composer/</directory>
</exclude>
</whitelist>
That did not work. But this did:
<filter>
<blacklist>
<directory suffix=".php">../vendor/composer</directory>
</blacklist>
</filter>
My configuration xml file is within the tests folder along with a bootstrap file that loads in composer's autoloader.
<?php
require_once(__DIR__. str_repeat(DIRECTORY_SEPARATOR. '..', 1) . DIRECTORY_SEPARATOR . 'vendor'. DIRECTORY_SEPARATOR . 'autoload.php');
I have a controller with #RequestMapping for root path "/". There are other controllers with say a #RequestMapping of "/test" etc. My application seems to be mapping correctly for paths like /appname/test, but if I add a trailing slash to the path, like so "/appname/test/ then it maps to the controller that has the #RequestMapping for root path "/". Any idea why?
Update:
I also tried removing <mvc:annotation-driven /> and replacing with
<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping"
p:order="0" p:alwaysUseFullPath="true" />
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"
p:alwaysUseFullPath="true"/>
That fixed the trailing slash problem, but my validations stopped working
Looks like a bug (SPR-7064), fixed in 3.0.3, should be out soon.