Disable specific Tomcat HTTP post logging - http

On my JSF page I have a PrimeFaces poll (<p:poll>) which checks every second whether a backend is still running. The problem now is that the HTTP POST method, which checks the backend, is writing a logging entry into the Tomcat log every second. This will likely produce a lot of logging data which may lead to some problems with the server.
My question is now how I can prevent this POST method from writing into the Tomcat log file?

Related

How to generate a tomcat CSRF nonce?

I want to automate requests to Apache tomcat's manager GUI for the purposes of developing a pentest related application. I captured the packet to upload a .war file to the server and this was the first part of the response:
POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=0DCEAA88E8C558E6F3352C52B4BBCD4B HTTP/1.1
From this I can see that there's some kind of nonce preventing cross site request forgery. The problem is that I want to automate sending these packets to the server, so I'm going to need to generate a valid nonce whenever I do that. Is there a way I can grab the current nonce so I can use it in my script?

ASP.Net MVC3 - Is there a way to ignore a request?

I have an ASP MVC3 website with a rest API service.
When a user passes in an invalid API or they have been blacklisted I wish to ignore the response.
I know I could send back a 404 or pass back a 503, but if someone keeps polling me then I would ideally like to ignore the response, causing a time-out at their end, thus delaying the hammering my server gets.
Is this possible within ASP.net MVC3? If so any help would be most appreciated.
Thank you
For what you want, you still need to parse the request, so it will always consume server resources, especially if you have an annoying user sending a query every 500ms...
In these situations you would block the IP / header of the request for a period of, for example, 10 minutes, but it would be a very good idea to block it on your load balancer and prevent the request from even reaching your application. This is easily accomplished if you're using Amazon Services to run your service, but all other cloud providers support this as well, if by any means you are using cloud hosting.
If you can only use your web application, and this is a solution that is not tested, you could add an ignored route to your routing mechanism like:
routes.IgnoreRoute("{*allignore}", new {allignore=@".*\.ignore(/.*)?"});
and upon checking that the IP is banned, simply redirect, using for example Response.Redirect(), to a .ignore path on your site... or why not redirect that request to google.com just for the fun of it?
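The time-limited block described in the answer above, sketched as an added example (not code from the post): an in-memory list that bans a client IP for 10 minutes after repeated invalid requests. The class name, the threshold of 3 failures, the 10-second counting window and the sample address are assumptions.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical helper (not from the post): counts invalid-key requests per client
// IP and bans the IP for a fixed period. Entries are never evicted in this sketch.
public sealed class TemporaryBanList
{
    private sealed class Entry { public int Failures; public DateTime WindowStart, BannedUntil; }
    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>();
    private readonly int _maxFailures;
    private readonly TimeSpan _window, _banPeriod;

    public TemporaryBanList(int maxFailures, TimeSpan window, TimeSpan banPeriod)
    {
        _maxFailures = maxFailures; _window = window; _banPeriod = banPeriod;
    }

    // Cheap check to run before any API-key validation or routing work.
    public bool IsBanned(string ip, DateTime nowUtc)
    {
        Entry e;
        if (!_entries.TryGetValue(ip, out e)) return false;
        lock (e) { return nowUtc < e.BannedUntil; }
    }

    // Record one invalid request; returns true if the IP is banned afterwards.
    public bool RecordFailure(string ip, DateTime nowUtc)
    {
        Entry e = _entries.GetOrAdd(ip, _ => new Entry { WindowStart = nowUtc });
        lock (e)
        {
            // Start a fresh counting window once the old one has expired.
            if (nowUtc - e.WindowStart > _window) { e.Failures = 0; e.WindowStart = nowUtc; }
            if (++e.Failures >= _maxFailures) { e.BannedUntil = nowUtc + _banPeriod; e.Failures = 0; }
            return nowUtc < e.BannedUntil;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var bans = new TemporaryBanList(3, TimeSpan.FromSeconds(10), TimeSpan.FromMinutes(10));
        var t0 = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        const string ip = "203.0.113.7"; // constructed sample address (documentation range)
        for (int i = 0; i < 3; i++) bans.RecordFailure(ip, t0.AddMilliseconds(500 * i));
        Console.WriteLine("{0} {1}", bans.IsBanned(ip, t0.AddMinutes(5)), bans.IsBanned(ip, t0.AddMinutes(11)));
    }
}
```

In an ASP.NET application the check would be called early, for example from Application_BeginRequest with Request.UserHostAddress, so a banned client gets a minimal response before any further processing. Behind a load balancer that address is the balancer's own, which is one more reason to apply the block there, as the answer recommends.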

How to update Http Request and send it to another web server

Following is our environment setup:
IIS 7 receives Http (.jsp) request from client (browser).
It blindly redirects it to JBoss using ISAPI_Redirect.dll.
Now we are trying to modify this setup in such a way that before IIS7/ISAPI_redirect sends it to JBoss, we need to modify posted form data using Http module. This http module is normal .net http module.
We are able to intercept the request @ BeginRequest event of http module and when we send it to JBoss, it gives us "Read client failed (400)" error.
Any idea how to achieve this task or fix the problem at hand?
We were not able to fix our problem in its original form. What we did is we removed ISAPI_REDIRECT/JBoss from our original pipeline.
We now take the request directly to our http module by setting up another virtual directory where ISAPI_Redirect is not configured, we do our modification (earlier we intended to do this after JBoss has received the request) and then send it to another virtual directory (URL) where ISAPI_REDIRECT is configured. Now ISAPI_Redirect captures the request, maps it to JBoss format and sends it to JBoss.
Basically we switched the place of our customer processing and things seem to be falling into place.

IIS - Different processing of default document in Integrated Pipeline mode?

I have an HTTP Module to handle authentication from Facebook, which works fine in classic pipeline mode.
In integrated pipeline mode, however, I'm seeing an additional request pass through for the default document, which is causing the module to fail. We look at the request (from Facebook) to retrieve and validate the user accessing our app. The initial request authenticates fine, but then I see a second request, which lacks the posted form variables, and thus causes authentication to fail.
In integrated pipeline mode, an http request for "/" yields 2 AuthenticateRequests in a row:
A request where AppRelativeCurrentExecutionFilePath = "~/"
A request where AppRelativeCurrentExecutionFilePath = "~/default.aspx"
That second request loses all of the form values, so it fails to authenticate. In classic mode, that second request is the only one that happens, and it preserves the form values.
Any ideas what's going on here?
UPDATE: Here is an image of the trace from module notifications in IIS. Note that my module, FBAuth, is seeing AUTHENTICATE_REQUEST multiple times (I'd expect 2 - one for authenticate and one for postauthenticate, but I get 4).
I'm starting to believe this has something to do with module/filter configuration because I've found a (Vista) box running the same code that doesn't fire these events repeatedly - it behaves as expected. I'm working through trying to figure out what the difference could be...
Thanks!
Tom
My solution was to add the following code at the end of Application_BeginRequest:
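if (Request.RawUrl.TrimEnd('/') == HostingEnvironment.ApplicationVirtualPath.TrimEnd('/'))
    // Request is for the application root: hand it to the default document.
    // Normalise the trailing slash so "/app" does not become "/appDefault.aspx".
    Server.Transfer(Request.RawUrl.TrimEnd('/') + "/Default.aspx", true);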
DefaultHttpHandler is not supported, so applications relying on sub-classes of DefaultHttpHandler will not be able to serve requests
If your application uses DefaultHttpHandler or handlers that derive from DefaultHttpHandler, it will not function correctly. In Integrated mode, handlers derived from DefaultHttpHandler will not be able to pass the request back to IIS for processing, and instead serve the requested resource as a static file. Integrated mode allows ASP.NET modules to run for all requests without requiring the use of DefaultHttpHandler.
Workaround
Change your application to use modules to perform request processing for all requests, instead of using wildcard mapping to map ASP.NET to all requests and then using DefaultHttpHandler derived handlers to pass the request back to IIS.
Hmmm, or this could be the issue.
ASP.NET modules in early request processing stages will see requests that previously may have been rejected by IIS prior to entering ASP.NET, which includes modules running in BeginRequest seeing anonymous requests for resources that require authentication
ASP.NET modules can run in any pipeline stages that are available to native IIS modules. Because of this, requests that previously may have been rejected in the authentication stage (such as anonymous requests for resources that require authentication) or other stages prior to entering ASP.NET may run ASP.NET modules. This behavior is by design in order to enable ASP.NET modules to extend IIS in all request processing stages.
Workaround
Change application code to avoid any application-specific problems that arise from seeing requests that may be rejected later on during request processing. This may involve changing modules to subscribe to pipeline events that are raised later during request processing.
http://learn.iis.net/page.aspx/381/aspnet-20-breaking-changes-on-iis-70/

Weblogic server: Why response sent prior to post completion

When analyzing traffic with a packet sniffer, we are seeing an http response from a weblogic server prior to the completion of the http post to that server.
In this case, the jsp page on the server is basically a static page, no logic to do anything with the contents of the post at this time.
But why would the server send the response prior to completion of the post?
I found Weblogic documentation about how to configure the server to ignore a denial-of-service attack using Http post. Maybe that is what is happening?
No one I know has seen this behaviour before. Maybe some weblogic-savvy person will know what is going on.
Thanks
I don't think that Weblogic is analyzing the JSP to determine whether it is static or not.
My guess is that either
someone else was accessing the server at the same time
you saw the answer to a previous request
[EDIT] To determine what is going on, I suggest setting a breakpoint in the JSP. If you still get an answer without hitting the breakpoint, something further up the stack must be intercepting the request (for example, a cache).
