I need to disable PUT, DELETE & TRACE HTTP requests on my Application Server, Apache Tomcat 6.0.
All other sources, i have searched till now, have directed me towards the limit parameter in httpd.conf, Hence I'd put it before-hand that I am not using Apache Web Server, and requests are directly being handled by Tomcat, and so there is no httpd.conf in picture.
Please suggest how should I do it on Tomcat?
Inside your WEBINF, add you can add a security constraint:
<security-constraint>
<web-resource-collection>
<web-resource-name>Forbidden</web-resource-name>
<url-pattern>/blah/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>empty_role</role-name>
</auth-constraint>
</security-constraint>
Alternatively, you can do these two things:
In server.xml, edit the <connector> element, add an attribute: allowTrace="false". Then edit the DefaultServlet: $CATALINA_HOME/conf/web.xml
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>
org.apache.catalina.servlets.DefaultServlet
</servlet-class>
<!-- blah blah blah -->
<init-param>
<param-name>readonly</param-name>
<param-value>true</param-value>
</init-param>
</servlet>
The answer lies in the servlet specification. In looking at the API for the servlet: http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/http/HttpServlet.html you'll see that different methods handle different kind of HTTP requests. Also, there is a great feature called filters that can be used to wrap some code around servlets and filters.
So the solutions are:
Modify the servlet to only support do and get; or
Create a filter to clear those other kind of requests.
Related
I want to listen to contextInitialized() and contextDestroyed() events. I created jetty.xml file where I want to specify the class that will be responsible for listening. The error message I get: Unknown tag: listener.
The content of the file:
<Configure class="org.eclipse.jetty.server.Server">
<listener>
<listener-class>test.Application</listener-class>
</listener>
</Configure>
<Configuration> is for configuring a specific object in Jetty.
That syntax has a DTD that explains what you are allowed to use as far as what XML elements.
<listener> is not available in that DTD.
That's the reason for the error Unknown tag: listener
Now, lets dig a bit deeper...
Why do you want a Listener that listens for contextInitialized() and contextDestroyed()?
I assume you want a javax.servlet.ServletContextInitializer based on those method names.
That's only available in a specific webapp, not for all webapps.
The most common way to configure that is in the webapp's own WEB-INF/web.xml
That's where your <listener> block needs to be.
I have a several servlets and in my case I need to implement ServletRequestListener. But, I don't want the listener to react on every request in any servlet. I would like to know if there any possibility to map a specific ServletRequestListener to a specific certain servlet. My web.xml looks like:
<servlet>
<servlet-name>CommonsServlet</servlet-name>
<servlet-class>
com.promptlink.dslib.gwt.common.server.rpc.CommonsServletImpl</servlet-class>
</servlet>
...
<listener>
<listener-class>
com.promptlink.dslib.gwt.common.server.httpListeners.ServletRequestListenerImpl
</listener-class>
</listener>
That's not possible with a ServletRequestListener. A servlet request listener listens on every servlet request. Just create a Filter instead which you can simply map directly to servlet name (no, not to its URL pattern, that's maintenance unfriendly).
<filter>
<filter-name>CommonFilter</filter-name>
<filter-class>com.example.CommonFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CommonFilter</filter-name>
<servlet-name>CommonsServlet</servlet-name>
</filter-mapping>
See also:
Our servlet filters wiki page
Why do we need a servlet name?
If you only want to react on the requests of a specific servlet then the servlet itself would be the ideal place to do this.
If you don't control the servlet code you can write a Filter and give it the same URL pattern as the servlet or directly refer to the servlet in the filter mapping.
I have a web application that performs ajax request to a web service on a different port (i.e. my application and the server are on different domains).I have not access to the server APIs, so I cannot use JSONP.I am resolving using the Smiley's HTTP Proxy Servlet, so my web.xml file contains this section:
<servlet>
<servlet-name>rs</servlet-name>
<servlet-class>org.mitre.dsmiley.httpproxy.ProxyServlet</servlet-class>
<init-param>
<param-name>targetUri</param-name>
<!-- my servlet is hosted at http://my_ip:my_port/webapp -->
<param-value>http://my_ip:other_port/rest-services/rs</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>rs</servlet-name>
<url-pattern>/rs/*</url-pattern>
</servlet-mapping>
Unfortunately I have to deploy the web application on different machines (development, test, production), that respond to different IP addresses.
Is there a way to make the IP address change dinamically in the web.xml file, or to retrieve the current domain somehow? Or do I have to manually change the IP address every time before compiling?
Ok, I found the solution by myself.
I just had to replace the IP with localhost:
<param-value>http://localhost:other_port/rest-services/rs</param-value>
(it seems like a stupid answer for a stupid question, but I was sure I already tried that on the past and failed. Now it seems to work.)
We have an existing application not using Spring MVC. We decided to keep existing features as is and add Spring MVC in for any other new features through a url like "/admin/*.
so here is the web.xml mapping:
<servlet>
<servlet-name>springRouted</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/mvc-config.xml</param-value>
</init-param>
<load-on-startup>4</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springRouted</servlet-name>
<url-pattern>/admin/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ExistingServlet</servlet-name>
<url-pattern>existing.do</url-pattern>
</servlet-mapping>
Here in the ExistingServlet, there is a call to request.getRequestDispatcher().forward("/admin/...jsp"), somehow Spring will detect this fowarding and report an error that not able to find mapping for "/admin/...jsp". It seems calling request.getRequestDispatcher().forward("/admin/...jsp") will make servlet container to recheck the web.xml and reroute through Spring's DispatchServlet. is it true? I thought this kind of internal forward won't be intercepted by Spring's DispatchServlet
A RequestDispatcher will be resolved against the mappings you have in your deployment descriptor (web.xml) or other Servlet configuration, basically all servlet mappings.
When you do
request.getRequestDispatcher("/admin/...jsp");
The Servlet container finds the Servlet (or other resource) meant to handle that path and wraps it in a RequestDispatcher object. When you then perform RequestDispatcher#forward(..) on the returned object, you are executing the service() method of the Servlet that was previously found.
In your example, that would be the DispatcherServlet. If your DispatcherServlet is configured to handle a request to /admin/...jsp, then it will do so. If not, it will throw its own custom exception, responding to the HTTP request with a 404.
Here are some more details on how getRequestDispatcher() works.
I cannot connect to the auto generated spring security log-in page. According to the documentation, including the following lines in your security-context.xml will have Spring generate an html log-in form and redirect the user to it when trying to connect to the specific URL:
<http auto-config="true" >
<intercept-url pattern="/management-console" access="ROLE_ADMIN"/>
</http>
<authentication-manager ... />
Here is the rest of my configuration. Web.xml:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:/context/applicationContext.xml <!-- I am importing my security-context.xml in here -->
<param-value>
</context-param>
<!-- Security Configuration -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/management-console</url-pattern>
</filter-mapping>
I have tried importing the security-context.xml directly in the web.xml, but I still see the error.
After deploying my application, I can connect to each my specified urls without issue. However, when I try to go to localhost:{port}/{appName}/management-console, the filter chain redirects me to /spring_security_login (as expected). However, I see an "HTTP Status 405 - Request method 'GET' not supported" error once I am forwarded and the following comes up on the console (spring-mvc is the name I gave to my servlet):
org.springframework.web.servlet.PageNotFound | No mapping found for HTTP request with URI [/InternalManagementViewer/spring_security_login] in DispatcherServlet with name 'spring-mvc' |
I have seen this error before when I miss declaring a POST/GET mapping in the controller. According to the documentation, I should not have to include such a method in my controller to handle the /spring_security_login mapping. From what I have read, spring is supposed to know to return the auto-generated log-in html page.
Just to see what happens, I declared a method in my controller to handle the /spring_security_login mapping. Since the function returns void (because I do not know the local view name of the generated html log-in page), it looks for the resource named "spring_security_login.jsp", which is not explicitly created in my project, and thus I get an "HTTP resource not found" error.
I'm stumped on this one and could really use a hand. Thanks a lot for taking a look.
Apply springSecurityFilterChain filter to all URLs:
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
springSecurityFilterChain is an entry point for all Spring Security features. So if this filter is not applied to some URL then you will not be able use Spring Security there (in this case handle /spring_security_login URL).