spring security cookie path - cookies

I need help regarding the Spring Security cookie path.
We have 2 web applications running in Tomcat, app1 and app2. Both use the same domain, like www.company.com/app1 and www.company.com/app2. Everything works fine and perfectly in Tomcat.
But when we migrate to WebSphere, it started giving issues. The issue is that when a user logs in to app1, the app2 cookie gets overwritten, because WebSphere stores the cookie in the root path / and both applications, using the same domain, overwrite each other's cookie. In Tomcat it is stored in the application path, like /app1 and /app2, so there is no problem.
I am able to configure WebSphere to make it work by configuring the application cookie path. Please see https://serverfault.com/questions/461518/websphere-jsessionid-cookie-overwrite-between-two-apps-on-the-same-domain-diffe for how to configure it in WebSphere.
Now my question is, I don't want to configure this in WebSphere. How can I do this at the application level, like configuring the Spring Security XML or any other place? We want to do this at the application level because it will be more portable and behave the same in all containers.
I have tried to configure web.xml by adding the following, but it is not working.
<session-config>
    <session-timeout>720</session-timeout>
    <cookie-config>
        <name>JSESSIONID</name>
        <path>/app1</path>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
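The JSESSIONID cookie is issued by the servlet container, not by Spring Security, so the portable application-level equivalent of the web.xml block above is the Servlet 3.0 SessionCookieConfig API. The listener below is an added example, not code from the question; the class name is hypothetical, and it derives the cookie path from the deployed context root instead of hard-coding /app1, so the same WAR scopes its session cookie correctly in any container.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Hypothetical listener: scopes the container's session cookie to this
// application's own context root (e.g. /app1) at startup, so two apps on
// the same host do not overwrite each other's JSESSIONID. Also sets the
// HttpOnly and Secure flags, mirroring the <cookie-config> in web.xml.
@WebListener
public class SessionCookieScopeListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // getContextPath() returns "" for the root context; the cookie path
        // must then be "/" rather than an empty string.
        String contextPath = sce.getServletContext().getContextPath();
        String cookiePath = contextPath.isEmpty() ? "/" : contextPath;

        // SessionCookieConfig may only be changed while the context is still
        // initializing, which is exactly when this callback runs.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setPath(cookiePath);
        cfg.setHttpOnly(true);   // not readable from JavaScript
        cfg.setSecure(true);     // only sent over HTTPS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

On WebSphere this still counts as programmatic modification of the session cookie, so it is subject to the same restricted programmatic session cookies list (SRVE8111E) that the later question on this page runs into; the container setting there decides whether the application is allowed to override the path at all.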

How to prevent msdeploy from overwriting IIS site configuration on server stored in web.config

I'm deploying using VS2017, and MSdeploy WMSVC seems to be overwriting the settings of the IIS site being deployed to.
The site settings, in IIS Manager, have an IIS Authentication panel, with Anonymous Authentication Credentials set to Application Pool Identity.
After deployment, all requests get a 401.3 unauthorized error, because the Anonymous Authentication Credentials setting gets set to user:
Clearly this is getting overwritten because of a clash between SERVER-specific settings and DEVELOPMENT-specific settings.
In any MSDeploy scenario, what strategy can we use to prevent the target IIS settings from getting walked on by development server settings? My first thought is, IIS first looks for site.config, which would contain system.webServer, then web.config updates/overrides any of those, i.e. <handler remove key="xxx" /> and so forth. Is this only solvable by XDT transforms?
In my opinion, the best solution to this is using web.config XDT transforms.
Since the web.config file will also be published when deploying to the IIS server, if you have set the anonymousAuthentication setting in the web.config, it will use the web.config setting instead of your server default setting.
Here is another solution (it will show the error page):
If you don't want to let the web.config modify the default IIS setting, you could modify the feature delegation to disable overriding the setting from web.config.
You could find it in the IIS management feature:
Select read only:
Notice:
If you modify the Anonymous Authentication from the web.config, you will face the below error:

The application, MyEAR, is trying to modify a cookie which matches a pattern in the restricted programmatic session cookies list

I am getting the below exception while deploying my application on WebSphere Application Server 8.5.5:
java.lang.RuntimeException: SRVE8111E: The application, MyEAR, is trying to modify a cookie which matches a pattern in the restricted programmatic session cookies list [domain=*, name=JSESSIONID, path=/].
I found that if I remove the below entry from my web.xml [session-config], then no error is shown on deployment and everything works fine.
<cookie-config>
    <http-only>true</http-only>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
The same EAR is able to deploy and run perfectly on JBoss and WebLogic Server.
Please let me know what configuration change I have to make, in which XML file, to overcome this issue.
My application has application.xml, jboss-deployment-structure.xml and weblogic-application.xml.
Thanks in advance.
If you want the server to allow you to modify the session cookie it's using for HTTP sessions, you can remove the cookie from Security > Global security > Programmatic session cookie configuration in the WAS Admin Console.
But you shouldn't modify the session cookie.
I had the same issue in WebSphere App Server, and this was fixed after I changed the cookie path to the context root instead of path=/. You could try the same.
Well, removing them from Global security is a solution, but this will impact other applications also.
How I fixed this:
Changed the name of the session ID cookie from the default jsessionid to something else.

authenticate play 1.2.x application running on separate server from another play 1.2.x application implemented with secure module

I have developed a Play 1.2.5 application and implemented the secure module for authentication. It's working fine. Now I have developed another Play 1.2.5 application which is running on a separate server. I have an href tag in my first Play application which links to the second application. On logging in through my first application, I want the username to be passed to the second application, because I am using the logged-in username. As soon as I log out from the first application, the session (username) should be removed from the second application too.
How can I achieve this... Please help!
If you run both servers on one domain (such as www.example.com) and use a load balancer (like nginx) to transfer requests to the two servers, you just need to make sure the config application.secret is the same for both.
If you run on different sub-domains (recommended), you MUST do it like this:
Servers should use sub-domains, for example the login server is login.example.com and the application server is app.example.com
Use the config application.defaultCookieDomain=.example.com for both servers, then they can use each other's cookies
Make sure both servers have the same config application.secret
If you really want to use 2 different domains, like example.com and example.net, you should implement OAuth on the login server and provide an API to call from the application server.

Facebook Debugger unable to test localhost

I am building a Facebook app using Django. So, for development, I connected the app to localhost. My app is loading on canvas and working fine, but the Facebook debugger is unable to test it correctly when I give a localhost address as input.
These are the requests I tried in the debugger:
http://localhost
https://localhost/
http://127.0.0.1/
localhost
etc.
Almost all possible combinations. It showed me
Error Parsing URL: Error parsing input URL, no data was scraped.
When I deployed the same code on Heroku and tried, it was working!
So,
Can't I debug the project on localhost? What's the point in working on it then??
If I can work, how should I fix it?
Can't I debug the project on localhost? What's the point in working on it then??
You can debug your code etc. on localhost – but of course you can't have Facebook's debug tool reach a site on your localhost, because Facebook (and everyone else on the web) has no idea what machine your localhost actually is. (Absolute basics, dude!)
If I can work, how should I fix it?
You have to make your web server accessible from the “outside”, over the internet.
Set up your test server so that it accepts requests from outside IPs, and get a DynDNS address (basically something that can be resolved by third parties like Facebook over the DNS).
You can access Facebook apps locally, but you need to fake the domain of your local computer. You can do this by adding
127.0.0.1 mysite.test.example.com
to /etc/hosts. You should change mysite.test.example.com to your domain. Your Facebook app needs to be configured for that domain. You can then use the Facebook app locally and debug your project.
The alternative is to set up a web server and use its domain for testing purposes (but this is not ideal because you'll need to commit and build the code before you can see your changes).

Two application servers on one web server?

I have a Rails app which provides service through an Nginx server (with Thin). Now I want to build another app in Node.js on the same machine.
My question is, can I have Nginx redirect users' requests? E.g. when a user accesses 'foo.mydomain.com' it will be processed by the Rails app, and when she visits 'bar.mydomain.com' it can be processed by the Node app.
(I'm not sure whether it's related to the type of apps, i.e. Rails, Node.js, etc.)
You can set up two server blocks in your nginx config, one listening for bar.mydomain.com and the other for foo.mydomain.com, and then use the proxy_pass module in nginx to forward the requests to your Node or Rails app.