We are forcing redirect from http to https using security constraint policy set to CONFIDENTIAL. Although in local development we want to remove the constraint. With Jetty 7 we were using override-web.xml that was reassigning transport security from CONFIDENTIAL to NONE. Now after we migrated to Jetty 9 it suddenly stopped doing so. I suspect that now with Jetty 9 instead of overriding transport security it adds constraint to the list.
How to override security constraint from CONFIDENTIAL to NONE in local environment?
This is the part that is coming from web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Some server</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
In local development we are running jetty with jetty-maven-plugin and specifying override-web.xml. This is the part that is coming from override-web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Some server</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
Jetty version before: 7.6.10.v20130312
Jetty version after: 9.2.18.v20160721
This functionality should be working in Jetty 9 as in Jetty 7.
You can find the WebApp configuration instructions from here
They've changed the tags a bit in Jetty 9 so be extra careful when reading the configuration. You should have something like this in your pom.xml:
<configuration>
<webApp>
<overrideDescriptor>{path_to_your_override_xml}</overrideDescriptor>
</webApp>
</configuration>
For example, the tag
<webApp> </webApp>
was earlier
<webAppConfig> </webAppConfig>
Follow the Jetty startup log and verify that your overrides are applied:
[INFO] Web overrides = {path_to_your_override_xml}
Related
I have a very simple spring boot application which as one controller:
#RestController
public class HomeController {
#GetMapping(path = "/")
public String getHome() {
return "Hello world";
}
}
and the following security configuration to enforce https:
#Configuration
public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
// require https!
http.requiresChannel().anyRequest().requiresSecure();
}
}
the application.properties looks like this:
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
the maven dependencies are:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
The manifest.mf looks like this:
applications:
- name: jt-demo
memory: 1G
instances: 1
path: ./target/demo.jar
buildpacks:
- https://github.com/cloudfoundry/java-buildpack#v4.17.2
env:
JAVA_OPTS: -Djava.security.egd=file:///dev/urandom
JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 11.+ }}'
I install the app on two different cloudfoundry providers (pivotal and swisscom) via this command: cf push jt-demo -f manifest.yml
when I run this app on https://run.pivotal.io, and access it via https it works as expected and the browser shows me the expected "Hello world". But when I run it on the swisscom developer application cloud (https://developer.swisscom.com), then I get ERR_TOO_MANY_REDIRECTS (to many 302).
It seems the two cloudfoundry environments are not handling HTTPS the same way.
I know pivotal runs the cf api version 2.138.0 and swisscom has 2.136.0 - but I don't expect this to be the reason.
How can I fix the app/configuration for swisscom dev?
I finally found the answer to my problem here Spring Boot HTTPS redirect loop after Swisscom Application Cloud update
https://docs.developer.swisscom.com/devguide-sc/buildpacks/java/caveats.html
it's a bit unexpected to have to configure server.tomcat.internal-proxies for swisscom...
I'm trying to deploy a minimal Scalatra application on Openshift with DIY cartridge. I've managed to get SBT working, but when it comes to container:start, I get the error:
FAILED SelectChannelConnector#0.0.0.0:8080: java.net.SocketException: Permission denied
Apparently, embedded Jetty tries to open socket at 0.0.0.0, which is prohibited by Openshift (you can only open ports at $OPENSHIFT_INTERNAL_IP). How can I tell Jetty exactly which IP I need it to listen?
Yes you are right about $OPENSHIFT_INTERNAL_IP. So edit ${jetty.home}/etc/jetty.xml and set jetty.host in the connector section as follows:
…..
<Set name="connectors">
<Array type="org.mortbay.jetty.Connector">
<Item>
<New class="org.mortbay.jetty.nio.SelectChannelConnector">
<Set name="host"><SystemProperty name="jetty.host" />$OPENSHIFT_INTERNAL_IP</Set>
<Set name="port"><SystemProperty name="jetty.port" default="8080"/></Set>
...
</New>
</Item>
</Array>
</Set>
hth
I've never used Openshift, so I'm groping a bit here.
Do you have a jetty.host set?
You may need to set up a jetty.xml file and set it in there. See http://docs.codehaus.org/display/JETTY/Newbie+Guide+to+Jetty for how to set the host. You can tell the xsbt web plugin about jetty.xml by setting your project up like this:
https://github.com/JamesEarlDouglas/xsbt-web-plugin/wiki/Settings
Alternately, you may be able to pass the parameter to Jetty during startup. That'd look like this: -Djetty.host="yourhostname"
To get running with jetty 9.2.13.v20150730 on the Openshift with DIY cartridge you have to run with Java8 setting it to run on the $OPENSHIFT_INTERNAL_IP as follows. First ssh onto the host and download a jdk8 with
cd $OPENSHIFT_DATA_DIR
wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u5-b13/jdk-8u5-linux-x64.tar.gz
tar -zxf jdk-8u5-linux-x64.tar.gz
export PATH=$OPENSHIFT_DATA_DIR/jdk1.8.0_05/bin:$PATH
export JAVA_HOME="$OPENSHIFT_DATA_DIR/jdk/jdk1.8.0_05"
java -version
Then in your .openshift\action_hooks\start ensure you have the same exported variables with something like:
# see http://stackoverflow.com/a/23895161/329496 to install jdk1.8 no DIY cartridge
export JAVA_HOME="$OPENSHIFT_DATA_DIR/jdk/jdk1.8.0_05"
export PATH=$OPENSHIFT_DATA_DIR/jdk1.8.0_05/bin:$PATH
nohup java -cp ${OPENSHIFT_REPO_DIR}target/dependency/jetty-runner.jar org.eclipse.jetty.runner.Runner --host ${OPENSHIFT_DIY_IP} --port ${OPENSHIFT_DIY_PORT} ${OPENSHIFT_REPO_DIR}/target/thinbus-srp-spring-demo.war > ${OPENSHIFT_LOG_DIR}server.log 2>&1 &
(Note that jdk-8u20-linux-x64.tar.gz has also been reported to work so you may want to check for the latest available.)
That setup does not need a jetty.xml as it sets the --host and --port to bind to the correct interface and run the built war file. What it does require is that jetty-runner.jar is copied out of the ivy cache into the target folder. With maven to do that you add something like:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.3</version>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>copy</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-runner</artifactId>
<version>${jetty.version}</version>
<destFileName>jetty-runner.jar</destFileName>
</artifactItem>
</artifactItems>
</configuration>
</execution>
</executions>
</plugin>
Google suggest that the SBT equivalent is simply retrieveManaged := true. You can ssh to the host and run find to figure out where the jetty-runner.jar dependency has been copied to and update the start command appropriately.
How do I change the log level for the classloaders in Jboss as 7?
As a side note;
I have found information on how to do this in Jboss 5 and below but since the classloading and logging has completely changed in Jboss 7 I cant figure out how to do it.
https://community.jboss.org/wiki/EnableClassloaderLogging
Add the following to JAVA_OPTS in your start up script.
-verbose:class
And the following to your Jboss config file (standalone.xml for example).
<profile>
<subsystem xmlns="urn:jboss:domain:logging:1.1">
<logger category="org.jboss.as.deployment">
<level name="DEBUG"/>
</logger>
</subsystem>
</profile>
For testing purposes I want to use Jetty 8 to serve only static content. I know how to start the webserver from the command line:
java -jar start.jar jetty.port=8082
I would like to be able to use a vanilla Jetty, preferably 8 or 7, and start it using something like:
java -jar start.jar OPTIONS=resources resources.root=../foo jetty.port=8082
The files should then be accessible from the root of the server. A file called ../foo/x.html should be accessible via http://localhost:8082/x.html.
I don't want to create a WAR file or anything fancy. Preferably it shouldn't do any caching on the server side, leaving the files unlocked on Windows machines. Also, I only want to serve files, even located in subdirectories, no fancy file browser or ways to modify them from a client.
Is this possible? If not, what is the minimum configuration needed to accomplish such behavior?
Additional information
I've tried the following command. I expected to be able to browse the javadoc shipped with Jetty 8 using http://localhost:8080/javadoc/, but it always gives me a 404
java -jar start.jar --ini OPTIONS=Server,resources etc/jetty.xml contexts/javadoc.xml
The simplest way to start Jetty and have it serve static content is by using the following xml file:
static-content.xml:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="FileServer" class="org.eclipse.jetty.server.Server">
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
<Set name="host"><Property name="jetty.host" /></Set>
<Set name="port"><Property name="jetty.port" default="8080"/></Set>
</New>
</Arg>
</Call>
<Set name="handler">
<New class="org.eclipse.jetty.server.handler.ResourceHandler">
<Set name="resourceBase"><Property name="files.base" default="./"/></Set>
</New>
</Set>
</Configure>
Than you can start Jetty using:
java -jar start.jar --ini static-content.xml files.base=./foo jetty.port=8082
If you omit files.base, the current direcory will be used; if you omit jetty.port, port 8080 will be used.
The --ini will disable the settings from start.ini, therefore also make sure no other handlers etc. will be activated.
A bit of offtopic, but somebody using maven may wish to this something like this (supposing that static resources have been copied to target/web):
<plugin>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty-maven-plugin</artifactId>
<version>8.1.9.v20130131</version>
<executions>
<execution>
<id>start-jetty</id>
<phase>install</phase>
<goals>
<goal>start</goal>
</goals>
<configuration>
<webAppConfig>
<resourceBases>
<contextPath>/</contextPath>
<resourceBase>${project.build.directory}/web</resourceBase>
</resourceBases>
</webAppConfig>
</configuration>
</execution>
</executions>
</plugin>
In your distribution under the contexts directory is a javadoc.xml that you can use as an example on how to do this easily enough.
http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-distribution/src/main/resources/contexts/javadoc.xml
that is what it actually looks like
you are looking to change the context path and the resource base
would also recommend just removing jetty-webapps.xml from the startup in the start.ini file and also removing the context files you don't want to deploy with
you can look at setting some of the other options in the start.ini file as well if you like
http://wiki.eclipse.org/Jetty/Feature/Start.jar
go there for information the start process
cheers
I have installed AppFabric on the server. I have created a cluster of a single computer . I have also create a cache named "Gagan".
used the following commands in order
Use-CacheCluster -Provider xml -ConnectionString \NB-GJANJUA\Cache
Start-CacheCluster
Result is that the cache service is up and running ..so far so good.
I then setup my web.config file like below
<?xml version="1.0"?>
<configuration>
<configSections>
<section name="dataCacheClient"
type="Microsoft.ApplicationServer.Caching.DataCacheClientSection,
Microsoft.ApplicationServer.Caching.Core, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35"
allowLocation="true"
allowDefinition="Everywhere"/>
</configSections>
<!-- cache client -->
<dataCacheClient>
<!-- cache host(s) -->
<hosts>
<host
name="NB-GJANJUA.com"
cachePort="22233"/>
</hosts>
</dataCacheClient>
<system.web>
<compilation debug="true" targetFramework="4.0" >
<assemblies>
<add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="Microsoft.ApplicationServer.Caching.Client, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add assembly="Microsoft.ApplicationServer.Caching.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</assemblies>
</compilation>
<sessionState mode="Custom" customProvider="SessionStore" cookieless="true">
<providers>
<add name="SessionStore" type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider" cacheName="Gagan" />
</providers>
</sessionState>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
But as soon as I launch my site , it comes up with this error
Parser Error Message: ErrorCode:SubStatus:There is a temporary failure. Please retry later. (One or more specified Cache servers are unavailable, which could be caused by busy network or servers. Ensure that security permission has been granted for this client account on the cluster and that the AppFabric Caching Service is allowed through the firewall on all cache hosts. Retry later.)
Source Error:
Line 44: <sessionState mode="Custom" customProvider="SessionStore" cookieless="true">
Line 45: <providers>
Line 46: <add name="SessionStore" type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider" cacheName="Gagan" />
Line 47: </providers>
Line 48: </sessionState>
Is there something that I am missing ?
Note : I have already referenced the
Microsoft.ApplicationServer.Caching.Client and the
Microsoft.APplicationServer.Caching.Core assemblies
THanks for your time and patience
With Regards
Gagan Janjua
I was also having this error. Just to test client in development I switched off security by using AppFabric Power Shell command
Stop-CacheCluster
Set-CacheClusterSecurity -SecurityMode None -ProtectionLevel None
Start-CacheCluster
Also set following in client application in web.config
<dataCacheClient>
<securityProperties mode="None" protectionLevel="None"/>
</dataCacheClient>
This is not production scenario but the above error disappear when these settings are applied.
I had a similar issue, running IIS 7.5 on Windows Server 2008 R2. I resolved it by issuing the following commands in PowerShell (started from the Windows AppFabric folder in Start, All Programs):
New-Cache -CacheName NameOfCacheAsSetInWebConfig -TimeToLive 30
Grant-CacheAllowedClientAccount "IIS AppPool\NameOfAppPoolRunningSite"
Once I did that, I was all set.
Have you granted access to the cache for whatever user your website is running as?
Grant-CacheAllowedClientAccount Gagan
I solved this problem as follows:
Launch Windows Task manager and notice under what User Name your w3wp.exe is running?
In my case it was: ASP.NET v4.0
Launched Start -> All Programs -> Windows Server App Fabric -> IIS manager
In IIS , select Machine name and then Application Pools on top left handside.
In Application Pools..Verify that ASP.net v4.0 exists under Application Pools.
Launched Start -> All Programs -> Windows Server App Fabric -> Caching Administration Windows Power Shell
Type the following command on the prompt: Grant-CacheAllowedClientAccount "ASP.NET v4.0"
restarted the web application and following error went away:
ErrorCode<ERRCA0017>:SubStatus<ES0006>:There is a temporary failure. Please retry later. (One or more specified Cache servers are unavailable, which could be caused by busy network or servers. Ensure that security permission has been granted for this client account on the cluster and that the AppFabric Caching Service is allowed through the firewall on all cache hosts. Retry later.)
I had this problem and it was just that the Cache Cluster was down after a reboot. I didn't realize that you have to manually switch the service to start automatically in the services. Detailed information on that is here.
Commenting out the following in the config fixed it for me:
<sessionState customProvider="AppFabricCacheSessionStoreProvider" mode="Custom" timeout="90">
<providers>
<add name="AppFabricCacheSessionStoreProvider" type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider" cacheName="Session" sharedId="SharedApp" />
</providers>
</sessionState>
By default the worker processes will be setup as an iis user, those users need access. In your Caching Administration Windows Powershell type the following
Grant-CacheAllowedClientAccount IIS_IUSRS