I'm using Jetty as an OSGi bundle with Pax Web.
I would like to be sure that all the servlets and resources registered through the OSGi HttpService are secured by one common SecurityHandler (moreover, I would like to use the JAASLoginService).
I also want to redirect all unauthenticated requests to a single login page.
Is it possible to configure this scenario?
If all servlets use the same HttpContext, it's possible.
As a runtime container with a working JAAS I suggest using Apache Karaf.
It provides all that is needed, including Pax Web as HttpService, including the HttpWhiteboard Extender.
Look at Apache Felix whiteboard HTTP support. You can just register filters in the registry and they are used by the underlying Jetty: http://felix.apache.org/site/apache-felix-http-service.html
Service properties that are supported for filters:
pattern - Regular expression pattern to register filter with.
contextId - Id of context to register with.
service.ranking - Where in the chain this filter should be placed.
init.* - Filter initialization values.
I have not tried this myself yet but will soon ...
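As an added example (not code from the answer above or from the Felix project), the following OSGi bundle activator registers a javax.servlet.Filter through the whiteboard using the service properties the answer lists, and implements the redirect-to-one-login-page behaviour the question asks for. It assumes the whiteboard maps `init.*` properties to the filter's init parameters as stated; the path `/login.html` and the session attribute name `authenticated` are assumptions. The login page itself is excluded from the redirect, otherwise every unauthenticated request would loop.

```java
import java.io.IOException;
import java.util.Dictionary;
import java.util.Hashtable;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;

// Added example: registers one login-redirect filter for every path via the whiteboard.
public class LoginRedirectActivator implements BundleActivator {

    private ServiceRegistration<?> registration;

    @Override
    public void start(BundleContext ctx) {
        Dictionary<String, Object> props = new Hashtable<>();
        props.put("pattern", ".*");                 // regex from the answer: match every request path
        props.put("service.ranking", 100);          // place the filter early in the chain
        props.put("init.loginPage", "/login.html"); // assumed: init.* becomes the init-param "loginPage"
        registration = ctx.registerService(Filter.class.getName(), new LoginRedirectFilter(), props);
    }

    @Override
    public void stop(BundleContext ctx) {
        if (registration != null) {
            registration.unregister();
        }
    }

    static final class LoginRedirectFilter implements Filter {
        private String loginPage = "/login.html";

        @Override
        public void init(FilterConfig config) {
            String configured = config.getInitParameter("loginPage");
            if (configured != null) {
                loginPage = configured;
            }
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // Path relative to the context, so the login page is recognised under any context path.
            String path = request.getRequestURI().substring(request.getContextPath().length());
            if (path.equals(loginPage) || isAuthenticated(request)) {
                chain.doFilter(req, res);   // let the login page itself and authenticated users through
                return;
            }
            response.sendRedirect(request.getContextPath() + loginPage);
        }

        private static boolean isAuthenticated(HttpServletRequest request) {
            // A container SecurityHandler (e.g. backed by JAAS) sets the remote user once logged in.
            if (request.getRemoteUser() != null) {
                return true;
            }
            // Fallback for a form login that marks the session itself (assumed attribute name).
            HttpSession session = request.getSession(false);
            return session != null && Boolean.TRUE.equals(session.getAttribute("authenticated"));
        }

        @Override
        public void destroy() {
        }
    }
}
```

The filter only decides whether a request may proceed; credential checking stays with the login servlet or the container's login service, so the two concerns can be tested separately.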
1) Is it possible using Burp Suite, ZAP or any other web testing tool to find out if an application is making calls to web services?
2) As SOAP web services reply in XML, is it also possible to view the responses to the HTTP request to distinguish them from use of REST web services?
Thanks
Yes, this is normally possible.
You need to configure the application to use the interactive proxy (Burp, ZAP, etc.) as its proxy. Most applications will use your system proxy settings.
Once the proxy is configured, you can see a full history of HTTP interactions (in Burp: Proxy > HTTP History). This includes requests and responses, which will clearly indicate a SOAP or REST service.
I'm embedding Jetty 9.1 from within a Java application. I'm configuring everything programmatically; I am not using web.xml or Spring or anything else. I have Wicket mapped to /* and a RestEASY JAX-RS API mapped to /rest/*. That's all working fine.
I wanted to add HTTP authentication, so I added the following (based upon as much Jetty documentation as I could find):
HashLoginService loginService = new HashLoginService();
loginService.setName("My Realm");
loginService.setConfig("src/main/resources/realm.properties");
server.addBean(loginService);
I added a user with a role of admin to realm.properties. Then I tried to configure my REST service, putting the following annotation on my main JAX-RS resource:
@RolesAllowed({ "admin" })
Then I added the following annotation to my main Wicket page:
@AuthorizeInstantiation("admin")
None of these changes made any difference; I can still use my browser to navigate to my REST API and Wicket pages.
I'm guessing I need to turn on DIGEST authentication in Jetty. But how do I do that programmatically, without a web.xml file? What else do I need to do?
Another answer to a similar question, providing a link to a sample webapp, helped me immensely and got me up and running.
In Jetty v7, you chain the handlers together:
server.setHandler(securityHandler);
securityHandler.setHandler(resourceHandler);
Works on my machine! (tm)
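As an added example (not the poster's code and not from the linked sample webapp), here is a complete programmatic Jetty 9 setup that places a ConstraintSecurityHandler with DIGEST authentication in front of a ServletContextHandler, using the HashLoginService and realm.properties from the question. The port, the `/*` and `/rest/*` path specs and the placeholder servlet are assumptions; the servlet stands in for the Wicket and JAX-RS handlers.

```java
import java.io.IOException;
import java.util.Collections;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.DigestAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

// Added example: embedded Jetty with a security handler wired in without web.xml.
public class SecuredEmbeddedJetty {

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);  // assumed port

        // Users and roles come from realm.properties (format: user: password,role1,role2).
        // The relative path is resolved against the working directory of the JVM.
        HashLoginService loginService = new HashLoginService("My Realm", "src/main/resources/realm.properties");
        server.addBean(loginService);

        // Constraint: every matching request must authenticate and hold the admin role.
        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__DIGEST_AUTH);
        constraint.setRoles(new String[] { "admin" });
        constraint.setAuthenticate(true);

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/*");          // covers the Wicket pages and /rest/* alike
        mapping.setConstraint(constraint);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setAuthenticator(new DigestAuthenticator());
        security.setRealmName("My Realm");   // must match the login service name
        security.setLoginService(loginService);
        security.setConstraintMappings(Collections.singletonList(mapping));

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.setSecurityHandler(security);   // enforcement runs before any servlet is invoked
        context.addServlet(new ServletHolder(new WhoAmIServlet()), "/rest/*");

        server.setHandler(context);
        server.start();
        server.join();
    }

    // Placeholder resource: reports the authenticated principal so the setup can be checked.
    static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("user=" + req.getRemoteUser() + " admin=" + req.isUserInRole("admin"));
        }
    }
}
```

An unauthenticated request to any path now receives 401 with a Digest challenge; a request carrying valid admin credentials reaches the servlet with `getRemoteUser()` populated. Annotations such as @RolesAllowed rely on a container that enforces them, which is why adding them alone changed nothing; with this handler the container performs the check. If the server is fronted by TLS, swapping in `BasicAuthenticator` with `Constraint.__BASIC_AUTH` is the common alternative.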
How do they differ in action? Does a servlet print HTML only?
Servlet:
--is a web component
--it's a powerful Java technology
--managed by a container (namely a web server such as Tomcat) that generates dynamic content
--platform-independent Java classes (byte code)
--interacts with web clients in a request/response paradigm
--request handling methods: doGet, doPost, doDelete, doPut, doOptions, doHead, doTrace
REST WS (Representational State Transfer Web Service):
--a way of achieving service-oriented architecture in a web application
--it's an architectural concept
--a web service resource is uniquely identifiable using URLs
--it has an explicit relationship with the HTTP methods, namely GET, POST, PUT, DELETE
--highly reusable across platforms
A Rest WS is a service which you call, which returns data in a REST format.
A Servlet is a bit of UI that shows information to the user.
They are very different, although a Servlet could get the information that it displays from a Rest web service.
All of them are web services, but what's the difference?
WSDL (Web Service Description Language) is a standard notation for describing a Web Service in XML.
DISCO is a tool for querying SOAP and similar services and extracting useful information from the WSDL provided.
EVENTs is a proposed standard which uses WSDL and extends it to support publish/subscribe-type event-driven processes.
WSDL:
WSDL is a markup language that describes the web service. In order to use this Web service, the Client application developers need to know the methods exposed by the Web service and the parameters to be passed to these methods. It is imperative that access to these methodologies is available at development time and it is just this need that WSDL addresses.
DISCO:
The Web Service Discovery Tool (DISCO) is used to discover the URLs of XML Web Services located on a Web server and saves documents related to each XML service on a local disk. DISCO takes the URL as an argument, then discovers and publishes discovery documents (.wsdl, .xsd, .disco and .discomap files). Some of the options available for use with this tool are:
/d[omain]:domain - Specifies the domain name to use when connecting to a proxy server that requires authentication
/nosave - Does not save the discovered document or results
/nologo - Suppresses the Microsoft startup banner display
/o[ut]:directoryName - Specifies the output directory in which to save the discovered documents. Current directory is the default one.
/p[assword]:password - Specifies the password to use when connecting to a proxy server
/proxy:url - Specifies the URL of the proxy server to use for HTTP requests.
DISCO is a tool, not a web service itself.
EVENT:
If you mean WS-Eventing, see here.
UDDI - UDDI is a central directory. It has web services listed from multiple domains and servers.
DISCO - DISCO contains web services listed from one domain and server, from which a particular web service can be selected.
WSDL - It describes the rules or grammar for the functions that are exposed in the web services.
I have different Spring Web Services, which are included into the context by the Endpoint annotation, so there are no dependencies apart from the annotation (no interface etc.). Therefore, no "context" information is present.
Now I want to chain a web service request, i.e. an Endpoint is called which itself should call a web service on the same server. I can use Spring's WebServiceTemplate; however, I need the current server URL for this request.
Is there any way this URL can be injected during application startup into the Endpoints? Since the Endpoints do not extend any class, there is no way to get this information anywhere inside the Endpoints, and the request parameters do not have this information either (these are simple JAXB classes, which are marshalled on request).
I believe the best option is to send the URL as part of the request.
This also enables you to dynamically change the URL to a third server later.
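As an added example (not code from the question or the answer), the following Spring-WS endpoint carries the target URL in the request payload as the answer suggests, and chains a second call through WebServiceTemplate. Because the request now names the server to be called, the example checks the URL against a configured host allow-list before using it. The namespace, element names, the allow-list contents and the JAXB payload classes are assumptions; a Jaxb2Marshaller covering these classes is assumed to be configured on the template.

```java
import java.net.URI;
import java.util.Set;

import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;

import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.server.endpoint.annotation.Endpoint;
import org.springframework.ws.server.endpoint.annotation.PayloadRoot;
import org.springframework.ws.server.endpoint.annotation.RequestPayload;
import org.springframework.ws.server.endpoint.annotation.ResponsePayload;

// Added example: endpoint that forwards to a second service named in the request.
@Endpoint
public class ChainingEndpoint {
    static final String NS = "http://example.invalid/chain";   // assumed namespace

    private final WebServiceTemplate template;
    private final Set<String> allowedHosts;                    // e.g. the server's own host name(s)

    // Both collaborators are injected at startup; nothing is read from a servlet context.
    public ChainingEndpoint(WebServiceTemplate template, Set<String> allowedHosts) {
        this.template = template;
        this.allowedHosts = allowedHosts;
    }

    @PayloadRoot(namespace = NS, localPart = "chainRequest")
    @ResponsePayload
    public ChainResponse chain(@RequestPayload ChainRequest request) {
        URI target = URI.create(request.targetUrl);
        // Only https targets on configured hosts are called; anything else is rejected.
        if (!"https".equals(target.getScheme()) || !allowedHosts.contains(target.getHost())) {
            throw new IllegalArgumentException("target host not permitted: " + target.getHost());
        }
        InnerRequest inner = new InnerRequest();
        inner.value = request.value;
        // Second hop to the same server now, or to a third server later, as the answer notes.
        InnerResponse innerResponse = (InnerResponse) template.marshalSendAndReceive(target.toString(), inner);
        ChainResponse response = new ChainResponse();
        response.result = innerResponse.result;
        return response;
    }

    @XmlRootElement(name = "chainRequest", namespace = NS)
    public static class ChainRequest {
        @XmlElement(namespace = NS) public String targetUrl;
        @XmlElement(namespace = NS) public String value;
    }

    @XmlRootElement(name = "chainResponse", namespace = NS)
    public static class ChainResponse {
        @XmlElement(namespace = NS) public String result;
    }

    @XmlRootElement(name = "innerRequest", namespace = NS)
    public static class InnerRequest {
        @XmlElement(namespace = NS) public String value;
    }

    @XmlRootElement(name = "innerResponse", namespace = NS)
    public static class InnerResponse {
        @XmlElement(namespace = NS) public String result;
    }
}
```

The allow-list is the piece to keep even if the rest is adapted: a request-supplied URL that is used unchecked turns the endpoint into a relay to arbitrary hosts, whereas restricting it to known hosts preserves the flexibility the answer describes.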