We are trying to log all http requests made to our Tomcat server, in particular SOAP requests.
Our server setup is as follows:
Tomcat 7.0.11
Axis 2
Gentoo Linux
So far we have used the RequestDumperFilter class however this only shows us the header information.
What we require is the ability to view the request body containing the SOAP request XML.
I guess you could make use of some request processing components but I'm not sure if there is an easy way to view the request body in Tomcat.
From what I know, the ExtendedAccessLogValve provides the most information about the request but even this is missing the body.
The most simple solution would be to move the logging away from Tomcat and use a proxy server. You place the proxy between the server and it's clients and do the logging in the proxy.
Proxy receives request, logs it, then forwards to Tomcat which generates response, sends it to the proxy which logs it and then sends it to client. The simplest proxy I used (and did its job pretty well) was the Apache TCP Monitor.
Additionally you could look at something like Fiddler and see if that helps.
Related
I am currently making a server that serves API requests to mobile clients. I want to somehow block web browsers or tools like cURL from making requests to my API. Is that possible? If it is, what is the most secure and efficient way of doing that?
Your server cannot really block individual curl requests. However, your server can refuse serving requests that it doesn't want to.
To explain it a bit better, suppose your mobile sends in an HTTP request. Any curl request can be made to mimic that exact mobile request, making it look like it came from your mobile (by sending the same headers, auth params etc). Your server doesn't see curl, it just sees the HTTP request.
You might try blocking requests with user agent string that looks like it comes from curl, but this won't be of much use; as I mentioned, curl can be used to mimic any HTTP request.
Coming to your comment
I have an authentication API that gives an auth token once the user logs in, but you could log in using cURL (and even the web browser)
If you have an https server, your requests are safe from getting hijacked, since the user can only read his own requests, not the ones sent by other devices. So you don't really need to block curl requests.
I want to check a http header in request, which is received on apache 2.2 and if it contains that header I would like to fire a new request to jboss whose ip is different from apache server's. Is this possible?
I have seen this doc
enter link description here
In the above link I can check if header exist, but how to create new request to another server with same header forwarded.
Any help is appreciated.
What you suggest would send a redirect response to the browser, and it would be the browser who would end up visiting your Jboss server.
I'm not sure if that's precisely what you want, but sounds like what you want is to get Apache to do that request to Jboss and then send the response to the browser. This would be the typical scenario with a web server (apache) and an application server (Jboss) where you normally don't access the application server directly.
What you want to make this work in apache is a reverse proxy.
I will be having a software which will give me information about the moving vehicles on the server side and I need to pass this information to the client computer on demand.
There will be a website which will act like a server and another website will act like a client. The client
website will ask for a data from the server website.
From here: https://stackoverflow.com/a/2849683/462608
As the protocol may not be HTTP, you may provide WebServices over mail or other protocols, and you do not need a web server for that.
I request an explanation on the above quote. In my case will I be needing a webserver?
There is a bunch of webservice protocols, some of them may use and some may not use http as transport layer. When http is used - you need a webserver on server-side of your service and a webbrowser as a client. If the transport is other than http, you need server of other type, and other client, for example, mail server and mail client in case of running service over smtp.
I have an ASPX page. When the page is loaded there is code in the code behind that uses an API. The API makes an HTTPS call out to a third party, commercial web service. I am trying to troubleshoot why the API calls are not working properly. Apparently the API actually constructs an XML request that is sent out over HTTPS to the web service. I've been told by the support rep that I need to provide them with the XML that is being sent. The only way I can figure out how to get the XML is to use a tool like Fiddler to see what is being sent out. So how can I use Fiddler to see the contents of the XML request that is being sent from the server out to the web service? I am running everything directly on the server but all I am seeing is the GET request for the ASPX file itself. I am not seeing anything in relation to the HTTPS request that the server code is sending out to the web service. I have not used Fiddler much so I am hoping that maybe I just don't have it set up right to monitor that traffic.
Corey
After mucking around with it a bit I found this post: Why isn't fiddler capturing request when invoking XMLRPC from iis?. That seemed to do the trick! Basically it sounds like the default proxy settings in Win7 are on a per user basis. So I went in and changed the identity of the AppPool for my site to a local user (Administrator) and then it worked great. I started up Fiddler. Then I started up my ASP.NET app and then when I loaded the page I saw the request that went out to the web service from my code behind! Yay!
I have a created web service that takes 2 complex types as parameters. I can use the auto-generated WSDL to create a new application that calls my web service and it works perfectly.
However, a 3rd party consumer is having trouble calling my web service. I see their incoming request in the IIS7 log file and a 500 error is being returned to them.
I suspect that their request is malformed. I would like to be able to see the entire <soap:envelope> that IIS7 is receiving so that I can troubleshoot the issue. I am using Windows Server 2008 and IIS7.
How can I do this?
I would open up a copy of WireShark while they are putting their request through. You can then see each packet which comes to your server. Wireshark is cool because it can put all of the packets back together so you can see the full HTTP request they're sending.