I'm using Tomcat 8 and Tuckey urlrewrite to remove ".jsp" from my web page URLs. Its working fine but I noticed the X-Frame-Options in the response header are not present when urlrewrite redirects from a page. mysite.com/Home translates to mysite.com/Home.jsp but the X-Frame options are not set. They are set for all the pages that I exclude from urlrewirte such as mysite.com/picture.png. Any guidance would be appreciated.
Web.xml
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
urlrewrite.xml:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite
PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
"http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<urlrewrite>
<rule match-type="regex">
<condition type="request-url" operator="notequal">jsp$</condition>
<condition type="request-url" operator="notequal">html$</condition>
<condition type="request-url" operator="notequal">pdf$</condition>
<condition type="request-url" operator="notequal">txt$</condition>
<condition type="request-url" operator="notequal">apk$</condition>
<condition type="request-url" operator="notequal">app$</condition>
<condition type="request-url" operator="notequal">zip$</condition>
<condition type="request-url" operator="notequal">avi$</condition>
<condition type="request-url" operator="notequal">flv$</condition>
<condition type="request-url" operator="notequal">mp4$</condition>
<condition type="request-url" operator="notequal">mov$</condition>
<condition type="request-url" operator="notequal">wmv$</condition>
<condition type="request-url" operator="notequal">mp3$</condition>
<condition type="request-url" operator="notequal">wav$</condition>
<condition type="request-url" operator="notequal">jpg$</condition>
<condition type="request-url" operator="notequal">png$</condition>
<condition type="request-url" operator="notequal">/media/.*</condition>
<condition type="request-url" operator="notequal">/css/.*</condition>
<condition type="request-url" operator="notequal">/img/.*</condition>
<condition type="request-url" operator="notequal">/js/.*</condition>
<!-- negative look foward and back expresion to foward match pages that do not end in .jsp -->
<from>/.+(?:(?!jsp).).$</from>
<to type="forward">%{request-uri}.jsp</to>
</rule>
</urlrewrite>
So this turns out not to be a problem with URL Rewrite but a missing for the httpSecurityHeader filter that contained the x-frame-options. After adding the mapping "/*" every file now has the antiClickJacking options set. Below is the web.xml settings that make that happen.
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Related
I tried spring security with GWT, its redirecting to login perfectly.
I stopped the server and started again and tried to access the URL.
Application doesn't show the login page. It directly going to home page.
Is this how the security works, how to make it work. User name, password and roles are configured in spring configuration files.
web.xml
<!-- web.xml -->
<web-app>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/gwtsecuritydemo-security.xml
/WEB-INF/gwtsecuritydemo-base.xml
</param-value>
</context-param>
<!-- Spring Security Filter Chain -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<!-- Servlets -->
<servlet>
<servlet-name>greetServlet</servlet-name>
<servlet-class>au.com.securitydemo.gwt.maven.sample.server.GreetingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>greetServlet</servlet-name>
<url-pattern>/gwtsecuritydemo/greet</url-pattern>
</servlet-mapping>
<!-- Default page to serve -->
<welcome-file-list>
<welcome-file>gwtsecuritydemo.html</welcome-file>
</welcome-file-list>
</web-app>
and
spring configuration.
<!-- Spring Config -->
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user authorities="ROLE_USER" name="guest" password="guest" />
</user-service>
</authentication-provider>
</authentication-manager>
Thanks,
Bennet.
You server preserved sessions during restart or you configured "remember-me cookie".
To be sure, remove relevant cookies (usually JSESSIONID and REMEMBER_ME) from your browser and reload the page.
I have deployed my struts 2 application on jboss as 7 with eclipse. The console shows no error, but when I try to open "localhost:8080/site" I get a 404 page error. I tried to reach some resources from my browser e.g. localhost:8080/site/img/logo.png and it worked good, so the server is working fine, the application is actually deployed, but it seems I can't reach any jsp file. Any ideas?
The same application works fine on Tomcat 7.
This is the web.xml
<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>versus</display-name>
<session-config>
<session-timeout>240</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<security-role>
<role-name>Denied</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Deny Direct Access</web-resource-name>
<url-pattern>*.pdf</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Denied</role-name>
</auth-constraint>
</security-constraint>
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>WARN</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
This is index.jsp
<%# page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%><%# taglib prefix="s" uri="/struts-tags"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Versus</title>
<meta http-equiv="refresh" content="0;url=home?request_locale=en">
</head>
<body>
</body>
</html>
this is a snippet of struts.xml
<struts>
<constant name="struts.enable.DynamicMethodInvocation" value="false" />
<constant name="struts.devMode" value="false" />
<constant name="struts.custom.i18n.resources" value="resources.ApplicationResources" />
<constant name="struts.locale" value="en" />
<constant name="struts.multipart.maxSize" value="10000000" />
<constant name="struts.i18n.encoding" value="ISO-8859-1" />
<package name="default" extends="struts-default">
<!-- INTERCEPTOR -->
<interceptors>
<interceptor name="mobile" class="utils.MobileInterceptor" />
<interceptor-stack name="myStack">
<interceptor-ref name="mobile" />
<interceptor-ref name="defaultStack" />
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="myStack" />
<global-results>
<result name="success">/jsp/template.jsp</result>
<result name="input">/jsp/template.jsp</result>
<result name="error">/jsp/error.jsp</result>
<result name="none">/jsp/error.jsp</result>
</global-results>
<!-- GENERAL -->
<action name="index" class="controller.ActionIndex" method="execute" />
<action name="redirect" class="controller.ActionRedirect"
method="execute" />
<action name="login" class="controller.ActionLogin" method="login">
<result name="logged" type="redirectAction">redirect?request_locale=it&page=${page}&l4vUserLat=${l4vUserLat}&l4vUserLon=${l4vUserLon}
</result>
</action>
<action name="logout" class="controller.ActionLogin" method="logout" />
This question already has answers here:
Why request is going to Struts Dispatcher?
(2 answers)
Closed 6 years ago.
I am using jersey with Struts2. But by RestFul Service calls are not working. Below are my configurations files
struts.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.1//EN"
"http://struts.apache.org/dtds/struts-2.1.dtd">
<struts>
<package name="default" namespace="/" extends="struts-default">
<result-types>
<result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
</result-types>
<interceptors>
<interceptor-stack name="default">
<interceptor-ref name="defaultStack">
<param name="exception.logEnabled">true</param>
<param name="exception.logLevel">ERROR</param>
<param name="params.excludeParams">/service/*</param>
</interceptor-ref>
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="default" />
<action name="defaultAction"
class="com.gemini.web.controller.BinMasterController"
method="binMaster">
<result name="binMaster" type="tiles">binMaster</result>
</action>
</package>
</struts>
Web.xml
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<!-- Client config -->
<context-param>
<param-name>
org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG
</param-name>
<param-value>
/WEB-INF/tiles.xml
</param-value>
</context-param>
<filter>
<filter-name>struts2</filter-name>
<filter-class>
org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.apache.struts2.tiles.StrutsTilesListener
</listener-class>
</listener>
<!-- Jersey Support Configuration for RestFul WebServices -->
<servlet>
<servlet-name>jersey-serlvet</servlet-name>
<servlet-class>
com.sun.jersey.spi.container.servlet.ServletContainer
</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.gemini.rest.controller</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-serlvet</servlet-name>
<url-pattern>/service/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
With this configuration Struts2 filter intercepts all requests.
To exclude your /service/* requests use struts.action.excludePattern constant:
<constant name="struts.action.excludePattern" value="/service/.*" />
I have a similar architecture (using Struts2 and Jersey).
In my web.xml I have:
<filter>
<filter-name>struts2</filter-name>
<filter-class>
org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/admin/*</url-pattern>
</filter-mapping>
My Jersey is configured through an extended ResourceConfig:
#ApplicationPath("rest")
public class Config extends ResourceConfig {
public Config() {
super();
register(new Binder());
packages(true, this.getClass().getPackage().getName());
}
}
So the two are on separate url paths:
Struts is on /admin and Jersey is on /rest.
I have commited the maven project to svn its working on my machine but when other's import that maven project they get exception :
Module declares a servlet class ....... , but the web.xml has no
corresponding mapping; please add the following lines to your web.xml
and this class belongs to the library my project using. I dont understand what is the problem. Please help me.
module.gwt.xml:
<?xml version="1.0" encoding="UTF-8"?>
<module rename-to='engile'>
<!-- Inherit the core Web Toolkit stuff. -->
<inherits name='com.google.gwt.user.User'/>
<!-- Inherit the default GWT style sheet. You can change -->
<!-- the theme of your GWT application by uncommenting -->
<!-- any one of the following lines. -->
<inherits name='com.google.gwt.user.theme.clean.Clean'/>
<!-- <inherits name='com.google.gwt.user.theme.standard.Standard'/> -->
<!-- <inherits name='com.google.gwt.user.theme.chrome.Chrome'/> -->
<!-- <inherits name='com.google.gwt.user.theme.dark.Dark'/> -->
<!-- Other module inherits -->
<inherits name="com.google.gwt.inject.Inject" />
<inherits name="com.appops.ui.basic.Fields" />
<inherits name='com.mvp4g.Mvp4gModule' />
<inherits name="gwtupload.GWTUpload"/>
<inherits name='com.google.api.gwt.oauth2.OAuth2'/>
<inherits name="com.google.gwt.xml.XML"/>
<inherits name="org.atmosphere.gwt.Client"/>
<!-- Logger at client side -->
<inherits name = "com.google.gwt.logging.Logging"/>
<set-property name="gwt.logging.enabled" value="TRUE"/>
<set-property name="gwt.logging.logLevel" value="INFO"/>
<set-property name="gwt.logging.popupHandler" value="DISABLED" />
<set-property name="gwt.logging.simpleRemoteHandler" value="ENABLED" />
<!-- Specify the app entry point class. -->
<entry-point class='com.engile.client.Engile'/>
<!-- Specify the paths for translatable code -->
<source path='client'/>
<source path='shared'/>
<!-- <set-property name="user.agent" value="safari"/>
<set-property name="user.agent" value="gecko1_8"/> -->
</module>
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
<filter>
<filter-name>guiceFilter</filter-name>
<filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>guiceFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>com.engile.server.guice.BootstrapListener</listener-class>
</listener>
<servlet>
<description>AtmosphereServlet</description>
<servlet-name>AtmosphereServlet</servlet-name>
<servlet-class>org.atmosphere.cpr.AtmosphereServlet</servlet-class>
<init-param>
<param-name>org.atmosphere.disableOnStateEvent</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.AtmosphereHandler</param-name>
<param-value>com.engile.server.services.AtmosphereHandler</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>AtmosphereServlet</servlet-name>
<url-pattern>/engile/gwtComet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>remoteLoggingService</servlet-name>
<servlet-class>com.google.gwt.logging.server.RemoteLoggingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>remoteLoggingService</servlet-name>
<url-pattern>/engile/remote_logging</url-pattern>
</servlet-mapping>
<!-- <servlet>
<servlet-name>testImpl</servlet-name>
<servlet-class>com.appops.server.TestImpl</servlet-class> </servlet>
<servlet-mapping> <servlet-name>testImpl</servlet-name>
<url-pattern>/engile/test</url-pattern>
</servlet-mapping> -->
<welcome-file-list>
<welcome-file>Engile.html</welcome-file>
</welcome-file-list>
</web-app>
You need to check all your interfaces which extends RemoteService and have declared a RemoteServiceRelativePath annotation, ensure that all such relative paths get mapped in web.xml
Example - in https://developers.google.com/web-toolkit/doc/latest/tutorial/RPC
#RemoteServiceRelativePath("stockPrices")
public interface StockPriceService extends RemoteService {
}
gets mapped to
<!-- Servlets -->
<servlet>
<servlet-name>stockPriceServiceImpl</servlet-name>
<servlet-class>com.google.gwt.sample.stockwatcher.server.StockPriceServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>stockPriceServiceImpl</servlet-name>
<url-pattern>/stockwatcher/stockPrices</url-pattern>
</servlet-mapping>
It runs without any log information. I can't find the log file on server anywhere, also didn't find any console info on server(because I don't know which console these log info will be displayed on). Should I do some further config or coding? Thanks.
I have configured GWT-Logging in .gwt.xml as below:
<inherits name="com.google.gwt.logging.Logging"/>
<set-property name="gwt.logging.enabled" value="TRUE"/>
<set-property name="gwt.logging.logLevel" value="FINE"/>
<set-property name="gwt.logging.popupHandler" value="DISABLED" />
<set-property name="gwt.logging.firebugHandler" value="DISABLED" />
<set-property name="gwt.logging.developmentModeHandler" value="DISABLED" />
<set-property name="gwt.logging.consoleHandler" value="DISABLED" />
<set-property name="gwt.logging.systemHandler" value="DISABLED" />
<set-property name="gwt.logging.simpleRemoteHandler" value="ENABLED"/>
remoteLoggingServlet has already been configured in web.xml:
<servlet>
<servlet-name>remoteLoggingServlet</servlet-name>
<servlet-class>com.google.gwt.logging.server.RemoteLoggingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>remoteLoggingServlet</servlet-name>
<url-pattern>/my.app.class.name/remote_logging</url-pattern>
</servlet-mapping>
in GWT Client codeļ¼
Logger logger = Logger.getLogger("NameOfYourLogger");
logger.log(Level.SEVERE, "this message should get logged ok!");
web client runs, but where is log file on server? Thanks.
for log-files:
After I put a logging.properties file under war\WEB-INF\classes, it works on tomcat if I deploy the GWT project. The location is tomcat\bin if you doesn't specify any path.
It still doesn't work in GWT devMode, maybe the Jetty server in devMode under eclipse works in a different way. But you can enable other handlers to find the log info on eclipse consoles. So far, that's enough for me.
Don't you need:
/your-gwt-module-name/remote_logging
and not
/my.app.class.name/remote_logging
in
<!-- remote logging -->
<servlet>
<servlet-name>remoteLogging</servlet-name>
<servlet-class>com.google.gwt.logging.server.RemoteLoggingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>remoteLogging</servlet-name>
<url-pattern>/your-gwt-module-name/remote_logging</url-pattern>
</servlet-mapping>