I am trying to implement Owasp CARF library (3.0.0). When I place the Owasp.CsrfGuard.js file in WEB-INF/ folder and try to deploy the application, I get the below error:
Unexpected token % at Owasp.CsrfGuard.js
I see the %DOMAIN_STRICT% and other variables which are not recognized.
I have configured the Javscriptservlet like:
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
<init-param>
<param-name>source-file</param-name>
<param-value>/WEB-INF/Owasp.CsrfGuard.js</param-value>
</init-param>
<init-param>
<param-name>inject-into-forms</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>inject-into-attributes</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>domain-strict</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>referer-pattern</param-name>
<param-value>.*</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
The server used is Weblogic 12.2.1.2
Do I need to configure anything. How do I resolve the js error??
Related
I have to migrate a rest web application to Java 11. I know, it is not trivial and I found out there many related posts. But, somehow none of them is my case.
The application is in use and runs in a Apache Tomcat 8.5.75 with Openjdk 1.8.0.222-2.b10.
Now, just simple deploying the application into an Apache Tomcat 9.0.58 with Eclipse Adoptium 11.0.14.1, the servlets are throwing java.lang.IllegalArgumentExceptions:
10-Jun-2022 08:13:45.840 SEVERE [main] org.apache.catalina.core.ApplicationContext.log Servlet.init() for servlet [RestOxServlet] threw exception
java.lang.IllegalArgumentException
at jersey.repackaged.org.objectweb.asm.ClassReader.<init>(ClassReader.java:170)
...
Such a servlet looks like this:
<servlet>
<servlet-name>RestOxServlet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>
mx.ox;
mx.common.ox
</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
<param-value>
mx.ox.rest.Log4jServiceLoggingFilter;
mx.common.ox.servicelogging.filter.ServiceLoggerServerFilter
</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ContainerResponseFilters</param-name>
<param-value>
my.ox.rest.Log4jServiceLoggingFilter;
mx.common.ox.servicelogging.filter.ServiceLoggerServerFilter
</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.feature.logging.DisableEntitylogging</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.feature.XmlRootElementProcessing</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
The use libraries are:
com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.4:compile
com.sun.jersey.contribs:jersey-apache-client:jar:1.19.4:compile
com.sun.jersey.contribs:jersey-multipart:jar:1.19.4:compile
com.sun.jersey.contribs:jersey-spring:jar:1.19.4:test
com.sun.jersey:jersey-client:jar:1.19.4:compile
com.sun.jersey:jersey-core:jar:1.19.4:compile
com.sun.jersey:jersey-server:jar:1.19.4:compile
com.sun.jersey:jersey-servlet:jar:1.19.4:compile
It is know that with Java 11 many of those classes/packages vanished from JDK. Who has already solved this kind of problem? Is there an equivalency table with all dependencies for Java 11?
SK
When trying to access /Example/Site a 404 no found page will be shown, but the jsp is in webapp/WEB-INF/jsp/. Why is this not working?
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>jmattheis rest app</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>jersey-servlet</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>com.stackoverflow.jmattheis.rest</param-value>
</init-param>
<init-param>
<param-name>jersey.config.servlet.filter.forwardOn404</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.provider.classnames</param-name>
<param-value>org.glassfish.jersey.server.mvc.jsp.JspMvcFeature</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.mvc.templateBasePath.jsp</param-name>
<param-value>/WEB-INF/jsp</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.tracing</param-name>
<param-value>ALL</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>jersey-servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
Here the Resource:
#Component
#Path("Example")
public class Example {
#GET
#Path("/Site")
#Produces(MediaType.TEXT_HTML)
public Response getSite() {
return Response.ok(new Viewable("/test")).build();
}
}
Have a look at the Jersey2 MVC documentation
Jersey web applications that want to use JSP templating support should be registered as Servlet filters rather than Servlets in the application's web.xml. The web.xml-less deployment style introduced in Servlet 3.0 is not supported at the moment for web applications that require use of Jersey MVC templating support.
So you need to change your servlet to an filter to make it work.
It could be that this was not needed in the early versions of jersey 2, but I cannot find the older documentation for that so we'll never know.
Like this:
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>jmattheis rest app</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>jersey-filter</filter-name>
<filter-class>org.glassfish.jersey.servlet.ServletContainer</filter-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>com.stackoverflow.jmattheis.rest</param-value>
</init-param>
<init-param>
<param-name>jersey.config.servlet.filter.forwardOn404</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.provider.classnames</param-name>
<param-value>org.glassfish.jersey.server.mvc.jsp.JspMvcFeature</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.mvc.templateBasePath.jsp</param-name>
<param-value>/WEB-INF/jsp</param-value>
</init-param>
<init-param>
<param-name>jersey.config.server.tracing</param-name>
<param-value>ALL</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>jersey-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I want to know what is the difference between declaring the "jersey servlet" as Servlet Or as Filter in the web.xml ...
Here is how I called the jersey servlet as Filter in the web.xml :
<filter>
<filter-name>jersey-serlvet</filter-name>
<filter-class>com.sun.jersey.spi.container.servlet.ServletContainer</filter-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>ca.tesias.services</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>jersey-serlvet</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
and here is the jersey servlet called as Servlet in the web.xml :
<servlet>
<servlet-name>jersey-serlvet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>ca.tesias.services</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>jersey-serlvet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
What solution should I use !
If you want to append a path at the end of base url, you can use servlets. However, if you dont want to append a path at the end of base url and just invoke something based on pattern matching, you can use filters.
Example
Suppose we have following two resources:
#javax.ws.rs.Path("path1")
public class Path1 {
}
#javax.ws.rs.Path("path2")
public class Path2 {
}
Now if we have servlet mapping as below:
<servlet-mapping>
<servlet-name>servlet_name</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
We can access the resources using following URLs:
http://<hostname>:<web_container_port>/<context_root_of_web_application>/rest/path1
http://<hostname>:<web_container_port>/<context_root_of_web_application>/rest/path2
On the other hand, if we have filter mapping as below:
<filter-mapping>
<filter-name>filter_name</filter-name>
<url-pattern>/path1</url-pattern>
</filter-mapping>
We can access path1 root resource by visiting the following URL:
http://<hostname>:<web_container_port>/<context_root_of_web_application>/path1
And in this case, the filter filter_name will be invoked
However, if we try to access path2 with following URL:
http://<hostname>:<web_container_port>/<context_root_of_web_application>/path1
No filter will be invoked in this case.
Reference: https://www.ibm.com/support/knowledgecenter/en/SSEQTP_9.0.0/com.ibm.websphere.base.doc/ae/twbs_jaxrs_configwebxml_jrsfilters.html
I am using Swagger for REST api documentation, but facing issues with Container response filter filter used for jersey servlet and APIOriginFilter used for servlet for swagger. If I disable the Container response filter from jersey servlet swagger UI displays the APIs properly but the actual API call fails.
Please help and suggest how i can make common entry for the container response filter of jersey and api origin filter of swagger.
Below is snapshot from web.xml
<servlet>
<servlet-name>jersey-serlvet</servlet-name>
<servlet-class>
com.sun.jersey.spi.spring.container.servlet.SpringServlet
</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.harman.ctg.rest;com.wordnik.swagger.jersey.listing</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ContainerResponseFilters</param-name>
<param-value>com.harman.ctg.rest.helper.CrossOriginResourceSharingFilter</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.feature.DisableWADL</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>DefaultJaxrsConfig</servlet-name>
<servlet-class>com.wordnik.swagger.jaxrs.config.DefaultJaxrsConfig</servlet-class>
<init-param>
<param-name>api.version</param-name>
<param-value>1.0.0</param-value>
</init-param>
<init-param>
<param-name>swagger.api.basepath</param-name>
<param-value>http://localhost:8080/Pro_IDX_VAS_Web/api/3.0/api-docs</param-value>
</init-param>
<init-param>
<param-name>swagger.filter</param-name>
<param-value>com.harman.ctg.rest.helper.ApiAuthorizationFilterImpl</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-serlvet</servlet-name>
<url-pattern>/api/3.0/*</url-pattern>
</servlet-mapping>
<!-- Filter to secure Jersey (JAX-RS) services -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/api/3.0/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>ApiOriginFilter</filter-name>
<filter-class>com.harman.ctg.rest.helper.CrossOriginResourceSharingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ApiOriginFilter</filter-name>
<url-pattern>/api/3.0/*</url-pattern>
</filter-mapping>
I have a maven project (with web and JPA facets) in Eclipse Java EE IDE for Web Developers. I have added the jars to my tomcat library and everything compiles great.
However, my webpage header does NOT reflect what I have enabled in my web.xml through the CORS filter.
My header looks like:
And my web.xml contains:
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<!-- Servlet 1: Expose the OData service endpoint -->
<servlet>
<servlet-name>OData</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<!-- all additional parameters will be passed to your factory create method -->
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>org.odata4j.jersey.producer.resources.ODataApplication</param-value>
</init-param>
<init-param>
<param-name>odata4j.producerfactory</param-name>
<param-value>org.odata4j.producer.jpa.JPAProducerFactory</param-value>
</init-param>
<init-param>
<param-name>odata4j.jpa.persistenceUnitName</param-name>
<param-value>Resource</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>OData</servlet-name>
<url-pattern>/example.svc/*</url-pattern>
</servlet-mapping>
<!-- Servlet 2: Enable crossdomain access for browser clients -->
<servlet>
<servlet-name>CrossDomain</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>org.odata4j.producer.resources.RootApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>CrossDomain</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<!-- Use CORSFilter for CORS -->
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<!-- Note: All parameters are options, if ommitted CORS Filter
will fall back to the respective default values.
-->
<init-param>
<param-name>cors.allowGenericHttpRequests</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET, HEAD, POST, OPTIONS, PUT, DELETE</param-value>
</init-param>
<init-param>
<param-name>cors.supportedHeaders</param-name>
<param-value>Content-Type, X-Requested-With, Accept, Authentication</param-value>
</init-param>
<init-param>
<param-name>cors.exposedHeaders</param-name>
<param-value>X-Test-1, X-Test-2</param-value>
</init-param>
<init-param>
<param-name>cors.supportsCredentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.maxAge</param-name>
<param-value>3600</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I fixed my headers to support CORS by implementing Padcom's CORS filter for Java application as described here.
I'm still not sure why the method I tried above didn't work...
But if you are stuck trying the method above, it is easy and work trying Padcom's method. :)