Added cache-control header to static war file in JBoss - jboss

I have a bunch of static files packaged into $JBOSS$/server/default/deploy/foo.war and accessed via http://example.com/foo/file.html. There is no other configuration for foo.war.
Is it possible to control the headers of file.html to add a cache-control: no-cache header without spinning up a servlet?

Related

X-Frame-Options Header Not Set: How do I set it please?

I am using Apache server. While doing security testing, I got these error reports which say:
X-Frame-Options Header Not Set. For this I know that there are 3 types of X-Frame Options. But where do I implement the SAMEORIGIN option and how?
Header set X-Frame-Options: "SAMEORIGIN"
Tried adding the above in apache2.conf in /etc/apache2/
Tried with .htaccess file also
Restarted Apache and tried in Chrome, Developer Tools -> Networks -> Headers
No effect of new header. Please clarify how to add this header with file details.
Firstly, look for the .htaccess file in the html folder in the file manager (it could be part of the hidden files) and input this code:
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
After that test again for Clickjacking

Http response header configuration is not working in Kafka rest proxy and schema registry

We are using confluent platform 5.3.1 community edition.
Recently as part of security scan we have got missing http header (X-XSS-Protection,X-Content-Type-Options) security vulnerability for Kafka rest proxy and schema registry services.
As per the confluent documentation, we can add response.http.headers.config property in the config to add/set the required header.
https://docs.confluent.io/platform/current/kafka-rest/production-deployment/rest-proxy/config.html
https://docs.confluent.io/platform/current/schema-registry/installation/config.html
We have added the config in the respective configuration file and restarted the services.
Lines added in the config
Rest proxy
response.http.headers.config=add X-XSS-Protection: 1; mode=block, add X-Content-Type-Options: nosniff
Schema Registry
response.http.headers.config="add Cache-Control: no-cache, no-store, must-revalidate", add X-XSS-Protection: 1; mode=block, add Strict-Transport-Security: max-age=31536000; includeSubDomains, add X-Content-Type-Options: nosniff
After restarting the services, we expected to receive additional http response headers in the response, but still we aren't getting those headers.
Request:
Get: http://xxxx:8082/
Response Headers
Any suggestions to get those missing headers in the response? Thanks in advance.
After checking the source code of Confluent REST proxy, I identified that this property (response.http.headers.config) is added in Confluent Platform 6.0.x. So the platform needs to be updated to use this property.
Reference:
https://cwiki.apache.org/confluence/display/KAFKA/KIP+577%3A+Allow+HTTP+Response+Headers+to+be+Configured+for+Kafka+Connect
https://docs.confluent.io/platform/current/release-notes/changelog.html
https://github.com/confluentinc/rest-utils/blob/6.0.x/core/src/main/java/io/confluent/rest/RestConfig.java
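
As an added example (not part of the original posts): a small Python check for the response headers discussed in the X-Frame-Options and Kafka REST proxy questions above. It parses a raw response head, such as the output of curl -sI, and reports which required headers are missing or carry an unexpected value. The REQUIRED policy table and the sample responses are constructed for illustration.

```python
"""Audit a raw HTTP response head for required security headers."""

# Lower-case header name -> predicate on its value. This policy table is an
# assumption built from the header values quoted on this page.
REQUIRED = {
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
}


def parse_headers(raw):
    """Return {lower-case name: [values]} from a raw response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw, required=REQUIRED):
    """Map each required header to 'ok', 'missing' or 'bad value: ...'."""
    headers = parse_headers(raw)
    report = {}
    for name, is_valid in required.items():
        values = headers.get(name, [])
        bad = [v for v in values if not is_valid(v)]
        if not values:
            report[name] = "missing"
        elif bad:
            report[name] = "bad value: " + ", ".join(bad)
        else:
            report[name] = "ok"
    return report


# Constructed samples: a response before and after the header config applies.
BEFORE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "x-frame-options: sameorigin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```

Header names are compared case-insensitively, so the check does not depend on how the server or an intermediate proxy capitalises them.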

Where should I set 'Header set Access-Control-Allow-Origin "*"' Header in my apache2 server?

I want to access other servers from my server.
When I try to send a GET/POST request to www.posttestserver.com, it is established successfully.
In response, that server provides me response header as:
Access-Control-Allow-Origin:*
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:129
Content-Type:text/html; charset=UTF-8
Date:Tue, 13 Jun 2017 07:24:27 GMT
Keep-Alive:timeout=5, max=100
Server:Apache/2.4.18 (Ubuntu)
Vary:Accept-Encoding
Then, how do I set this same type of header:
Access-Control-Allow-Origin:*
over my server, so that other websites accessing my server receive this in their response headers?
My server is apache2 hosted on ubuntu 16.04.
Note:
I have set this header:
Header set Access-Control-Allow-Origin "*"
in /etc/apache2/apache2.conf in section,
and in .htaccess file in /var/www/html.
Since you're on ubuntu, it would be preferable to create a short config file in /etc/apache2/conf-available/ and then use a2enconf to enable it.
This allows you to keep the shipped configuration files unmodified.

JasperReport Server REST 2 api - Creating a new report

I was not able to find any api that can actually create a report on the JasperReports Server.
There is one to create resource.
http://community.jaspersoft.com/documentation/jasperreports-server-web-services-guide/v550/creating-resource
To an extent it tells about how to create a folder etc. but talks nothing about creating a report at all.
Any idea on how a report (jrxml) can be done in a programmatic way?
Thanks.
To post your reports manually to the JasperServer repository, use the same method as in the link you posted, but you aren't posting a resourceDescriptor. You should be posting a reportUnit instead.
Here is an example of the PUT command where I'm sending a (gzipped) jrxml file I named TestJrxmlFile to the repository creating a new report:
PUT http://localhost:8080/jasperserver-pro/rest_v2/resources/public/TestJrxmlFile?createFolders=true&overwrite=true HTTP/1.1
Content-Type: application/repository.reportUnit+xml
User-Agent: Jersey/2.13 (Apache HttpClient 4.3.4)
Transfer-Encoding: chunked
Host: localhost:8080
Connection: Keep-Alive
Cookie: JSESSIONID=45F47838C567120CF4DB1068AE0473C4; userLocale=en_US
Cookie2: $Version=1
Accept-Encoding: gzip,deflate
82d
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><reportUnit><description>ds</description><label>TestJrxmlFile</label><permissionMask>1</permissionMask><uri>/public/TestJrxmlFile</uri><version>-1</version><alwaysPromptControls>true</alwaysPromptControls><controlsLayout>popupScreen</controlsLayout><resources/><inputControls/><jrxmlFile><label>Main jrxml</label><permissionMask>1</permissionMask><uri>/public/TestJrxmlFile_files/main_jrxml</uri><version>-1</version><content>[base64-encoded jrxml content omitted]
35
</content><type>jrxml</type></jrxmlFile></reportUnit>
0
Updating a single jrxml file would require posting a file a la
PUT http://localhost:8080/jasperserver-pro/rest_v2/resources/public/TestJrxmlFile_files/main_jrxml?createFolders=true&overwrite=true HTTP/1.1
Content-Type: application/repository.file+xml
User-Agent: Jersey/2.13 (Apache HttpClient 4.3.4)
Transfer-Encoding: chunked
Host: localhost:8080
Connection: Keep-Alive
Cookie: JSESSIONID=CBE64F76548FC2D4CB73281A6FEB9319; userLocale=en_US
Cookie2: $Version=1
Accept-Encoding: gzip,deflate
93a
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><file><creationDate>2015-11-13T09:59:55</creationDate><label>Main jrxml</label><permissionMask>1</permissionMask><updateDate>2015-11-13T09:59:55</updateDate><uri>/public/TestJrxmlFile_files/main_jrxml</uri><version>0</version><content>[base64-encoded jrxml content omitted]
23
</content><type>jrxml</type></file>
0

GWT three-tier architecture

I am developing a GWT-based application using JPA as the data access layer. My application is required to support a three-tier architecture. The main idea is to have an HTTP server (Apache) with static content (html/javascript etc.), a Web Application server (Glassfish) with business logic (servlets, beans, etc.) and a Database server (PostgreSQL).
Is there any easy way to divide content of war file generated for simple GWT application to achieve described architecture?
Maybe there is a maven plugin which will help in creating separate war files with static content and business logic.
I was also considering creating proxy which will intercept GWT-RPC calls and invoke business methods on remote server.
I found very interesting article describing such solution (full article) but it requires a lot of work to achieve my goal. Hopefully there is a library or toolkit which will simplify proxy generation process.
Any ideas will be greatly appreciated.
I have a similar setup, just Tomcat instead of Glassfish, and maven to build everything. Here's how it works. Apache httpd and Tomcat are connected with mod_jk. Apache forwards all requests to Tomcat except for the GWT module dir (let's call it gwt_module), which contains all the GWT compiled stuff - that gets served by Apache and is configured to be cached.
The rest - servlets basically, gets forwarded to Tomcat (RPC, RequestFactory, other servlets). MongoDB as a database server.
Here's the relevant httpd.conf section:
JkMount /* webbalancer
JkUnMount /gwt_module/* webbalancer
Alias /gwt_module "/srv/web/app_servers/tomcat-1/webapps/ROOT/gwt_module/"
<Directory "/srv/web/app_servers/tomcat-1/webapps/ROOT/gwt_module/">
    Order deny,allow
    allow from all
    Options -Indexes
    <FilesMatch "\.cache\.*">
        Header set Cache-control max-age=31536000
        # Header unset ETag
        # FileETag None
    </FilesMatch>
    # turning off ETags, to force browsers to rely only on Cache-Control and Expires headers.
    # for some reason, FF wasn't using the cache for JS files if ETags are on.
    Header unset ETag
    FileETag None
</Directory>
# Tell clients to keep images in the cache
ExpiresActive On
ExpiresByType image/x-icon A2592000
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
#ExpiresByType application/x-javascript A2592000
ExpiresByType text/css A2592000
ExpiresByType application/xhtml+xml A2592000
# Compress output for text
AddOutputFilterByType DEFLATE text/html text/xml text/css application/x-javascript text/javascript application/javascript
Note: I'm not sure that serving static files with apache is faster than serving everything with only tomcat, I use apache for load balancing primarily.