Security headers setup on WebSphere 9.0.5.13 - http-headers

I have to get all these headers (mentioned below) green when the URL "https://.com" is checked on securityheaders.com.
Headers: "Strict-Transport-Security" "Content-Security-Policy" "X-Frame-Options" "X-Content-Type-Options"
The web server running here is IBM WebSphere 9.0.5.13.
I know it needs to be added in some web.xml file with a context param, but there are so many web.xml files that I am not sure which one, OR
we also tried from the Server Web Container Settings by adding this, which didn't work:
com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP....value=max-age=31536000;includeSubDomains;preload
com.ibm.ws.webcontainer.addStrictTransportSecurityHeader....value=max-age=31536000;includeSubDomains;preload
But neither did work. I need to do this for all the headers mentioned above.
We know how to do this for Tomcat, but we are having difficulty with WebSphere, guys.
If anybody knows how to do this, please help me. Thanking you guys in advance.
Regards,
Mainak

You need to use the Servlet APIs to set custom response headers, either in your application or in a filter. If you can't do that, you can often do something similar if you have a proxy server in front of your application.
WebSphere Liberty has basic support for adding custom response headers via server.xml, but it's not available in the traditional WebSphere Application Server.
HSTS is unique as there is support for it at various levels in configuration.
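As an added example (not from the answer above and not IBM's own code), here is the filter approach in Java for a Servlet 3.0+ container such as WebSphere 9.0.5. It sets the four headers from the question on every response of the web module it is packaged in, registers itself by annotation so no web.xml edit is needed, and sends HSTS only on TLS requests, since browsers ignore that header over plain HTTP anyway. The header values (the CSP in particular) are assumptions for illustration; adjust them to what the application really loads.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds the security response headers from the question to every response of
 * the web module this class is deployed in. Registered by annotation, so no
 * web.xml change is required (Servlet 3.0+).
 */
@WebFilter(filterName = "SecurityHeadersFilter", urlPatterns = "/*")
public class SecurityHeadersFilter implements Filter {

    // One year, covering subdomains. Add "; preload" only once you intend to
    // submit the domain to the browser preload list; preload is hard to undo.
    private static final String HSTS = "max-age=31536000; includeSubDomains";

    // Assumed policy for illustration: tighten or loosen it to match the
    // scripts, styles and frames the application actually uses.
    private static final String CSP =
        "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'";

    @Override
    public void init(FilterConfig cfg) {
        // Nothing to initialise; the header values above are constants.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set the headers BEFORE handing off to the servlet: once the response
        // is committed (e.g. the servlet flushes output), setHeader() is
        // silently ignored and the headers never reach the client.
        if (request.isSecure()) {
            // RFC 6797: HSTS is only meaningful over TLS; clients must ignore
            // it when received over http://, so do not bother sending it there.
            response.setHeader("Strict-Transport-Security", HSTS);
        }
        response.setHeader("Content-Security-Policy", CSP);
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("X-Content-Type-Options", "nosniff");

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
```

Two practical checks: put the class in the WAR that actually serves the URL you test, not in a shared library (filters are scoped to a web module, which is also why it does not matter which of the many web.xml files you were looking at), and verify with `curl -I https://host/path` that all four headers appear on both a normal page and an error page. If TLS terminates at a proxy or IBM HTTP Server in front of WebSphere and the back-end hop is plain HTTP, `request.isSecure()` will be false; either configure the web container to honour the proxy's forwarded-scheme header or drop the `isSecure()` guard and send HSTS unconditionally.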

Related

Purpose of localConnector-1.0 feature in Websphere server with IntelliJ

I was following a tutorial for setting up a WebSphere Liberty Server Here and didn't really know what a part of the tutorial did. I completed the tutorial and it works fine.
On step 3 it has me modify the server.xml with these two lines, and I don't really know what they do.
<applicationMonitor updateTrigger="mbean" />
<feature>localConnector-1.0</feature>
I found the documentation for localConnector-1.0, but it's a little over my head:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.nd.doc/ae/rwlp_feature_localConnector-1.0.html
I think localConnector allows IntelliJ to run the server somehow, but I don't know what updateTrigger="mbean" does.
If anyone has an explanation, that would be great. Thanks!
The localConnector-1.0 feature enables the local JMX connector on Liberty so that the JMX Client (IntelliJ) can connect to and administer Liberty.
You can find more documentation on the feature here: https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_admin_localconnector.html
updateTrigger="mbean" sets application updates to occur only when triggered by an MBean call (whereas the default is to poll for changes).
You can find more documentation here:
https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_setup_dyn_upd.html

resolving session fixation bug fix in resin app server

I am using the Resin app server.
request.getSession().invalidate(); request.getSession(true) is not working properly and it's not resetting the session ID while using Resin.
Also, I am not able to use request.changeSessionId() as the Resin version is not able to use Java EE 7 libraries.
Please share your views on how to resolve session fixation with Resin.
Resin 4.0.x doesn't implement Servlet 3.1 API.
Resin provides a reuse-session-id configuration option that helps control session cookie behaviour.
http://caucho.com/resin-4.0/reference.xtp#session-config

How does one enable or verify the REST interface of ActiveMQ?

I set up ActiveMQ 5.8.0 on a Windows 2003 virtual server for development purposes. I understand that there is supposed to be a REST interface for reading from and writing to queues and such. But I can't seem to track down how to do it exactly. Port 8161 can be used to access the admin console, but every URL I try from Firefox Poster returns a 404. I tried URLs like these:
http://localhost:8161/queues <-- 404
http://localhost:61616/queues <-- some default message
http://localhost:61616/queue/inbox <-- same default message
http://localhost:8161/queue/inbox <-- 404
The documentation mentions mapping a URI to the servlet, but I'm not sure how or if I need to do this. The /demo feature is disabled by default, which is fine by me. How do I enable REST for my queues? Thanks!
As /demo is disabled, it has been moved to /api:
http://localhost:8161/api/message/
This is the path for all REST operations.

Is it possible for AppFuse 2.2.1 to use an SMTP server which needs authentication?

I have specified the SMTP server and authentication info in mail.properties, but AppFuse 2.2 just ignores the mail.username and mail.password properties.
How do I work around this problem?
Finally I figured it out.
The SMTP setting is located in appfuse-service-2.2.1.jar/applicationContext-service.xml.
Copy it to src/resources, rename it to applicationContext-services.xml, uncomment the authentication settings, and modify mail.properties to add the auth info.
Modify web.xml, changing the contextConfigLocation to use the new applicationContext-services.xml.

Kaazing is not working with SSL setup

I have a basic Kaazing setup for STOMP and it's working fine with my web page, which is served up using HTTP.
Now I want to connect using SSL (HTTPS) and I've changed all the settings on my web server to do so.
Since I did that, the browser was not happy making an HTTP (unsecured) connection to Kaazing (I'm fine if there is a way around it to just make Kaazing work without HTTPS as well), and now I'm trying to set up SSL for Kaazing as well. I just appended an 's' to everything and changed tcp: to ssl:. I also generated a keystore file with my server name.
Still in the browser I'm able to reach
https://servername:8000/jms/;e/ct?.kn=6433810530520803
this is the first file Kaazing libraries are trying to reach and the response to this is
https://servername:8000/jms/;e/ut/qJA49SDjQEHLINJVoWe5fHGZqpUYqe6e?.kn=6433810530520803
https://servername:8000/jms/;e/dt/qJA49SDjQEHLINJVoWe5fHGZqpUYqe6e?.kn=6433810530520803
2 more JavaScript files, I'm assuming. But these files are not reachable; I'm getting 404.
I understand the question is a little vague; please feel free to ask for more details if you need them. But if anybody has any idea what's going on and what's wrong, please let me know. I would really appreciate the help.
I have no clue how to debug this Kaazing thing nor WebSocket connections.
Also note that I'm trying to set up an internal IP hop based on this document.
Here is my complete gateway-config.xml
Anand,
You have a configuration issue. Let me explain it here:
<service>
  <accept>wss://servername:8000/jms</accept>
  <type>stomp.jms</type>
  <properties>
    <connect>tcp://localhost:61613</connect>
    <connection.factory.name>ConnectionFactory</connection.factory.name>
    <context.lookup.topic.format>dynamicTopics/%s</context.lookup.topic.format>
    <context.lookup.queue.format>dynamicQueues/%s</context.lookup.queue.format>
    <env.java.naming.factory.initial>org.apache.activemq.jndi.ActiveMQInitialContextFactory</env.java.naming.factory.initial>
  </properties>
  <accept-options>
    <wss.bind>10.171.131.100:8000</wss.bind>
  </accept-options>
  <cross-site-constraint>
    <allow-origin>https://23.23.23.23:80</allow-origin>
  </cross-site-constraint>
  <cross-site-constraint>
    <allow-origin>https://servername:80</allow-origin>
  </cross-site-constraint>
</service>
Note the last cross-site-constraint: it is https://servername:80. This won't work. It should be http://servername:80 or https://servername:443 (if you have configured SSL correctly). This explains "2 more JavaScript files, I'm assuming. But these files are not reachable, getting 404".
Alternatively, you can relax the cross-site-constraint by putting the following:
<cross-site-constraint>
  <allow-origin>*</allow-origin>
</cross-site-constraint>
Once you have it working and your deployment scenario is solid, limit the access by putting in a tighter cross-site-constraint.
Hope that helps. Give it a try and update this thread.