JBOSS EAP 7 - Disable Trace Method - jboss7.x

For security findings, we would like to disable certain HTTP methods like DELETE, TRACE in JBoss EAP 7. Is there a way to do this by using JBoss configuration?

You can set the disallowed-methods on the Undertow subsystem. TRACE is disabled by default. With CLI it would look something like:
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=disallowed-methods, value=["TRACE", "DELETE"])
This can also be done in the Web Console.
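An added example (not part of the original answer and not JBoss code): the CLI command above changes only `http-listener=default`, so this offline check parses an Undertow subsystem from `standalone.xml` and reports every listener whose effective `disallowed-methods` still lacks a required method. The sample XML is constructed. The whitespace-separated XML form of the attribute and its presence on `https-listener` and `ajp-listener` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an Undertow subsystem (not taken from the page).
SAMPLE_XML = """
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
  <server name="default-server">
    <http-listener name="default" socket-binding="http" disallowed-methods="TRACE DELETE"/>
    <https-listener name="https" socket-binding="https"/>
    <ajp-listener name="ajp" socket-binding="ajp" disallowed-methods=""/>
  </server>
</subsystem>
"""

LISTENER_TAGS = {"http-listener", "https-listener", "ajp-listener"}
DEFAULT_DISALLOWED = {"TRACE"}  # default stated in the answer above


def local_name(tag):
    """Drop the '{namespace}' prefix so any subsystem schema version matches."""
    return tag.rsplit("}", 1)[-1]


def audit_listeners(xml_text, required):
    """Return {(server, listener_type, listener_name): sorted missing methods}."""
    required = {m.upper() for m in required}
    findings = {}
    root = ET.fromstring(xml_text)
    for server in root.iter():
        if local_name(server.tag) != "server":
            continue
        for listener in server:
            kind = local_name(listener.tag)
            if kind not in LISTENER_TAGS:
                continue
            raw = listener.get("disallowed-methods")
            if raw is None:
                blocked = set(DEFAULT_DISALLOWED)  # attribute absent: default applies
            else:
                # Assumption: whitespace-separated list; commas tolerated too.
                blocked = {m.upper() for m in raw.replace(",", " ").split()}
            missing = sorted(required - blocked)
            if missing:
                findings[(server.get("name"), kind, listener.get("name"))] = missing
    return findings


if __name__ == "__main__":
    for (server, kind, name), missing in audit_listeners(SAMPLE_XML, ["TRACE", "DELETE"]).items():
        print(f"{server}/{kind}={name}: still allows {', '.join(missing)}")
```

An explicitly empty attribute overrides the default, which is why the constructed `ajp` listener is reported as allowing TRACE again.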

Related

Using aws xray with apache

My understanding on aws xray is, xray is similar to dynatrace and I am trying to use xray for monitoring apache performance. I do not see any document related to xray with apache except below.
https://mvnrepository.com/artifact/com.amazonaws/aws-xray-recorder-sdk-apache-http
Can anyone please suggest if it is possible to use aws xray with apache and if yes can you also point some document related to it. Thanks.
I assume that by "apache" you mean the Apache Tomcat servlet container, since you are referring to a maven artifact which is a Java build tool.
Disclaimer: I don't know what "dynatrace" is and I don't know which logging you specifically want.
But as far as the Apache Tomcat servlet container and X-Ray goes - here is the link to get started:
http://docs.aws.amazon.com/xray/latest/devguide/xray-sdk-java.html
Start by adding AWSXRayServletFilter as a servlet filter to trace incoming requests. A servlet filter creates a segment. While the segment is open you can use the SDK client's methods to add information to the segment and create subsegments to trace downstream calls. The SDK also automatically records exceptions that your application throws while the segment is open.
As for the mentioned maven artifact:
aws-xray-recorder-sdk-apache-http – Instruments outbound HTTP calls made with Apache HTTP clients
So, you'll need this if, let's say, a client makes a request to your Tomcat server and your Tomcat server makes a request to another server thus acting as a client in this case.

How can you use Spring Sessions with Redis Service in Bluemix? Is IBM Session Cache an alternative?

The current app (with a competitor) is using Spring-Boot and Spring-Sessions to save session data independent from the instance in Redis.
How can we replicate this in Bluemix?
Is there a way to add on Spring-Sessions to the Redis service?
The other option would be the IBM Session Cache. Does that work with Spring-Boot and Spring-Session? Does the Session Cache service work without Tomcat? (Jetty for example?)
I haven't played with Spring-Sessions yet, but I might be able to point you in the right direction.
There is a general Redis service available on Bluemix. The open source Java buildpack (Tomcat) promises auto configuration of Redis. I would try this first. To use this buildpack:
cf push <appname> -b java_buildpack
If that doesn't work, you could read the credentials from VCAP_SERVICES and configure JedisConnectionFactory programmatically to connect to it.
If you use the IBM Session Cache service with a Liberty application on Bluemix, the configuration is auto generated such that standard JEE HTTPSession objects are persisted to the service. It might work with other java runtimes, but configuration would be more manual.
Hope this helps.
Does the session cache work without Tomcat (Jetty for example)?
In general, the session cache should work with any webserver/servlet container; when Bluemix supports a Jetty runtime, for example, the session cache should support it.
Session cache is based on IBM WebSphere eXtreme Scale caching technology, and the base product had been tested against WebSphere, Liberty and Tomcat runtime for the HTTP session use cases, but not tested under Jetty.

JBOSS EAP 6 JMX MBeans via rmi

I am kind of new to JMX. Here I am trying to use jconsole provided by jdk to remotely read the MBeans of JBOSS EAP 6. I followed the tutorial http://magnus-k-karlsson.blogspot.in/2013/01/how-to-remote-connect-jconsole-to-jboss.html and with this I am able to read remotely with the jconsole provided by EAP 6 ((EAP6_HOME)/bin/jconsole.sh), but I was not able to do the same with the jconsole of the jdk. Please give your thoughts on this. I suspect it may be due to the remoting-jmx protocol of the JMX remote URL (service:jmx:remoting-jmx://192.168.0.3:9999). Does jboss-eap6 support the rmi protocol (service:jmx:rmi:///jndi/rmi://ipadress/mbeanname) to read MBeans in jconsole?
Thanks,
Leo.
By default, there will be an MBeans tab in the jconsole window when connected as:
service:jmx:remoting-jmx://jbossHost:9999
To be able to use remoting-jmx protocol you need to have jboss-client.jar or jboss-cli-client.jar on the JConsole classpath.
Here is the relevant part from jconsole.sh provided by JBoss:
CLASSPATH=$JAVA_HOME/lib/jconsole.jar
CLASSPATH=$CLASSPATH:$JAVA_HOME/lib/tools.jar
CLASSPATH="$CLASSPATH:$JBOSS_HOME/bin/client/jboss-cli-client.jar"
$JAVA_HOME/bin/jconsole -J-Djava.class.path="$CLASSPATH" "$@"
P.S. You might need to create some user account first. See $JBOSS_HOME/bin/add-user.sh

Jboss Mbeans visible in jmx-console but not in JConsole

JBoss(4.0.x) has many useful MBeans (org.apache.commons.modeler.*) that are visible in:
/jmx-console
But I cannot see these beans listed in JConsole (MBeans tab).
Are these beans not exposed to outside world?
JBoss 4.x has its own internal MBean server, separate from the default JVM one (JBoss AS 4.x pre-dates Java 5 and its MBean server, so needed its own).
I believe that in JBoss AS 5.x you can tell it to use the JVM's MBean server, but I don't think JBoss AS 4.x provides that option.
Are these beans not exposed to outside world?
Yes they are - JBoss AS's internal MBean server is just as exposed as the JVM's one, it's just exposed differently. JConsole talks to the JVM's MBean server, you need different tools to talk to the JBoss AS one.
P.S. JBoss AS 4.0 is eye-poppingly old (2004? 2005?). You really should update it.

Start/stop a deployment in Weblogic 9 using JMX (or WLST)

I want to start/stop a deployment in weblogic 9 server.
I prefer to use JMX to talk to a weblogic MBean. I already use this to start/stop a server, but I cannot find the MBean for starting/stopping deployments/applications.
In weblogic server 11g there is a AppDeploymentRuntimeMBean which can stop/start deployments. That is described here:
http://download.oracle.com/docs/cd/E14571_01/apirefs.1111/e13951/mbeans/AppDeploymentRuntimeMBean.html
But I cannot find a similar MBean in weblogic 9
http://download.oracle.com/docs/cd/E13222_01/wls/docs92/wlsmbeanref/core/index.html
Is there a way to start/stop a weblogic 9 deployment using jmx or wlst?
BTW, when I record a WLST script during start/stop of a deployment, the Python script is empty.
Well actually AppDeploymentRuntimeMBean was first introduced in WLS 10.3 version. And this bean along with DeploymentManagerMBean were created to replace DeployerRuntimeMBean (it is considered deprecated since 9.0.0.0 version). As for me it seems that there is no way to start\stop applications with JMX on WLS 9 unless you decide to use deprecated API. And also consider the fact that you need Administration Server running in order to access Domain Runtime MBean Server that will provide an entry point to DeployerRuntimeMBean.