I found that javax.servlet.http.HttpServletRequest.getRequestURL() behaves differently in 8.5.57 and 8.5.58. If I add a RemoteIpFilter setting to application's web.xml, the 8.5.57 getRequestURL returned https, while 8.5.58 returned http.
The environment is Azure WebApps.
The settings for web.xml are as follows.
<filter>
<filter-name>RemoteIpFilter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
<init-param>
<param-name>remoteIpHeader</param-name>
<param-value>x-forwarded-for</param-value>
</init-param>
<init-param>
<param-name>remoteIpProxiesHeader</param-name>
<param-value>x-forwarded-by</param-value>
</init-param>
<init-param>
<param-name>protocolHeader</param-name>
<param-value>x-forwarded-proto</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>RemoteIpFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
The same thing happened between 9.0.37 and 9.0.38.
I couldn't determine which content was affected by the change history, so please let me know.
Best regards.
2021/11/15 Added
I added the following logic to check.
response.setContentType("text/html");
PrintWriter out = response.getWriter();
Enumeration e = request.getHeaderNames();
while (e.hasMoreElements()) {
String name = (String)e.nextElement();
String value = request.getHeader(name);
out.println(name + " = " + value + "<br>");
}
The Key that the value was set to is as follows.
cache-control, connection, accept, accept-encoding, accept-language, cookie, host, max-forwards, user-agent, sec-ch-ua, sec-ch-ua-mobile, sec-ch-ua-platform, upgrade-insecure-requests, sec-fetch-site, sec-fetch-mode, sec-fetch-user, sec-fetch-dest, x-waws-unencoded-url, client-ip, x-arr-log-id, disguised-host, x-site-deployment-id, was-default-hostname, x-original-url, x-forwarded-for, x-arr-ssl, x-forwarded-proto, x-appservice-proto, x-forwarded-tlsversion
Related
I have followed Alfodoo documentation to integrate Alfresco with odoo, everything seems to work fine :
When I click on "Create folder in DMS" although a folder is created in alfresco an error is raised:
and no buttons to import files are showing, unless i refresh the page:
Here is my alfresco-global.properties:
# CMIS #
alfresco.restApi.basicAuthScheme=true
opencmis.context.override=true
opencmis.context.value=
opencmis.servletpath.override=true
opencmis.servletpath.value=
opencmis.server.override=true
opencmis.server.value=http://192.168.0.141:8080/alfresco/api/
Here is my web.xml for enabling CORS:
<!-- CORS Filter Begin -->
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<init-param>
<param-name>cors.allowGenericHttpRequests</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowSubdomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
</init-param>
<init-param>
<param-name>cors.supportedHeaders</param-name>
<param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type, range</param-value>
</init-param>
<init-param>
<param-name>cors.exposedHeaders</param-name>
<param-value>Accept-Ranges, Content-Encoding, Content-Length, Content-Range</param-value>
</init-param>
<init-param>
<param-name>cors.supportsCredentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.maxAge</param-name>
<param-value>3600</param-value>
</init-param>
</filter>
<!-- CORS Filter End -->
<!-- CORS Filter Mappings Begin -->
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/api/*</url-pattern>
<url-pattern>/service/*</url-pattern>
<url-pattern>/s/*</url-pattern>
<url-pattern>/cmisbrowser/*</url-pattern>
<url-pattern>/definitions/*</url-pattern>
</filter-mapping>
<!-- CORS Filter Mappings End -->
[EDIT]:
CMIS configuration in Odoo:
I try to solve the error 403 Forbidden that I get when sending requests to my GeoServer. To debug the process, I use Network tab from Inspect option in Chrome (I also tried Firefox). This is the error that I see in the Network tab.
XMLHttpRequest cannot load
http://localhost:8080/geoserver/square/ows?service=WFS&version=1.1.0&requ…ture&typeName=square:InformationStores&outputFormat=application%2Fjson.
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:5601' is therefore not allowed
access. The response had HTTP status code 403.
My GeoServer 2.10.4 is CORS enabled according to multiple tutorials that I found on this topic. However, the error message that I receive seems to be related to proxy.
I spent so much time trying to solve this issue, so finally, I am absolutely lost. I tried a lot of things, but nothing has worked.
This is the configuration file of GeoServer to which I send request:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app>
<display-name>GeoServer</display-name>
<context-param>
<param-name>serviceStrategy</param-name>
<!-- Meaning of the different values :
PARTIAL-BUFFER2
- Partially buffers the first xKb to disk. Once that has buffered, the the
result is streamed to the user. This will allow for most errors to be caught
early.
BUFFER
- stores the entire response in memory first, before sending it off to
the user (may run out of memory)
SPEED
- outputs directly to the response (and cannot recover in the case of an
error)
FILE
- outputs to the local filesystem first, before sending it off to the user
-->
<param-value>PARTIAL-BUFFER2</param-value> </context-param>
<context-param>
<!-- see comments on the PARTIAL-BUFFER strategy -->
<!-- this sets the size of the buffer. default is "50" = 50kb -->
<param-name>PARTIAL_BUFFER_STRATEGY_SIZE</param-name>
<param-value>50</param-value> </context-param>
<!--Can be true or false (defaults to: false). --> <!--When true the JSONP (text/javascript) output format is enabled --> <!-- <context-param>
<param-name>ENABLE_JSONP</param-name>
<param-value>true</param-value> </context-param> -->
<!--
<context-param>
<param-name>PROXY_BASE_URL</param-name>
<param-value>http://localhost/geoserver</param-value>
</context-param>
-->
<!--
<context-param>
<param-name>GEOSERVER_DATA_DIR</param-name>
<param-value>C:\eclipse\workspace\geoserver_trunk\cite\confCiteWFSPostGIS</param-value>
</context-param> -->
<!-- pick up all spring application contexts -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:/applicationContext.xml classpath*:/applicationSecurityContext.xml</param-value>
</context-param>
<filter>
<filter-name>FlushSafeFilter</filter-name>
<filter-class>org.geoserver.filters.FlushSafeFilter</filter-class>
</filter>
<filter>
<filter-name>Set Character Encoding</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter>
<filter-name>SessionDebugger</filter-name>
<filter-class>org.geoserver.filters.SessionDebugFilter</filter-class>
</filter>
<filter>
<filter-name>filterChainProxy</filter-name>
<filter-class> org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>xFrameOptionsFilter</filter-name>
<filter-class>org.geoserver.filters.XFrameOptionsFilter</filter-class>
</filter>
<filter>
<filter-name>GZIP Compression Filter</filter-name>
<filter-class>org.geoserver.filters.GZIPFilter</filter-class>
<init-param>
<!-- The compressed-types parameter is a comma-separated list of regular expressions.
If a mime type matches any of the regular expressions then it will be compressed.
-->
<param-name>compressed-types</param-name>
<param-value>text/.*,.*xml.*,application/json,application/x-javascript</param-value>
</init-param> </filter>
<filter>
<filter-name>Request Logging Filter</filter-name>
<filter-class>org.geoserver.filters.LoggingFilter</filter-class>
<init-param>
<!-- The 'enabled' parameter is a boolean value, "true" (case-insensitive) for true or
any other value for false. If enabled, then the logging will be performed;
otherwise the logging filter will have no effect. If not specified, this
parameter defaults to false.
-->
<param-name>enabled</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<!-- The 'log-request-bodies' parameter is a boolean value, "true" (case-insensitive) for
true or any other value for false. If enabled, then the logging will include the body
of POST and PUT requests. If not specified, this parameter defaults to false.
Note that this may noticeably degrade responsiveness of your geoserver since it will
not begin to process requests until the entire request body has been received by the
server.
-->
<param-name>log-request-bodies</param-name>
<param-value>false</param-value>
</init-param> </filter>
<filter>
<filter-name>Advanced Dispatch Filter</filter-name>
<filter-class>org.geoserver.platform.AdvancedDispatchFilter</filter-class>
<!--
This filter allows for a single mapping to the spring dispatcher. However using /* as a mapping
in a servlet mapping causes the servlet path to be "/" of the request. This causes problems with
library like wicket and restlet. So this filter fakes the servlet path by assuming the first
component of the path is the mapped path.
--> </filter>
<filter>
<filter-name>Spring Delegating Filter</filter-name>
<filter-class>org.geoserver.filters.SpringDelegatingFilter</filter-class>
<!--
This filter allows for filters to be loaded via spring rather than
registered here in web.xml. One thing to note is that for such filters
init() is not called. INstead any initialization is performed via spring
ioc.
--> </filter>
<filter>
<filter-name>Thread locals cleanup filter</filter-name>
<filter-class>org.geoserver.filters.ThreadLocalsCleanupFilter</filter-class>
<!--
This filter cleans up thread locals Geotools is setting up for concurrency and performance
reasons
--> </filter> <!-- Uncomment following filter to enable CORS --> <filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
</filter>
<!--
THIS FILTER MUST BE THE FIRST ONE, otherwise we end up with ruined chars in the input from the GUI
See the "Note" in the Tomcat character encoding guide:
http://wiki.apache.org/tomcat/FAQ/CharacterEncoding
-->
<filter-mapping>
<filter-name>Set Character Encoding</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Uncomment following filter to enable CORS -->
<filter-mapping>
<filter-name>cross-origin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>FlushSafeFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SessionDebugger</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>GZIP Compression Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>xFrameOptionsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Request Logging Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
If you want to use your security system comment out this one too
-->
<filter-mapping>
<filter-name>filterChainProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Advanced Dispatch Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Spring Delegating Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Thread locals cleanup filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- general initializer, should be first thing to execute -->
<listener>
<listener-class>org.geoserver.GeoserverInitStartupListener</listener-class>
</listener>
<!-- logging initializer, should execute before spring context startup -->
<listener>
<listener-class>org.geoserver.logging.LoggingStartupContextListener</listener-class>
</listener>
<!-- spring context loader -->
<listener>
<listener-class>org.geoserver.platform.GeoServerContextLoaderListener</listener-class>
</listener>
<!-- http session listener proxy -->
<listener>
<listener-class>org.geoserver.platform.GeoServerHttpSessionListenerProxy</listener-class>
</listener>
<!-- request context listener for session-scoped beans --> <listener> <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class> </listener>
<!-- spring dispatcher servlet, dispatches all incoming requests -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<!-- single mapping to spring, this only works properly if the advanced dispatch filter is
active -->
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<mime-mapping>
<extension>xsl</extension>
<mime-type>text/xml</mime-type>
</mime-mapping>
<mime-mapping>
<extension>sld</extension>
<mime-type>text/xml</mime-type>
</mime-mapping>
<mime-mapping>
<extension>json</extension>
<mime-type>application/json</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
</web-app>
Please see my answer to this question.
Instead of adding to the web.xml, simply uncomment the two CORS related blocks that are already in there.
I am trying to read the user id of the user that is calling my OData service.
In my web.xml the OData servlet is a protected area
<servlet>
<servlet-name>EJODataServlet</servlet-name>
<servlet-class>org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>org.apache.olingo.odata2.core.rest.app.ODataApplication</param-value>
</init-param>
<init-param>
<param-name>org.apache.olingo.odata2.service.factory</param-name>
<param-value>com.wombling.odata.service.EJServiceFactory</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>EJODataServlet</servlet-name>
<url-pattern>/EJOData.svc/*</url-pattern>
</servlet-mapping>
<login-config>
<auth-method>FORM</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/a/*</url-pattern>
<url-pattern>/index.html</url-pattern>
<url-pattern>*.html</url-pattern>
<url-pattern>/EJOData.svc/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>extension_user</role-name>
</auth-constraint>
</security-constraint>
When I create the factory to serve the response to a query:
public class EJServiceFactory extends ODataServiceFactory {
#Override
public ODataService createService(ODataContext ctx) throws ODataException {
return RuntimeDelegate
.createODataSingleProcessorService(
new AnnotationEdmProvider(
"com.wombling.odata.models"),
new EJODataProcessor("admin")); //TODO this should not be hardcoded
}
}
I cannot see any way that I can get from the ODataContext the user that has passed authentication. If I were to be using basic auth - then I could just get the header, but I'm not using basic auth, but OAuth2 bearer tokens (created by a SAML assertion).
I'd expect the ODataContext provide me access to the request user id, but no luck. Is there some other means that I can use? Or do I need to force the calling application to insert the user id in the request headers (doesn't seem ideal to me!)
To retrieve the request object via the ODataContext object is a little bit tricky. Try this:
HttpServletRequest r = (HttpServletRequest) ctx.getParameter(ODataContext.HTTP_SERVLET_REQUEST_OBJECT);
ctx is your instance of the ODataContext class. From the request object you get all what you need.
I'm trying to set up a web application based on glassfish 3.1 + JSF2. The authorization is performed using a CAS server installing the jasig cas client in the web app as suggested here:
Configuring the JA-SIG CAS Client for Java in the web.xml
and I'm able to catch the principal object inside an EJB when the user is authenticated.
CAS principal attributes comes from LDAP on Active Directory. Now how can I add authorization?
How can I enable the access of certain web pages only to specific groups of users defined in AD?
The purpose is just to let users access different web pages according to their LDAP roles.
I've tried to follow Securing Web Applications from the Java EE tutorial and my web.xml is
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://casserver:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://casserver:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<!--
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
-->
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Production</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Pagina di user</display-name>
<web-resource-collection>
<web-resource-name>index1</web-resource-name>
<description>ristretto a user</description>
<url-pattern>/faces/index.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>user only</description>
<role-name>AMP-User</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Pagina di profile</display-name>
<web-resource-collection>
<web-resource-name>index2</web-resource-name>
<description>risretto a profile</description>
<url-pattern>/faces/index_2.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>profile only</description>
<role-name>AMP-Profile</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>utente generico</description>
<role-name>AMP-User</role-name>
</security-role>
<security-role>
<description>Utente di alto profilo</description>
<role-name>AMP-Profile</role-name>
</security-role>
I've then assigned the roles to my LDAP groups in glassifh-web.xml
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>AMP-Profile</role-name>
<group-name>AMP-Profile</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>AMP-User</role-name>
<group-name>AMP-User</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
The problem is that when I access to the page index.xhtml a form is asking me to authenticate but the authentication should be done by the CAS server. Anyway I cannot authenticate.
How can I use CAS authentication and map LDAP groups to roles?
You can use the security annotations (JSR 250, javax.security.annotations), to define role based access control:
#Stateless
#DeclareRoles({"admin", "users"})
public class HelloEJB implements Hello {
#PermitAll
public String hello(String msg) {
return "Hello, " + msg;
}
#RolesAllowed("admin")
public String bye(String msg) {
return "Bye, " + msg;
}
}
Slightly adapted example from the first link below
Here I declared the roles first, using #DeclareRoles. #PermitAll grants access to all authenticated users, while #RolesAllowed only grants access to the mentioned roles.
You will need to set up roles in your deployment descriptors and in glassfish as well. I found this article very helpful. The Glassfish Server Security Guide goes through the details. You also might want to check out this question. If you run into some problems, ask back here on SO.
I wonder if anyone managed to get Primefaces' p:fileupload component work on Websphere Application Server 8.
I use Primefaces 2.2.1 version.
JSF code:
<h:form enctype="multipart/form-data">
<p:fileUpload
fileUploadListener="#{mailBean.handleFileUpload}"
multiple="true"
label="choose"
allowTypes="*.jpg;*.png;*.gif;"
description="Images"/>
</h:form>
Managed Bean code:
public void handleFileUpload(FileUploadEvent event)
{
files.add(event.getFile());
logger.info("File uploaded into MailBean: " + event.getFile());
System.out.println("File uploaded into MailBean: " + event.getFile());
}
Web.xml filter: (Servlet 3.0)
<filter>
<filter-name>PrimeFaces FileUpload Filter</filter-name>
<filter-class>org.primefaces.webapp.filter.FileUploadFilter</filter-class>
<init-param>
<param-name>thresholdSize</param-name>
<param-value>51200</param-value>
</init-param>
<init-param>
<param-name>uploadDirectory</param-name>
<param-value>c:/temp/pf</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>PrimeFaces FileUpload Filter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
The component says HTTP error and turns into red, on the console I get a ViewExpiredException by Myfaces:
Caused by: javax.faces.application.ViewExpiredException: /createmail.xhtml
No saved view state could be found for the view identifier: /createmail.xhtml
at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:128)
at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:171)
at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:189)
I even tried with two other versions of Mojarra instead of Myfaces, but I got errors (2.1: handler doesnt get invoked, 2.0.3: viewexpired)
Did u have the .jars and the web.xml config (remove "c:", the default is that route) ? I had the same problem but then i restarted my WAS 8.5 and it worked.
I'm using Websphere 7 with JSF 2.0 with Mojarra 2 and PrimeFaces 3.4.2 (common-fileupload-1.2.2.jar and common-io-1.3.2.jar)
I see the fileUpload don't call the bean in WebSphere.
I see the bar that load the file but don't arrive the event on the managedBean.
It seems as if some other filter in Websphere capture the HTTP request and you can't get data sent by fileUpload because are just consumed :(