I am really hoping someone can help point me in the right direction.
I have Geoserver deployed within Tomcat 9 on an Ubuntu 18.04 server.
All was working absolutely fine until I added SSL to the Apache virtual host. I have no problem with logging in to Geoserver but when I try and change anything (e.g. save a new setting or try to add data to Geoserver) I get this error:
HTTP Status 400 – Bad Request
Type Status Report
Message Origin does not correspond to request
Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
Apache Tomcat/9.0.43
This has only happened since I added SSL and if I remove the SSL Virtual Host in Apache and run the site just as HTTP, I don't get the error.
Can anyone point me in the right direction please?
Thank you
I solved this problem using the instructions here: https://dev.to/iamtekson/using-nginx-to-put-geoserver-https-4204
Added my domain name under Settings > Global > Proxy Base URL in the GeoServer admin site: https:www.mydomain.com
Check, "Use headers for Proxy URL"
Added the following code in web.xml located here: /webapps/geoserver/WEB-INF/web.xml
<context-param>
<param-name>GEOSERVER_CSRF_WHITELIST</param-name>
<param-value>example.org</param-value>
</context-param>
<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>*</param-value>
</init-param>
</filter>
Related
I have a problem with Apache-Tomcat Servlet-mapping through url-pattern.
It has been working just fine till last year.
Very recently I tried to login and all of sudden 404 Not Found error showed up.
I still see all other pages fine. I don't know what has changed on server-side because I am borrowing a linux-server from vultr.
Since I haven't touched anything in my coding and everything looks fine to me, I have no clue.
It seems easy to solve for experts. Can anyone help me with this?
- Error Message
Not Found
The requested URL /login.do was not found on this server.
Apache/2.4.12 (Ubuntu) Server at xx.xx.xx.xx Port 80
Here xx is the ip address of my server
- tomcat/conf/server.xml
...
<Context path="" docBase="/.../tomcat/webapps/.../WebContent" reloadable="true"></Context>
...
- tomcat/conf/web.xml
...
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
...
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
...
- myapp/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>myapp</display-name>
...
<servlet>
<servlet-name>URIController</servlet-name>
<servlet-class>myapp.mvc.control.URIController</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>
/WEB-INF/commandHandler.properties
</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>URIController</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
...
- myapp/WEB-INF/commandHandler.properties
/login.do=myapp.mvc.command.Login
When I try to login, it says "The requested URL /login.do was not found on this server."
It has been working fine like this: when hitting "login" button, it passes the content in commandHandler.properties to the control class (myapp.mvc.control.URIController) and this class get the name of the login class (myapp.mvc.command.Login) in order to dispatch the request to the login class.
If this problem has something to do with Apache, I have no idea (no idea even what to show here) because it was done by a paid expert like 5 years ago.
Thanks a lot in advance !!
That is an httpd error message, not an Apache Tomcat one. It looks like something (can't tell what from the information provided) has broken the reverse proxy from httpd to Tomcat. You need to talk to whoever set up the reverse proxy for you.
I'm fairly new with Apache and Tomcat, so try to explain me the better you know :P I'm only working in local.
I have one application that needs Tomcat to execute Servlets, so I can type:
http://localhost:8080/rrcapp/xservlet?consult=list01
That works. I also have my webpage running with Apache 2.4, so I can type:
http://localhost:80/websrv/index.htm
That works too. The problem comes when in my index.htm serving in Apache, make a call in an Iframe with Chrome, to that Servlet, getting the error:
Refused to display ...in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
I've read about setting in my httpd.conf to unset x-frame-options or setting with ALLOW-FROM but it seems just doesn't work with Chrome.
Then, I've read about CSP policies, but I cannot figure out how to set this kind of policy in mi httpd.conf so I can run servlets inside the iframe, inside my Apache server.
Can anyone help me with this?
Regards :)
EDIT 1:
Thanks Eddie James Carswell II I understood the error came from the Tomcat. I've read the document he showed me, and tried to configure my web.xml inside my /conf dir in Tomcat, this is the result:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>http://localhost:80/*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
I restarted the Tomcat server and tried again to load the Iframe and got another error:
Invalid 'X-Frame-Options' header encountered when loading 'http://localhost:8080/rrcapp/xservlet?consult=list01': 'ALLOW-FROM http://localhost:80/*' is not a recognized directive. The header will be ignored.
EDIT 2:
It seems it works on the most recent version of Firefox (57.0 Quantum) as well in IE 10 and EDGE. Still, it doesnt work with Chrome :P
Maybe ALLOW-FROM has some problems with Chrome, but if I'm not wrong, I cannot establish CSP directives in Tomcat. How can I resolve this on Chrome?
Any help here? :)
Thanks in advance
Firstly, I want to thanks to Eddie James Carswell II, who assisted me with this issue all the time, giving me very valuable tips.
Finally, I got it with Proxys via httpd. As stated in the article linked, uncommenting this lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
And then configuring my app directory in Apache:
ProxyRequests Off
ProxyPass /rrcapp http://localhost:8080
ProxyPassReverse /rrcapp http://localhost:8080
<Location "/rrcapp">
Order allow,deny
Allow from all
</Location>
Now, I can write in a JS call,. Example:
document.location = '/rrcapp/xservlet?consult=list01';
And access to my apps resources, located in Tomcat.
Why this solution? Its universal in every browser, and easy to configure.
Why not the other one? It worked on the most recent version of Firefox (57.0 Quantum) as well in IE 10 and EDGE. Still, it didn't work with Chromem, wich is the browser I use. The configuration anyways set up, was this in the web.xml in Tomcat directory.
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>http://localhost:80/*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Hope this helps in the future :)
Thanks Eddie!
I configured Apache Jackrabbit 2.6.3 to use WebDAV in an anonymous mode (empty credentials are mapped to anonymous:anonymous).
If I click on a direct link to some file (e.g. JPG or DOC) HTTP 403 error is thrown by GlassFish server. If I press F5, 403 is still there.
BUT if I simply press Enter in address bar in my browser on the same URL, everything is OK, and resource is accessible.
I think that only difference is a referrer in the HTTP header.
I searched for any information about a similar problem, but I couldn't find anything.
Does anybody have some idea how to force WebDAV (or Jackrabbit) to serve files in the anonymous mode despite the referrer or any other reason?
I found a solution.
In web.xml file in section WebDAV the following part must be uncommented:
<init-param>
<param-name>csrf-protection</param-name>
<param-value>disabled</param-value>
</init-param>
With disabled as param-value.
As description says:
Defines the behaviour of the referrer based CSRF protection
1) If omitted or left empty the (default) behaviour is to allow only requests with
an empty referrer header or a referrer host equal to the server host
2) May also contain a comma separated list of additional allowed referrer hosts
3) If set to 'disabled' no referrer checking will be performed at all
I'm using Jetty 6.1 together with PJL Compressing Filter.
Jetty removes the following header from the response:
Content-Encoding: gzip
This causes that most browsers cannot display the page anymore and show something like this:
Error 330 (net::ERR_CONTENT_DECODING_FAILED)
The Problem does not occur when I deploy my application on Tomcat 6.0. Also, if I disable the PJL Compressing Filter, the application works.
What can I do that Jetty leaves the header in the response?
make it sure you're using the last available jetty version.
It does work with this configuration for me:
<filter>
<filter-name>GzipFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.GzipFilter</filter-class>
<init-param>
<param-name>mimeTypes</param-name>
<param-value>text/html,text/plain,text/xml,application/xhtml+xml,text/css,application/javascript,application/json,image/svg+xml</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>GzipFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Our application is running on WebLogic.
At some point the WebLogic is redirecting to Apache to allow the user to access PDF files.
This happens via:
final String encodedURL = resp.encodeRedirectURL(redirectURL);
resp.sendRedirect(encodedURL); //ok here because redirection to other server and not to itself
The problem is that WebLogic appends a JSESSIONIDto the URL and the apache fails to serve the PDF Document.
How can I prevent WebLogic from adding the JSESSIONID to the URL?
The whole point en encodeRedirectURL is to include the session ID in the URL if necessary. f you think it's not necessary to include it, don't encode the URL:
resp.sendRedirect(redirectURL);
the problem was, that in our weblogic.xml cookies were disabled:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
<session-descriptor>
<cookies-enabled>false</cookies-enabled>
</session-descriptor>
whe solved the issue by setting them to true. in this special application, this was not a problem:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
<session-descriptor>
<cookies-enabled>true</cookies-enabled>
</session-descriptor>
Adding this to my Facelets based application's web.xml avoids JSESSIONID:
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>