I'm fairly new with Apache and Tomcat, so try to explain me the better you know :P I'm only working in local.
I have one application that needs Tomcat to execute Servlets, so I can type:
http://localhost:8080/rrcapp/xservlet?consult=list01
That works. I also have my webpage running with Apache 2.4, so I can type:
http://localhost:80/websrv/index.htm
That works too. The problem comes when in my index.htm serving in Apache, make a call in an Iframe with Chrome, to that Servlet, getting the error:
Refused to display ...in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
I've read about setting in my httpd.conf to unset x-frame-options or setting with ALLOW-FROM but it seems just doesn't work with Chrome.
Then, I've read about CSP policies, but I cannot figure out how to set this kind of policy in mi httpd.conf so I can run servlets inside the iframe, inside my Apache server.
Can anyone help me with this?
Regards :)
EDIT 1:
Thanks Eddie James Carswell II I understood the error came from the Tomcat. I've read the document he showed me, and tried to configure my web.xml inside my /conf dir in Tomcat, this is the result:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>http://localhost:80/*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
I restarted the Tomcat server and tried again to load the Iframe and got another error:
Invalid 'X-Frame-Options' header encountered when loading 'http://localhost:8080/rrcapp/xservlet?consult=list01': 'ALLOW-FROM http://localhost:80/*' is not a recognized directive. The header will be ignored.
EDIT 2:
It seems it works on the most recent version of Firefox (57.0 Quantum) as well in IE 10 and EDGE. Still, it doesnt work with Chrome :P
Maybe ALLOW-FROM has some problems with Chrome, but if I'm not wrong, I cannot establish CSP directives in Tomcat. How can I resolve this on Chrome?
Any help here? :)
Thanks in advance
Firstly, I want to thanks to Eddie James Carswell II, who assisted me with this issue all the time, giving me very valuable tips.
Finally, I got it with Proxys via httpd. As stated in the article linked, uncommenting this lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
And then configuring my app directory in Apache:
ProxyRequests Off
ProxyPass /rrcapp http://localhost:8080
ProxyPassReverse /rrcapp http://localhost:8080
<Location "/rrcapp">
Order allow,deny
Allow from all
</Location>
Now, I can write in a JS call,. Example:
document.location = '/rrcapp/xservlet?consult=list01';
And access to my apps resources, located in Tomcat.
Why this solution? Its universal in every browser, and easy to configure.
Why not the other one? It worked on the most recent version of Firefox (57.0 Quantum) as well in IE 10 and EDGE. Still, it didn't work with Chromem, wich is the browser I use. The configuration anyways set up, was this in the web.xml in Tomcat directory.
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>http://localhost:80/*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Hope this helps in the future :)
Thanks Eddie!
Related
I am really hoping someone can help point me in the right direction.
I have Geoserver deployed within Tomcat 9 on an Ubuntu 18.04 server.
All was working absolutely fine until I added SSL to the Apache virtual host. I have no problem with logging in to Geoserver but when I try and change anything (e.g. save a new setting or try to add data to Geoserver) I get this error:
HTTP Status 400 – Bad Request
Type Status Report
Message Origin does not correspond to request
Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
Apache Tomcat/9.0.43
This has only happened since I added SSL and if I remove the SSL Virtual Host in Apache and run the site just as HTTP, I don't get the error.
Can anyone point me in the right direction please?
Thank you
I solved this problem using the instructions here: https://dev.to/iamtekson/using-nginx-to-put-geoserver-https-4204
Added my domain name under Settings > Global > Proxy Base URL in the GeoServer admin site: https:www.mydomain.com
Check, "Use headers for Proxy URL"
Added the following code in web.xml located here: /webapps/geoserver/WEB-INF/web.xml
<context-param>
<param-name>GEOSERVER_CSRF_WHITELIST</param-name>
<param-value>example.org</param-value>
</context-param>
<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>*</param-value>
</init-param>
</filter>
I have a problem with Apache-Tomcat Servlet-mapping through url-pattern.
It has been working just fine till last year.
Very recently I tried to login and all of sudden 404 Not Found error showed up.
I still see all other pages fine. I don't know what has changed on server-side because I am borrowing a linux-server from vultr.
Since I haven't touched anything in my coding and everything looks fine to me, I have no clue.
It seems easy to solve for experts. Can anyone help me with this?
- Error Message
Not Found
The requested URL /login.do was not found on this server.
Apache/2.4.12 (Ubuntu) Server at xx.xx.xx.xx Port 80
Here xx is the ip address of my server
- tomcat/conf/server.xml
...
<Context path="" docBase="/.../tomcat/webapps/.../WebContent" reloadable="true"></Context>
...
- tomcat/conf/web.xml
...
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
...
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
...
- myapp/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>myapp</display-name>
...
<servlet>
<servlet-name>URIController</servlet-name>
<servlet-class>myapp.mvc.control.URIController</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>
/WEB-INF/commandHandler.properties
</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>URIController</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
...
- myapp/WEB-INF/commandHandler.properties
/login.do=myapp.mvc.command.Login
When I try to login, it says "The requested URL /login.do was not found on this server."
It has been working fine like this: when hitting "login" button, it passes the content in commandHandler.properties to the control class (myapp.mvc.control.URIController) and this class get the name of the login class (myapp.mvc.command.Login) in order to dispatch the request to the login class.
If this problem has something to do with Apache, I have no idea (no idea even what to show here) because it was done by a paid expert like 5 years ago.
Thanks a lot in advance !!
That is an httpd error message, not an Apache Tomcat one. It looks like something (can't tell what from the information provided) has broken the reverse proxy from httpd to Tomcat. You need to talk to whoever set up the reverse proxy for you.
I am a stackoverflow fan. This website has solved most of technical questions without even asking them but by only reading previous similar questions. Indeed I have searched the web and stackoverflow but I could not find any answer and I could not solve this problem by myself. My only resort is to ask for your help. I have worked on a small JSF 2.0 application and everything is working fine on my local tomcat 6.0.35. I have all the JSF lib on my WEB-INF. I am using mojarra version 2.1.14. The url is accessed like this
on my local
http://localhost/application/page.jsf
and this application is deployed to an external hosted tomcat which has apache and Tomcat 6.0.36. The application is deployed under /home/username/public_html. the same url should be accessed by typing
http://website.com/application/page.jsf
but I am getting the error:
Not Found
The requested URL /application/page.jsf was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Additionally, html and JSP pages are working fine. I have a test application which has jsp page and it is loading just fine. xhtml pages on the other hand are not working on this apache box. For the JSP pages to work I added JSP and servlet support
/usr/local/cpanel/scripts/addservlets2 --domain=domain.com
This is the web.xml file.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<servlet>
<servlet-name>FacesServlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>FacesServlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<context-param>
<param-name>com.sun.faces.expressionFactory</param-name>
<param-value>com.sun.el.ExpressionFactoryImpl</param-value>
</context-param>
</web-app>
I strongly believe this web.xml has nothing to do with jsf not working and furthermore these settings are working well on my local. The tomcat log file is showing no error of page not found on the external host.
Here is the faces config file
<?xml version="1.0"?>
<faces-config xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
version="2.0">
</faces-config>
What is happening? Please help me. I am getting desperate. Why JSF request are returning not found on this apache server?
additional the el-impl-2.2.jar and el-api-2.2.jar are in the tomcat libs.
and javax.faces-2.1.14.jar, jstl-api-2.1.jar, jstl-impl-2.1.jar and all the required commons jars are all in the WEB-INF.
I have just fixed this problem. I have spent 6 days doing investigations how to fix this. What a waste of time. Today at work, I talked to my colleague and he suggested I direct my investigations toward apache connector to tomcat since I was claiming that everything is working fine on my local tomcat server. I made some research and I discovered that I needed to edit cp_jkmount.conf connector. JkMount is used to map a context path to a Tomcat worker. I added the following
<IfModule mod_jk.c>
JkMount /*.xhtml ajp13
JkMount /*.jsf ajp13
</IfModule>
at the end of these connectors
/usr/local/apache/conf/userdata/std/2/username/website.com/cp_jkmount.conf
/usr/local/apache/conf/userdata/ssl/2/username/website.com/cp_jkmount.conf
I hope this will help someone else.
I can't get ssi to work on Tomcat 5.5.27.
using standard ssi configuration and getting this in log
SEVERE: #include--Couldn't include file: /file/hi.html
java.io.IOException: Couldn't get context for path: /file/hi.html
I don't know what is the context.
Thanks for help
configuration
<servlet>
<servlet-name>ssi</servlet-name>
<servlet-class>
org.apache.catalina.ssi.SSIServlet
</servlet-class>
<init-param>
<param-name>buffered</param-name>
<param-value>1</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>1</param-value>
</init-param>
<init-param>
<param-name>expires</param-name>
<param-value>666</param-value>
</init-param>
<init-param>
<param-name>inputEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>outputEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>isVirtualWebappRelative</param-name>
<param-value>0</param-value>
</init-param>
<load-on-startup>4</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>ssi</servlet-name>
<url-pattern>*.shtml</url-pattern>
</servlet-mapping>
First of all, Tomcat 5.5 has not been supported by the ASF since 30 September 2012. You really need to upgrade. Further 5.5.27 was released in 2008 and there have been a lot of bug fixes and security fixes since then. More good reasons to upgrade.
With the minimal information you have provided (no details on how your app is deployed, no snippet showing the source that triggers this error) it looks like you are trying to do includes relative to the root of the web application without configuring the SSI servlet for that. Setting isVirtualWebappRelative to 1 should do the trick.
I'm using Jetty 6.1 together with PJL Compressing Filter.
Jetty removes the following header from the response:
Content-Encoding: gzip
This causes that most browsers cannot display the page anymore and show something like this:
Error 330 (net::ERR_CONTENT_DECODING_FAILED)
The Problem does not occur when I deploy my application on Tomcat 6.0. Also, if I disable the PJL Compressing Filter, the application works.
What can I do that Jetty leaves the header in the response?
make it sure you're using the last available jetty version.
It does work with this configuration for me:
<filter>
<filter-name>GzipFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.GzipFilter</filter-class>
<init-param>
<param-name>mimeTypes</param-name>
<param-value>text/html,text/plain,text/xml,application/xhtml+xml,text/css,application/javascript,application/json,image/svg+xml</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>GzipFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>