resolving session fixation bug fix in resin app server - resin

I am using resin app server
request.getSession.invalidate();reguest.getSession(true) is not working properly and its not resetting session ID while using Resin.
Also I am not able to use request.changeSessionId() as the resin version is not able to use JavaEE7 libraries.
Please share your views on how to resolve session fixation with Resin

Resin 4.0.x doesn't implement Servlet 3.1 API.
Resin provides reuse-session-id configuration option that helps control session cookie behaviour.
http://caucho.com/resin-4.0/reference.xtp#session-config

Related

Security headers setup on WebSphere 9.0.5.13

I have to get all these Headers (mentioned below) green when checked the URL "https://.com" on securityheaders.com.
Headers: "Strict-Transport-Security" "Content-Security-Policy" "X-Frame-Options" "X-Content-Type-Options"
The Web Server running here is IBM WebSphere 9.0.5.13 here.
I know it need to be added in some Web.xml file with a context param but there are so manu web.xml files not sure which one, OR
we also tried from the Server Web Container Settings by adding this which didnt work:
com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP....value=max-age=31536000;includeSubDomains;preload
com.ibm.ws.webcontainer.addStrictTransportSecurityHeader....value=max-age=31536000;includeSubDomains;preload
But neither did work. I need to do this for all the Headers mentioned above.
We know how to do this for Tomcat, but having difficulty with WebSphere guys.
If anybody knows how to do this please help me. Thanking you guys in advance
Regards,
Mainak
You need to use the Servlet API's to set custom response headers, either in your application or in a filter. If you can't do that, you can often do similar if you have a proxy server in front of your application.
WebSphere Liberty has basic support for adding custom response headers via server.xml, but it's not available in the traditional websphere application server.
HSTS is unique as there is support for it at various levels in configuration.

CORS policy errors

I have an .Net Core API running on https://localhost:44371 and a Blazor app running on https://localhost:44346. As you can see they aren't running on the same port, so I'm getting a CORs error of 'Access-Control-Allow-Origin'. These are new projects generated through Visual Studio.
Can I have them both run from the same port?
If so how can I dictate which port to use?
Will making them run from the same port fix this problem?
If not, what's a work around?
Thank you in advance!!
No, you cannot run two separated app at the same port.
and also, same port wont fix your issue.
You should enable the CORS middleware in asp.net core. try enable it using docs:
https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0
and also be aware that you should have a exception handler because any unhandled exception will clear CORS headers.
you can use this doc:
https://learn.microsoft.com/en-us/aspnet/core/web-api/handle-errors?view=aspnetcore-5.0

SonarQube LDAP plugin deployed but not "enabled"

SQ 5.6, LDAP plugin 2.0.
I've successfully installed the LDAP plugin and restarted the SQ server. In the log (/opt/sonar/logs/sonar.log) the plugin is apparently deployed, but seemingly no attempt is made to initialize/enable it or connect to the LDAP server.
INFO web[o.s.s.p.ServerPluginRepository] Deploy plugin LDAP / 2.0 / 2910f3981167a70a201ccfae01471dfd26c794b7
.
.
INFO web[o.s.s.p.RailsAppsDeployer] Deploying app: ldap
These are the only mentions of ldap/LDAP in the log.
Relevant part of the conf/sonar.properties file:
sonar.security.realm=LDAP
ldap.url=ldap://myldap:389
ldap.user.baseDn=ou=mycompany,ou=People,dc=myurl,dc=com
I believe I've verified ldap.url and ldap.user.baseDn via JXplorer (an LDAP browser).
What really puzzles me is that I don't see anything like the following in the logs, which is what I'd expect from the SQ docs:
INFO org.sonar.INFO Security realm: LDAP ...
INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK
No errors of any kind are noted in the log.
Any idea why SQ is not even apparently trying to kick off LDAP authentication on a restart?
I had the same problem. I'm running Sonarqube using docker. It did not pick up on changes when I restart the server from the Sonarqube UI. Only after restarting the docker image it could pick up the changed file.
Well, now it just started working. I don't have an answer as to why though. Maybe something changed with my LDAP server, or there was some latency that needed to be overcome. I didn't change anything on my end that I'm aware of. In any case, thanks to those that responded.

Can't configure Glassfish for new JavaMail session

When I go to Glassfish web console localhost 4848 and go to Resources JavaMail and hit the "new" button, I get this error class java.lang.RuntimeException I'm fairly new to Glassfish and am trying to follow the mail tutorials. Can anyone give me some advice on where to start? Thx in advance!!
This is a bug introduced in the GlassFish 4.1.1 release. GlassFish 4.1 should work.
For any one struggling to do this via the Web Console and doesn't want to downgrade, just use the sub-command line option to create the mail session then continue on the web console to add additional properties.
asadmin> create-javamail-resource --mailhost localhost
--mailuser sample --fromaddress sample\#sun\.com mail/MyMailSession
Fortunately I was able to get the email to work. The problem was that they had setup Exchange for an Anonymous user with no security (SMTP not SMTPS). However, I never did get the JavaMail in Glassfish to work. Due to some other reasons, the decision was made to stick with the current version of Glassfish. I did try to go back to 4.1 as noted, but had similar issues in getting JavaMail setup as a Resource. Once I got the basic issue resolved, I abandoned the effort to go back to 4.1, so I'm not sure if that would have changed anything.
Thx

OpenAM Conditional Login Url

I'm using openAM 10.0.0 and the admin guide mention it support conditional login (just no on console):
com.forgerock.agents.conditional.login.url
Then I configure agent as local config:
com.forgerock.agents.conditional.login.url[0]= songjing.com|http://openam.songjing.com:8080/openam/UI/Login
om.forgerock.agents.conditional.login.url[1]= brandA.songjing.com|http://openam.songjing.com:8080/openam/UI/LoginBrandA
When I browse to brandA.songjing.com, it still go back to http://openam.songjing.com:8080/openam/UI/Login login page. I thought it is cause by
com.sun.identity.agents.config.login.url[0] = http://openam.songjing.com:8080/openam/UI/Login
And remark it.
Then end up with error say com.sun.identity.agents.config.login.url not found.
I try with web agent 3.0.4 and 3.1 for apahche httpd, both not working
Any help?
Rgds
SJ
Solved. web agent 3.0.4 not support conditional login url.
for web agent 3.1 the key is:
com.forgerock.agents.conditional.login.url
and for j2ee agent 3.1 the key is
com.sun.identity.agents.config.conditional.login.url
and due to I use virtual server, I need configure fqdn mapping:
com.sun.identity.agents.config.fqdn.mapping[branda.com] = branda.com