Remove 'Server' http header from api response - apache-camel

I have an application which uses camel-jetty, camel-cxf to expose a REST api and runs in apache karaf (fuse esb). Because of security reasons, I need to remove 'Server' header from API response. I removed the header from camel exchange headers but still it returns in api response as Jetty(7.6.7.v20120910). How can I remove the header from API response ?

The jetty component, you can turn off sendServerVersion by setting sendServerVersion=false in the endpoint uri.
For Apache CXF or camel-cxf I am not sure if that is possible. You would need to check Apache CXF documentation.

I added following line to jetty.xml and got server header removed.
<Set name="sendServerVersion">false</Set>

Related

Enable CORS in an Angular Paypal Docker application

My application with angular front end and springboot backend is trying to make a REST POST call to one of the PayPal APIs from Angular front end. The application is deployed as a Docker container in GCP VM instance. If I dont open the broser with web security disabled I get the ERROR
"Access to XMLHttpRequest at 'https://pilot-payflowpro.paypal.com/' from origin 'http://myserverip' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."
I see lot of answers for this question in SO and others with adding headers in httpd.conf / .htaccess files. But I dont have both these files. I tried adding headers to Dockerfile and also adding commands to docker-compose.yaml file. Also tried adding the end URL in angular proxy configuration file. None of it worked.
Is there any way to enable CORS either in a docker config file or in the server itself.
docker-compose.yml
image: docker.image.link
privileged: true
ports:
- '80:8080'
restart: 'no'
volumes:
- '/var/sftp/upload:/usr/share/invoice/invoiceFile'
environment:
- SPRING_PROFILES_ACTIVE=docker
- DB_CONN_STRING=jdbc:postgresql:url
- DB_USER=postgres
- DB_PASS=postgres
- HOST_NAME=hostname
- SMTP_HOST=smtphost
- SMTP_PORT=25
- SMTP_AUTH_TRUE_FALSE=false
Dockerfile
FROM openjdk:8-jdk-alpine
ARG JAR_FILE
ADD target/${JAR_FILE} /usr/share/application.jar
ADD template/ /usr/share/template
VOLUME /tmp
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/usr/share/application.jar"]
The CORS error is an error emitted by the browser when the request response, from the backend, hasn't the properly headers to tell to the browser that this client can perform/view the request.
So, in your case the backend is the PayPal (https://pilot-payflowpro.paypal.com/ -> paypal.com) not your backend, so even if you add any headers to your backend or frontend, the problem will persist because the only header that is important when you perform the request to the https://pilot-payflowpro.paypal.com/ is the header from the response of this request.
To solve this problem the https://pilot-payflowpro.paypal.com/ needs to send the correct header response allowing you to perform this request, and I think it's not possible because security reasons.
Some endpoints can't be use from a frontend application, only from a backend, and I think it's your case.
To avoid the CORS problem you can create an endpoint in your backend that call the https://pilot-payflowpro.paypal.com/. So, in your frontend you call your backend endpoint and the backend call the PayPal API.
calling the REST call is one solution. Another solution would be to mask the endpoint URL in the proxy configuration in Angular.
"/paypal" : {
"target" : "https://pilot-payflowpro.paypal.com/",
"secure" : true,
"changeOrigin": true,
"pathRewrite":{
"^/paypal":""
}
}
And calling /paypal where we have to do the REST call.

tried to access the data via axios but Response to preflight request doesn't pass access control check

I was working over react and made a request using axios but in the browser it shows "Response to preflight request doesn't pass access control check" i had installed the corx extension but still getting the same error
Assuming you are using create-react-app you can try defining a proxy property in your package.json file and give the url to your api server, something like
"proxy": "http://localhost:8000".
This will proxy your api calls through the express server provided within create-react-app without the need for any CORS configuration in your browser
Note : This can be only used in your local environment and for production setup, you should try alternate approaches by configuring CORS setting in the API server or hosting the UI and API applications under the same hostname

Artemis mqtt client interceptor: java.lang.ClassNotFoundException

I want to intercept message send by a mqtt client to artemis broker.
I am following the example "interceptor-client-mqtt".
My problem is that I am always getting an error "java.lang.ClassNotFoundException: SimpleMQTTInterceptor".
My question is where should I put the interceptor class so that the broker could find it?
Should I put only the class of the interceptor, or should I put a jar file?
Put your interceptor class in a jar in the broker's "lib" directory.

Interceptors and Apache Camel

I am new to camel so my question is how to get request and responce values that is displayed on saop UI to the log file using Interceptors configuration. I need to apply some interceptor configuration before the request hit to camel so that we can filter the request object and same with the responce.
Look at logging interceptors in camel cxf endpoint declaration : inInterceptors
http://camel.apache.org/cxf.html
Or
You can just print the request inside your route as well using ${body}
Add this to your route configuration:
interceptFrom()
.when(exchange -> isToBeIntercepted(exchange)) //which routes are to be intercepted
.process(doSomeStuffHere());

grails REST API with Spring Security core and CORS plugins not working for OPTIONS http method requests

Trying to do cross-domain request [CORS] from AngularJS front-end to Grails 2.3.1 RESTful Service on other server.
AngularJS sends OPTIONS http request first for any cross-domain requests.
To support this, I added following method to my Controller that extends RestfulController
static allowedMethods = [save: "POST", update: "PUT", delete: "DELETE", options: "OPTIONS", trace: "TRACE", head: "HEAD"]
#Secured(value=['permitAll'], httpMethod='OPTIONS')
def options() {
log.debug("i am in options method")
response.setHeader("Allow", "GET,POST,PUT,DELETE,OPTIONS,TRACE,HEAD")
return
}
For cURL command bellow, my options() method on my Controller never getting called. curl always gets 301 response.
curl -H "Origin: http://example.com" -X OPTIONS --verbose http://localhost:8080/Console/tenants/1/spaces.xml
Is this a bug in Spring Security core plugin or am I missing something?
My environment consists, Grails 2.3.1, Spring Security Core and ACL 2.0-RC1 plugins and CORS plugin 1.1.1
That's because the browser checks for cross domain requests before your action. You can do that using a servlet filter, or just use the CORS Grails plugin.
using latest CORS Grails plugin solves the problem. It includes a filter that intercept OPTIONS request and provide the response.

Resources