I am developing an app using AngularJS and Resteasy. As expected I am facing the well known problem of
XMLHttpRequest cannot load http://localhost:8080/..... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 403.
As seen on other stack overflow posts [1], I tried using Resteasy's CorsFilter from a Feature object, but I get:
[33m02:06:57,883 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-1) failed to execute: javax.ws.rs.ForbiddenException: Origin not allowed: http://localhost:3000
at org.jboss.resteasy.plugins.interceptors.CorsFilter.checkOrigin(CorsFilter.java:194)
at org.jboss.resteasy.plugins.interceptors.CorsFilter.filter(CorsFilter.java:134)
My CorsFeature object:
#Provider
public class CorsFeature implements Feature {
#Override
public boolean configure(FeatureContext context) {
CorsFilter corsFilter = new CorsFilter();
corsFilter.getAllowedOrigins().add("*");
context.register(corsFilter);
return true;
}
}
In web.xml I added:
<context-param>
<param-name>resteasy.providers</param-name>
<param-value>org.jboss.resteasy.plugins.interceptors.CorsFilter</param-value>
</context-param>
I see that when I comment this context-param, I don't get the aforementioned Exception and the response status is 200, rather than 403.
In the angular module config I added:
$httpProvider.defaults.useXDomain = true;
delete $httpProvider.defaults.headers.common['X-Requested-With'];
I know there is the option of creating a node.js proxy, but I'd like to solve this the hard way.
Can you please help me overcome this big obstacle in life?
Thanks :)
Later edit:
I managed to accomplish that by annotating the feature class (CorsFeature) si #Component. That way the application context is aware of it.
Solution for Wildfly
edit standalone.xml:
config
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<filter-ref name="Access-Control-Allow-Origin"/>
<filter-ref name="Access-Control-Allow-Methods"/>
<filter-ref name="Access-Control-Allow-Headers"/>
<filter-ref name="Access-Control-Allow-Credentials"/>
<filter-ref name="Access-Control-Max-Age"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>
<response-header name="Access-Control-Allow-Methods" header-name="Access-Control-Allow-Methods" header-value="GET, POST, OPTIONS, PUT"/>
<response-header name="Access-Control-Allow-Headers" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/>
<response-header name="Access-Control-Allow-Credentials" header-name="Access-Control-Allow-Credentials" header-value="true"/>
<response-header name="Access-Control-Max-Age" header-name="Access-Control-Max-Age" header-value="1"/>
</filters>
</subsystem>
restart Wildfly
Related
I'm using Wildfly 10 and I'm trying to add an expression filter in the undertow configuration to validate the secret value from mod_jk. It is however always returning error code 403.
Below is my configuration in standalone-full.xml
<subsystem xmlns="urn:jboss:domain:undertow:7.0" ...>
...
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<ajp-listener name="ajp" socket-binding="ajp"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
...
<!-- add the following with your AJP port (8009) -->
<filter-ref name="secret-checker" predicate="equals(%p, 8009)"/>
</host>
</server>
...
<filters>
<!-- add the following with your credential (YOUR_AJP_SECRET) -->
<expression-filter name="secret-checker" expression="not equals(%{r,secret}, 'verysecure') -> response-code(403)"/>
</filters>
Below is the configuration in workers.properties for mod_jk.
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=127.0.0.1
worker.ajp13.type=ajp13
worker.ajp13.secret=verysecure
I'm trying to mitigate the ghostcat vulnerability detailed on this link.
https://access.redhat.com/solutions/4851251
Any help is appreciated. Thanks in advance.
place "and equals(%{PROTOCOL}, 'AJP')" after the port.
predicate="equals(%p, 8009) and equals(%{PROTOCOL}, 'AJP')"
but I am getting a 404 and not the expected 403 :(
Could someone please advise me what's the main difference between loops like for and <load loop="">?
I've figured out strange behavior.
I have the config file:
<?xml version="1.0"?>
<!DOCTYPE tsung SYSTEM "/usr/share/tsung/tsung-1.0.dtd">
<tsung loglevel="debug" dumptraffic="true" version="1.0">
<clients>
<client host="localhost" use_controller_vm="true" maxusers="1"/>
</clients>
<servers>
<server host="example.com" port="443" type="ssl"/>
</servers>
<load loop="100" duration="2" unit="minute">
<arrivalphase phase="1" duration="1" unit="second">
<users maxnumber="1" arrivalrate="1" unit="second"/>
</arrivalphase>
</load>
<sessions>
<session name="one" type="ts_http" probability="100">
<request>
<http url='/Service.asmx' version='1.0' contents_from_file="/home/user/file.xml" content_type='text/xml; charset=UTF-8' method='POST'>
<soap action="Retrieve"/>
</http>
</request>
</session>
</sessions>
</tsung>`
It produces about 1900 requests during the load process.
But if I remove the attribute loop="100" from the <load> tag and add the for loop the number of requests decreases to 70 requests. In this case the config file looks like so:
<?xml version="1.0"?>
<!DOCTYPE tsung SYSTEM "/usr/share/tsung/tsung-1.0.dtd">
<tsung loglevel="debug" dumptraffic="true" version="1.0">
<clients>
<client host="localhost" use_controller_vm="true" maxusers="1"/>
</clients>
<servers>
<server host="example.com" port="443" type="ssl"/>
</servers>
<load duration="2" unit="minute">
<arrivalphase phase="1" duration="1" unit="second">
<users maxnumber="1" arrivalrate="1" unit="second"/>
</arrivalphase>
</load>
<sessions>
<session name="one" type="ts_http" probability="100">
<for var="counter" from="1" to="100" incr="1">
<request>
<http url='/Service.asmx' version='1.0' contents_from_file="/home/user/file.xml" content_type='text/xml; charset=UTF-8' method='POST'>
<soap action="Retrieve"/>
</http>
</request>
</for>
</session>
</sessions>
</tsung>
Besides it creates 61 sessions, though the <client maxusers="1"/> and <users maxnumber="1"/> attributes doesn't change. Here's the screenshot of both reports: enter link description here
Why does it work in different ways? Logically they should work identically, just repeat the sequence of requests.
Loop on load section will generate new users, so new sessions, cookies and all users related. Loop inside a session will re-use same users.
I would like to use Sharedcache (sharedcache.codeplex.com) in our Silverlight v4.0 project. However, we are using NLog v2.0 for the client logging. SharedCache currently release only support NLog v1.1 which will collide with NLog v2.0 on our web server.
So I decided to convert Sharedcache windows service to use NLog v2.0. The compilation was successful. But as soon as I start the service, I got this error. Can somebody familiar with NLog help? I think it is complaining about the layout.
Here is the windows service configuration file:
<nlog autoReload="true" throwExceptions="true">
<targets async="true">
<target name="shared_cache_general" type="File" layout="${longdate}|${level:uppercase=true}|${aspnet-request:item=logSession}|${message}" filename="C:\temp\logs\server\${date:format=yyyy-MM-dd}_shared_cache_general_log.txt"/>
<target name="shared_cache_traffic" type="File" layout="${longdate}|${level:uppercase=true}|${aspnet-request:item=logSession}|${message}" filename="C:\temp\logs\server\${date:format=yyyy-MM-dd}_shared_cache_traffic_log.txt"/>
<target name="shared_cache_tracking" type="File" layout="${longdate}|${level:uppercase=true}|${aspnet-request:item=logSession}|${message}" filename="C:\temp\logs\server\${date:format=yyyy-MM-dd}_shared_cache_tracking_log.txt"/>
<target name="shared_cache_sync" type="File" layout="${longdate}|${level:uppercase=true}|${aspnet-request:item=logSession}|${message}" filename="C:\temp\logs\server\${date:format=yyyy-MM-dd}_shared_cache_sync_log.txt"/>
<target name="shared_cache_memory" type="File" layout="${longdate}|${level:uppercase=true}|${aspnet-request:item=logSession}|${message}" filename="C:\temp\logs\server\${date:format=yyyy-MM-dd}_shared_cache_memory_log.txt"/>
</targets>
<rules>
<logger name="General" minlevel="Debug" writeTo="shared_cache_general" final="true"/>
<logger name="Traffic" minlevel="Debug" writeTo="shared_cache_traffic" final="true"/>
<logger name="Tracking" minlevel="Debug" writeTo="shared_cache_tracking" final="true"/>
<logger name="Sync" minlevel="Debug" writeTo="shared_cache_sync" final="true"/>
<logger name="Memory" minlevel="Debug" writeTo="shared_cache_memory" final="true"/>
<logger name="*" minlevel="Debug" writeTo="shared_cache_general"/>
<logger name="*" minlevel="Info" writeTo="shared_cache_general"/>
</rules>
When I started the service in Visual Studio, I got the following NLog exception:
{"Error when setting property 'Layout' on File Target[shared_cache_general]"}
at NLog.Internal.PropertyHelper.SetPropertyFromString(Object o, String name, String value, ConfigurationItemFactory configurationItemFactory) in c:\NLogBuild\src\NLog\Internal\PropertyHelper.cs:line 107
at NLog.Config.XmlLoggingConfiguration.ConfigureObjectFromAttributes(Object targetObject, NLogXmlElement element, Boolean ignoreType) in c:\NLogBuild\src\NLog\Config\XmlLoggingConfiguration.cs:line 828
at NLog.Config.XmlLoggingConfiguration.ParseTargetElement(Target target, NLogXmlElement targetElement) in c:\NLogBuild\src\NLog\Config\XmlLoggingConfiguration.cs:line 562
at NLog.Config.XmlLoggingConfiguration.ParseTargetsElement(NLogXmlElement targetsElement) in c:\NLogBuild\src\NLog\Config\XmlLoggingConfiguration.cs:line 538
at NLog.Config.XmlLoggingConfiguration.ParseNLogElement(NLogXmlElement nlogElement, String baseDirectory) in c:\NLogBuild\src\NLog\Config\XmlLoggingConfiguration.cs:line 344
at NLog.Config.XmlLoggingConfiguration.ParseTopLevel(NLogXmlElement content, String baseDirectory) in c:\NLogBuild\src\NLog\Config\XmlLoggingConfiguration.cs:line 301
at NLog.Config.XmlLoggingConfiguration.Initialize(XmlReader reader, String fileName, Boolean ignoreErrors) in c:\NLogBuild\src\NLog\Config\XmlLoggingConfiguration.cs:line 247
I figured it out. Just remove the following layout and it supports for NLog v2.0 now.
${aspnet-request:item=logSession}|
I have created a simple WCF-Service which I want to be accessible via https. The WCF-Service uses a UserNamePasswordValidator, customBinding and UserNameOverTransport as authentication mode. I run it in the IIS7.5 where I have created a self-signed server certificate.
I try to connect to that service with an Silverlight 4 application. I create a Service Reference in my Silverlight 4 app, and VS 2010 automatically creates the needed code (so obviously it is able to connect to the service and get the information).
When I call the WCF, I get a SecurityException with no infos about the reason.
I have fiddler running to see what is happening.
GET https://my.server:8099/clientaccesspolicy.xml 404 Not Found (text/html)
GET https://my.server:8099/crossdomain.xml 200 OK (text/xml)
So the GET for the crossdomain.xml seems to be the last call to the server.
The crossdomain.xml looks as follows:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
The exception happens, when base.EndInvoke(...) is called on the client and the ExceptionMessage is the following:
{System.Security.SecurityException ---> System.Security.SecurityException: Sicherheitsfehler
bei System.Net.Browser.BrowserHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
bei System.Net.Browser.BrowserHttpWebRequest.<>c_DisplayClass5.b_4(Object sendState)
bei System.Net.Browser.AsyncHelper.<>c_DisplayClass2.b_0(Object sendState)
--- Ende der internen Ausnahmestapelüberwachung ---
bei System.Net.Browser.AsyncHelper.BeginOnUI(SendOrPostCallback beginMethod, Object state)
bei System.Net.Browser.BrowserHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
bei System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)}
Here is my UserNamePasswordValidator. Note, that included a logger for debugging reasons. Strange thing is, that the logger never writes anything, so it seems, that the Validate function isn't even called.
namespace ServiceConfiguratorDataSource
{
public class UserCredentialsValidator : UserNamePasswordValidator
{
public override void Validate(string userName, string password)
{
if (userName != "xyz" || password != "xyz")
{
logging.Logger.instance.StatusRoutine("LogOn Error: " + userName);
throw new FaultException("Credentials are invalid");
}
else
{
logging.Logger.instance.StatusRoutine("LogOn Success: " + userName);
}
}
}
}
Here is the Web.config of my WCF-Service:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="ServiceConfiguratorDataSource.Service" behaviorConfiguration="ServiceConfiguratorDataSourceBehaviour">
<endpoint address="" binding="customBinding" bindingConfiguration="ServiceConfiguratorCustomBinding" contract="ServiceConfiguratorDataSource.IService" />
</service>
</services>
<bindings>
<customBinding>
<binding name="ServiceConfiguratorCustomBinding">
<security authenticationMode="UserNameOverTransport"></security>
<binaryMessageEncoding></binaryMessageEncoding>
<httpsTransport/>
</binding>
</customBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceConfiguratorDataSourceBehaviour">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="ServiceConfiguratorDataSource.UserCredentialsValidator,ServiceConfiguratorDataSource" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
and here the ServiceReferences.ClientConfig
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomBinding_IService">
<security authenticationMode="UserNameOverTransport" includeTimestamp="true">
<secureConversationBootstrap />
</security>
<binaryMessageEncoding />
<httpsTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://my.server:8099/ServiceConfiguratorDataSource/Service.svc" binding="customBinding" bindingConfiguration="CustomBinding_IService" contract="WCFDataProvider.IService" name="CustomBinding_IService" />
</client>
</system.serviceModel>
</configuration>
I'm out of ideas what might be the cause of the problem.
Thanks in advance,
Frank
Does you clientaccesspolicy.xml allow https?
Here is example.
The working clientaccesspolicy.xml -> Tipp from Samvel Siradeghyan
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="https://*"/>
<domain uri="http://*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
I was wondering if it is possible to build a cxf-bc with WS-SecurityPolicy instead of just the WS-Security. WS-SecurityPolicy seems to be a more elegant solution since everything is in the WSDL. Examples welcome. :)
Well with David's help I got the CXF-BC to install and running on the ESB, but I can't seem to test it. It keeps coming back with:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
My msg:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:typ="http://nwec.faa.gov/wxrec/UserAccount/types">
<soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-25" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>bob</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobspassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:Action>http://nwec.faa.gov/wxrec/UserAccount/UserAccountPortType/ApproveDenyAccountRequest</wsa:Action>
</soapenv:Header>
<soapenv:Body>
...
</soapenv:Body>
Here's the policy in the wsdl:
<wsp:Policy wsu:Id="UserAccountBindingPolicy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:ExactlyOne>
<wsp:All>
<wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" wsp:Optional="true" />
<wsp:Policy >
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
As of the resolution of https://issues.apache.org/activemq/browse/SMXCOMP-711 and https://issues.apache.org/activemq/browse/SMXCOMP-712 (servicemix-cxf-bc-2010.01) it should be possible and easy to do.
See http://fisheye6.atlassian.com/browse/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcSecurityJAASTest.java?r=HEAD for an example. Specifically the testJAASPolicy method.
As for the error relating to asserting the UsernameToken assertion, you may want to try putting the UsernameToken assertion inside of a SupportingToken or binding assertion depending on what you want to do with the token. It looks like you just want a username and password to be passed in the message without any other security such as a cryptographic binding of the token to the message or encryption so a supporting token will likely fit your needs.
I also urge you to consider the following additional precautions when using a UsernameToken:
Cryptographically bind the token to the message using a signature.
Use a nonce and created timestamp and cache the token on the server to prevent replay
Consider encrypting the token (before signing if you also sign) using XML enc
Using TLS either in lieu of or in addition to the above suggestions
With david's and Freeman over at the servicemix-user mailing-list. I was able finally get the correct configuration to implement WS-Security Policy.
Here's my final beans.xml for the my BC
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cxfbc="http://servicemix.apache.org/cxfbc/1.0" xmlns:util="http://www.springframework.org/schema/util"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:person="http://www.mycompany.com/ws-sec-proto"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd
http://servicemix.apache.org/cxfbc/1.0
http://repo2.maven.org/maven2/org/apache/servicemix/servicemix-cxf-bc/2010.01/servicemix-cxf-bc-2010.01.xsd
http://cxf.apache.org/transports/http-jetty/configuration
http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://cxf.apache.oarg/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-http.xml" />
<import resource="classpath:META-INF/cxf/osgi/cxf-extension-osgi.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml" />
<bean id="myPasswordCallback" class="com.mycompany.ServerPasswordCallback" />
<cxfbc:consumer wsdl="classpath:wsdl/person.wsdl"
targetService="person:PersonService" targetInterface="person:Person"
properties="#properties" delegateToJaas="false" >
<!-- not important for ws-security
<cxfbc:inInterceptors>
<bean class="com.mycompany.SaveSubjectInterceptor" />
<bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
</cxfbc:inInterceptors>
-->
</cxfbc:consumer>
<util:map id="properties">
<entry>
<key>
<util:constant
static-field="org.apache.cxf.ws.security.SecurityConstants.CALLBACK_HANDLER" />
</key>
<ref bean="myPasswordCallback" />
</entry>
</util:map>
<httpj:engine-factory bus="cxf">
<httpj:engine port="9001">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password" resource="certs/cherry.jks" />
</sec:keyManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_WITH_3DES_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:exclude>.*_WITH_NULL_.*</sec:exclude>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
<sec:clientAuthentication want="false"
required="false" />
</httpj:tlsServerParameters>
</httpj:engine>
</httpj:engine-factory>
<bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl" />
<bean class="org.apache.servicemix.common.osgi.EndpointExporter" />
</beans>
Full example can be found here but it may not be there after a while.