Develop Reference

Tomcat 6.0.35 - how to bypass new CSRF protection on the manager application?

I have a command line script (actually a git post-checkout hook) that reloads my Solr application by doing a cURL to:
http://localhost:8080/manager/html/reload?path=/solr
Since I upgraded to Ubuntu 13.04, it now fails, where it used to work before the upgrade.
The cause of the problem is that my newer version of Tomcat (6.0.35), has some new CSRF protection and it now returns 403 Access Denied.
How can I solve the issue and bypass the CSRF protection?
More info:
My /etc/tomcat6/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<role rolename="manager"/>
<user username="tomcat" password="secret" roles="manager"/>
</tomcat-users>
The documentation for Configuring Manager Application access in tomcat mentions some new manager roles, however my error specifically mentions that the single "manager" role still exists for the moment (and I tried the other roles anyway without success).

(As I was writing the question, I found the answer.) Instead of cURLing to the HTML application, I needed to cURL to the "plain text interface".
i.e. instead of
http://localhost:8080/manager/html/reload?path=/solr
Use:
http://localhost:8080/manager/reload?path=/solr
It turns out:
The HTML interface is protected against CSRF but the text and JMX interfaces are not.
This fits with the new role called "manager-script". To ensure my app will work in the future I changed my /etc/tomcat6/tomcat-users.xml file:
<?xml version='1.0' encoding='utf-8'?>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="secret" roles="manager-gui,manager-script"/>
</tomcat-users>

Deploying CXF webservices in Tomcat

I am trying to deploy a web service in Tomcat7 using maven.
Below I provide some configuration info:
web.xml
...
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
...
pom.xml
...
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>tomcat-maven-plugin</artifactId>
<version>1.1</version>
<configuration>
<url>http://localhost:8080/manager/text</url>
<server>TomcatServer</server>
<path>/services/userinfo</path>
...
Given the <url-pattern>/services/*</url-pattern> and <path>/services/userinfo</path> configuration, the URL http://localhost:8080/services/userinfo shows 404.
If using instead <url-pattern>/*</url-pattern> everything works as expected (i.e. http://localhost:8080/services/userinfo shows the list of available methods).
The question:
Why /services/* doesn't work in my case?

The path in your tomcat-maven-plugin configuration
<path>/services/userinfo</path>
defines where you are deploying the webapp (the context root). In this case, you are deploying it to
http://localhost:8080/services/userinfo
Check out the webapps directory in your Tomcat installation.
Since you are defining the CXFServlet mapping as /services/*, the CXF service list would show at
http://localhost:8080/services/userinfo/services/
When you re-defined the mapping to /*, it just appeared to work as expected, but that was only because the context root you used and the service listing path you expected were the same.

CXF Web service client not encrypting the SOAP Request XML message

I am learning Webservice security . I am using CXF framework for that. I have developed one test service it will just double up the value whatever we sent. Based on this tutorial
i have added the WS-Policy for XML encryption and signature.
Then i developed the web service client for this service as a eclipse project using CXF.
The following is my client configuration file
<jaxws:client id="doubleItClient" serviceClass="com.DoubleIt" address="http://localhost:8080/myencws/services/DoubleItPort?wsdl">
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature" />
</jaxws:features>
<jaxws:properties>
<entry key="ws-security.callback-handler" value="com.ClientKeystorePasswordCallback"/>
<entry key="ws-security.encryption.properties" value="com/clientKeystore.properties"/>
<entry key="ws-security.signature.properties" value="com/clientKeystore.properties"/>
<entry key="ws-security.encryption.username" value="myservicekey"/>
</jaxws:properties>
I have generated all the keystore file , and i created the clientKeystore.properties file and placed in the src directory of my project.
But whenever i run this client the SOAP request message was not encrypted. So inn server side i am getting exception like
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
The following is my SOAP request
<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:doubleValue
xmlns:ns2="http://com/"><arg0>5</arg0></ns2:doubleValue></soap:Body></soap:Envelope>
I am using CXF2.7.3. I dont know whats wrong . Please help me.

I have a similar issue with my code before, what was missing was the jar dependencies which does the actual encryption when the security policy are read by your client from the WSDL.
My fix was to add certain maven dependencies in your POM to enable encryption. Check this url: http://cxf.apache.org/docs/using-cxf-with-maven.html
Also read "Enabling WS-SecurityPolicy" section in url http://cxf.apache.org/docs/ws-securitypolicy.html
I hope this helps

Make sure you are using the correct library. Try to include cxf bundle only, remove other cxf dependencies
If you are using maven, something like this:
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-bundle</artifactId>
<version>2.7.18</version>
</dependency>

I ran into the same issue and after much experimentation, the following guidelines help every single time.
Structure your cxf client config xml to have import of META-INF cxf.xml.
Define the cxf bus features (for logging)
Define the http conduits (if needed for TLS Handshake etc)
jaxws:client bean with name attribute as {targetNameSpaceWSDL)/PortName and createdFromAPI=true and abstract=true
Make client tag contain jaxws features. Remember to use latest "security" and not "ws-security"
In your java client class, use the SpringBus to load the cxf client config xml.SVN Link for SpringBus Client Config
Make sure all the required dependencies for WS policy processing is present in classpath like cxf-rt-ws-policy and cxf-rt-ws-security.jar and bouncycastle providers if needed
Note:
security.signature.properties and security.encryption.properties can be externalized as well and directly referred to with the absolute path in the xml value.

Web.xml:welcome file displayed incorrectly

Welcome file is not displayed correctly on hosting.
web.xml:
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
on local Tomcat:
http://localhost:8099/Teal-0.1-BETA/ is OK
equals to
http://localhost:8099/Teal-0.1-BETA/index.html is OK
on hosting:
http://domain/index.html is OK
http://domain/ is displayed non correctly
As I observed this is displayed not correctly too:
http://domain/index.xhtml
I suspect web.xml config. Looks like problem in .html vs .xhtml extension.
Real file name is index.xhtml

I think that the problem is that you use JSF, but Tomcat renders welcome-file only with JSP engine. That might have been adressed in newer tomcat (7.x) which you have locally, but server uses older Tomcat.
But that's just my guess. Still I don't have much info.
Either case, try setting a welcome page to a plain file with immediate redirection to /index.html . Or better, handle it in Apache (or whatever you have in front of Tomcat).

Jboss webservice error using topdown approach

I started creating a sample webservice using top-down approach in jboss4.2.2 GA.
From the wsdl, i generated stubs using wsconsume
I created a new java class: SalesTaxImpl implementing the interface in the generated stub. Configured #WebService with endpointInterface, portname, wsdllocation.
My war application has the following:
WEB-INF/classes/
WEB-INF/wsdl/SalesTaxService.wsdl
WEB-INF/web.xml
In web.xml i have,
<web-app>
<servlet>
<servlet-name>SalesTax</servlet-name>
<servlet-class>com.hp.np.ws.SalesTaxImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SalesTax</servlet-name>
<url-pattern>/tax</url-pattern>
</servlet-mapping>
</web-app>
After placing the war in <JBOSS_HOME>/server/default/deploy path, i am getting the following error:
19:25:05,046 INFO [DefaultEndpointRegistry] register: jboss.ws:context=JbossWST
opDown,endpoint=SalesTax
19:25:05,078 INFO [TomcatDeployer] deploy, ctxPath=/JbossWSTopDown, warUrl=.../
tmp/deploy/tmp13893JbossWSTopDown-exp.war/
19:25:05,171 ERROR [MainDeployer] Could not start deployment: file:/C:/jboss-4.2
.2.GA/server/default/deploy/JbossWSTopDown.war
org.jboss.ws.WSException: Cannot build meta data: Cannot get URL for: WEB-INF/ws
dl/SalesTaxService.wsdl
at org.jboss.ws.metadata.builder.jaxws.JAXWSWebServiceMetaDataBuilder.bu
ildWebServiceMetaData(JAXWSWebServiceMetaDataBuilder.java:207)
at org.jboss.ws.metadata.builder.jaxws.JAXWSServerMetaDataBuilder.setupP
roviderOrWebService(JAXWSServerMetaDataBuilder.java:50)
I tried giving different combination, but no luck