Setting 'HttpOnly' and 'Secure' in web.xml - security

I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the Veracode report.
After doing some online searching, it seems that the best thing to do is to simply set the attributes in the project's web.xml file as follows:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
However, I get an error message on the opening tag saying that "The content of element type "session-config" must match "(session-timeout)?".
I'm not sure what that means exactly. I'm guessing it has something to do with the order of elements but I don't really know how to fix it.
Any thoughts?
Thanks!

Support for the secure and http-only attributes is available only in the Servlet specification 3.0. Check that the version attribute in your web.xml is "3.0".
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
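A quick way to verify the two things the answer above hinges on, added here as an example (not from the original thread; all inputs are constructed): a linter that parses a web.xml, flags `<cookie-config>` under a pre-3.0 `<web-app version>`, checks that both flags are `true`, and a helper that checks a captured Set-Cookie header for the same attributes after deployment.

```python
"""Lint a web.xml for session-cookie hardening and verify a Set-Cookie header.

Constructed example. Assumes the Servlet 3.0 layout from the thread:
<session-config><cookie-config> with <http-only> and <secure>, which only
validates when <web-app version="3.0"> or later.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so the check works for both javaee namespaces."""
    return tag.rsplit('}', 1)[-1]


def _find(elem, *path):
    """Namespace-agnostic descent: _find(root, 'session-config', 'cookie-config')."""
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem


def lint_web_xml(xml_text):
    """Return a list of findings; an empty list means the config is acceptable."""
    findings = []
    root = ET.fromstring(xml_text)
    try:
        version = float(root.get('version', '0'))
    except ValueError:
        version = 0.0
    cookie = _find(root, 'session-config', 'cookie-config')
    if cookie is None:
        findings.append('no <cookie-config>: JSESSIONID will be issued without HttpOnly/Secure')
        return findings
    if version < 3.0:
        # This is the situation behind the "(session-timeout)?" schema error in the question.
        findings.append('<cookie-config> needs <web-app version="3.0"> or later (found %s)'
                        % root.get('version'))
    for flag in ('http-only', 'secure'):
        node = _find(cookie, flag)
        if node is None or (node.text or '').strip().lower() != 'true':
            findings.append('<%s> is not true' % flag)
    return findings


def check_set_cookie(header_value):
    """Return the attributes (of HttpOnly/Secure) missing from a Set-Cookie value."""
    attrs = {p.strip().split('=', 1)[0].lower() for p in header_value.split(';')[1:]}
    return [a for a in ('httponly', 'secure') if a not in attrs]


# Constructed inputs: the same cookie-config under a 2.5 and a 3.0 web-app element.
WEB_XML_OLD = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""

WEB_XML_OK = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""

if __name__ == '__main__':
    print(lint_web_xml(WEB_XML_OLD))
    print(lint_web_xml(WEB_XML_OK))
    print(check_set_cookie('JSESSIONID=abc123; Path=/app'))
```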

Related

CSRF & XSS not working using HDIV

I am using HDIV in my project for securing against the OWASP list, but text boxes are accepting <script>alert(1);</script> as input and saving it to the DB.
I want to write test cases for all OWASP issues.
Below is the project configuration
web.xml Configuration
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/spring/applicationContext-db.xml
WEB-INF/spring/spring-security.xml
WEB-INF/spring/hdiv-config.xml
</param-value>
</context-param>
webmvc-config.xml Configuration
<import resource="applicationContext-hdiv.xml" />
applicationContext-hdiv.xml Configuration
<beans>
<bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor" />
<bean id="editableValidator" class="org.hdiv.web.validator.EditableParameterValidator"/>
<mvc:annotation-driven validator="editableValidator" />
</beans>
hdiv-config.xml Configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:hdiv="http://www.hdiv.org/schema/hdiv" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">
<hdiv:config excludedExtensions="css,js,ttf" errorPage="/manage/security-error" maxPagesPerSession="10" confidentiality="true" strategy="memory" randomName="true">
<hdiv:sessionExpired loginPage="/main/common" homePage="/"/>
<hdiv:startPages method="get">/,/.*,/manage/.*,/login</hdiv:startPages>
</hdiv:config>
<hdiv:validation id="customValidation" componentType="text">
<hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9#.\-_]*$]]></hdiv:acceptedPattern>
<hdiv:rejectedPattern><![CDATA[(\s|\S)*(--)(\s|\S)*]]></hdiv:rejectedPattern>
</hdiv:validation>
<hdiv:editableValidations registerDefaults="true">
<hdiv:validationRule url=".*" enableDefaults="false">customValidation</hdiv:validationRule>
</hdiv:editableValidations>
</beans>
XSS is an output problem, not an input problem. Input validation is about making sure data is correct according to the domain. So for instance you want to check that a field expecting to take a year actually receives a number within the expected range. You may also want to make sure that only allowed characters are in use. And in many cases this will stop many attacks.
However, for complex inputs this is no longer viable. Consider a text field where you want to allow users to comment. The user should be allowed to write a comment such as "And hence x < 4". Now we are allowing characters used to build HTML tags.
Now we have two options:
Use a tool to strip out dangerous HTML - likely to fail at some point
Use context aware escaping as described in the OWASP XSS prevention cheat sheet
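To make the point above concrete, an added example (not part of the original answer): the two regexes are copied from the hdiv-config.xml in the question, the sample inputs are constructed. It shows that the allow-list rejects the `<script>` payload but also rejects the legitimate comment, while context-aware escaping for the HTML body renders the stored payload inert either way.

```python
"""Input validation versus output escaping, using the HDIV patterns from the
question. Added example; regexes are from hdiv-config.xml, inputs are constructed."""
import html
import re

# Patterns exactly as declared in <hdiv:validation id="customValidation">
ACCEPTED = re.compile(r'^[a-zA-Z0-9#.\-_]*$')
REJECTED = re.compile(r'(\s|\S)*(--)(\s|\S)*')


def hdiv_would_accept(value):
    """Mimic an editable-parameter rule: must match accepted, must not match rejected."""
    return bool(ACCEPTED.fullmatch(value)) and not REJECTED.fullmatch(value)


def escape_for_html_body(value):
    """Context-aware escaping for the HTML element-body context (OWASP XSS cheat sheet rule #1)."""
    return html.escape(value, quote=True)


SAMPLES = {
    'script':  '<script>alert(1);</script>',   # the payload from the question
    'comment': 'And hence x < 4',              # legitimate comment text from the answer
    'sqlish':  'a--b',                         # hits rejectedPattern
    'plain':   'user_42',                      # passes the allow-list
}


def classify(samples=SAMPLES):
    """Return {name: (accepted_by_validation, escaped_output)} for each sample."""
    return {k: (hdiv_would_accept(v), escape_for_html_body(v)) for k, v in samples.items()}


if __name__ == '__main__':
    for name, (ok, out) in classify().items():
        print(f'{name:8} validation={"pass" if ok else "reject"}  rendered={out}')
```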
Remove the 'requestDataValueProcessor' and 'editableValidator' beans from the 'applicationContext-hdiv.xml' file; they are automatically created by the tag.
Have a look at this project configuration for a working example:
https://github.com/hdiv/hdiv-spring-mvc-showcase

Java EE + JSF url mappings

I can't find on the Internet any good explanation of mapping URLs in Java EE with JSF + managed beans (Yes, I know there are ten million tutorials, but after reviewing the first million with a HelloWorld page I gave up reading the rest of them.)
Before reading about Java EE + JSF I was working on a Spring + JSP project, where URL mapping was done with annotations such as @GET/@POST in controllers, with the URL as an attribute: a very easy solution with one method per URL, the method putting resources into the response page. (I don't know how it was done in the background, I'm a beginner, but the solution was very easy :) )
Now I read a book about Java EE; there was something about mapping in the web.xml file, but it was very unclear. I feel that the thinking is different here: a JSF page, when it needs to be rendered, connects to a managed bean to obtain the needed values. But how is the mapping done here?
It's probably not clear, so I'll explain with my sample.
I have the following project structure:
I want pages customerdetails.xhtml and customers.xhtml to be reachable at the URLs localhost:8080/P1WSClient/customerdetails.xhtml and localhost:8080/P1WSClient/customers.xhtml respectively.
I've done the following web.xml configuration:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>Customers servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Customers servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
</web-app>
OK, it's working. But how do I make, for example, the customer page load at the default location localhost:8080/P1WSClient/, or clients load at the location localhost:8080/P1WSClient/something1/something2/mypage.html?
Another question: why at the beginning is the URL pattern '/faces/*.jsp' and '/faces/index.xhtml'? And index is being loaded on the default URL... I don't get it!
Another question: what is the thinking here, one ManagedBean per page, or per entity, or...?
I can't find any good sample or tutorial that explains URL mapping for many pages and many URL structures. If someone can explain the mapping mechanism in Java EE projects, please add it here. Any diagrams of how the mapping works in connection with managed beans and JSP inside the app are also welcome :-)
If you want to change the default page (which is seen at localhost:8080/P1WSClient/) change the welcome file option in web.xml
<welcome-file-list>
<welcome-file>customers.xhtml</welcome-file>
</welcome-file-list>
If you want to reach a page under some directory, create a folder in the Web Pages folder.
localhost:8080/P1WSClient/something1/something2/mypage.html
-Web Pages
--something1
----something2
-------mypage.xhtml
JSF requests go to the JSF servlet, which is the one in charge of locating the XHTML file, processing it and doing the "work".
Sometimes the servlet is mapped to all the URLs that end in .xhtml, other times only to the .xhtml URLs in a subdirectory. Of course, only requests that are mapped will be processed (if you have mapped the servlet to /faces/*.xhtml and you get a request for /myFiles/index.xhtml, the container will return index.xhtml as a static resource). As you understand, it could be any path; faces is just more usual.
I am not sure how you can get the "redirect to some file if the URL does not specify one". I would try a Filter.
And for managed beans, it depends. Usually I use one for the data and one for the controller of each page (data usually @ViewScoped, controller most times @RequestScoped), plus additional beans when needed for composite components.

Cannot get Jsf tag outputText appear

I am new to JSF and EJB applications, hence I encounter problems even in simple Java EE applications. I am creating a simple Java EE application in Eclipse with JBoss, with the goal of just trying some JSF tags and binding them to Java Beans. I cannot find out why the following JSF code does not make anything appear on the output page:
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:ui="http://java.sun.com/jsf/facelets">
<f:loadBundle basename="resources" var="msg" />
<head>
<title><ui:insert name="pageTitle">Page Title</ui:insert></title>
<style type="text/css">
</style>
</head>
<body bgcolor="#ffffff">
<h:body>
<h:outputText value="#{hello.world}" />
<h:outputText value="TTT" />
</h:body>
</body>
</html>
Not only does the value hello.world coming from the Bean not appear, but a simple text "TTT" does not appear either. The code of the Bean is:
import javax.faces.bean.ManagedBean;

@ManagedBean
public class Hello {
    final String world = "World";

    /**
     * Default constructor.
     */
    public Hello() {
    }

    public String getWorld() {
        return "Hello" + world;
    }
}
The facelets-config.xml file is:
<?xml version="1.0" encoding="UTF-8"?>
<faces-config version="2.1" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee /web-facesconfig_2_1.xsd">
<managed-bean>
<managed-bean-name>hello</managed-bean-name>
<managed-bean-class>com.al.jsftest.Hello</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
</managed-bean>
</faces-config>
When I try the tag with plain text, it comes out on the screen, but it still does not work with #{hello.world}, namely the binding to the Bean fails. If anyone has a hint on how to get the JSF tag to produce output successfully, I would appreciate a hint regarding what I should take care of in order to get the Bean bound to JSF.
UPDATE:
It seems to be the same problem as a similar question, but my application is in Eclipse with JBoss, not in NetBeans with GlassFish. I therefore add my web.xml file; probably a modification in that is required, but I still cannot figure it out.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee /web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>JsfTest</display-name>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
</web-app>
You'll have to tell the server that your page should be loaded by the JSF-Servlet defined in your web.xml-file.
If I understand your sample right, you have a welcome file called index.xhtml which should be presented to the user with JSF by calling your website.
There is the problem:
All your pages won't be rendered by JSF unless you 'put them through' your defined JSF-Servlet.
Your servlet definition should look like this:
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern> /* !important */
</servlet-mapping>
And therefore you have two (there are more for sure :) ) ways to tell the server to load your page with the JSF-Servlet:
Tell your welcome-file to be loaded with the JSF-Servlet
<welcome-file-list>
<welcome-file>faces/index.xhtml</welcome-file> /* note the /faces/ prefix */
</welcome-file-list>
Extend your <url-pattern> inside the servlet-mapping
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
<url-pattern>*.xhtml</url-pattern> /*tell JSF to render all pages with xhtml-extension*/
</servlet-mapping>
There shouldn't be any difference between NetBeans+GlassFish and JBoss+Eclipse, but you should check whether the JSF libraries are loaded by the server.
One last note:
You're configuring your Beans via faces-config.xml; that'll do the job, but since JSF 2.x you're able to do the same inside your class via annotations, e.g.
@ManagedBean
@SessionScoped
public class TestBean {
    // your stuff here
}
For me this is much easier and more readable.
Hope this helped, have Fun!
Edit:
After your comments I've tested your set-up: nothing wrong!
At first I've got an error because of the <f:loadBundle basename="resources" var="msg" /> which was not defined in my set-up but after deleting this line everything worked fine.
Nevertheless, I've made a small typo in my first list item so please check this again.
Your xhtml-skeleton looked fine for me and works in my test, so there shouldn't be anything wrong either.
Please check the following:
Are the JSF-libraries loaded either by the server or your application
Are there anymore Servlets defined inside your web.xml-file
What's the detailed error message
Cheers!
I created a new Dynamic Web Project and this time I added the index.xhtml file using a "Blank Facelet Page" as the template instead of "Common Facelet Page". I changed the url-pattern in my web.xml file to *.xhtml and it finally worked, either with the full path name in the browser (\index.xhtml) or without it. Following the same process with a "Common Facelet Page", I didn't manage to make it work. Strange.
I have also noticed, that after selecting "Common Facelet Page" and clicking next, a list of libraries appears and the user has the option to check some of them. I didn't check anything, maybe I should have.

Render JSF component based on user role

How do I render JSF components based on a logged in user's role? I know the external context exposes the principals, but how should I do the rendering properly in JSF? In JSP it would be something like
<% if (request.isUserInRole(Roles.ADMIN)) { %>
<button>Edit!</button>
<% } %>
How do I write this in JSF the best possible way? My best guess is the rendered attribute tied to a backing bean's method that returns a boolean, but that would introduce an irrelevant backing bean if I have to render some navigation items only for admins...
Glassfish V3.1, JSF 2.x
If your web.xml is declared as Servlet 3.0 (which implicitly relates to JSP/EL 2.2)
<?xml version="1.0" encoding="UTF-8"?>
<web-app
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
then you can take benefit of being able to invoke methods with arguments in EL, such as ExternalContext#isUserInRole():
rendered="#{facesContext.externalContext.isUserInRole('ADMIN')}"
Note that this requires a Servlet 3.0 capable container, but since you're using Glassfish 3 (which supports Servlet 3.0), it should work without any issues.
Also note that if you're using Facelets instead of JSP, then you have the HttpServletRequest available as #{request} in EL, allowing you the following shorter expression:
rendered="#{request.isUserInRole('ADMIN')}"
Conditionally displaying JSF components
Conditional rendering of non-JSF components (plain vanilla HTML and template text)
JSF: How control access and rights in JSF?
In response to @wasimbhalli, there are two reasons I have found that the expression would always return false:
The role name is case sensitive.
rendered="#{facesContext.externalContext.isUserInRole('ADMIN')}" may return false, but try
rendered="#{facesContext.externalContext.isUserInRole('admin')}", or rendered="#{facesContext.externalContext.isUserInRole('Admin')}".
You have to define your roles in both web.xml (or as annotations) and map it in glassfish-web.xml.
The following is how to specify a role in web.xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<security-role>
<role-name>admin</role-name>
</security-role>
</web-app>
The following is how to map the authentication group to the role in glassfish-web.xml.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app>
<security-role-mapping>
<role-name>admin</role-name> <!-- name defined in web.xml or annotations -->
<group-name>admin</group-name><!-- name from authentication mechanism -->
</security-role-mapping>
</glassfish-web-app>
In my testing it was necessary to do the mapping even when the names were the same, as I show in my example code. Also in my testing, I tried to only define the mapping and to only define the role in web.xml, and neither worked. I needed both, as well as specifying the role name in the correct case.
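The two failure modes described above (wrong case, role declared but not mapped) are easy to miss by inspection, so here is an added cross-check (not from the answer; the files are constructed from the snippets in this thread plus one deliberately mis-cased page). It collects every role name used in `isUserInRole('...')` expressions and compares them, case-sensitively, with web.xml `<security-role>` and glassfish-web.xml `<security-role-mapping>`.

```python
"""Audit role names used in JSF rendered= expressions against web.xml and
glassfish-web.xml. Added example; inputs are constructed."""
import re
import xml.etree.ElementTree as ET

# Matches both #{facesContext.externalContext.isUserInRole('X')} and #{request.isUserInRole('X')}
ROLE_IN_EL = re.compile(r"isUserInRole\('([^']*)'\)")


def _texts(xml_text, *path):
    """Namespace-agnostic: text of every element reached by `path` from the root."""
    nodes = [ET.fromstring(xml_text)]
    for name in path:
        nodes = [c for n in nodes for c in n if c.tag.rsplit('}', 1)[-1] == name]
    return [(n.text or '').strip() for n in nodes]


def audit_roles(web_xml, glassfish_web_xml, pages):
    """Return findings for roles that are used but not declared (exact case),
    or declared but mapped to no group, so isUserInRole() is always false."""
    declared = set(_texts(web_xml, 'security-role', 'role-name'))
    mapped = set(_texts(glassfish_web_xml, 'security-role-mapping', 'role-name'))
    used = {r for page in pages for r in ROLE_IN_EL.findall(page)}
    findings = []
    for role in sorted(used):
        if role not in declared:
            near = [d for d in declared if d.lower() == role.lower()]
            hint = ' (declared as %r; role names are case-sensitive)' % near[0] if near else ''
            findings.append('%r used in a page but not declared in web.xml%s' % (role, hint))
        elif role not in mapped:
            findings.append('%r declared but not mapped to a group in glassfish-web.xml' % role)
    return findings


# Constructed: web.xml declares two roles, glassfish-web.xml maps only one.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>"""

GLASSFISH_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admin</group-name>
  </security-role-mapping>
</glassfish-web-app>"""

# Constructed page fragments: correct case, wrong case, and an unmapped role.
PAGES = [
    """<h:commandButton value="Edit!" rendered="#{request.isUserInRole('admin')}"/>""",
    """<h:link value="Users" rendered="#{facesContext.externalContext.isUserInRole('ADMIN')}"/>""",
    """<h:link value="Logs" rendered="#{request.isUserInRole('auditor')}"/>""",
]

if __name__ == '__main__':
    for line in audit_roles(WEB_XML, GLASSFISH_WEB_XML, PAGES):
        print(line)
```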
Store role in session attribute and just compare that using rendered attribute.
e.g. rendered="#{yoursessionbean.userRole == Roles.ADMIN}"

JSF tags not being rendered as HTML [duplicate]

This question already has an answer here:
JSF returns blank/unparsed page with plain/raw XHTML/XML/EL source instead of rendered HTML output
(1 answer)
Closed 6 years ago.
I'm following the Java EE firstcup tutorial using Netbeans and Glassfish.
When I execute the JSF web tier I've been instructed to code, the browser gets the same JSF markup coded in the .xhtml file, and the tags are not rendered as HTML tags. I know this by using View Source in my browser.
For example, for this code:
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html">
<h:head>
<title>Page title here</title>
</h:head>
<h:body>
<h2>
<h:outputText value="#{bundle.WelcomeMessage}" />
</h2>
</h:body>
</html>
The browser should get something like:
<html ...>
<head>
<title>Page title here</title>
</head>
<body>
<h2>
the welcome message goes here
</h2>
</body>
</html>
Right?
Well, my browser is getting the JSF code (the first piece of code above) and not the HTML code (the second piece of code above).
It seems to be a configuration problem in NetBeans or GlassFish, but I don't know what. Any ideas?
This is my web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/firstcup/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>greetings.xhtml</welcome-file>
</welcome-file-list>
</web-app>
This is my faces-config.xml file:
<?xml version='1.0' encoding='UTF-8'?>
<!-- =========== FULL CONFIGURATION FILE ================================== -->
<faces-config version="2.0"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd">
<application>
<resource-bundle>
<base-name>firstcup.web.WebMessages</base-name>
<var>bundle</var>
</resource-bundle>
<locale-config>
<default-locale>en</default-locale>
<supported-locale>es</supported-locale>
</locale-config>
</application>
<navigation-rule>
<from-view-id>/greetings.xhtml</from-view-id>
<navigation-case>
<from-outcome>success</from-outcome>
<to-view-id>/response.xhtml</to-view-id>
</navigation-case>
</navigation-rule>
</faces-config>
Moreover:
The url I'm entering in the browser is http://localhost:8081/firstcup/ but I've also tried: http://localhost:8081/firstcup/greetings.xhtml
I've checked Glassfish logs and there's no information about not being able to load FacesServlet
If JSF tags are not being parsed, then it simply means that the request has not been passed through the FacesServlet. That servlet is the one responsible for all that JSF stuff. You need to verify that the request URL used matches the url-pattern of the FacesServlet. Note that it is case sensitive.
This may however also happen if you opened the file directly in the builtin browser of the IDE. You shouldn't do that. You need to specify the right URL yourself in the address bar of either the builtin browser or an external browser (e.g. MSIE/Firefox).
Update: one more thing, did you declare the JSF HTML taglib in the <html xmlns> attribute? You omitted that in your code snippet.
It should look like
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html">
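The answer above, and the earlier one about /faces/*.xhtml versus /myFiles/index.xhtml, both come down to servlet url-pattern matching. Here is an added example (not from either answer) that implements the Servlet-spec matching order (exact, longest path prefix, extension, default) over mappings constructed from the web.xml files in these threads, so you can see which requests reach the FacesServlet and which fall through to the default servlet and come back as raw XHTML source.

```python
"""Servlet url-pattern dispatch, added as an example; paths are context-relative
(everything after the context root such as /P1WSClient) and mappings are
constructed from the web.xml snippets quoted in these threads."""


def _match(pattern, path):
    """Return a sort key if `pattern` matches `path`, else None.
    Lower key wins: 0 exact, 1 path prefix (longest first), 2 extension, 3 default."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith('/*'):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + '/'):
            return (1, -len(prefix))
    elif pattern.startswith('*.'):
        last = path.rsplit('/', 1)[-1]
        if last.endswith(pattern[1:]):
            return (2, 0)
    elif pattern == '/':
        return (3, 0)
    return None


def dispatch(mappings, path):
    """mappings: list of (servlet_name, url_pattern). Returns the servlet name, or
    'default' when nothing matches and the container serves the file as a static
    resource (for an .xhtml file that means unrendered markup with EL in it)."""
    best = None
    for name, pattern in mappings:
        key = _match(pattern, path)
        if key is not None and (best is None or key < best[0]):
            best = (key, name)
    return best[1] if best else 'default'


def rendered_by_jsf(mappings, path):
    """True when the request is processed by the FacesServlet."""
    return dispatch(mappings, path) == 'Faces Servlet'


# Constructed from the web.xml files quoted above.
PREFIX_ONLY = [('Faces Servlet', '/faces/*')]
EXTENSION = [('Faces Servlet', '*.xhtml')]
BOTH = [('Faces Servlet', '/faces/*'), ('Faces Servlet', '*.xhtml'),
        ('Static', '/static/*')]

if __name__ == '__main__':
    for path in ('/faces/index.xhtml', '/index.xhtml', '/Faces/index.xhtml',
                 '/login/entry.xhtml', '/faces/login/entry.xhtml'):
        print(f'{path:28} -> {dispatch(PREFIX_ONLY, path)}')
```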
The following code in web.xml
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
instead of faces/* has solved my problem of non-rendered jsf tags.
Note: *.html causes a stack overflow
Check either your web.xml or your faces-config.xml. Something's obviously missing.
Edit:
I don't know JSF 2, but in my JSF 1 faces-config.xml I have this:
<application>
<view-handler>com.sun.facelets.FaceletViewHandler</view-handler>
</application>
Maybe you should take a look at this. (It could be a hint; sorry, I cannot help any further.)
Edit 2: this is not the answer, sorry
SOLVED: Changing the welcome-file in web.xml to the following solved the problem:
<welcome-file-list>
<welcome-file>firstcup/greetings.xhtml</welcome-file>
</welcome-file-list>
This may not be relevant to you, but after hours of searching for the solution for a similar problem, my culprit turns out to be this file in WEB-INF/faces-config.xml :
<?xml version="1.0"?>
<faces-config version="1.2" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd"/>
For some strange reason JBoss Tools 3.3.0.M2 put that file in my JSF 2.0 project and BOOM! Nothing works. The file looks very innocent yet (probably due to version="1.2") it made me quite frustrated.
I've searched logs (nothing!), WEB-INF/lib, classpaths, even removing dependencies and it turned out to be a single faces-config.xml :-P
Hopefully this helps someone...
I have also suffered from the problem of JSF tags not being rendered at all. I used the welcome file in web.xml as login/entry.xhtml.
When I changed that to faces/login/entry.xhtml, it worked well.
It must be because the FacesServlet is not intercepting the page.
This leads to rendering of only the plain HTML, and the JSF tags are simply ignored.
Thanks @hendy-irawan
I solved my issue by changing my faces-config header
From
<?xml version="1.0" encoding="UTF-8"?>
<faces-config
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd"
version="1.2">
</faces-config>
To
<?xml version="1.0" encoding="UTF-8"?>
<faces-config
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
version="2.2">
</faces-config>
I had the same problem. I deleted some richfaces jars from the WEB-INF/lib and JSF is working now.
