Securing Web Service parameters against Denial of Service issues - security

We have some SOAP based web services using the Java to WSDL approach in our organization. There is a security requirement to now fix limits on the request parameters being passed to service methods. Currently we have the maxOccurs attribute for a parameter set to unbounded in the WSDL because we have the parameter as a collection in Java.
To resolve this it looks like we need to make some changes in the Java source to regenerate the WSDLs so that they are compliant with this requirement. I know there are some unofficial APIs available which can be used as a replacement for JAXB, providing annotations which can be added in the Java source. This may result in the generated WSDL having maxOccurs set to a fixed configured value. But there are some issues in using these third-party solutions due to licensing and other issues. Also, we need to enable schema validation for the WSDL.
I would like to know if there is a solution to have this check done outside the scope of either the WSDL or the Java source in order to be compliant with this requirement. What I am looking for is a configurable solution without touching the WSDLs or the Java source. We are using IBM DataPower in our organization. I want to know if we can have a policy or something configured using DataPower that will intercept the web service request parameters and throw a fault if the maxOccurs for any of the web service method parameters is above a configured value.
Has anyone used DataPower for a use case like this? Or is there a better way of achieving it?

I believe you can limit the maximum length of messages. This will actually be better than a WSDL limit for preventing DDoS as it will happen in the network layer.
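As an added example (not from the question or the answer above, and not a DataPower artifact): a gateway-style check that combines the answer's message-size limit with the maxOccurs limit the question asks for, enforced on the request itself rather than in the WSDL or Java source. The SOAP envelope, the operation name and the limit values are constructed for the demo.

```python
# Added example (not from the original question or answer): a gateway-style
# check enforcing a configured maxOccurs on repeated elements of a SOAP request
# without touching the WSDL or the Java source. The envelope is constructed for
# the demo; MAX_OCCURS and MAX_BYTES stand in for the values a policy would set.
import xml.etree.ElementTree as ET
from collections import Counter
from io import BytesIO

MAX_OCCURS = 3          # assumed limit for any repeated child element
MAX_BYTES = 64 * 1024   # assumed message size limit, checked before parsing
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

class RequestRejected(Exception):
    """Raised with a fault reason when the request breaks the policy."""

def check_request(raw: bytes, max_occurs=MAX_OCCURS, max_bytes=MAX_BYTES):
    """Return the Body's operation name when within limits, else raise."""
    # Cheapest check first, so an oversized body is never parsed at all.
    if len(raw) > max_bytes:
        raise RequestRejected(f"message exceeds {max_bytes} bytes")
    stack = []          # one (element, child-tag counter) entry per open element
    operation = None
    for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
        if event == "start":
            if stack:
                parent, counts = stack[-1]
                counts[elem.tag] += 1
                if counts[elem.tag] > max_occurs:
                    # Fail fast: stop streaming as soon as the limit is crossed.
                    raise RequestRejected(
                        f"{elem.tag} occurs more than {max_occurs} times")
                if parent.tag == f"{{{SOAP_NS}}}Body" and operation is None:
                    operation = elem.tag.split("}")[-1]
            stack.append((elem, Counter()))
        else:
            stack.pop()
            elem.clear()    # counts live on the stack, so memory stays flat
    return operation

def is_allowed(raw: bytes, **limits) -> bool:
    """Boolean wrapper for a plain allow/deny decision."""
    try:
        check_request(raw, **limits)
        return True
    except RequestRejected:
        return False

def soap_request(item_count: int) -> bytes:
    """Constructed request whose <orders> list carries item_count <item>s."""
    items = "".join(f"<item>{i}</item>" for i in range(item_count))
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<ns:processOrders xmlns:ns="urn:example:orders"><orders>{items}'
            f'</orders></ns:processOrders></soapenv:Body></soapenv:Envelope>').encode()
```

Because the check streams with iterparse and raises at the first excess element, a request with thousands of repeated items is rejected after reading only max_occurs + 1 of them.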

Sense behind the LDAP lookup feature in log4j

Recently a 0-day exploit got disclosed that uses a security vulnerability in log4j which allows unauthorised remote code execution.
I'm wondering what the actual reason was why log4j implemented these JNDI lookups, which have caused the vulnerability, at all?
What would be an example for using this LDAP lookup feature in log4j?
Log4j is a popular logging framework used in Java (you can figure the popularity by seeing the widespread impact of the vulnerability). Log4j offers a specific feature, where you can add tokens to your logging string, that get interpolated to fetch specific data. E.g. "%d{dd MMM yyyy}" will insert the date at which the message was logged.
In the meantime JNDI (Java Naming and Directory Interface) is commonly used for sharing configuration settings with multiple (micro)services.
You can imagine a situation where somebody would like to log configuration settings in e.g. error situations.
See this article explaining a bit
A Java based application can use JNDI + LDAP together to find a Business object containing data that it might need. For example, the following URL ldap://localhost:3xx/o=BusinessObjectID to find and invoke the BusinessObject remotely from an LDAP server running on either the same machine (localhost) on port 3xx or a remote machine hosted in a controlled environment and goes on to read attributes from it.
The update it refers to mentions it as "LOG4J2-313: Add JNDILookup plugin." The motivation is found in the Apache JIRA entry:
Currently, Lookup plugins [1] don't support JNDI resources.
It would be really convenient to support JNDI resource lookup in the configuration.
One use case with JNDI lookup plugin is as follows:
I'd like to use RoutingAppender [2] to put all the logs from the same web application context in a log file (a log file per web application context).
And, I want to use JNDI resources look up to determine the target route (similarly to JNDI context selector of logback [3]).
Determining the target route by JNDI lookup can be advantageous because we don't have to add any code to set properties for the thread context and JNDI lookup should always work even in a separate thread without copying thread context variables.
[1] http://logging.apache.org/log4j/2.x/manual/lookups.html
[2] http://logging.apache.org/log4j/2.x/manual/appenders.html#RoutingAppender
[3] http://logback.qos.ch/manual/contextSelector.html
The big problem with log4j is that by default all string interpolation of all modules is turned on. In the meantime it has become opt-out, but it wasn't always.

Request tracing through multiple azure networking components?

I have a solution in Azure that has multiple networking components, and am trying to trace requests through from component to component. I have enabled a LogAnalyticWorkspace that these components output to.
Application Gateway w/ WAFv2,
API Management Instance,
Application Gateway w/o WAF,
Container Instance,
AppGW-WAF-->APIM-->AppGW-->Container
Is there some common attribute/header value/query string addition, etc. that I can use in the LAW to trace a request from point to point in the sequence above?
Any advice is appreciated!
It sounds like you want to do tracing on the application / HTTP layer to get something like this?!
Then you want to look at Application Insights and Correlation, probably using distributed tracing.
This also nicely integrates out of the box with APIM.
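As an added example (not from the question or the answer above, and not Azure code): what the correlation the answer points to looks like in practice. With W3C Trace Context, which Application Insights propagates, every hop in AppGW-WAF -> APIM -> AppGW -> Container carries the same trace-id while only the parent-id changes, so the trace-id is the common attribute to join on in Log Analytics. The hops and log records are simulated in-process and constructed for the demo.

```python
# Added example (not part of the original question or answer): with W3C Trace
# Context, every hop in AppGW-WAF -> APIM -> AppGW -> Container shares one
# trace-id, which is the common attribute to join on in Log Analytics.
# Application Insights propagates this header between components; the hops
# and log records below are simulated in-process and constructed for the demo.
import re
import secrets

TRACEPARENT_RE = re.compile(r"^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")
CHAIN = ["AppGW-WAF", "APIM", "AppGW", "Container"]

def parse_traceparent(value):
    """Split a traceparent header into (trace_id, parent_id, flags)."""
    m = TRACEPARENT_RE.match(value or "")
    if not m:
        raise ValueError("malformed traceparent")
    return m.group(1), m.group(2), m.group(3)

def next_hop(incoming):
    """Return (outgoing traceparent, log record) for one component.

    A missing or malformed header starts a fresh trace, as the first hop does;
    otherwise the trace-id is kept and only the parent-id advances.
    """
    try:
        trace_id, parent_id, flags = parse_traceparent(incoming)
    except ValueError:
        trace_id, parent_id, flags = secrets.token_hex(16), None, "01"
    span_id = secrets.token_hex(8)
    record = {"trace_id": trace_id, "span_id": span_id, "parent_id": parent_id}
    return f"00-{trace_id}-{span_id}-{flags}", record

def simulate_request(chain=CHAIN):
    """Push one request through each component, collecting one record per hop."""
    header, records = None, []
    for component in chain:
        header, record = next_hop(header)
        records.append({"component": component, **record})
    return records

def correlate(records, trace_id):
    """Rebuild the hop order for one trace by following parent_id -> span_id,
    the join Log Analytics would do on the shared trace/operation id."""
    by_parent = {r["parent_id"]: r for r in records if r["trace_id"] == trace_id}
    path, current = [], by_parent.get(None)
    while current:
        path.append(current["component"])
        current = by_parent.get(current["span_id"])
    return path
```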

Thorntail basic authentication [duplicate]

As said in the title, is there a way to add application users in the Thorntail WildFly server, much like you would do with the "add-user.sh -a" script in the full server distribution?
I understand you can provide an external configuration file to Thorntail but that seems a bit of overhead just for specifying where users are located.
Thanks
The answer by Thomas Herzog is very good from a conceptual point of view -- I'd especially agree with securing the application using an external Keycloak, potentially with the help of MicroProfile JWT. I'm just gonna provide a few points in case you decide not to.
You can define users directly in project-defaults.yml, like this:
thorntail:
  management:
    security-realms:
      ApplicationRealm:
        in-memory-authentication:
          users:
            bob:
              password: tacos!
        in-memory-authorization:
          users:
            bob:
              roles:
              - admin
The project-defaults.yml file doesn't have to be external to the app; you can build it directly into it. Typically, in your source code, the file will be located in src/main/resources, and after building, it will be embedded inside the -thorntail.jar. It can be external, of course, and if this is something other than a throwaway prototype or test, sensitive data like this should be external.
You can also use the .properties files from WildFly:
thorntail:
  management:
    security-realms:
      ApplicationRealm:
        properties-authentication:
          path: .../path/to/application-users.properties
        properties-authorization:
          path: .../path/to/application-roles.properties
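As an added example (not from the question or the answer above, and not Thorntail or WildFly code): producing the two files the properties-authentication and properties-authorization paths point to, in the format "add-user.sh -a" writes, without a WildFly installation. The users, roles and output directory are constructed for the demo.

```python
# Added example (not from the original question or answer): producing what
# "add-user.sh -a" would write, without a WildFly installation, so the files can
# be pointed to by properties-authentication / properties-authorization above.
# WildFly's properties realm stores HEX(MD5(username ':' realm ':' password)).
# The users, roles and output directory are constructed for the demo.
import hashlib
import hmac
from pathlib import Path
REALM = "ApplicationRealm"   # must match the realm name in project-defaults.yml

def wildfly_password_hash(username, password, realm=REALM):
    """Digest stored in application-users.properties (lowercase hex MD5)."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()

def render_users(users, realm=REALM):
    """application-users.properties: realm marker plus one user=hash line each."""
    lines = [f"#$REALM_NAME={realm}$"]
    lines += [f"{u}={wildfly_password_hash(u, p, realm)}" for u, p in users.items()]
    return "\n".join(lines) + "\n"

def render_roles(roles):
    """application-roles.properties: one user=role1,role2 line per user."""
    return "\n".join(f"{u}={','.join(r)}" for u, r in roles.items()) + "\n"

def parse_properties(text):
    """Minimal key=value reader; comments and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def verify(username, password, users_text, realm=REALM):
    """Check a credential the way the properties realm does: recompute the
    digest and compare it in constant time, never the cleartext."""
    stored = parse_properties(users_text).get(username)
    expected = wildfly_password_hash(username, password, realm)
    return stored is not None and hmac.compare_digest(stored, expected)

def write_files(out_dir, users, roles):
    """Write both files into out_dir and return their paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    users_path = out / "application-users.properties"
    roles_path = out / "application-roles.properties"
    users_path.write_text(render_users(users))
    roles_path.write_text(render_roles(roles))
    return users_path, roles_path
```

The digest is a plain unsalted MD5 over username, realm and password, so the users file deserves the same handling as the cleartext project-defaults.yml variant: keep it outside the jar and out of source control.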
It depends on what you need the users for. Thorntail creates standalone microservices, which are different from hosted applications in a WildFly server.
Is there a management console in Thorntail?
Yes there is, but I have never used it.
https://docs.thorntail.io/2.2.0.Final/#_management
https://docs.thorntail.io/2.2.0.Final/#_management_console
The users you may be able to create there shouldn't be persistent, because there is no WildFly server installation as you are used to with a standalone WildFly server installation; it is all packaged in the jar. A microservice shouldn't need to be configured after its deployment any more, at least not like this.
How to secure my application?
I would recommend using an external user management via Keycloak, which is integrated in Thorntail via the keycloak fraction. With the keycloak fraction you can define security constraints for your endpoints, similar to a web.xml.
https://docs.thorntail.io/2.2.0.Final/#_keycloak
Another way is to use the security fraction which provides you JAAS support for your microservice.
https://docs.thorntail.io/2.2.0.Final/#_security
The configuration is done via the thorntail specific project-defaults.yml configuration file, where you can configure the fractions via YAML.
What is a thorntail fraction?
A Thorntail fraction is similar to a Spring Boot starter dependency in Spring, whereby the fraction provides the API for development and bundles the implementation and integration into Thorntail. The fraction actually is a JBoss module which is packaged into the standalone microservice during the re-packaging phase.
Where can I find examples?
See the following links for examples of how to use security in Thorntail. You should take a look at them.
https://github.com/thorntail/thorntail-examples/tree/master/security
Take a look at the src/main/resources/projects-defaults.yml which contains the configuration for thorntail fractions and the pom.xml which defines the used fractions.

Global Transaction Handling in Spring Integration

It's a Spring Integration application. I have a requirement where I need to persist to the DB and then post to a Queue/Topic. This should be part of a single transaction. I am planning to use the JtaTransactionManager. The application server is Tomcat. Would someone please provide some sample configuration code required for this implementation?
You need a third party stand-alone XA transaction manager such as Atomikos. Tomcat doesn't have one.
You might also consider alternatives to using full-blown 2pc.

Can ServiceStack use binary serializers for non-HTTP clients, e.g. Google Protocol Buffers?

As a followup to Does ServiceStack support binary responses?, I'm wondering whether there are injection points built (or planned) to use binary serializers such as Mark Gravell's protobuf-net for efficiency between non-HTTP clients. In fact, it might not be long before protocol buffers work in JavaScript.
Yep, ServiceStack has a custom pluggable format API where its own built-in CSV Format and HTML Report Format are both registered using it. The tutorial of the Northwind Database's custom v-card media type shows how to register your own format/media type using this API.
Support for protobuf-net is planned for the near future. There was someone on the ServiceStack Group looking at exploring adding support for it. In any case, I plan to be catching up with protobuf-net's author soon so I'll find out the best way of how to add support for it then.