The scenario is this: I'm developing a Java EE application with an Angular 2 frontend. The client has an Apache server which is usually used to serve static resources and an Oracle Weblogic for the dynamic part. The problem is that by default the Angular 2 App and the Weblogic server will not be able to talk each other due to the Same Origin Policy.
So far I have 3 possible deployment approaches in mind:
Set up a Reverse Proxy in Apache to point the REST endpoints to Weblogic
Package the Angular App in a WAR/EAR and deploy it to Weblogic. So I would end up with something like: myserver/myapp for the UI and myserver/myapp-rest for the Backend.
Package the Angular App in the same WAR as the Java backend. So I would end up with myserver/myapp for the UI and myserver/myapp/api for the REST endpoints.
There is a 4th option which would be setting up CORS, but I'm worried about the security using that approach.
Which is the right approach?
If you are allowed to make infra decisions , change apache webserver to nginx , we switched to nginx and got lot of added values in terms of concurrent processing.
In our project the angular client is served by nginx webserver which talks to java backend hosted on tomcat 8.x(our app server) , also there are couple of tiers after app-server a separate DB server and an elastic search server.
Don't feel intimidated to set up CORS, you will eventually need to allow some origins requests which don't originate on your domain and port.
If your java tech stack has spring mvc , then setting up CORS is just a matter of adding few lines of configuration. You can even hardcode your angular url to allow backend server to serve requests only from your angular URL.
In normal JavaEE world, CORS is just another filter or interceptor where you can set response headers with all the allowed origins, http methods etc. It's very simple you can look it up.
For your given choices
seems plausible and a value addition that you get is you can
delegate SSL encryption to proxy server .
seems rather odd, you would want to separate the static content server from dynamic contents server, your angular js bundles, assets
etc are mostly static, if you keep your static server separate then
you can configure cookie-less domains down the line that would make
serving a lot faster.
3 same as 2.
I would strongly suggest the CORS option , from my past experiences.
Related
We're using Websphere to host a series of applications for us:
We have an API that's hosted at the root, written in Java
We have an Angular application hosted at /admin
We have another Angular application hosted at /marketing
My concern is about deep-linking. If a user is at /marketing/products/1, and they refresh their browser or share the link, I need the server to send that route to the correct Angular application so it can be generated correctly.
In a simpler setup, where the Angular application is living at the root, I would use the Java application's web.xml file to redirect traffic to "/". But in my current scenario, I need traffic for the marketing site to go to "/marketing", not just to "/". Just like a deep-link from the admin site would need to go to "/admin".
Furthermore, the base URLs for these Angular applications are subject to change, and we also plan to add additional Angular sites to this same server. So I'm really looking for a solution that can work dynamically and have the server redirect to the first "slug" in the URL rather than matching specific directories.
Any ideas? (And please excuse and correct any misconceptions I've demonstrated above -- I currently know very little about WebSphere)
I can see a couple possible ways forward.
You could still use the error-page directive in web.xml, but specify the URL of a servlet in your application that could do the inspection manually and issue a redirect as appropriate. How the list of context roots is provided to your app will differ based on how it's packaged, but it could be done using files, environment variables, or JNDI entries in server.xml.
If the URLs could be changed, the Angular apps could be changed to use HashLocationStrategy in their routers which would sidestep the error page. It doesn't seem likely that that's the case but I'll put it here to get it out of the way.
You could consider splitting each Angular app into its own .war file and configuring the context root in the webApplication element in server.xml. Then redirecting to / in web.xml would work since that / is relative to the context-root.
We ended up combining those separate Angular applications into 1 so that WebSphere could direct everything to "/" and Angular routing could handle everything from there.
I have to make an application in tomcat which core responsibility is to redirect all request coming from browser application to API server. It works like proxy server between browser application and API application. Have to write it on tomcat. How can i achieve this, do i have write a REST API application on tomcat too?
Project Description
Requirement is like we have two application one is developed on React, its a web-portal and the other one is on spring-boot as a backend application (json apis).
spring-boot application is going to be deployed on secure zone and web-portal is in DMZ. web-portal in on internet, backend application is on intranet. As web-portal is a CSR application so the api's calls from web-portal contains backend application IP/URI but it cannot be accessible from internet.
So i am planning to write an application on DMZ zone and it will be deployed on apache tomcat, so like when request comes at tomcat it redirect it to backend application server which is on intranet with all headers/payload and redirect response from backend server to web-portal.
You want to set up a reverse proxy which is a standard pattern. Take a look at the answers at Reverse Proxy Java or just search the web for "reverse proxy java".
If you are not bound to implement it in java take a look at Nginx which we use in many projects to transfer the request from the web app to the REST backend.
I have separate application for client side which is in ReactJs and NodeJS (Express server) and Web Services in Java application running in tomcat.
My query is which is better approach in terms of making web service call.
One is making direct web service call from ReactJS and get the data.
Other one is calling web service in Express server. Request from client browser will go to Express and Express will make all web services call.
I know one issue in making direct call to web service will be cross domain policy which can be handle by setting configuration in Java server.
Apart from it what should be better approach.
From my experience it ended up better using direct calls from UI application and avoiding intermediate server.
Reason for doing this directly is that our servers ended up with a lot of restrictions based on IP addresses, and all requests have been coming from intermediate server (nodeJS server), so DDOS protection of end server had to have some exceptions (our node server which could be on ACS with dynamic IP addresses so it might be hard to manage).
Also If you want to pass and track end users IP addresses, you need to manage headers on Node server (to be sure you are passing it as it was in original request).
It is way simpler to manage this kind of situation if calls are comming from React app and simply set up CORS on java server.
Also its way easier to debug it on UI app directly, so you will be watching response logs on one place only. Other way around you could end up debugging your node server and UI app.
Hope this helps a bit.
Best way IMO is to create a router in Node js specifically for all your Java webservices and act as a proxy.
Suppose if your url pattern is like http://domain/java-ws/api then all these requests will be routed to your Java service.
If you have an Apache server directing requests to your node JS then configure url pattern proxy using proxy module.
Browsers are blocking CORS requests for a reason. You may get away by setting things on your server.
I am a little confused about the roles of a java application server and its differences from a web server.
I found many sites explaining the same difference between the two but not to my satisfaction.
So please explain me about the two following cases:-
1)App. Server and its difference with web server:
From these two links:
Difference between an application server and a servlet container?
What is the difference between application server and web server?
web server: It handles everything through http protocol by accepting requests from clients and sending
responses to them with the help of its servlet container(e.g Apache Tomcat)
App. Server: An application server supports the whole of JavaEE like JMS,JPA,RPC etc.
Now what I am confused with is that how can I use a lot of JavaEE APIs like JMS,JPA etc. with my Tomcat
by adding their jar files in my web application ?
Does that mean that if I use an appliation server I don't have to add those jar files?(I don't think so)
2)The roles of an appl. server (This is very important to me)
From Wikipedia
http://en.wikipedia.org/wiki/Application_Server
An application server provides services such as security,transaction support etc.
"The term is often used for web servers which support the JavaEE" -- It sounds like if we add the required jar files of JavaEE APIs a web server becomes an appl. server.What about it.
Now my question is how an application server performs the tasks of security control or transaction management by itself ?
E.g. in my web application using Spring framework I am providing security by using spring-security and transaction management by using #Transactional annotation and all those things you know.
So does the appl. server have anything to do with my security or transaction management or it has its own ways ?
Forgive my ignorance.
Using Spring, you're in fact embedding some kind of Java EE container inside your application. But even when using Spring, if you need JTA support (because you need distributed XA transactions), you'll need to use an additional transaction manager. If you need JMS, you'll need to install an additional JMS broker. If you need connection pooling, you'll need to use an additional connection pool. Sometimes it's as simple as adding additional jars to the classpath and properties or XML files. Sometimes it's harder.
A Java EE app server comes with everything bundled. You have less flexibility, but you don't need to install, configure and make everything work by yourself.
When you use the Java EE framework, that is a specification. So the application server, if it is Java EE compliant, needs to implement this. So once it is implemented the specification, then it will address Security,transaction etc because it is mentioned in the spec. So it is a contract. Whereas, in a web server, it will just pull out your static resource. There is no need for handling other stuff.
In case of the Spring framework, the framework knows how to handle transaction, security etc. So particularly the developer need not look into these aspects which are implemented by the Application Server in the other scenario.
how an application server performs the tasks of security control or transaction management by itself
It is rather the specification that address these issues, not the application server. So, the duty of the app server is to implement these.
So, if your application is Java EE compliant, then these areas will be addressed and the implementation would have been done by the app server.
May be this is oversimplification,
A web server is basically a HTTP server serving contents over http protocol. So a web server is simply about serving the contents over http protocol. A typical example would be Apache web server. This is simply a file server.
Now the question is where does the web server gets the contents from ? Possible sources are
Static contents (the contents like images/css etc) which are not generated on request but statically served.
Dynamic contents: Simply put, the contents to be served are generated upon the user request.
For the static contents, the web server does not need anything as it simply reads the file and serves it.
For dynamic contents, the web server might need help of additional components which will generate the contents to be served.
Here the Application Server comes into picture.
Now these additional components referred earlier, might interact with database or some other system etc.
In a web environment where your website is exposed to huge number of users (intended/unintended), you need typical services like transaction/security/concurrency etc. so that the user get expected responses and do not see inconsistencies in the behavior of the application.
An application server has inbuilt abilities to manage transaction/security/concurrency/resource management. generally these are referred as Managed services and environment offered by them is called Managed Environment where these basic services are managed by the application server and programmer does not have be bother for them.
Application Server needs web servers or we can say Web servers use Application server's services to generate dynamic contents.
For example, JBoss uses Tomcat as inbuilt web server. Whereas web logic has its own web server. Tomcat again can be called as application server (in principle) as it also offers managed environment for servlets (it manages concurrency and instance pool of servlets/JSPs ).
Coming your your example of Spring:
An Application server will come inbuilt with transaction/security etc whether you need it or not. The Spring offers a very nice way handling this. Spring has all these things BUT you use what you need. Not just these, but just a Java Web Sever like Tomcat is sufficient to build a full fledged services that needs an application server.
If we are to separate our web server and app server, would we need java on both machines? I've had one coworker say to install jboss on both machines (seems to defeat the purpose if both machines have app server installed) and another says just install jboss on one and apache on the other (app server/web server).
I have the web project setup already and it uses servlets and JSPs. The JSPs display the content while the servlets do the action. The servlets receive requests and forward responses to the JSP. My question is how do I do this if the web server only has apache and therefore displays static content? I understand how to forward the requests from the web server to the app server but what about maintaining session state, is that done on the web server and if so how would it be done?
If the login page is html and the content after the login is html then how could I stop people from accessing the content if they haven't logged in?
The latter setup you describe, with Apache serving static content and forwarding requests for JSP/servlets onto the app server is the standard setup.
Session state is maintained as normal, your Java webapp on the app server sends the user back a cookie containing a JSESSIONID and when the user makes subsequent requests, Apache includes all request info (including cookies) in what it forwards to the app server.
The setup becomes a bit more complicated if you want to have Apache sit in front of and load balance requests to multiple JBoss instances, but it's still pretty easy to set up with mod_proxy_balancer.
Some links that might help you:
http://help.shadocms.com/blog/2009/how-to-setup-apache-with-jboss-on-a-shado-site.cfm
http://redlumxn.blogspot.com/2008/01/configure-apache2-and-jboss-422ga.html
There are many possibilities.
On web machine install just apache with mod_jk to redirect the requests to tomcat/jboss.
In this case you don't need java on this machine.
You can also separate your jsp container (e.g. tomcat/jboss) and your app server in this case you you will need to install java where you have your web container.
Generally where there is a need of higher security people combine the above mentioned possibilities. Thin web layer (apache + no java) + Web container (e.g. tomcat) + app layer (jboss/glassfish)
The first solution is normally the standard one.
Your scenario reminds me of SiteMinder. It was used to access control into our application. It has built in HTTP forwarding so from the user's perspective the browser talks to siteminder and siteminder talks to the real application. They both use session cookies and siteminder's called SMSESSION while the app's called JSESSIONID so there is no conflict.
A common deployment is to use Apache fronting servers to serve static content and forwarding requests for dynamic content to the JSP server. This is mainly for performance reasons, Apache being both faster at serving content and reducing the load on the JSP server.
I don't see any reason why you couldn't, for example, use IIS as the fronting server (removing Java from the equation), although with the wealth Apache modules and accompanying information about the configuration I think you might be making life difficult for yourself if you did.
Short answer - No.
Long answer -
It depends on the needs of your application. There are a few reasons why you would want to have the web server on a different physical machine:
You want to have the web server serve
the static content, and leave the app
server free to only process
servlet/jsp content
You wish to implement software based
load balancing. You would have the
apache server proxy requests to
multiple backing app servers
In your login example, the html page is served by apache, and the action of the html form points to your servlet for processing - so JBoss/java will still manage the session. Keep in mind that any static content you want apache to server will need to be present on the web server.