Is it possible to prevent requests that are not using https from calling a get/post in code.
For example I am implementing a rest api with java and spring, and I would like to return a http status to the caller if they were not using https.
/api/getBlah using https would return the item, however using just http would not work and return the appropriate http status.
For an API server, I strongly encourage you to don't answer a redirect
If you do answer a redirect, if a developer make the mistake to use the http version of your API he will not see immediately that he used an insecure connexion
If you answer a "400 Bad Request", "401 Unauthorized" or a "405 Method Not Allowed" with a body explaining that only https is allowed, then the developer will immediately see the problem.
In short, answering a redirect http=>https in an API encourage bad practices.
There are a few different ways of handling this. Web Server Handling in my opinion, is the most common and makes the best use of the strengths of web servers and application serves.
Web Server Handling
As mentioned in the comments above, a common method of deploying Java web applications is to place a web server (such as apache or nginx) in front of a Java Application Server (tomcat, wildfly, jetty, etc.). The web server then proxies requests to the application server.
In a setup like this you can simply return a static response or redirect the user.. In this way, you don't need to return anything special from your own Java application. The web server does the lifting for you.
It should be noted (as in the answer from #Tom), that in the API use-case, an HTTP to HTTPS redirect is not best approach. This is more commonly
Application Server Separate Servlets
On the Java side, you could essentially create two separate web applications. The first would be configured to receive requests from the HTTP listener and would provide proper error messages or redirects. The other would be your main application and would be configured to only receive requests from the HTTPS listener.
Again responding with a static error would be best for an API.
Application Server Single Application
When a servlet handles requests, it will populate information in the ServletRequest, including information about if the requests was secure (used HTTPS). See the [ServletRequest documentation][2] and specifically the isSecure() method. You can inspect the ServletReuest within your application to determine the appropriate way of responding to the request.
Don't Answer
You can also simply configure your webserver/app server to not listen for HTTP requests. You'll miss the change to provide a sensible error to the user, but you'll achieve the affect of not allowing any requests over HTTP.
Related
I am working on a web application, which is deployed to weblogic cluster. Upon user invoking an action in jsp, at the server side we make an outbouond call (with 2-way ssl) to an external service. This service returns me some data, which we send to the client side for rendering on UI. This flow is working as fine.
Outbound request for 2-way SSL are made from a utility class within the application, using java.net.URLConnection. However, upon checking the access.log for weblogic, I don't see these outbounds call logs in the access logs.
Now, business has Access log monitoring software in place, to monitor specific urls/reponse code and alert IT team if the number of non-200 responses crosses some threshold.
So, the challenge I am having currently is, how to log the outbound request's url & response status to the access log of weblogic server. I have been googling over the net, but couldn't find anything so far which can suggest how to go about it. I am new to weblogic, so not sure if this is possible OOTB or I need to write some custom code for this.
Need advice from weblogic experts out there. Thanks in advance!
Weblogic only traces incoming http/s requests in its access logs. Your application is responsible for logging its own outbound requests in its own logs. Do not log your entries in weblogic's logs.
I have separate application for client side which is in ReactJs and NodeJS (Express server) and Web Services in Java application running in tomcat.
My query is which is better approach in terms of making web service call.
One is making direct web service call from ReactJS and get the data.
Other one is calling web service in Express server. Request from client browser will go to Express and Express will make all web services call.
I know one issue in making direct call to web service will be cross domain policy which can be handle by setting configuration in Java server.
Apart from it what should be better approach.
From my experience it ended up better using direct calls from UI application and avoiding intermediate server.
Reason for doing this directly is that our servers ended up with a lot of restrictions based on IP addresses, and all requests have been coming from intermediate server (nodeJS server), so DDOS protection of end server had to have some exceptions (our node server which could be on ACS with dynamic IP addresses so it might be hard to manage).
Also If you want to pass and track end users IP addresses, you need to manage headers on Node server (to be sure you are passing it as it was in original request).
It is way simpler to manage this kind of situation if calls are comming from React app and simply set up CORS on java server.
Also its way easier to debug it on UI app directly, so you will be watching response logs on one place only. Other way around you could end up debugging your node server and UI app.
Hope this helps a bit.
Best way IMO is to create a router in Node js specifically for all your Java webservices and act as a proxy.
Suppose if your url pattern is like http://domain/java-ws/api then all these requests will be routed to your Java service.
If you have an Apache server directing requests to your node JS then configure url pattern proxy using proxy module.
Browsers are blocking CORS requests for a reason. You may get away by setting things on your server.
I have a java client that sends a message to the server .The server is a servlet deployed on jboss. My question is can the servlet send data back to the client as acknowledgment? is it possible in servlets?
From Java EE 5 tutorial chapter 4:
What Is a Servlet?
A servlet is a Java programming language class that is used to extend the capabilities of servers that host applications accessed by means of a request-response programming model. Although servlets can respond to any type of request, they are commonly used to extend the applications hosted by web servers. For such applications, Java Servlet technology defines HTTP-specific servlet classes.
Yes it is possible with servlets. Read the basics here.
Of course it's possible; a servlet that didn't have the ability to send data back to the client wouldn't be very useful.
There are many ways to do so but the most "raw" way is by writing to ServletResponse.getOutputStream(). The ServletResponse is passed to the service method of a Servlet implementation. Note that the data is of course going to be sent back as a valid HTTP response (identified using MIME, etc).
Ashwinm if you are looking for posting a result to a socket (on client) and not returing the result through mormal HTTP response.
Which I believe is not a servlet question then. You can anyway do anything in java. But have to look at normal "how to write to a socket" tutorial.
GenreicServlet might provide some extensibility or some solution.
EDIT
I read your commentes below later. Yes you need URLConnection in that case at the bare minimum.
An http servlet works on http request and can send back the http response. You can connect to it using URLConnection as described above.
If you don't want to get at this level (layer), you can work at with the packets directly (using sockets). Here you dont need a servlet actually. Here your server (a simple java application) will listen on a socket for any incoming connection and the client can connect to it.
could you please give me a sample code on how an Http Server(Java) receives the request of a client(android)? I mean the client sends the request via Httppost, how the server takes the content of these requests in order to see the context and reply? I am trying to built a chat application.
Thank you in advance!
The server-side of HTTP is usually implemented using the protocol stack provided by a web container. You would then implement your application's server-side as servlets. There are numerous tutorials on this.
If that's the way you want to proceed, look at one of the standard web containers; e.g. Tomcat, Jetty, Glassfish, etc. The source code for all of these is available for you to browse, though I should warn you that they are all complicated under the hood.
Assuming that your HTTP service is going to be delivering JSON or XML (rather than HTML) to clients, you may want to look into using a RESTful framework.
Have a look at ServerSocket. Keep in mind that accept() blocks and, as you will probably run it in a service, you will want to time it out and check for the completion of the service. That should probably run in its own thread as should the responders to requests.
From there, you can open input and output streams to receive the request and write the response. There are any number of packages that can help you with the interaction, or you can roll your own, but it doesn't seem like you've done a lot of homework. Perhaps some searching, reading, and more specific questions would more you along more quickly.
As per title really I'm wanting to send a custom HTTP post request to a web server and I have little experience in this area. The web server uses an LDAP server for access control (not sure if that's important) for which of course I know the username and password. Could anyone flesh out some code to do this or at least get me started?
Edit for one of the comments, the server is running a LAMP stack with PhP 5+ and Apache 2+
You can use HttpClient module from Apache.
Although the java.net package provides
basic functionality for accessing
resources via HTTP, it doesn't provide
the full flexibility or functionality
needed by many applications.
HttpClient seeks to fill this void by
providing an efficient, up-to-date,
and feature-rich package implementing
the client side of the most recent
HTTP standards and recommendations.
Designed for extension while providing
robust support for the base HTTP
protocol, HttpClient may be of
interest to anyone building HTTP-aware
client applications such as web
browsers, web service clients, or
systems that leverage or extend the
HTTP protocol for distributed
communication.
LDAP and authentication are separate issues from sending POSTs to web servers.
Th server side needs to do that authentication. Set it up either in your code or in the web server itself.
If your client is a Java application, you can create a POST using UrlConnection.
If your client is an HTML page or JSP, you need a form with a POST action.