Wednesday, December 22, 2010

slf4j over sysout not thread safe

I started using it to redirect all sysout and syserr to log files instead of catalina.out but its not thread safe as I started getting below exceptions. Solution was to patch the library and make LoggerAppenderImpl.appendAndLog and LoggerAppenderImpl.append methods synchronized for now as I am relying on assumption that we wont have too many system.out in third party libraries.


java.lang.StringIndexOutOfBoundsException: String index out of range: 117
at java.lang.String.(String.java:212)
at java.lang.StringBuilder.toString(StringBuilder.java:430)
at uk.org.lidalia.sysoutslf4j.context.LoggerAppenderImpl.flushBuffer(LoggerAppenderImpl.java:62)
at uk.org.lidalia.sysoutslf4j.context.LoggerAppenderImpl.appendAndLog(LoggerAppenderImpl.java:57)
at uk.org.lidalia.sysoutslf4j.system.SLF4JPrintStreamDelegate.appendAndLog(SLF4JPrintStreamDelegate.java:76)
at uk.org.lidalia.sysoutslf4j.system.SLF4JPrintStreamDelegate.delegatePrintln(SLF4JPrintStreamDelegate.java:56)
at uk.org.lidalia.sysoutslf4j.system.SLF4JPrintStreamImpl.println(SLF4JPrintStreamImpl.java:111)
at com.danga.MemCached.Logger.log(Logger.java:107)


and

java.lang.ArrayIndexOutOfBoundsException
at java.lang.String.getChars(String.java:855)
at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:391)
at java.lang.StringBuilder.append(StringBuilder.java:119)
at uk.org.lidalia.sysoutslf4j.context.LoggerAppenderImpl.appendAndLog(LoggerAppenderImpl.java:56)
at uk.org.lidalia.sysoutslf4j.system.SLF4JPrintStreamDelegate.appendAndLog(SLF4JPrintStreamDelegate.java:76)
at uk.org.lidalia.sysoutslf4j.system.SLF4JPrintStreamDelegate.delegatePrintln(SLF4JPrintStreamDelegate.java:56)
at uk.org.lidalia.sysoutslf4j.system.SLF4JPrintStreamImpl.println(SLF4JPrintStreamImpl.java:111)
at com.danga.MemCached.Logger.log(Logger.java:107)

Tuesday, December 21, 2010

Jersey mapped to /* but tomcat to serve other static content

Ran into interesting issue where Jersey was to be mapped to /* to make the REST urls easy. I mean instead of http://foo.bar.com/rest/HelloWorld the rest urls had to be http://foo.bar.com/HelloWorld.

But also the JSP and in local dev env all static content needed to be served by tomcat. Was searching for a solution and ran into this Jersey mapped to all url and tomcat to serve JSP.

This thread on nabble made my day as I was looking for this solution for 2-3 days but was trying all wrong options.

Friday, December 3, 2010

Securing JSESSIONID cookie if tomcat is fronted by apache

In my previous post Creating a custom Valve in tomcat I descibed the valve solution I tried to secure the JSESSIONID cookie but it didnt worked so finally I had to patch the tomcat class to get it working. We are using tomcat 5.5.28 so I downloaded the source and modify the class apache-tomcat-5.5.24-src/container/catalina/src/share/org/apache/catalina/connector/Response.java. In addCookie method I had to add this code


 String cookieName = cookie.getName();
 if (request != null && "JSESSIONID".equals(cookieName)) {
    String clientId = request.getHeader("X-Forwarded-For");
    if (clientId != null) {
  cookie.setSecure(true);
    }
 } 


Then compile the code and replace the catalina.jar in tomcathome/server/lib

Tomcat creating a custom Valve

I recently tried registering an app with Salesforce and they reported a security vulnerability of JSESSIONID cookie not being secure in it. The app uses https but this JSESSIONID cookie is created by tomcat. The app is fronted by tomcat so the Apache-tomcat connector is not secure. There were various solution like:

1) Adding secure="true" on http connector, but it didnt worked, somehow it used to work in older tomcat but not in the version of tomcat we use.
2)Other solution is to write an apache module to rewrite the Set-Cookie header but that is too complex.
3)I tried implementing a filter and wrapping the HttpServletResponse and overriding setHeader method but unfortunately by the time the call reaches the filter tomcat has already added the cookie in response and if I add another one there were two cookies sent one with secure and other with no secure attribute so that defeats the purpose.

Here I thought Valves comes to rescue so I implemented a tomcat Valve (unfortuntely the Valve solution also doesn't work because I had to wrap the org.apache.catalina.connector.Response and it has protected fields that can be directly used by some classes so I had to drop the solution). But I learnt how to create a valve so thought of sharing it.

A tomcat Valve is similar to servlet filter except you get tomcat request,response classes that extend the HttpServletRequest/Response. Without going into much BS as we all are programmers let me paste the real code

package org.apache.catalina.connector;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.valves.ValveBase;

public class SecureSessionCookieValve extends ValveBase {

 @Override
 public void invoke(Request request, Response response) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String clientId = httpRequest.getHeader("X-Forwarded-For");
        if (clientId != null) {
      if(containerLog.isDebugEnabled()) {
       containerLog.debug("wrapping response to mark session cookies as secure");
      }
         response = new SecureSessionCookieResponse(response, true, containerLog);
        } else {
         //this is done so that local tests show no wrapping side effects
      if(containerLog.isDebugEnabled()) {
       containerLog.debug("wrapping response but will not mark session cookies as secure");
      }
         response = new SecureSessionCookieResponse(response, false, containerLog);
        }
        request.setResponse(response);
        getNext().invoke(request, response);
 }

}


The valve checks if the request is forwarded from apache->tomcat then it tries to make the cookie secure else it would leave it as is.

Once you have written the valve create a jar file out of classes and put it in tomcathome/server/lib and then modify the server.xml to add the valve under Context tag as shown below

 <Context path="" docBase="ROOT" debug="0" privileged="true">
 <Valve className="org.apache.catalina.connector.SecureSessionCookieValve" />


Not posting the SecureSessionCookieResponse class as this solution doesnt work. In next post Patching tomcat to make JSESSIONID secure I would describe how I patched the tomcat class to make the JSESSIONID secure.