GLASSFISH-20135

new WARNING logged in server.log when launch console

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0_dev
    • Fix Version/s: 4.0_dev
    • Component/s: admin_gui
    • Labels: None

      Description

      Recently, a few WARNINGs are showing up in server.log when the server starts and the console is launched.

      This WARNING message shows up in server.log after I started the server and then launched the console.

      [#|2013-04-02T12:26:25.860-0700|WARNING|glassfish 4.0|javax.enterprise.system.core.security|_ThreadID=88;_ThreadName=Thread-9;_TimeMillis=1364930785860;_LevelValue=900;|
      JACC: For the URL pattern /resource/*, all but the following methods were uncovered: GET|#]

      [#|2013-04-02T12:26:25.879-0700|WARNING|glassfish 4.0|javax.enterprise.system.core.security|_ThreadID=88;_ThreadName=Thread-9;_TimeMillis=1364930785879;_LevelValue=900;|
      JACC: For the URL pattern /theme/com/*, all but the following methods were uncovered: GET|#]

      [#|2013-04-02T12:26:25.879-0700|WARNING|glassfish 4.0|javax.enterprise.system.core.security|_ThreadID=88;_ThreadName=Thread-9;_TimeMillis=1364930785879;_LevelValue=900;|
      JACC: For the URL pattern /theme/META-INF/*, all but the following methods were uncovered: GET|#]

      [#|2013-04-02T12:26:25.880-0700|WARNING|glassfish 4.0|javax.enterprise.system.core.security|_ThreadID=88;_ThreadName=Thread-9;_TimeMillis=1364930785880;_LevelValue=900;|
      JACC: For the URL pattern /theme/org/*, all but the following methods were uncovered: GET|#]

      [#|2013-04-02T12:26:27.208-0700|INFO|glassfish 4.0|javax.enterprise.resource.webcontainer.jsf.config|_ThreadID=88;_ThreadName=Thread-9;_TimeMillis=1364930787208;_LevelValue=800;_MessageID=jsf.config.listener.version;|
      Initializing Mojarra 2.2.0-m12 (-SNAPSHOT 20130320-0201 https://svn.java.net/svn/mojarra~svn/tags/2.2.0-m12@11773) for context ''|#]

      [#|2013-04-02T12:26:29.469-0700|INFO|glassfish 4.0|javax.enterprise.web|_ThreadID=88;_ThreadName=Thread-9;_TimeMillis=1364930789469;_LevelValue=800;_MessageID=AS-WEB-GLUE-00172;|
      Loading application [__admingui] at [/]|#]

      This needs to be addressed.

        Activity

        Anissa Lam added a comment -

        Advice from Craig is to remove the line
        <http-method>GET</http-method>
        in web.xml, which is for the images, css etc. specified in the security constraint.

        Hi Tim, Anissa,

        These messages are the result of adding support for the handling of uncovered HTTP methods. There is a logging requirement in the Servlet 3.1 specification to indicate where uncovered methods exist in the application.

        For the URL patterns listed below, all the HTTP methods except for GET are unprotected by the security constraints of the admingui.

        -Craig

        I see, there are sections of the admingui that get opened up, and the warning results because you only listed a single HTTP method in the security constraint.

        <!-- resources like images, css, etc. that don't need protection -->
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>public</web-resource-name>
            <url-pattern>/theme/com/*</url-pattern>
            <url-pattern>/theme/org/*</url-pattern>
            <url-pattern>/resource/*</url-pattern>
            <url-pattern>/theme/META-INF/*</url-pattern>
            <http-method>GET</http-method>
          </web-resource-collection>
        </security-constraint>

        Simply remove the <http-method> element and then all HTTP methods will be "covered" by this security constraint. The end result is that the desired behavior based on the comment is achieved.

        Shing Wai Chan added a comment -

        In the given web.xml, combined with another security-constraint, those files will only be accessible by users with role admin for HTTP methods other than GET.
        If the above http-method is removed, then this means those files will be accessible by any user for all HTTP methods.
        If there is no essential information there, then this is OK.

        An alternative solution is to use the web.xml 3.1 schema and then add the <deny-uncovered-http-methods/> element in web.xml. In this case, no one will be able to access those files through HTTP methods other than GET.

        Anissa Lam added a comment -

        I modified the web.xml to use 3.1; here is how it looks.
        My understanding is that I should add <deny-uncovered-http-methods/> and specify GET for those resources; that would be the correct way to do it, and shouldn't produce any WARNING.

        However, doing that still generates the WARNING message.

        I can't attach the entire web.xml, but here is the new segment:

        <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee web-app_3_1.xsd" version="3.1">

          ...
          ...
          <error-page>
            <exception-type>javax.faces.application.ViewExpiredException</exception-type>
            <location>/</location>
          </error-page>
          <deny-uncovered-http-methods/>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>protected</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>admin</role-name>
            </auth-constraint>
          </security-constraint>

          <!-- resources like images, css, etc. that don't need protection -->
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>public</web-resource-name>
              <url-pattern>/theme/com/*</url-pattern>
              <url-pattern>/theme/org/*</url-pattern>
              <url-pattern>/resource/*</url-pattern>
              <url-pattern>/theme/META-INF/*</url-pattern>
              <http-method>GET</http-method>
            </web-resource-collection>
          </security-constraint>

        ---------------
        I don't know why the WARNING is still showing up. Waiting for input from Shing Wai & Craig.

        Anissa Lam added a comment -

        Actually, a closer look at server.log shows that the WARNING message has now changed to INFO with the above changes.

        [#|2013-04-03T15:08:53.874-0700|INFO|glassfish 4.0|javax.enterprise.system.core.security|_ThreadID=86;_ThreadName=Thread-8;_TimeMillis=1365026933874;_LevelValue=800;|
        JACC: For the URL pattern /resource/*, all but the following methods have been excluded: GET|#]

        [#|2013-04-03T15:08:53.899-0700|INFO|glassfish 4.0|javax.enterprise.system.core.security|_ThreadID=86;_ThreadName=Thread-8;_TimeMillis=1365026933899;_LevelValue=800;|
        JACC: For the URL pattern /theme/com/*, all but the following methods have been excluded: GET|#]

        [#|2013-04-03T15:08:53.899-0700|INFO|glassfish 4.0|javax.enterprise.system.core.security|_ThreadID=86;_ThreadName=Thread-8;_TimeMillis=1365026933899;_LevelValue=800;|
        JACC: For the URL pattern /theme/META-INF/*, all but the following methods have been excluded: GET|#]

        [#|2013-04-03T15:08:53.900-0700|INFO|glassfish 4.0|javax.enterprise.system.core.security|_ThreadID=86;_ThreadName=Thread-8;_TimeMillis=1365026933900;_LevelValue=800;|
        JACC: For the URL pattern /theme/org/*, all but the following methods have been excluded: GET|#]

        So, upgrading to Servlet 3.1 so we can use <deny-uncovered-http-methods/> will avoid the WARNING.

        I will go through the approval process to commit the change.

        Anissa Lam added a comment -

        These WARNINGs are the result of adding support for the handling of uncovered HTTP methods. There is a logging requirement in the Servlet 3.1 specification to indicate where uncovered methods exist in the application.

        We can upgrade the console to use Servlet 3.1 and then add the new tag <deny-uncovered-http-methods/>, but that will still trigger some messages, although at INFO instead of WARNING.

        In order to avoid any message relating to those resource URLs, the solution is to add another security constraint that denies any method except GET for any user. This means even the 'admin' user cannot POST to those resources. Since those resources are just images and css files, the only method needed is 'GET', so strictly restricting the method to GET is fine. This is a suggestion from Ron & Shing Wai.

        I will send the web.xml for review to the security team, Web Container team and Ron Monzillo for review before checking in.

        • What is the impact on the customer of the bug?
          No functional impact, but users may worry that the console is not secure.
        • How likely is it that a customer will see the bug and how serious is the bug?
          They will see this WARNING every time the server starts and the console is launched.
        • Is it a regression? Does it meet other bug fix criteria (security, performance, etc.)?
          No.
        • What CTS failures are caused by this bug?
          CTS doesn't test the console.
        • What is the cost/risk of fixing the bug?
          The change is in web.xml and doesn't affect any feature. Add one more 'set' of security constraints to avoid the WARNING.
        • Is there an impact on documentation or message strings?
          No.
        • Which tests should QA (re)run to verify the fix did not destabilize GlassFish?
          Ensure that no WARNING is given out when the console is launched.
        • Which is the targeted build of 4.0 for this fix?
          build 84.
        Anissa Lam added a comment -

        Log Message:
        ------------
        GLASSFISH-20135. Add an extra security constraint so that WARNING or INFO will not be triggered when the console launches, due to the Servlet 3.1 spec.
        This extra constraint means the specified URL pattern only allows GET; no one, not even the admin, is allowed to use any other method.
        Reviewed by Craig Perez, Ron Monzillo and Shing Wai.

        Revisions:
        ----------
        61210

        Modified Paths:
        ---------------
        trunk/main/appserver/admingui/war/src/main/webapp/WEB-INF/web.xml

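The following script is an added example, not GlassFish code and not the web.xml committed in revision 61210 (which is not reproduced on this page). It re-implements the Servlet 3.1 section 13.8.4 "uncovered HTTP method" rule behind the JACC messages quoted in the issue and the section 13.8.1 rules for combining constraints, then runs both over three constructed web.xml variants modelled on the fragments posted above: the original two constraints, the same file with <deny-uncovered-http-methods/>, and a variant with an extra "GET only, for anyone" constraint expressed as an http-method-omission collection with an empty auth-constraint. That third constraint, the names public-get-only and admingui_web_xml, and the method list used to spell out "all but GET" are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Universe used to spell out "all but GET". The container's own list is not
# given in the thread, so this is an assumption; methods named in the file are added.
STANDARD_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"})


def _children(el, name):
    # Direct children by local name, namespace ignored (java.sun.com or xmlns.jcp.org).
    return [c for c in el if isinstance(c.tag, str) and c.tag.rsplit("}", 1)[-1] == name]


def _texts(el, name):
    return {c.text.strip() for c in _children(el, name) if c.text}


def parse_constraints(web_xml):
    """One record per web-resource-collection; auth is None (no auth-constraint),
    an empty frozenset (empty auth-constraint, i.e. excluded) or the role names."""
    root = ET.fromstring(web_xml)
    deny = bool(_children(root, "deny-uncovered-http-methods"))
    constraints = []
    for sc in _children(root, "security-constraint"):
        ac = _children(sc, "auth-constraint")
        auth = frozenset(_texts(ac[0], "role-name")) if ac else None
        for wrc in _children(sc, "web-resource-collection"):
            constraints.append({"patterns": _texts(wrc, "url-pattern"),
                                "methods": _texts(wrc, "http-method"),
                                "omissions": _texts(wrc, "http-method-omission"),
                                "auth": auth})
    return constraints, deny


def uncovered_methods(constraints, pattern):
    """Servlet 3.1 13.8.4: once a collection for a pattern names methods (http-method
    or http-method-omission), every method no collection for that pattern covers is
    uncovered; a collection naming no methods covers them all."""
    universe = set(STANDARD_METHODS).union(*(c["methods"] | c["omissions"] for c in constraints))
    covered, qualified = set(), False
    for c in constraints:
        if pattern not in c["patterns"]:
            continue
        if not c["methods"] and not c["omissions"]:
            return set()
        qualified = True
        covered |= c["methods"] or universe - c["omissions"]
    return universe - covered if qualified else set()


def decision(constraints, deny_uncovered, pattern, method):
    """'excluded', 'unchecked' or a frozenset of roles. Combination per 13.8.1: an
    empty auth-constraint precludes everyone, else a missing one lets everyone in,
    else roles are unioned. An uncovered method is unchecked (what the WARNING
    flags) unless deny-uncovered-http-methods makes it excluded. Assumption: only
    constraints on the matched pattern itself count, as JACC's qualified patterns ensure."""
    applying = [c for c in constraints if pattern in c["patterns"] and (
        not (c["methods"] or c["omissions"]) or method in c["methods"]
        or (c["omissions"] and method not in c["omissions"]))]
    if not applying:
        uncovered = method in uncovered_methods(constraints, pattern)
        return "excluded" if deny_uncovered and uncovered else "unchecked"
    auths = [c["auth"] for c in applying]
    if any(a is not None and not a for a in auths):
        return "excluded"
    return "unchecked" if None in auths else frozenset().union(*auths)


def report(web_xml):
    """One line per pattern with uncovered methods, echoing the JACC log lines."""
    constraints, deny = parse_constraints(web_xml)
    verb = "have been excluded" if deny else "were uncovered"
    lines = []
    for pattern in sorted({p for c in constraints for p in c["patterns"]}):
        unc = uncovered_methods(constraints, pattern)
        if unc:
            lines.append(f"For the URL pattern {pattern}, these methods {verb}: " + ", ".join(sorted(unc)))
    return lines


PUBLIC = ("<url-pattern>/theme/com/*</url-pattern><url-pattern>/theme/org/*</url-pattern>"
          "<url-pattern>/resource/*</url-pattern><url-pattern>/theme/META-INF/*</url-pattern>")

# Hypothetical extra constraint: every method except GET on the public patterns is
# precluded for everyone (empty auth-constraint), so nothing stays uncovered.
GET_ONLY_FIX = ("<security-constraint><web-resource-collection>"
                "<web-resource-name>public-get-only</web-resource-name>" + PUBLIC +
                "<http-method-omission>GET</http-method-omission>"
                "</web-resource-collection><auth-constraint/></security-constraint>")


def admingui_web_xml(deny_uncovered=False, with_fix=False):
    """Constructed web.xml modelled on the fragments posted in this issue."""
    return ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
            + ("<deny-uncovered-http-methods/>" if deny_uncovered else "")
            + "<security-constraint><web-resource-collection>"
            "<web-resource-name>protected</web-resource-name><url-pattern>/*</url-pattern>"
            "</web-resource-collection><auth-constraint><role-name>admin</role-name>"
            "</auth-constraint></security-constraint>"
            "<security-constraint><web-resource-collection>"
            "<web-resource-name>public</web-resource-name>" + PUBLIC +
            "<http-method>GET</http-method></web-resource-collection></security-constraint>"
            + (GET_ONLY_FIX if with_fix else "") + "</web-app>")


if __name__ == "__main__":
    for kw in ({}, {"deny_uncovered": True}, {"with_fix": True}):
        c, d = parse_constraints(admingui_web_xml(**kw))
        print(kw, report(admingui_web_xml(**kw)), decision(c, d, "/theme/com/*", "POST"))
```

Run as-is, the original file reports the four public patterns with everything but GET uncovered and POST on /theme/com/* comes out "unchecked" (anyone may use it), which is the exposure the WARNING is about; with <deny-uncovered-http-methods/> the same patterns are reported as excluded, matching the INFO lines; with the extra GET-only constraint nothing is uncovered, so there is no line to log, and POST is still excluded for everyone including admin.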

          People

          • Assignee: Anissa Lam
          • Reporter: Anissa Lam
          • Votes: 0
          • Watchers: 0