Tag Archive for 'apache'

Glassfish security vulnerability

When you deploy IT components like operating systems, application servers and web servers in a Web 2.0 hosting environment, it’s very important to have a hardened configuration before your public launch, i.e. before your web apps are reachable from the internet on HTTP ports 80 and 443. In environments without firewalls, e.g. on cheap “root servers”, you’re often online and reachable by every internet user, attackers included, right after the initial setup of your Web Stack.

IT administrators and Web 2.0 developers are always working under pressure, and there’s a lack of time to find all the security vulnerabilities in the software products used, Open Source as well as commercial products. In times where most of the attacks against Web 2.0 apps happen within the HTTP / HTTPS protocol, e.g. SQL injection, Cross Site Scripting and so on, it’s important that the installation of Web Stack components is secure by default.

An example: a basic rule for a secure web configuration for over a decade has been to have directory listings switched off in web servers and app servers.

What about glassfish 2.0 and security, are there any concerns?

Back to the directory listing example.

The Glassfish default is to have directory listings on, and you have to modify

glassfish/domains/domain1/config/default-web.xml

to get a secure glassfish configuration, as also mentioned by hobione.
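The change described above, as an added example that is not taken from the post or from the Glassfish project: the relevant excerpt of default-web.xml with the default servlet’s listings parameter set to false (the surrounding file stays as shipped; the debug parameter shown is assumed to be present as in the Tomcat-derived file).

```xml
<!-- Excerpt of glassfish/domains/domain1/config/default-web.xml:
     only the entry for the default servlet, which serves static files,
     needs to change. Everything else in the file stays as shipped. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <!-- Shipped default is "true": a request for a directory without an
       index file returns a listing of its contents. Set it to "false"
       before the public launch so such requests get a 404 instead. -->
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
```

The file is read at domain startup, so restart the domain afterwards (asadmin stop-domain / start-domain) and verify by requesting a directory without an index file.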


Another thing is the default HTTP headers from glassfish. They’re too noisy by default; they’re telling everyone on the web which version of glassfish you’re using:

Server: Sun Java System Application Server 9.1

X-Powered-By:Servlet/2.5

So my suggestion for the glassfish project members is to change these defaults to secure ones, which means:

  • Directory Listing “off”
  • HTTP headers at least without any software version information

Project Webstack on YouTube

See and hear more on project Webstack, PHP, Glassfish V2 on Solaris on YouTube.


Sun Coolstack and Webstack projects

At Pixelpark, we use Solaris 10 as the main production platform for all our customers. All our web hosting customers need basic open source components like apache httpd, tomcat and mysql. Some of them are also using php, some are using mongrels, others glassfish V2 and so on. We always try to use the latest version of these components for security reasons, and, if we build high performance web sites, for performance. Today Solaris 10 U4 is offering outdated versions of apache and mysql, and no php. Only Postgresql is up to date with Solaris 10 U4 (GREAT !!). Because we often (daily..) have to install these optimized and up to date versions, we have a couple of choices: download binary distributions (like coolstack or from blastwave) or build these components on our own.

We hope that the Sun Webstack project will soon bring us precompiled, optimized and up to date apache httpd, php and mongrel versions with security relevant updates. Maybe future Solaris 10 Updates (U5) will bring newer versions of these main Web2.0 components, so that we do not have to compile, test, distribute and patch the components on our own.

Sun Java System Web Server 7.0 Update 1

Sun Java System Web Server 7.0 Update 1 is released. The main new features are:

  • Accelerator Cache
  • Performance and stability improvements
  • Out-of-box Java support for Servlets 2.5, JSP 2.1, JSF 1.2
  • Support for Java SE 5.0 and 6
  • Support for NetBeans IDE 5.0, 5.5, and 5.5.1
  • Administration interface support for FastCGI

More in the Release Notes; you can download it here.

Solaris Express Developer Edition 5/07

Solaris Express Developer Edition 5/07 is available now, and there are a lot of new features and packages within this distribution.

A couple of the interesting ones:

  • Glassfish Application Server (have to check the version)
  • Sun Studio 12
  • PostgreSQL 8.2.4
  • Apache 2.2.3 (have to check if mod_ldap is already compiled…)
  • and many more…

Full details are in the what’s new PDF.

Hope to have these packages in Solaris 10 for production, soon. With Solaris 10, we’re still on apache 2.0.x..
Tomcat and mysql bundled with Solaris 10 are also quite a bit too old for the web2.0 projects we have in production today.

Currently, I can’t find any VMware images to download, only the usual setup DVD download.

glassfish in production

Running a J2EE application server like glassfish in production brings a lot of additional work after installation. While a simple installation for developers is easy, it seems not so easy today to bring glassfish into production. From my point of view, there are at least the following things to do for a production installation:

  • Add a new user and group (e.g. glassfish) to /etc/passwd and /etc/group
  • install latest jdk
  • install glassfish
  • setup and install start/stop scripts (smf on Solaris10)
  • install glassfish apache 2.2 ajp integration (example1 example2 example3)
  • configure glassfish logfile rotation
  • tune glassfish because default settings are not suitable for production (a lot of parameters!)
  • harden glassfish because default security settings are not strong and secure enough
  • deploy jdbc configuration (jars + settings)
  • write scripts to integrate glassfish in your monitoring framework
  • write scripts to integrate glassfish in your deployment framework (e.g. Sun N1 SPS)
  • and of course, this list is not complete

Nowadays, we have at least three (virtual) servers for each customer project: one for development, one for test and one for production. This means installing and modifying glassfish at least three times. But often we also have hardware based load balancing in projects, which means having at least two strings of glassfish for dev/test/prod, or six installations altogether!

Looking at the new glassfish V2 feature called application server usage profiles shows that the three offered profiles (“developer”, “cluster”, “enterprise”) still lack real production settings. A simple “production” or “production-cluster” profile would be nice. The production profiles should have tuned values (at least the parameters mentioned in the Sun Java System Application Server 9.1 Performance Tuning Guide beginning on page 50), which would make it easier for admins to set up glassfish. The mentioned enterprise profile might not be the best for high traffic web 2.0 production web sites.

How do we do this job with other app servers? For a couple of customers, we’re using the Bea Weblogic Application Server, and we’re using the Sun N1 SPS Bea Weblogic module to install and configure Weblogic. N1 SPS also uses the possibility to run the WebLogic Scripting Tool (WLST), which is a BEA tool for scripting the configuration of BEA WebLogic. WLST is a command-line scripting interface to monitor and manage BEA WebLogic Server instances and domains. The WLST scripting environment is based on the Java scripting interpreter, Jython.

Something like this (GFST) would be cool to have for glassfish, too.

glassfish and apache

Running a web server in front of a java application server makes sense in almost all production scenarios where end users from the internet connect directly to your site. The web server offers you many more configuration, security and performance features than the integrated http connector of any java application server. Software developers sometimes argue that it should work without one (and of course it does). But if you want to speed up your website and tune your web layer with optimizing settings like cache-control headers, turning off ETags and so on, a java application server doesn’t allow you to modify these settings.

Therefore, web servers like apache httpd are running in front of the application server, and you can configure almost everything you want with apache httpd and apache modules. The connections from apache to the java application server (cluster) are configured through additional apache modules. Commercial vendors like BEA offer you apache modules to connect to Weblogic. For Tomcat we saw a lot of different modules over the last years: mod_jk, mod_webapp, mod_jk2 and the return of mod_jk. With apache 2.2, there’s a built-in module called mod_proxy_ajp. The connection from apache to tomcat with mod_jk or mod_proxy_ajp uses the AJP protocol, which is a binary protocol and faster than http. Before apache 2.2 and its mod_proxy_ajp module, some people used mod_proxy as a reverse proxy from apache to tomcat. This might be good for small web sites, and if you do not need to pass additional information to your app server.

Now to glassfish. Currently, glassfish V1 and V2 ship only with an http connector module. There’s no apache httpd mod_glassfish or something like that. You can connect with httpd’s mod_proxy_reverse.

But according to some blog entries from Jean-Francois Arcand and Amy Roh, it’s possible to extend glassfish with the libs (tomcat-ajp.jar, modeler-1.1.jar, commons-logging-1.0.4.jar) from tomcat and tweak some config files.
But stop. Are there different versions of these jars? Which jar version fits which glassfish version?

Some people have already blogged about their problems extending glassfish with the AJP protocol.

Why does the glassfish distribution currently not bundle the AJP libs and the missing settings in the config files?

In my opinion, it is very, very important for the future success of glassfish to offer built-in connectors to apache (with AJP), to Sun JES Web Server (an NSAPI module?) and to MS IIS. These connectors should be well documented and easy to configure for admins and developers.
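The front-end setup described in this post, as an added httpd.conf example for Apache 2.2 (not taken from the post or from any of the projects mentioned): Tomcat is reached over AJP with the built-in mod_proxy_ajp, GlassFish V2, which only has an http connector, over a plain reverse proxy, and the web layer strips version-disclosing headers and handles ETags and cache-control. The addresses, ports and context paths are assumptions.

```apache
# Apache 2.2 front-end in front of Tomcat (AJP) and GlassFish V2 (HTTP).
# Assumed backends: Tomcat AJP connector on 127.0.0.1:8009,
# GlassFish http-listener on 127.0.0.1:8080. Paths are examples.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so
LoadModule expires_module    modules/mod_expires.so

# Hide the httpd version in the Server header and on generated error pages
ServerTokens Prod
ServerSignature Off

# Reverse proxy only: never act as an open forward proxy for clients
ProxyRequests Off
ProxyPreserveHost On

# Tomcat via the binary AJP protocol (mod_proxy_ajp ships with 2.2)
ProxyPass        /shop/ ajp://127.0.0.1:8009/shop/
ProxyPassReverse /shop/ ajp://127.0.0.1:8009/shop/

# GlassFish V2 has no AJP connector out of the box, so it is reached
# as a plain HTTP reverse proxy through mod_proxy_http
ProxyPass        /app/ http://127.0.0.1:8080/app/
ProxyPassReverse /app/ http://127.0.0.1:8080/app/

# Drop the header the app server adds (e.g. "X-Powered-By: Servlet/2.5");
# httpd replaces the backend's Server header with its own, which
# ServerTokens Prod above has already reduced to "Apache"
Header unset X-Powered-By

# Web-layer tuning the app server's own connector does not offer:
# no ETags (httpd's own or the backend's), explicit cache lifetimes
FileETag None
Header unset ETag
<LocationMatch "\.(css|js|png|gif|jpg)$">
    ExpiresActive On
    ExpiresDefault "access plus 1 week"
    Header set Cache-Control "public, max-age=604800"
</LocationMatch>
```

Check the result from outside with a plain HTTP client before launch: the Server header should read only "Apache", and X-Powered-By and ETag should be absent.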

OpenSolaris Webstack

There’s a new OpenSolaris project called Web Stack which is based on the Cool Stack project. Today, OpenSolaris and Solaris are bundled with some web tier components like apache, mysql and postgresql, but in Solaris 10 with rather outdated versions. Things like php and rails are missing from Solaris 10. Sun also offers the Sun CoolThreads Optimized Open Source Software Stack (Cool Stack), but currently there is no information whether Sun will release security patches for these packages. Because of this, I would not use coolstack in production.

It would be great to have up-to-date versions of apache, php, mysql and so on pre-installed in /usr/sfw/ with each Solaris installation, as we know it from common Linux distros. This could be an important improvement for Solaris in the future.

I hope the web stack project helps to improve Solaris and makes it Web2.0 ready.

Cooltools for Coolthreads are Coolstack

There’s a new software collection called Coolstack, offered by Sun, with Open Source software compiled with Sun Studio 11 and optimized for the Solaris/Ultrasparc platform.

Currently, there are Sun packages with Apache HTTP Server 2.0.58, MySQL 5.0.22, PHP 5.1.4, Perl 5.8.8 and Squid 2.5.STABLE14 Web Proxy Cache. The Software installs to /usr/local/ .

Within each package there’s a README file which shows you what options have been used to compile the package.
This could be a good starting point if you want to compile your own binaries with Sun Studio 11.

I hope that Sun will in future also compile the Open Source packages already included in Solaris 10, like apache, mysql and perl, with these options. And maybe Sun will also put PHP into the supported Solaris distro in the future, like all Linux vendors do.

Migrating from Apache Tomcat to Sun Java System Web Server 7.0

There’s a very interesting article on the Sun Developer Network about the migration of webapps (servlets, jsp) from tomcat to Sun Java System Web Server 7.0. Sun Java System Web Server includes a J2EE engine which is based on Glassfish, has out-of-the-box support for J2EE 1.4 web tier technologies including Servlet 2.4, JSP 2.0, JSF 1.1 and JSTL 1.1, and integrates JWSDP 2.0.