cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: JAX-RS returns header Date twice
Date Tue, 30 Aug 2016 12:28:02 GMT
Hi Allan

I would not be too concerned about Server being a standard header - it 
serves a purely informative purpose anyway, so if dropping it can improve 
something for the server then it is worth it :-)

Cheers, Sergey
On 30/08/16 04:25, Allan C. wrote:
> Hi Sergey,
>
> I've tested the setup you mentioned, cxf-jetty for the sendServerVersion
> parameter. It is working as expected, thus I believe, for my case that runs
> on Karaf, the parameter needs to be made available on the pax-web
> module.
>
> But after reading through a bit here and there, I realized the Server
> header is actually a standard that is expected from an HTTP service. Thus,
> I've decided to let it be.
>
> My initial intention to hide the Server header was to obfuscate what Server
> I am using for potential attackers. I don't know how much it would deter
> attackers. It might not be a good strategy, but not sure what else I can
> sort of improve on security wise.
>
> Regards,
> Allan C.
>
> On Mon, Jul 18, 2016 at 6:14 PM, Allan C. <allancth@gmail.com> wrote:
>
>> Noted. Will get you posted.
>>
>> Regards,
>> Allan C.
>>
>> On Mon, Jul 18, 2016 at 5:21 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>
>>> Hi
>>>
>>> It is confusing indeed. Perhaps, in Karaf, it is only jetty.xml that can
>>> be used to turn off sending Server headers, or may be jetty.xml default
>>> values override whatever is set in httpj.
>>> Please experiment if you get a chance with a standalone CXF Jetty
>>> endpoint outside of Karaf to see if httpj sendServerVersion can be made
>>> effective.
>>>
>>> Cheers, Sergey
>>>
>>>
>>> On 18/07/16 11:56, Allan C. wrote:
>>>
>>>> I see. I am using an absolute HTTP address.
>>>>
>>>> I am confused because if it is an SSL 443 port, the
>>>> "httpj:tlsServerParameters" configuration seems to be working so I
>>>> thought it is using the httpj configuration.
>>>>
>>>> Regards,
>>>> Allan C.
>>>>
>>>> On Mon, Jul 18, 2016 at 3:58 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> AFAIK the below configuration is only applicable if you use an absolute
>>>>> HTTP address in which case an embedded/standalone Jetty instance is
>>>>> created, if you use a relative address then it is a servlet bound to
>>>>> Jetty-powered HTTP service and hence jetty.xml is effective
>>>>>
>>>>> Cheers, Sergey
>>>>> On 18/07/16 10:39, Allan C. wrote:
>>>>>
>>>>>> Hi Sergey,
>>>>>>
>>>>>> I did another test running just jetty9 (configured using jetty.xml) and
>>>>>> fiddled with both sendServerVersion and sendDateHeader parameters. It
>>>>>> seems to be working as expected.
>>>>>>
>>>>>> When I use CXF JAXRS server, the parameter seems to be ignored. Here
>>>>>> is my CXF jetty configuration part.
>>>>>>       <httpj:engine-factory id="httpjEngine">
>>>>>>           <httpj:engine port="80" sendServerVersion="false">
>>>>>>               <httpj:threadingParameters minThreads="8" maxThreads="16" />
>>>>>>           </httpj:engine>
>>>>>>       </httpj:engine-factory>
>>>>>>
>>>>>> Could you maybe give me a hint on which class/jar I should most
>>>>>> probably look into in more detail?
>>>>>>
>>>>> JettyHTTPServerEngineConfigType in cxf-rt-transports-http-jetty, but as I
>>>>> said it is probably not used
>>>>>
>>>>> Cheers, Sergey
>>>>>
>>>>>
>>>>>> Regards,
>>>>>> Allan C.
>>>>>>
>>>>>> On Mon, Jul 18, 2016 at 3:00 PM, Allan C. <allancth@gmail.com> wrote:
>>>>>>
>>>>>>> Noted. Thanks for the info!
>>>>>>>
>>>>>>> Regards,
>>>>>>> Allan C.
>>>>>>>
>>>>>>> On Mon, Jul 18, 2016 at 2:35 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> On 18/07/16 05:58, Allan C. wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have a jax-rs server configured up and running in a blueprint
>>>>>>>>> container. All good except a couple of minor tweaks left.
>>>>>>>>>
>>>>>>>>> When I test the service, the HTTP header "Date" appears twice. For
>>>>>>>>> instance:
>>>>>>>>>
>>>>>>>>> HTTP/1.1 401 Unauthorized
>>>>>>>>> Date: Mon, 18 Jul 2016 02:50:09 GMT
>>>>>>>>> Date: Mon, 18 Jul 2016 02:50:09 GMT
>>>>>>>>>
>>>>>>>> As it happens I've been looking into this issue last week. It only
>>>>>>>> happens on Jetty (not on Tomcat) - with Jetty ignoring the fact the
>>>>>>>> higher-level application sets Date (JAX-RS runtime must set Date) and
>>>>>>>> setting its own Date.
>>>>>>>>
>>>>>>>> However, CXF uses HttpServletResponse.addHeader(). This is usually
>>>>>>>> needed when a header has multiple values but otherwise
>>>>>>>> HttpServletResponse.setHeader() is fine - making this minor update
>>>>>>>> fixed a duplicate Date header issue on Jetty, CXF 3.1.7 will have
>>>>>>>> it all sorted.
>>>>>>>>
>>>>>>>>> Content-Length: 0
>>>>>>>>> Server: Jetty(9.2.15.v20160210)
>>>>>>>>>
>>>>>>>>> Another is although I've set "sendServerVersion="false", it still
>>>>>>>>> returns the "Server" header. Any ideas what I've missed? Appreciate
>>>>>>>>> your response.
>>>>>>>>>
>>>>>>>> Not sure, but it is entirely a Jetty configuration issue
>>>>>>>>
>>>>>>>> Cheers, Sergey
>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Allan C.
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>> --
>>>>> Sergey Beryozkin
>>>>>
>>>>> Talend Community Coders
>>>>> http://coders.talend.com/
>>>>>
>>>>>
>>>>
>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>>
>>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
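As an added example (not code from this thread, CXF or Jetty), a small Python check a practitioner can run over a captured response head, such as the one Allan quoted above, to flag both problems the thread discusses: a singleton header like Date written twice, and a Server header that discloses a product version. The singleton-header list and the sample response below are constructed here.

```python
"""Inspect a raw HTTP response head for the two issues raised in the thread:
a singleton header such as Date written twice (Jetty adds its own Date when
the application used addHeader() for it) and a Server header that discloses
a product version. Added example; not CXF or Jetty code."""
import re

# Headers that RFC 7230/7231 define as single-valued; seeing one twice means
# the framework and the container both wrote it.
SINGLETON_HEADERS = {
    "date", "content-length", "content-type", "server", "location",
    "last-modified", "etag", "expires", "retry-after", "content-location",
}

def parse_response_head(raw):
    """Return (status_line, [(name, value), ...]) from a raw response head.
    Duplicates are preserved and names keep their original case."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status_line, headers = lines[0], []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers

def find_header_issues(raw):
    """Return a list of findings (empty when the head looks clean)."""
    _, headers = parse_response_head(raw)
    counts = {}
    for name, _ in headers:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    findings = []
    for name in sorted(counts):
        if counts[name] > 1 and name in SINGLETON_HEADERS:
            findings.append("duplicate singleton header: %s x%d" % (name, counts[name]))
    for name, value in headers:
        # Product token carrying a version, e.g. Jetty(9.2.15.v20160210)
        if name.lower() == "server" and re.search(r"\d+\.\d+", value):
            findings.append("server header discloses version: %s" % value)
    return findings

# Constructed sample, copied from the response quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Date: Mon, 18 Jul 2016 02:50:09 GMT\r\n"
    "Date: Mon, 18 Jul 2016 02:50:09 GMT\r\n"
    "Content-Length: 0\r\n"
    "Server: Jetty(9.2.15.v20160210)\r\n\r\n"
)
```

Running `find_header_issues(SAMPLE_RESPONSE)` reports the duplicate Date and the versioned Server banner; the same function returns an empty list once setHeader() is used for Date and sendServerVersion is effective.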
