
3 small questions about web container

Anonymous

Hi all,

I have 3 small questions. Ok, maybe the middle one is a medium question.

1)
In this line from our server log, what does the "ABC/ABC" context
mean? Our application is called ABC (hypothetically), but it's
deployed at / so am curious about the format of the context.

[#|2012-06-14T00:42:32.624-0700|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=32;_ThreadName=Thread-2;|JACC
Policy Provider:Failed Permission Check: context ("
PPCDConsole/PPCDConsole ") , permission ("
(javax.security.jacc.WebUserDataPermission
/nice%20ports%2C/Tri%6Eity.txt%2ebak GET) ") |#]

Yes, we're protecting /* with
CONFIDENTIAL, thus the
message.

2)
The above request is one of hundreds or thousands that are obviously
intrusion attempts. If I detect these, is there any way at the
container level to block requests from the IP address (obtained
through HttpServletRequest#getRemoteAddr), or would I have to do that
manually at the servlet/filter/etc level? I know that doesn't do much
for security, but it could cut down on the noise in the logs.

3)
Want me to file a bug for the following? It's in the log right after
the above entry.

[#|2012-06-14T00:42:32.624-0700|SEVERE|glassfish3.1.2|org.apache.catalina.connector.CoyoteAdapter|_ThreadID=32;_ThreadName=Thread-2;|PWC3989:
An exception or error occurred in the container during the request
processing
java.util.MissingResourceException: Can't find resource for bundle
java.util.PropertyResourceBundle, key missing_http_header.host
at java.util.ResourceBundle.getObject(ResourceBundle.java:402)
at java.util.ResourceBundle.getString(ResourceBundle.java:362)
at com.sun.web.security.RealmAdapter.getHostAndPort(RealmAdapter.java:973)
at com.sun.web.security.RealmAdapter.redirect(RealmAdapter.java:1097)
at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:945)
at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:869)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:511)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:679)
|#]

Thanks,
Bobby

amyroh

Hi Bobby,

On 6/14/12 7:35 AM, Bobby Bissett wrote:
> Hi all,
>
> I have 3 small questions. Ok, maybe the middle one is a medium question.
>
> 1)
> In this line from our server log, what does the "ABC/ABC" context
> mean? Our application is called ABC (hypothetically), but it's
> deployed at / so am curious about the format of the context.
>
> [#|2012-06-14T00:42:32.624-0700|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=32;_ThreadName=Thread-2;|JACC
> Policy Provider:Failed Permission Check: context ("
> PPCDConsole/PPCDConsole ") , permission ("
> (javax.security.jacc.WebUserDataPermission
> /nice%20ports%2C/Tri%6Eity.txt%2ebak GET) ") |#]

This is expected. Context ("ABC/ABC") is calculated in
SecurityUtil.getContextID(WebBundleDescriptor wbd) using
"VersioningUtils.getRepositoryName(wbd.getApplication().getRegistrationName())
+ '/' + wbd.getUniqueFriendlyId()"

> Yes, we're protecting /* with
> CONFIDENTIAL, thus the
> message.
>
> 2)
> The above request is one of hundreds or thousands that are obviously
> intrusion attempts. If I detect these, is there any way at the
> container level to block requests from the IP address (obtained
> through HttpServletRequest#getRemoteAddr), or would I have to do that
> manually at the servlet/filter/etc level? I know that doesn't do much
> for security, but it could cut down on the noise in the logs.

You can use RemoteAddrValve/RemoteHostValve at the container level using
either global or virtual-server level context.xml. See
http://docs.oracle.com/cd/E18930_01/html/821-2418/beaft.html#geurd. An
example can be found in $APS_HOME/devtests/web/contextXmlRemoteHostValve.
>
> 3)
> Want me to file a bug for the following? It's in the log right after
> the above entry.

Yes.
>
> [#|2012-06-14T00:42:32.624-0700|SEVERE|glassfish3.1.2|org.apache.catalina.connector.CoyoteAdapter|_ThreadID=32;_ThreadName=Thread-2;|PWC3989:
> An exception or error occurred in the container during the request
> processing
> java.util.MissingResourceException: Can't find resource for bundle
> java.util.PropertyResourceBundle, key missing_http_header.host
> at java.util.ResourceBundle.getObject(ResourceBundle.java:402)
> at java.util.ResourceBundle.getString(ResourceBundle.java:362)
> at com.sun.web.security.RealmAdapter.getHostAndPort(RealmAdapter.java:973)
> at com.sun.web.security.RealmAdapter.redirect(RealmAdapter.java:1097)
> at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:945)
> at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:869)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:511)
> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
> at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
> at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
> at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
> at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
> at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
> at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
> at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
> at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
> at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
> at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
> at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
> at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
> at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
> at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
> at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
> at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
> at java.lang.Thread.run(Thread.java:679)
> |#]
>
> Thanks,
> Bobby

Bobby Bissett

Hi all,

Sorry for the delay, but thanks everyone on and off list for your
answers about this.

I filed http://java.net/jira/browse/GLASSFISH-18985 for the missing
resource issue. Again, sorry it took me so long to get to it!

Cheers,
Bobby

On Thu, Jun 14, 2012 at 4:28 PM, Amy Roh wrote:
> Hi Bobby,
>
>
> On 6/14/12 7:35 AM, Bobby Bissett wrote:
>>
>> Hi all,
>>
>> I have 3 small questions. Ok, maybe the middle one is a medium question.
>>
>> 1)
>> In this line from our server log, what does the "ABC/ABC" context
>> mean? Our application is called ABC (hypothetically), but it's
>> deployed at / so am curious about the format of the context.
>>
>>
>> [#|2012-06-14T00:42:32.624-0700|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=32;_ThreadName=Thread-2;|JACC
>> Policy Provider:Failed Permission Check: context ("
>> PPCDConsole/PPCDConsole ") , permission ("
>> (javax.security.jacc.WebUserDataPermission
>> /nice%20ports%2C/Tri%6Eity.txt%2ebak GET) ") |#]
>
>
> This is expected. Context ("ABC/ABC") is calculated in
> SecurityUtil.getContextID(WebBundleDescriptor wbd) using
> "VersioningUtils.getRepositoryName(wbd.getApplication().getRegistrationName())
> + '/' + wbd.getUniqueFriendlyId()"
>
>
>> Yes, we're protecting /* with
>> CONFIDENTIAL, thus the
>> message.
>>
>> 2)
>> The above request is one of hundreds or thousands that are obviously
>> intrusion attempts. If I detect these, is there any way at the
>> container level to block requests from the IP address (obtained
>> through HttpServletRequest#getRemoteAddr), or would I have to do that
>> manually at the servlet/filter/etc level? I know that doesn't do much
>> for security, but it could cut down on the noise in the logs.
>
>
> You can use RemoteAddrValve/RemoteHostValve at the container level using
> either global or virtual-server level context.xml. See
> http://docs.oracle.com/cd/E18930_01/html/821-2418/beaft.html#geurd. An
> example can be found in $APS_HOME/devtests/web/contextXmlRemoteHostValve.
>
>>
>> 3)
>> Want me to file a bug for the following? It's in the log right after
>> the above entry.
>
>
> Yes.
>
>>
>>
>> [#|2012-06-14T00:42:32.624-0700|SEVERE|glassfish3.1.2|org.apache.catalina.connector.CoyoteAdapter|_ThreadID=32;_ThreadName=Thread-2;|PWC3989:
>> An exception or error occurred in the container during the request
>> processing
>> java.util.MissingResourceException: Can't find resource for bundle
>> java.util.PropertyResourceBundle, key missing_http_header.host
>> at java.util.ResourceBundle.getObject(ResourceBundle.java:402)
>> at java.util.ResourceBundle.getString(ResourceBundle.java:362)
>> at com.sun.web.security.RealmAdapter.getHostAndPort(RealmAdapter.java:973)
>> at com.sun.web.security.RealmAdapter.redirect(RealmAdapter.java:1097)
>> at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:945)
>> at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:869)
>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:511)
>> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
>> at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
>> at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
>> at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
>> at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
>> at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
>> at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
>> at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
>> at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
>> at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
>> at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
>> at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
>> at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
>> at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
>> at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
>> at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
>> at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
>> at java.lang.Thread.run(Thread.java:679)
>> |#]
>>
>> Thanks,
>> Bobby
>
>
>

swchan2

On 6/14/12 7:35 AM, Bobby Bissett wrote:
> Hi all,
>
> I have 3 small questions. Ok, maybe the middle one is a medium question.
>
> 1)
> In this line from our server log, what does the "ABC/ABC" context
> mean? Our application is called ABC (hypothetically), but it's
> deployed at / so am curious about the format of the context.

According to my understanding, it is /.

>
> [#|2012-06-14T00:42:32.624-0700|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=32;_ThreadName=Thread-2;|JACC
> Policy Provider:Failed Permission Check: context ("
> PPCDConsole/PPCDConsole ") , permission ("
> (javax.security.jacc.WebUserDataPermission
> /nice%20ports%2C/Tri%6Eity.txt%2ebak GET) ") |#]
>
> Yes, we're protecting /* with
> CONFIDENTIAL, thus the
> message.
>
> 2)
> The above request is one of hundreds or thousands that are obviously
> intrusion attempts. If I detect these, is there any way at the
> container level to block requests from the IP address (obtained
> through HttpServletRequest#getRemoteAddr), or would I have to do that
> manually at the servlet/filter/etc level? I know that doesn't do much
> for security, but it could cut down on the noise in the logs.

You can try to use RemoteAddrValve.

>
> 3)
> Want me to file a bug for the following? It's in the log right after
> the above entry.
>
> [#|2012-06-14T00:42:32.624-0700|SEVERE|glassfish3.1.2|org.apache.catalina.connector.CoyoteAdapter|_ThreadID=32;_ThreadName=Thread-2;|PWC3989:
> An exception or error occurred in the container during the request
> processing
> java.util.MissingResourceException: Can't find resource for bundle
> java.util.PropertyResourceBundle, key missing_http_header.host
> at java.util.ResourceBundle.getObject(ResourceBundle.java:402)
> at java.util.ResourceBundle.getString(ResourceBundle.java:362)
> at com.sun.web.security.RealmAdapter.getHostAndPort(RealmAdapter.java:973)
> at com.sun.web.security.RealmAdapter.redirect(RealmAdapter.java:1097)
> at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:945)
> at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:869)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:511)
> at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
> at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
> at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
> at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
> at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
> at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
> at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
> at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
> at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
> at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
> at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
> at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
> at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
> at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
> at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
> at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
> at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
> at java.lang.Thread.run(Thread.java:679)
> |#]

File an issue to security.

>
> Thanks,
> Bobby
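
An added example, not part of the original posts: a parser for the multi-line [#|...|#] server.log records quoted in this thread. It extracts the JACC failed permission checks, decodes the percent-encoded request path, and flags each check that is immediately followed by a SEVERE record on the same thread and timestamp, as in the pair Bobby posted. The sample log is constructed from those entries, and the function names are illustrative.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the records quoted in the thread (trace shortened).
SAMPLE_LOG = """\
[#|2012-06-14T00:42:32.624-0700|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=32;_ThreadName=Thread-2;|JACC
Policy Provider:Failed Permission Check: context ("
ABC/ABC ") , permission ("
(javax.security.jacc.WebUserDataPermission
/nice%20ports%2C/Tri%6Eity.txt%2ebak GET) ") |#]
[#|2012-06-14T00:42:32.624-0700|SEVERE|glassfish3.1.2|org.apache.catalina.connector.CoyoteAdapter|_ThreadID=32;_ThreadName=Thread-2;|PWC3989:
An exception or error occurred in the container during the request
processing
java.util.MissingResourceException: Can't find resource for bundle
java.util.PropertyResourceBundle, key missing_http_header.host
|#]
[#|2012-06-14T00:43:01.100-0700|INFO|glassfish3.1.2|javax.enterprise.system.core.security|_ThreadID=33;_ThreadName=Thread-2;|JACC
Policy Provider:Failed Permission Check: context ("
ABC/ABC ") , permission ("
(javax.security.jacc.WebUserDataPermission
/index.html GET) ") |#]
"""

RECORD = re.compile(r"\[#\|(.*?)\|#\]", re.S)           # one record, may span lines
PERM = re.compile(r"WebUserDataPermission\s+(\S+)\s+(\w+)\)")

def parse_records(text):
    """Split the log into records; whitespace in the message is collapsed."""
    out = []
    for body in RECORD.findall(text):
        ts, level, _product, logger, thread, msg = body.split("|", 5)
        out.append({"ts": ts, "level": level, "logger": logger,
                    "thread": thread, "msg": " ".join(msg.split())})
    return out

def failed_checks(records):
    """List failed JACC checks with decoded path and a container-error flag."""
    hits = []
    for i, r in enumerate(records):
        m = PERM.search(r["msg"]) if "Failed Permission Check" in r["msg"] else None
        if not m:
            continue
        nxt = records[i + 1] if i + 1 < len(records) else None
        severe = bool(nxt and nxt["level"] == "SEVERE"
                      and (nxt["ts"], nxt["thread"]) == (r["ts"], r["thread"]))
        hits.append({"ts": r["ts"], "method": m.group(2),
                     "path": unquote(m.group(1)), "container_error": severe})
    return hits
```

These records carry no client address, so matching a flagged request to an IP for a RemoteAddrValve rule needs a second source such as the HTTP access log.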