Customized error pages for Glassfish V3

There are 2 main reason you want to create custom-made error pages to catch 404 (and others).

Default 404 Error Page

1. It is more professional to catch an error and guide the user either back to a start page or some kind of error handling (appearing as part of you application and not some default Glassfish page which leaves him pretty much nowhere).
2. You dont reveal any information about the application server and remove the most basic information for any hacker: What server software is running on this host ?

In Glassfish we can make use of 2 levels of error handling. At a global level, for the complete domain, and the application level. The application level error handling overrides the global handling. You can create a 404 error page that leads the user back to the application index and at the global level you create a message that does NOT contain a link to an application (entering a wrong context will show you there is no such application, but dont give you a hint where else to go!)

How to do it ?

Application Level

• Create a webpage in your web folder (eg. 404.html) with your application design template and add a link to the index page if necessary.
• Open the web.xml and add
  

  ...
   <error-page>
   <error-code>404</error-code>
   <location>/404.html</location>
   </error-page>
  </web-app>
  

• or use the assistant in Netbeans
  
  

  web.xml in Netbeans

Glassfish Global Level

• Open you admin console and add a new property
  send-error_1
  code=404 path=/tmp/404.html reason=Resource_not_found
  better: code=404 path=${com.sun.aas.instanceRoot}/docroot/404.html reason=Resource_not_found
  
  

  Glassfish Console

   

• or execute asadmin
  asadmin set server.http-service.virtual-server.server.property.send-error_1=”code=404 path=/tmp/404.html reason=Resource_not_found”
  
• or do it manually in the domain.xml
  

  ...
   <config name="server-config">
   <http-service>
   <access-log />
   <virtual-server id="server" network-listeners="http-listener-2,http-listener-1">
   <property name="send-error_1" value="code=404 path=/tmp/404.html reason=Resource_not_found" />
   </virtual-server>
   <virtual-server id="__asadmin" network-listeners="admin-listener" />
   </http-service>
  ...
  

• Remark: You should place the code=xxx in front the property string (like above sample). There are some forum threads and tutorials putting it at the end (which does not work for me).

Android Market Spam

I totally DO NOT favor Apple’s strategy with their censorship style 110% control of application and content that runs on their proprietary devices like iPad and iPhone ! But it seems with the Android market we are approaching the other end, total freedom and no control which opens eventually the floodgates for spam, trash applications or trojan horses. Here one sample, I observe some trashy girls pics applications showing up regularly in the Software Library section, obviously the guy keep on re-submitting into application areas with little traffic. Its not one but dozens of them, soon there will be so much of this stuff. And can you explain to me why an application that does nothing but showing pictures need to have access to your location, phone calls and Internet connection ?

Android Market Trash

PIcture Display with lots of access rights

New Book on Glassfish Security available

Getting involved more into security requirements of real life production setups running Glassfish, I searched  the web for this topic. So far there was no book available focusing on security concerns, this just changed a few days ago..
I just get my hands on the new book by Masoud Kalali, Glassfish Security by Packt Publishing. Find more info here. Just started reviewing it, will update you soon.

Getting started with Glassfish V3 and SSL

At some stage developing web applications (operating outside you fix lan-wired, “secure” in-house network), your customer will hit you asking “How secure is my data ? Can I access the system via https and get the golden lock ?”. You will quickly answer “No problem ! We use Glassfish” (just because you remember vaguely seeing some https settings in the GF admin tool). It is indeed not that hard to get started but if you are not an security expert and not joggling certificates around, it might take you a while to get your web application running with the golden lock. I will summarize the steps in this tutorial to setup a Glassfish V3 domain running with https.  Please feel free to comment and feedback, I am not an security expert either (…yet).

Used for this tutorial:

• Glassfish V3
• Java keytool
• Free 90 days SSL certificate from Comodo (link)

Pre-Requirements:

• A  server with an IP address and/or domain (www.somedomain.com). We need to be the owner of the domain (or at least the technical contact, more on that later)
• Basic knowledge of navigating around the Glassfish admin tool

Remarks:

• There are dozens of providers that sell you SSL certificates from 30 to 2000 U$ a year. Companies like Verisign, Thawte and Comodo being the more known ones. I cant give a recommendation nor judge the individual companies.
  Find a list of providers here http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities
• We (as in ‘user’) use security in the web on a daily base (you do online banking, right ?), but trying to understand and appreciate the underlying protocols and technologies throws a steep learning curve at us ! If you want to get started a few helpful links (in case you want to have some clue while talking to a customer):
  • http://en.wikipedia.org/wiki/HTTP_Secure
  • http://en.wikipedia.org/wiki/Transport_Layer_Security
  • http://en.wikipedia.org/wiki/Certificate_authority
  • http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/index.html
• I recommend doing this tutorial with a test setup, not a productive environment.
• The tutorial shall help you get running, I do not attempt to explain all the details, you can refer to the links above and dive into any level of details you wish to. There are dozens of options, parameters and settings, this tutorial only attempts to make it running. From there you can experiment with settings, different certificates, etc.

Continue reading →

Getting Started with Netbeans and Shiro – Part 1

Apache Shiro (formerly known as JSecurity and KI) is a security framework that handles authentication, authorization, enterprise session management and cryptography. With the move from sourceforge to Apache the GPL license turned into the Apache license. The current version is still 0.9 (still JSecurity), but you can build yourself a current version until the version is released. Shiro is NOT basd on JAAS.

Pre-Requirements for this tutorial:

• Netbeans (any newer version 6.5.1 + already installed)
• Maven (assuming most people dont use it yet)
• Shiro code base (via svn)
• Ubuntu (applies only to the installation of maven) Continue reading →

JEE5 Security

Any new project or product that is used by more than 1 user and over any kind of network needs the “TripleA” AAA features: Authorization, Authentication, Auditing. That’s a must !

I am reading about the JEE5 Security features to outline a new design, or at least I try to find some comprehensive information about it. It seems one of the most important framework services is still being largely developed handmade according to the needs of specific project requirements and no generic solution is available (I think I need to rephrase this after some more investigation). I could  not find many books or online sources with samples or easy-digestible tutorials, just to share what I found so far. JAAS is part of JRE since version 1.4 and most of the information about is a bit old (2002).

SUN
SUN JAVA SE security (link) (link)
SUN JAAS Tutorial (link)

3rd Party Security Framework (based on JAAS)
JGuard on SourceForge.net (link)
ESAPI  on OWASP (link)

Books
Free JAAS Book (link)
Software Security Technologies (covering security in Java, C, Perl)

Software Security Technologies