Posts Tagged ‘Security’

Prevent hawtio from phoning home

Hawtio is bundled in several applications as a management console. In one project we are using it with JBoss EAP 6. However, when the application server starts, hawtio attempts to update itself from GitHub:

Performing a pull in git repository .hawtio/config on remote URL:
Subsequent pull attempts will use debug logging
Failed to pull from the remote git repo with credentials null due:
407 Proxy Authentication Required. This exception is ignored.

I certainly don’t want applications in production to update themselves dynamically with unforeseen effects and neither do I want them to phone home. What to do? Fortunately it is possible to control this, see the documentation. Simply add the following Java options:


Problem solved.

Categories: Java

Handle UnauthorizedSessionRequestException on WAS 8.5.5

WebSphere 8.5.5 normally uses LTPA tokens for authentication and session cookies for tracking HTTP sessions. The two are not connected and they interact in a sometimes very frustrating way. The HTTP session expires when the user has been inactive (i.e. no requests have been received by the server) for a given time. The LTPA token on the other hand has a fixed expiration time regardless of user activity. This means that a user can be logged out while active and while still having a session. Furthermore it is tricky to handle this as any attempt to access the session for a logged out user fails with an UnauthorizedSessionRequestException, complaining that an anonymous user has attempted to access a session owned by someone else. What to do?

There is a configuration option described here and here that makes the session manager invalidate the session and return null instead. This works well as that is what web applications normally do when a user has been logged out, so it plays nicely with other security frameworks.

To enable the option, go to Servers > Server Types > WebSphere application servers > server name > Session management, find Additional Properties and select Custom Properties, then set InvalidateOnUnauthorizedSessionRequestException=true. Save the changes and restart the server. The UnauthorizedSessionRequestException is history!

Categories: Java

Docker pitfalls for Internet-facing hosts

Planning to use Docker on an unprotected Internet-facing host? If so, don’t rush it. It works, but the default installation is probably not what you want.

By default Docker sets up iptables firewall rules for connections between the host and the containers. This is how it works on Ubuntu 14.04 and CentOS 7 and it is probably true for most distributions. The last thing I want on an Internet-facing host is something messing with the firewall!

What to do? A friend at Red Hat recommends overlay networking, for example with flannel as described here for Kubernetes with Fedora. It certainly seems like a much better (safer) option.

In summary, take care and make sure to test the firewall configuration not only when things are stable, but as containers are started and stopped!
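
One way to run that test, as an added example that is not from the original post: capture `iptables-save` output before and after a container starts or stops, then compare the snapshots while ignoring packet counters. The function names, file names and the two sample rule sets are constructed for illustration.

```shell
# normalize_rules FILE -> one sorted "table: rule" line per chain or rule.
normalize_rules() {
    awk '
        /^#/ || /^COMMIT$/ { next }             # timestamps, table terminators
        /^\*/ { table = substr($0, 2); next }   # "*filter", "*nat", ...
        {
            sub(/^\[[0-9]+:[0-9]+\] /, "")      # rule counters (iptables-save -c)
            sub(/ \[[0-9]+:[0-9]+\]$/, "")      # chain policy counters
            print table ": " $0
        }' "$1" | sort
}

# rules_added BEFORE AFTER -> normalized lines present only in AFTER.
# Swap the arguments to list rules that disappeared instead.
rules_added() {
    _before=$(mktemp)
    normalize_rules "$1" > "$_before"
    normalize_rules "$2" |
        awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$_before" -
    rm -f "$_before"
}

# Constructed sample snapshots (not captured from a real host). The second one
# models the rules that appear when a container publishes port 8080.
write_samples() {
    cat > "$1/before.rules" <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:DOCKER - [0:0]
COMMIT
*filter
:INPUT DROP [3:180]
:DOCKER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$1/after.rules" <<'EOF'
*nat
:DOCKER - [0:0]
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [57:3420]
:DOCKER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}
# On a live host (as root): iptables-save > before.rules, start or stop the
# container, iptables-save > after.rules, then run rules_added on the pair.
```

Any line reported by `rules_added` that is not in your intended firewall policy is a rule to review before the host faces the Internet.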

Categories: Linux, Networking

Java EE two-factor authentication with Yubikey

Tonight I’m giving a presentation at JavaForum in Gothenburg on two-factor authentication in Java with Yubikey. The talk will introduce multi-factor authentication in general and Yubikey in particular; then it shows how to add Yubikey support to several types of Java web applications. It starts out with a simple servlet filter and proceeds with JAAS modules, a JASPIC (JSR-196) module and Apache Shiro.

More details can be found here. The code is available on GitHub.

Categories: Java