We are in the process of creating a training mode for our ColdFusion (9) sites.
The system will allow our users, after logging in, to switch from production mode to training mode by clicking on a link.
When they switch, the data-sources will be switched allowing the data to be safely modified.
We are also going to implement a test SMTP server, using the SubEthaSMTP Java project, in order to capture the emails that are sent from the training mode and display them to the user in a web page.
We can launch the SMTP server as a stand alone process or service without much trouble.
The nicer solution would be to launch server as part of the ColdFuson runtime at the point that the user switches to training mode.
We would create a true Java thread that would persist on a Server level scope for the length of any training sessions and then some arbitrary time out period. If the server times out and a new training session is initiated we would initiate a new SMTP server.
My essential question is, therefore, is it a bad idea to run an ongoing thread in the ColdFusion runtime this way?
I can't see a problem with doing this, although you ought to test to see what resources SubEthaSMTP uses and make sure it's not going to cause you issues. It looks to have minimal dependencies (essentially just SLF4J, which ColdFusion 9 & 10 already provide)
From the example page it looks to be pretty easy to set up and drop into a long-running scope. I think you're right to pick the server scope, as you may have problems using application or anything more volatile, as there'll be a situation where application scope would timeout and be reset, but you'd loose all references to the Mail Server instance.
Please update the post with your findings, as I'd be interested in seeing what you find.
Related
We are using the owasp csrf tool in our application. It is quite an old java8 / Tomcat application but this aspect has worked without a problem for a long time. We have 3 environments -
dev - local machine test
runs on remote servers as production
production
runs on remote servers
We recently changed the ip address of the test server and the OWASP protection no longer seems to trigger on this environment. I don't believe there is anything in the code base to cause this change as it still works on dev. I have checked and there is no hard coded reference to the old ip address in the code.
The token is still being injected into the form on test, and changes between initial set up and 2nd logon & submit.
The owasp_csrf.js file is still active as I put some alerts in there to check and they fire (I noticed on dev our warning message appears before the alerts so I don't think this is where the main part of the token checking is happening).
Everything seems to work as expected except the csrf check doesn't seem to fire.
So, my test is
log in and enter data into a data entry form
log out before submitting
log back in (different user, although this isn't necessary on production)
use back button to get to previous filled in form and submit
on test this allows submission (on dev and production it triggers csrf alert).
I don't think this has been tested on test for a while but but I know it as been in the past. I believe the only significant difference is the IP address change but I can't find anywhere in the code base or Tomcat configs where this looks relevant. (I've double checked the hosts files and rebooted in case any aspect of (linux) server setup had missed the ip change).
Apologies if this is a little vague but I wondered if anyone had any ideas about where the ip address may be relevant to the OWASP csrf set up ?
Production Environment: Tomcat 9 on CentOS 7 x64, mysql/mariadb 5.5x
Testing Environment: Tomcat 9 in Eclipse on Windows 7 x64, mysql 5.5x
I'm a Tomcat newbie looking for the best method to have server-wide variables readable/writable from all Webapps for things like MaintenanceMode(on/off) and MaintenanceMessage, etc.
These are the variable properties I'm looking for:
Readable/writable from all instances of all java servlets on all webapps.
Value persists after OS, Tomcat, or Webapp restart.
I must be able to change the value of it from one webapp and then all other webapps recognize the change quickly, ideally without restarting.
Ideally I wouldn't want to read the variable from disk on each server request. In case server is getting DDOSed or something.
Ideally the solution is OS independent.
If it's a disk file solution please recommend a place for me to store the file.
I'm new to Tomcat so some detail in any answers would be appreciated or links to detail. I'll probably be using a servlet on it's own 'admin' webapp that's only accessible through SSH-tunneling, etc, to set the variables. Then the public webapps would respond to any changes, like showing a maintenance message while I backup databases. I could also possibly change the variables using linux commands if needed.
If I stored the server variables in a database that could be fine but I wouldn't want to read the DB on every single request most likely, and when I change a variable I'd have to once again notify every webapp/servlet that something was changed and to re-read the DB.
Thanks for any help.
I implemented this recently in the form of "system messages", some of which are for maintenance. But the effect is the same. We had some additional "requirements" which helped us form the solution. These may or may not match up to your expectations/desires:
Multiple-server coordination
Immediate synchronization was not necessary
We used our relational database for the actual data storage. A single table with "system messages" and a few other fields such as when the messages became effective (not_before DATETIME) and when the messages became ineffective (not_after DATETIME).
On startup, the application reads the system messages table to find the currently-valid messages and stores them in application scope, including their validity dates. Whenever we want to show them on the screen, we check each item in memory and evict any that have expired. This is pretty fast.
Every X minutes (e.g. from cron), we make a request to a special servlet (on each server) that re-loads the system messages from the database. We protect that servlet by only allowing requests from certain IPs, so DOS is not an issue.
Not only can we add a system message from any server in the cluster, but we can also add one by writing directly to the database. That may be advantageous if you don't always want to use your application to generate these events.
You can change the value for X to anything as low as 1 (minute) if you are using cron. If you use some other kind of system, you can probably get updated even more often. I would seriously reconsider your requirement of "immediate" recognition because that requires a system that has much worse performance.
If you can guarantee that only your application can generate these changes, and you have a list of all other servers in the cluster somewhere, you could theoretically ping them all with the new message (or notify them that a new message exists and it's time to update their message-list), but that kind of thing is better-done with an orchestration tool such as Kubernetes, and we are getting a little out of scope IMO.
We have multiple java web applications and processes that are deployed on a server. we would like to find a mean to easily monitor these applications and check their status remotely. by motoring we mean the following :
Check if the websites are up, send notifications by email otherwise.
Easily access or display logs in real-time that are located in different places on our servers. Send emails when exceptions occurred and are logged
Issue commands and run scripts that are located on our servers. the os of the server is linux. commands could be like restart tomcat...
? not sure if there are other ideas about monitoring
My question is that is there any application that is already available that provide such functionalities or some of them? if not do you know what API can be used to build such applications (in JAVA).
UPDATE:
The tool should be free
Thanks in advance for any help!
For monitoring Java applications as well as website availability, issuing custom commands in your servers and in general, monitor applications go for a general-purpose monitoring solution, like Pandora FMS. I'll try to answer your questions in order:
Check if the websites are up, send notifications by email otherwise.
Doing a network check to TCP port 80 and parsing a 200 OK response.
Easily access or display logs in real-time that are located in different places on our servers. Send emails when exceptions occurred and are logged
Easy thing to do with the log retrieval feature. Check it out in the wiki.
Issue commands and run scripts that are located on our servers. the os of the server is linux. commands could be like restart tomcat...
I'd suggest using Pandora Agents in this case. Quite powerful, yet very low resource consumption. They allow to do post-actions if your app is down, your CPU is high, or in general terms, anything you can measure happens. Check out the server monitoring more deeply: http://pandorafms.com/monitoring-solutions/server-monitoring/
On Linux, you an use monit. You can use it to any monitor services such as apache as well as wildfly running behind apache. It is actually easy to configure and it also gives all that you have requested.
If you want to monitor java processes, there is nothing better than MoSKito: http://www.moskito.org.
The only problem is that it covers much more, than you stated as your requirements, you will also get:
health thresholds and notifications
detailed performance metrics of your java code
dashboards with most important information about your app
mobile applications to monitor your app on the run
detection of slow transactions in your application
and more more more ;-)
http://www.moskito.org
http://newest.moskito.org/moskito/ (nightly build of the UI)
Step by Step guide: http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/
First, this is not the first time I ask a question related to this problem, but now that we have talked with the network admin guys and we know we absolutely HAVE to get through that proxy, I will ask again the question but with further details.
So here is the deal. We have an application built for Lotus Notes. That application needs to talk with a web service that is located outside the network of our client, but nothing can get out of the network without going through a proxy server. Since the Agent is running on the server, we need to tell the server to go through the proxy first. That can be achieved in Java using the System's properties (http.proxyHost, etc). That being said, I set all the properties related to the proxy settings in my Java Agent, and then I try getting the XML file from the web service. What I get is a connection time out exception. So, I was wondering why? We did a network analysis with WireShark, and the application is not trying to go through the proxy. Here is what it STRANGELY does.
I built the application and set the proxy host to a dummy address, just for the time I get the real proxy address and my credentials. Let's say proxy.mydomain.com
I get my credentials, so I change the proxy config with the real ones, say webproxy.ca.mydomain.net
Nothing works, so we restart the Domino server and do a clearcache, thinking it might be related to this
We did a network analysis with WireShark and the application queries the DNS for this:
proxy.mydomain.com
proxy.mydomain.com.ca.mydomain.com
proxy.mydomain.com.eu.mydomain.com
proxy.mydomain.com.anotherknowdomain.com
And that goes for a while. BUT, I can see it's still using the dummy address. Where does it get it. It's not in notes.ini, it's not in the server's cache, it's not in my source code, it's not in java.properties, it not in the JVM (since we restarted the machine). Any idea? We're at the end of a project and we need this to work to deliver it and preassure is building!!! I searched the WHOLE WEB!!!
One more thing I would say, when I set my properties in java code, I tryied to print them before to see if it was ok and everything is fine...
For your information, even though it was a web proxy going through HTTP, the JVM setting sockProxyHost was set and preceds on the other. That was our problem...
I have an Apache Derby database running (in networked mode) inside a java swing application, I connect to it through direct JDBC calls via a java client application.
This is all very good and works great however I know have an additional requirement to implement concurrent licenses for this client/server application.
Ideally a user with a single user license should be able to have 1 client app running on a laptop and also a second client app running on a desktop and be able to connect to the server from both.
I don't have the luxury of a web server so I am wondering if my only option is to use the "maxthreads" runtime property in Derby and essentially force the user to have to log off the laptop say if they want to then use the app from their desktop.
If I leave the timeslice property to 0 then will a call to getConnection timeout so that I can display a message to the user explaining that they need to disconnect one of the client apps.
Are connection threads a reliable way of doing this?
Am I missing another solution?
If I understand the question correctly, you have user-locked licenses and want to prevent a single user with a single license from accessing the "server" from more than one instance of the client at a time. Your "server" is simply a database and you don't want to create an application layer on the server side.
I don't really like your initial suggestion of using the thread pool and connection timeout to enforce licensing constraints because both of those things are used for other purposes.
Instead, to solve this I might consider requiring the user to enter their license number into the GUI the first time they use it. This can be saved in the user's home directory for subsequent starts of the GUI. The same would happen if they start the GUI for the first time on another machine. Then, for each transaction the GUI makes with the database, it would first update a licenses table or similar to indicate the user's license is currently taking part in a transaction. Wherever the same license is already in the table, marked as active, or similar, the GUI would reject the transaction and display to the user their license is already in use by another client.
If you like this idea, think it through farther than I have. I can see some errors in logic locking users out permanently :-)
It seems like you want to make the action of "logging in" and "logging out" of the database explicit, so perhaps you may want to have a special table in the database where your application writes a record when you log in or out.
Then your application can query that table to find out if other copies of the application are currently logged in.
You might want to include additional fields in the table to track the date/time when you logged in/out, the hostname and IP address of the client which performed the login/logout, etc.