Environment: Linux 7 & JBoss 7.2
Note: Take a backup of the JBoss /configuration directory before editing.
1. Locate the standalone.xml file and check for the undertow subsystem.
2. Add an http-to-https filter-ref to the host-name tag, with a corresponding rewrite rule in the filters tag that redirects from the HTTP ports (e.g. 8084/8081) to HTTPS on 8443.
<!-- hostname configurations -->
<host name="default-host" alias="localhost">
    <filter-ref name="http-to-https" predicate="equals(%p,8084) or equals(%p,8081)"/>
</host>
<!-- reference filters configurations -->
<filters>
    <rewrite name="http-to-https" target="https://www.test.int:8443%U" redirect="true"/>
</filters>
3. Check that the resulting undertow subsystem matches the highlighted configuration below.
****************************************************************
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <filter-ref name="http-to-https" predicate="equals(%p,8084) or equals(%p,8081)"/>
            <filter-ref name="host-checker"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config x-powered-by="false"/>
        <session-cookie http-only="true" secure="true"/>
        <websockets/>
    </servlet-container>
    <filters>
        <rewrite name="http-to-https" target="https://www.test.int:8443%U" redirect="true"/>
        <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, www.test.int:8443)) -> response-code(403)"/>
    </filters>
</subsystem>
****************************************************************
4. Restart the JBoss server JVM.
5. To test the host header injection fix with the curl command, https:// must be shown in the output.
command:
curl -I http://www.test.int:8084/calendar
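The manual curl check above can be scripted so that both behaviours of the configuration are verified: the plain-HTTP port must answer with a redirect to https://www.test.int:8443, and a request carrying a foreign Host header must get the 403 from the host-checker filter. This is an added example, not part of the original post; the host name and ports come from the post, the function names and the example.invalid Host value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check captured `curl -I` output for the
# two behaviours the Undertow config above should produce.

# Succeeds when the captured headers show a redirect whose Location points at the
# expected HTTPS origin. $1 = header text, $2 = expected origin (https://www.test.int:8443)
is_https_redirect() {
  printf '%s\n' "$1" | grep -qiE '^HTTP/[0-9.]+ 30[1278]' &&
  printf '%s\n' "$1" | grep -qiF "Location: $2/"
}

# Succeeds when the captured headers show the 403 that the host-checker filter
# returns for a Host header other than www.test.int:8443.
is_host_rejected() {
  printf '%s\n' "$1" | grep -qE '^HTTP/[0-9.]+ 403'
}

# Live check against a running server (assumed URLs, taken from the post):
# first the redirect from the plain-HTTP port, then a request to the HTTPS port
# with a Host header that does not match the expected virtual host.
# -k is used because ApplicationRealm is typically backed by a self-signed certificate.
check_live() {
  plain="$1"    # e.g. http://www.test.int:8084
  secure="$2"   # e.g. https://www.test.int:8443
  if is_https_redirect "$(curl -sI "$plain/calendar")" "$secure"; then
    echo "redirect to HTTPS: ok"
  else
    echo "redirect to HTTPS: MISSING"; return 1
  fi
  if is_host_rejected "$(curl -skI -H 'Host: example.invalid' "$secure/calendar")"; then
    echo "host-checker 403: ok"
  else
    echo "host-checker 403: NOT enforced"; return 1
  fi
}

# Uncomment to run against a real instance after step 4:
# check_live http://www.test.int:8084 https://www.test.int:8443
```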
Thanks :-)