Hi,
Here is a brief introduction to using the Frontend Host/Frontend Port combination in a clustered or non-clustered environment. Setting the Frontend Host prevents redirection attacks against our production environments.
Security Scenario:
When a request to a web application is redirected (response.sendRedirect) to another server, application or location, the Host header contained in the request is used by default in the Location header of the response. Because the Host header can be spoofed, that is, corrupted to contain a different host name and other parameters, this behavior can be exploited to launch a redirection attack on a third party.
To prevent this, we can set the FrontendHost attribute on either the WebServerMBean (if your server is not part of any cluster) or the ClusterMBean (if you have a cluster) to specify the host to which all redirected URLs are sent. When the server then sends the HTTP response to the client, the host specified in the FrontendHost attribute is used in the Location header of the response instead of the one contained in the original request.
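A simplified model of the behaviour described above, as an added example (not WebLogic code and not from the original post): it builds the Location header from a constructed request with and without a pinned frontend host, then checks the result against an allowlist. The host names, function names and the /app/login target are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample requests: one genuine, one with a spoofed Host header.
GENUINE = b"GET /app HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"
SPOOFED = b"GET /app HTTP/1.1\r\nHost: evil.example.net:8080\r\n\r\n"


def host_header(raw):
    """Return the Host header value of a raw HTTP/1.1 request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def redirect_location(raw, target, frontend_host=None, frontend_port=None):
    """Absolute Location for a redirect to `target` (hypothetical model).

    Without a frontend host the client-supplied Host header is echoed back;
    with one, the configured value is used whatever the request claims.
    """
    if frontend_host:
        authority = frontend_host
        if frontend_port:
            authority += ":%d" % frontend_port
    else:
        authority = host_header(raw)
        if authority is None:
            raise ValueError("request has no Host header")
    return "http://%s%s" % (authority, target)


def location_is_trusted(location, allowed_hosts):
    """Defender's check: does the Location point at an expected host?"""
    host = urlsplit(location).hostname
    return host is not None and host.lower() in allowed_hosts


def audit(frontend_host=None, frontend_port=None):
    """Replay both constructed requests; True means the redirect is trusted."""
    allowed = {"shop.example.com"}
    results = {}
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        loc = redirect_location(raw, "/app/login", frontend_host, frontend_port)
        results[name] = location_is_trusted(loc, allowed)
    return results
```

Calling `audit()` models the default behaviour, and `audit("shop.example.com", 80)` models the same requests after the frontend host and port are set.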
How to configure Frontend for our Cluster?
Log in to the Admin Console and then follow this sequence:
Home -> Summary of Clusters -> Cluster-0 (your cluster name) -> Configuration (tab) -> HTTP (sub-tab)
On this page you will find text boxes to configure your Frontend Host and port details.
What can be set as a Frontend of a Cluster/Server?
1) Any web server, such as Apache Plugin, SunOne, IIS, etc.
2) We can set a DNS server as the frontend of a server/cluster.
3) We can set hardware load balancers such as BigIP F5, etc.
What is the use of the Frontend for web services targeted to a cluster?
If we deploy a web service to a clustered environment, the dynamically generated WSDL will not contain the <address> of the original server from which it is served to the client; rather, the address of the frontend is generated inside the <address> tag of the WSDL file.
Example: suppose we have set the Frontend Host and port of the cluster to which the web service is targeted to FrontendHost=10.19.2.121 and FrontendPort=80. The WSDL file will then contain the following address:
<service name="SomeService">
  <port binding="s0:SomeServiceSoapBinding" name="SomeServicePort">
    <s1:address location="http://10.19.2.121:80/Some/SomeService"/>
  </port>
</service>
Thanks
Jay SenSharma
August 20th, 2010 on 11:48 pm
Hi Joy,
Could you please help on this?
Scenario:–
webService running fine on 8.1.6
However the same war file when deployed on a fresh 10.0 installation gives the following issue.
deploy a web service/SOAP service,
when we hit the service, it shows up the display page and gives the link to the WSDL.
However inside the endpoint it is creating a corrupted url as it is appending the port 80 to the end of the url;
Original URL has to be http://xyz.com/TestWS/ChartViewerData
The current URL that is showing up is http://xyz.com:80/TestWS/ChartViewerData
Here a slash ‘/’ is missing from the url.
Customer wants to know as to why this issue is happening after porting the WS from 8.1.6 to 10.0
We feel that the WS could have been migrated incorrectly.
Should we configure the Frontend host and port for this??
or
Should we try to check out the latest plugin for Apache
or
Should we change the port number of the Apache which is running on 80?
August 22nd, 2010 on 8:04 am
Hi Shivam,
How did you upgrade your WebService? I mean, are you just deploying your WLS8.1.6 WebService EAR/WAR file in WLS10.0 … or have you upgraded your WebService as well… (Example: from WLS9.x onwards we use @WebService annotations to define our webservice… we use the JWSC task to compile our WebServices… etc.).
As you have mentioned that your Original URL is : “http://xyz.com/TestWS/ChartViewerData” It means your Apache Proxy HostName Must be “xyz.com” and the Port Number will be (80) . So Just to confirm whether it is a Proxy issue or not….Just try to hit the WebLogicServer Directly to access your WSDL….Just for testing like:
http://ManagedServerHostName:port/TestWS/ChartViewerData
Example: http://localhost:7003/TestWS/ChartViewerData ——> Are you able to access the WSDL like this?
Usually we need to configure the Frontend host and port … when we have a cluster, so that the dynamic WSDL can be generated… with the service address of the proxy.
If you are able to access the WSDL directly from the WLS Server … and if you are facing the issue only while accessing it through the proxy (Apache), then you must try using the latest Apache Plugin.
Just for testing we can try changing the Apache port from 80 to something else like 81 … But I really don't think that the port should be an issue…
Keep Posting 🙂
Thanks
Jay SenSharma
January 20th, 2011 on 5:03 am
Hello Jay,
I have configured Front end port and when I try to access application over http protocol it is working fine. But when I try to use https:// it is failing?
Please suggest.
Jees
April 23rd, 2011 on 8:36 am
Can you please upload the image?
April 23rd, 2011 on 9:29 am
Hi testab,
Some of the images are missing in few articles … We will try to upload them soon… but it will take some time as currently those images got destroyed and not present for upload.
Thank you for letting us know about this we share “Bonus Magic Points 20 in your Magic Account” 🙂
Keep Posting 🙂
Thanks
Jay SenSharma
July 27th, 2011 on 12:55 am
Hi Magic Team,
We are using 10.3.3 WL and it is balanced by load balancer.
For launching application we use (LoadBalancerVIP+ApplicationContext) URL
But we want to use only (LoadBalancerVIP), which in turn redirects to (….+ApplicationContext) for launching.
So how and where I can configure for redirecting LBVIP—->ApplicationLaunchingURL ?
Is it possible at LB/WeblogicServer/InApplicationCode??
If yes, Can you pls give brief description.
Thanks,
Sunny
September 17th, 2011 on 4:14 am
It probably defeats the purpose of setting the frontend host and port, but for testing direct access to the managed server, is there a way to temporarily prevent the redirects when accessing the managed server URL and port directly?
I’d like to be able to do it without restarting the cluster.
February 28th, 2012 on 7:50 pm
Hi, Jay there are some comments without any reply from you. Why it is so ?
August 1st, 2012 on 9:19 pm
Hello Jay,
I have single WL server deployment with IIS upfront. After I set up Frontend Host and port I can’t access Administrative Console anymore. Is there a way to resolve this (possibly configure IIS to get to WL Console through IIS)? I tried setup just forwarding * on IIS for all requests with /console/ but it didn’t work properly.
Thanks!
August 3rd, 2012 on 8:00 pm
Hello René,
Thanks for your reply! But here is a situation as I see it:
WL Console tries to redirect you to frontend host and port. So
1. We either need something/set some other params in Weblogic Console not to redirect that particular app. If this is the option – then how and what?
or
2. We need to configure IIS or other web server to work correctly with Weblogic Console app. If this is the option – then how or what needs to be done on Web Server so it works correctly with WL Console?
Thanks
January 30th, 2013 on 6:54 pm
Hi,
Am having a doubt.
We are having a Clustered production environment.
We are following a method for restarting the managed server as first to disable the FrontEndHTTP configured in channels, then we will go for a restart.
Once the server turns back we will enable it, hence it will start serving the request.
My question is: do we need to disable it all the time, or if we go for a direct restart w/o disabling FrontendHTTP, will it behave normally when it turns into running?
Also I want to know about the heartbeats, how they work internally in a clustered env.
Thanks in Advance,
Srinvasan