Hi,

Jay SenSharma


Here is a brief introduction to using the FrontEnd Host / FrontEnd Port combination in a clustered or a non-clustered environment. Setting the Frontend Host prevents redirection attacks against our production environments.

Security Scenario:
When a request to a web application is redirected (response.sendRedirect) to another server, application or location, the Host header contained in the request is used by default to build the Location header of the response. Because the Host header can be spoofed, that is, altered by the client to carry a different host name and other parameters, this behavior can be exploited to launch a redirection attack against a third party.

To prevent this we can set the FrontendHost attribute on either the WebServerMBean (if your server is not part of any cluster) or the ClusterMBean (if you have a cluster) to specify the host to which all redirected URLs are sent. When the server then sends the HttpResponse to the client, the host specified in the FrontendHost attribute is used in the Location header of the response instead of the one contained in the original request.
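The following is an added example, not WebLogic's own code: it models how a container turns a relative sendRedirect target into an absolute Location header, first from the client-supplied Host header (the behaviour described above) and then from a configured FrontendHost/FrontendHTTPPort. The request text, host names and the FrontendConfig class are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FrontendConfig:
    # Illustrative stand-in for the FrontendHost / FrontendHTTPPort MBean attributes.
    frontend_host: Optional[str] = None
    frontend_http_port: int = 80


def parse_request_headers(raw: str) -> dict:
    """Parse a constructed HTTP/1.1 request head into a lower-cased header dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def redirect_location(headers: dict, target: str, config: FrontendConfig,
                      scheme: str = "http") -> str:
    """Build the absolute Location header for a redirect to `target`.

    With no FrontendHost the authority is copied from the client-controlled Host
    header; with one configured, the fixed host:port is used instead.
    """
    if target.startswith(("http://", "https://")):
        return target  # already absolute, nothing for the container to fill in
    if config.frontend_host:
        authority = f"{config.frontend_host}:{config.frontend_http_port}"
    else:
        authority = headers.get("host", "")
    return f"{scheme}://{authority}{target}"


# Constructed request whose Host header does not name our server at all.
SPOOFED_REQUEST = (
    "GET /app/login HTTP/1.1\r\n"
    "Host: spoofed-host.example:8080\r\n"
    "\r\n"
)


def demo():
    """Return (Location without FrontendHost, Location with FrontendHost)."""
    headers = parse_request_headers(SPOOFED_REQUEST)
    default = redirect_location(headers, "/app/home", FrontendConfig())
    hardened = redirect_location(headers, "/app/home", FrontendConfig("10.19.2.121", 80))
    return default, hardened


if __name__ == "__main__":
    for label, loc in zip(("default ", "frontend"), demo()):
        print(f"{label}: Location: {loc}")
```

Running it shows the default Location pointing at whatever host the client put in the request, while the configured frontend always yields the 10.19.2.121:80 address.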

How to configure Frontend for our Cluster?

Login to AdminConsole and then choose the following sequence:

Home -> Summary of Clusters -> Cluster-0 (your cluster name) -> Configuration (tab) -> HTTP (sub tab)

On this page you will find text boxes to configure your Frontend host and port details.

Configuring FrontEnd Host


What can be set as a Frontend of a Cluster/Server?

1). Any web server running the proxy plug-in, such as Apache, SunOne or IIS
2). A DNS name that resolves to the server/cluster
3). A hardware load balancer such as the F5 BIG-IP

What is the Use of FrontEnd for WebServices targeted to Cluster?

If we deploy a WebService to a clustered environment, the dynamically generated WSDL will not contain the <address> of the individual server that served it to the client; instead the address of the frontend is generated inside the <address> tag of the WSDL file.

Example: suppose we have set the Frontend Host and port of the cluster where the webservice is targeted to FrontendHost=10.19.2.121 and FrontendPort=80. The WSDL file will then contain the following address:

<service name="SomeService">
  <port binding="s0:SomeServiceSoapBinding" name="SomeServicePort">
    <s1:address location="http://10.19.2.121:80/Some/SomeService"/>
  </port>
</service>

Thanks
Jay SenSharma
