Service Virtualization

  • 1.  DevTest WAS configuration

    Posted Aug 02, 2018 04:19 AM

    Hi,

    I work in professional services in Korea and am implementing DevTest.

    The customer security team asked us to take actions for our DevTest Portal.

    - WAS configuration

      : reject the OPTIONS and TRACE HTTP methods

    If we don't have any Jetty configuration, we should configure our own WAS to reject the OPTIONS and TRACE HTTP methods. How can I configure this for our own WAS?

    This is a very urgent issue for us. Can you follow up on this ASAP?

    Thanks

    Best Regards

    Ji Yeon



  • 2.  Re: DevTest WAS configuration
    Best Answer

    Broadcom Employee
    Posted Aug 02, 2018 12:28 PM

    Hi Ji Yeon,

    I looked into this and couldn't find a solution. I suggest opening a support ticket so the support team can reach out to engineering for guidance.

    --Mike



  • 3.  Re: DevTest WAS configuration

    Posted Aug 06, 2018 09:54 PM

    I need WAS or Web configuration.

    Yesterday, I found a way to block some HTTP methods.

    I wrote web.xml in this directory: ~/CA/DevTest/webserver/phoenix/phoenix-10.3.0/WEB-INF/web.xml

    I blocked HTTP methods such as OPTIONS, TRACE, PUT, PATCH, and DELETE with web.xml. I will attach the jpg file again. And I have two more problems.



  • 4.  Re: DevTest WAS configuration

    Posted Aug 06, 2018 09:58 PM

    I resolved one with web.xml.

    But I have two more issues.

    In the Response Header

    A way to test is to call GET or POST with any URI (ex. GET /devtest/test ).

    1. There is "Server" information in the Response Header.

        : Server: Jetty(9.3.z-SNAPSHOT)

    2. There is an "error number" like 404 Not Found.

       : HTTP/1.1 404 Not Found

       : I need the error page redirection like this

        <error-page>
              <error-code>404</error-code>
              <location>/error404.jsp</location>
        </error-page>

    --------------------

    Response headers:

    HTTP/1.1 404 Not Found
    Date: ...
    Content-Security-Policy ...
    X-Content-Type-Options: nosniff
    X-XSS-Protection: ...
    X-Application-Context: ...
    Content-Type: ...
    Transfer-Encoding: ....
    Server: Jetty(9.3.z-SNAPSHOT) ...

    --------------------

    According to the customer's security policy, no HTTP response should show that information. I tried many things, but I couldn't find the resolution.

    Can you help, and if you don't know, can you ask the dev team? This issue is a mandatory item I should change.

    Please help me.
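The web.xml approach described in post 3 (denying OPTIONS, TRACE, PUT, PATCH and DELETE) combined with the 404 error-page mapping asked for in post 4, written here as an added example rather than the attachment from the thread; it assumes a Servlet 3.1 web.xml at the WEB-INF path given above and that DevTest's embedded Jetty honours standard security-constraint and error-page elements.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Deny the listed methods on every URL. An empty auth-constraint means
       "no role may access", so the container answers 403 Forbidden without
       needing a login-config. Methods not listed (GET, POST, HEAD) are left
       alone; Jetty logs a warning about "uncovered" methods for this
       pattern, which is expected here and must NOT be silenced with
       deny-uncovered-http-methods, because that would block GET/POST too. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>blocked-methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Serve a page from inside the webapp instead of the container's default
       404 body. The status line itself must stay "404 Not Found": that is
       what clients, proxies and monitoring rely on, so only the body and
       the Server header (a connector/HttpConfiguration setting, not a
       web.xml one) are candidates for hiding. -->
  <error-page>
    <error-code>404</error-code>
    <location>/error404.jsp</location>
  </error-page>
</web-app>
```

After a restart, a check of the form `curl -i -X TRACE http://HOST:PORT/devtest/test` (host and port are placeholders) should return 403 rather than 200, and `curl -i http://HOST:PORT/devtest/does-not-exist` should return 404 with the body of /error404.jsp.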