Basic Security Configurations on JBOSS EAP 7

Kavindu Gayan
3 min read · Nov 26, 2020

Security is now one of the most important and broadest areas of engineering. Within it, application server security plays a major role, because a hardened server directly reduces a system's exposure to vulnerabilities.

JBoss is one of the major Java EE-based application server runtime platforms, used for building, deploying, and hosting highly transactional Java applications.

Most of the JBoss configuration is done through the standalone.xml file, which is located at {JBOSS_HOME}/standalone/configuration/.

The configurations below go inside the undertow subsystem, i.e. the <subsystem> element whose xmlns is urn:jboss:domain:undertow:10.0.

Let's discuss the server-level security configurations.

Clickjacking (X-Frame-Options header missing)

Add the required response header in the <filters> section of your undertow subsystem in standalone.xml and reference it from the host, so that browsers refuse to render the application inside frames served from other origins.

<host name="default-host" alias="localhost">
<filter-ref name="xFrameOptions"/>
</host>

<filters>
<response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
</filters>

Cookie(s) without HttpOnly flag set

The HttpOnly flag makes the session cookie available only to HTTP requests, so client-side script cannot read it; secure="true" additionally restricts the cookie to HTTPS connections.

<subsystem xmlns="urn:jboss:domain:undertow:3.1">

<servlet-container name="default">
<jsp-config/>
<session-cookie http-only="true" secure="true"/> <!-- added -->
<websockets/>
</servlet-container>

Disallow the HTTP OPTIONS method

<http-listener name="default" socket-binding="http" disallowed-methods="OPTIONS" redirect-socket="https" enable-http2="true"/>

Adding a Referrer-Policy header

<host name="default-host" alias="localhost">
<filter-ref name="Referrer-Policy"/>
</host>

<filters>
<!-- header-value must be exactly one policy, e.g. no-referrer, same-origin, origin, strict-origin or no-referrer-when-downgrade -->
<response-header name="Referrer-Policy" header-name="Referrer-Policy" header-value="same-origin"/>
</filters>

Add a misleading X-Powered-By header value

This suppresses the exposure of server details and technologies that would help an attacker fingerprint the platform. Setting an irrelevant value instead of removing the header altogether also misleads automated fingerprinting. As with the other headers, the filter must be referenced from the host with a filter-ref to take effect.

<filters>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="bar"/>
</filters>

Set the JSP x-powered-by header to false

This removes the X-Powered-By header that JSP pages add.

<servlet-container name="default">
<jsp-config x-powered-by="false"/>
</servlet-container>

Set the SameSite cookie mode to strict

With 'strict', the browser does not send the cookie on requests that arrive in a cross-site context, such as following a link from another site. The default, 'lax', still sends it on top-level navigations, so a user arriving from an external link keeps their logged-in session.

<host name="default-host" alias="localhost">
<filter-ref name="samesite-cookie-filter"/>
</host>

<filters>
<!-- the filter name must match the filter-ref above -->
<expression-filter name="samesite-cookie-filter" expression="samesite-cookie(mode=strict,cookie-pattern=JSESSIONID,case-sensitive=true)"/>
</filters>
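The findings above are normally reported by a scanner against the live response, so after changing standalone.xml it is worth checking the actual headers the server returns rather than trusting the file. The following is an added example, not code from the original post or from JBoss EAP: it parses a captured HTTP response and reports each of the items discussed (X-Frame-Options, Referrer-Policy, X-Powered-By disclosure, and the HttpOnly, Secure and SameSite cookie attributes). The two responses embedded in it are constructed samples; on a real deployment you would capture the headers with something like `curl -sD - -o /dev/null URL` and pass the text to `audit()`.

```python
"""Check a captured HTTP response for the server-level items described above.

Added example, not code from the original post or from JBoss EAP. The two
responses below are constructed for illustration.
"""

# Constructed sample: what an unhardened default deployment typically returns.
UNHARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: JBoss-EAP/7\r\n"
    "X-Powered-By: Undertow/1\r\n"
    "Set-Cookie: JSESSIONID=abc123; path=/app\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: the same response after applying the configuration above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: same-origin\r\n"
    "X-Powered-By: bar\r\n"
    "Set-Cookie: JSESSIONID=abc123; path=/app; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw response into its status line and a list of (name, value) pairs."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit(raw):
    """Return one finding string per weakness; an empty list means all items pass."""
    _, headers = parse_headers(raw)
    values = lambda name: [v for n, v in headers if n == name]
    findings = []

    # Clickjacking: the header must be present and restrictive.
    xfo = values("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options header missing (clickjacking)")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has unexpected value %r" % xfo[0])

    if not values("referrer-policy"):
        findings.append("Referrer-Policy header missing")

    # Technology disclosure: a misleading value such as "bar" is acceptable.
    for value in values("x-powered-by"):
        if any(tech in value.lower() for tech in ("undertow", "jboss", "jsp", "servlet")):
            findings.append("X-Powered-By discloses technology: %r" % value)

    # Cookie flags: every Set-Cookie is checked, not just JSESSIONID.
    for cookie in values("set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "httponly" not in attrs:
            findings.append("cookie %s without HttpOnly flag" % name)
        if "secure" not in attrs:
            findings.append("cookie %s without Secure flag" % name)
        samesite = [a for a in attrs if a.startswith("samesite=")]
        if not samesite:
            findings.append("cookie %s without SameSite attribute" % name)
        elif samesite[0] != "samesite=strict":
            findings.append("cookie %s SameSite is %s, not strict" % (name, samesite[0][9:]))
    return findings


if __name__ == "__main__":
    for label, raw in (("unhardened", UNHARDENED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["no findings"])
```

Running the script prints six findings for the unhardened sample and none for the hardened one. Because `audit()` looks at every Set-Cookie header, it also catches application cookies that the samesite-cookie filter above does not cover when its cookie-pattern is limited to JSESSIONID.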

A sample configuration combining all of the above is given below.

<subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
  <server name="default-server">
    <http-listener name="default" socket-binding="http" disallowed-methods="OPTIONS" redirect-socket="https" enable-http2="true"/>
    <host name="default-host" alias="localhost">
      <filter-ref name="xFrameOptions"/>
      <filter-ref name="Referrer-Policy"/>
      <filter-ref name="samesite-cookie-filter"/>
      <filter-ref name="x-powered-by-header"/>
    </host>
  </server>
  <servlet-container name="default">
    <jsp-config x-powered-by="false"/>
    <session-cookie http-only="true" secure="true"/>
  </servlet-container>
  <filters>
    <response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
    <!-- pick exactly one Referrer-Policy value -->
    <response-header name="Referrer-Policy" header-name="Referrer-Policy" header-value="same-origin"/>
    <expression-filter name="samesite-cookie-filter" expression="samesite-cookie(mode=strict,cookie-pattern=JSESSIONID,case-sensitive=true)"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="bar"/>
  </filters>
</subsystem>
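A configuration like the one above is easy to get subtly wrong: a filter-ref whose name does not match any filter silently applies nothing, a filter that no host references never runs, and a Referrer-Policy value written as a list of alternatives is sent literally. The following is an added example, not code from the original post or from JBoss EAP: a standard-library Python script that reads the undertow subsystem from a standalone.xml (any undertow schema version) and reports which of the items in this post are missing or mismatched. The embedded standalone.xml is a constructed sample that deliberately contains such a name mismatch and omits several settings.

```python
"""Audit the undertow subsystem of a JBoss EAP 7 standalone.xml for the
settings described in this post.

Added example, not code from the post or from JBoss EAP; standard library only.
SAMPLE_STANDALONE is a constructed, deliberately incomplete configuration.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_STANDALONE = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:10.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <host name="default-host" alias="localhost">
          <filter-ref name="xFrameOptions"/>
          <filter-ref name="samesite-cookie-filter"/>
        </host>
      </server>
      <servlet-container name="default">
        <jsp-config/>
        <session-cookie http-only="true"/>
      </servlet-container>
      <filters>
        <response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
        <expression-filter name="samesite-cookie" expression="samesite-cookie(mode=strict,cookie-pattern=JSESSIONID)"/>
      </filters>
    </subsystem>
  </profile>
</server>
"""

UNDERTOW_NS_PREFIX = "{urn:jboss:domain:undertow:"


def find_undertow(root):
    """Return the undertow <subsystem> element, whatever its schema version."""
    for el in root.iter():
        if el.tag.startswith(UNDERTOW_NS_PREFIX) and el.tag.endswith("}subsystem"):
            return el
    return None


def audit_undertow(xml_text):
    """Return a list of findings; an empty list means every item in the post is present."""
    sub = find_undertow(ET.fromstring(xml_text))
    if sub is None:
        return ["no undertow subsystem found"]
    ns = sub.tag[1:sub.tag.index("}")]
    q = lambda name: "{%s}%s" % (ns, name)  # qualify a tag in the subsystem's namespace
    findings = []

    # 1. Every <filter-ref> must name a <filters> entry, and every filter must be referenced.
    filters_el = sub.find(q("filters"))
    defined = {} if filters_el is None else {f.get("name"): f for f in filters_el}
    referenced = {r.get("name") for r in sub.iter(q("filter-ref"))}
    for name in sorted(referenced - set(defined)):
        findings.append("filter-ref %r has no matching filter definition" % name)
    for name in sorted(set(defined) - referenced):
        findings.append("filter %r is defined but no host references it" % name)
    active = [f for n, f in defined.items() if n in referenced]

    # 2. Headers set by response-header filters that are actually referenced.
    headers = {f.get("header-name", "").lower(): f.get("header-value", "")
               for f in active if f.tag == q("response-header")}
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not set to DENY or SAMEORIGIN")
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy header not set")
    elif "|" in headers["referrer-policy"]:
        findings.append("Referrer-Policy lists alternatives; pick exactly one value")

    # 3. SameSite=Strict via an active samesite-cookie expression filter.
    if not any(f.tag == q("expression-filter")
               and "samesite-cookie(" in f.get("expression", "")
               and "mode=strict" in f.get("expression", "").lower()
               for f in active):
        findings.append("no active samesite-cookie(mode=strict) expression filter")

    # 4. Listener: OPTIONS should appear in the space-separated disallowed-methods list.
    for listener in sub.iter(q("http-listener")):
        methods = listener.get("disallowed-methods", "").upper().split()
        if "OPTIONS" not in methods:
            findings.append("http-listener %r does not disallow OPTIONS" % listener.get("name"))

    # 5. Servlet container: session cookie flags and the JSP X-Powered-By header.
    for sc in sub.iter(q("servlet-container")):
        cookie = sc.find(q("session-cookie"))
        if cookie is None or cookie.get("http-only") != "true":
            findings.append("session-cookie http-only is not true")
        if cookie is None or cookie.get("secure") != "true":
            findings.append("session-cookie secure is not true")
        jsp = sc.find(q("jsp-config"))
        if jsp is not None and jsp.get("x-powered-by") != "false":
            findings.append("jsp-config x-powered-by is not false")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STANDALONE
    for finding in audit_undertow(text) or ["no findings"]:
        print(finding)
```

Run it as `python audit_undertow.py {JBOSS_HOME}/standalone/configuration/standalone.xml`; with no argument it audits the embedded sample, which produces seven findings, the first two being the mismatched filter-ref/filter pair. Matching on the namespace prefix rather than the exact `urn:jboss:domain:undertow:10.0` string lets the same check run against the 3.1 schema shown earlier.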
