Re: Can webapps/tomee directory be deleted for a production environment?
Done: https://issues.apache.org/jira/browse/TOMEE-423

On Thu, Sep 20, 2012 at 10:21 PM, Jean-Louis MONTEIRO wrote:
Re: Can webapps/tomee directory be deleted for a production environment?
The question is: which security for ejbd?

On 20 Sep 2012 22:22, "Jean-Louis MONTEIRO" wrote:
Re: Can webapps/tomee directory be deleted for a production environment?
Amazing, we got that discussion in my company as well, where we have a lot of instances.
Yes, that'd be awesome if you could file a JIRA for that.

Jean-Louis

2012/9/20 Alex The Rocker wrote:
Re: Can webapps/tomee directory be deleted for a production environment?
Yes, open a JIRA please.

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*
*LinkedIn: http://www.linkedin.com/pub/romain-manni-bucau/43/544/956*

2012/9/20 Alex The Rocker wrote:
Re: Can webapps/tomee directory be deleted for a production environment?
Romain:

It would be great to move TomEE's transport out of the tomee management UI web app, as you suggest.

Should I create a JIRA to track this feature request?

Alex

PS: I'm definitely paranoid and want to remove the management web app from a production environment exposed to the Internet (and maybe use secured JMX for remote management with strict iptables rules..)

On Sun, Sep 16, 2012 at 10:59 PM, Romain Manni-Bucau wrote:
Re: Can webapps/tomee directory be deleted for a production environment?
Alex,

You could use the Tomcat RemoteAddrValve to restrict this app to only the localhost.

I personally like to have some apps (like the manager interface and the jmx-proxy) available only to sysadmins, using either the above valve or OS firewall rules (such as Linux iptables). Of course I'd also change those apps' config to use SSL (sometimes enforcing client certificates) and user authentication (preferably from an LDAP directory such as OpenLDAP).

Defense in depth is always nice to have, and with this I can provide remote support (preferably through OpenVPN or an SSH tunnel) with a certain level of confidence that my app servers are not open to hackers.

[]s, Fernando Lozano
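The valve Fernando mentions is configured per context. The fragment below is an added example, not code from the thread or from the TomEE project; it assumes the tomee webapp is deployed with the context name `tomee` so that its per-context file lives at `conf/Catalina/localhost/tomee.xml` (an assumed path; the same `<Valve>` element works in the webapp's own `META-INF/context.xml`). It allows only loopback clients, IPv4 and IPv6, and returns HTTP 403 to everyone else:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: conf/Catalina/localhost/tomee.xml
     (per-context configuration for the tomee management/transport webapp). -->
<Context>
  <!-- org.apache.catalina.valves.RemoteAddrValve is a standard Tomcat valve.
       'allow' is a regular expression matched against the client's socket
       address (whole-string match in Tomcat 7 and later). Addresses that do
       not match are rejected with 403 before the request reaches the webapp.
       127\.\d+\.\d+\.\d+  -> IPv4 loopback range
       ::1 / 0:0:0:0:0:0:0:1 -> IPv6 loopback in both spellings Tomcat may report -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

Two caveats worth checking after applying it: the valve decides on the peer address of the TCP connection, so if TomEE sits behind a reverse proxy every request will appear to come from the proxy and the rule either blocks everything or (if the proxy is on the same host) allows everything; in that case the proxy must be the component enforcing the restriction. And the restriction only covers the HTTP path into the tomee webapp; any other listener (JMX, ejbd on its own port) still needs its own firewall rule, which is the OS-level layer Fernando describes.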
Re: Can webapps/tomee directory be deleted for a production environment?
I don't think so (or it is not known today).

I personally would like to keep it a GUI + transport webapp.

Wonder if we shouldn't move the transport part, BTW. We could do it programmatically and totally skip the webapp (something to think about after the next release).

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*

2012/9/16 Alex The Rocker wrote:
Re: Can webapps/tomee directory be deleted for a production environment?
David:

Thank you very much for your answer. Is the ability to remove the webapps/tomee directory a durable one?
Won't there be future "mandatory" features requiring this web app?

Alex

On Sun, Sep 16, 2012 at 7:29 PM, David Blevins wrote:
Re: Can webapps/tomee directory be deleted for a production environment?
On Sep 16, 2012, at 8:16 AM, Alex The Rocker wrote:

> Hello,
>
> Can the webapps/tomee directory be deleted for deploying a web app to a production TomEE/TomEE+ server exposed to the Internet?
> Indeed, when delivering our app with Tomcat, we delete all default web apps as part of our Tomcat hardening task list.
>
> Is there any TomEE/TomEE+ vital content in the webapps/tomee directory?

The only loss of functionality would be the ability to remotely execute EJBs over HTTP. However this can easily be added to a different webapp like so:

    <!-- WEB-INF/web.xml of your own webapp -->
    <servlet>
        <servlet-name>ServerServlet</servlet-name>
        <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>ServerServlet</servlet-name>
        <url-pattern>/myejbs/*</url-pattern>
    </servlet-mapping>

Then you can create an `InitialContext` that points to that webapp like so:

    import java.util.Properties;
    import javax.naming.InitialContext;

    Properties p = new Properties();
    p.put("java.naming.factory.initial",
          "org.apache.openejb.client.RemoteInitialContextFactory");
    // provider URL = <webapp context path> + <url-pattern of the ServerServlet>
    p.put("java.naming.provider.url", "http://127.0.0.1:8080/mywebapp/myejbs");
    // user and pass optional
    p.put("java.naming.security.principal", "myuser");
    p.put("java.naming.security.credentials", "mypass");

    InitialContext ctx = new InitialContext(p);

    MyBean myBean = (MyBean) ctx.lookup("MyBeanRemote");

-David
Can webapps/tomee directory be deleted for a production environment?
Hello,

Can the webapps/tomee directory be deleted for deploying a web app to a production TomEE/TomEE+ server exposed to the Internet?
Indeed, when delivering our app with Tomcat, we delete all default web apps as part of our Tomcat hardening task list.

Is there any TomEE/TomEE+ vital content in the webapps/tomee directory?

If the answer is yes, then it means that we cannot just remove webapps/tomee, so is there a way to make this web app inaccessible on all network adapters in order to prevent its use by attackers?

Alex.