...

Recommended Configuration

...

Jetty Logging

File(s): etc/jetty-requestlog.xml, resources/logback.xml, resources/logback-access.xml

The recommended approach is to use logback for all Jetty logging. The logback and slf4j libraries are needed to support this configuration and must be copied into JETTY_BASE/lib/logging.

  1. From the slf4j distribution, copy in slf4j-api-version.jar
  2. From the logback distribution, copy in logback-classic-version.jar, logback-core-version.jar, and logback-access-version.jar
  3. Configure Jetty to use logback for request logging by creating JETTY_BASE/etc/jetty-requestlog.xml with the following content:

    Code Block
    languagexml
    titlejetty-requestlog.xml
    collapsetrue
    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
    <!-- =============================================================== -->
    <!-- Configure the Jetty Request Log                                 -->
    <!-- =============================================================== -->
    <Configure id="Server" class="org.eclipse.jetty.server.Server">
      <Set name="RequestLog">
        <New id="RequestLog" class="ch.qos.logback.access.jetty.RequestLogImpl">
          <Set name="fileName"><Property name="jetty.base" default="." />/resources/logback-access.xml</Set>
        </New>
      </Set>
      <Ref refid="RequestLog">
        <Call name="start" />
      </Ref>
    </Configure>
    
  4. Configure the logging policy for Jetty's internal logging and for request logging. Sample logback configuration files are provided below for convenience.

    Code Block
    languagexml
    titlelogback.xml
    collapsetrue
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration scan="true">
        <appender name="jetty" class="ch.qos.logback.core.rolling.RollingFileAppender">
            <File>${jetty.base}/logs/jetty.log</File>
            
            <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
                <FileNamePattern>${jetty.base}/logs/jetty-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
            </rollingPolicy>
    
            <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
                <charset>UTF-8</charset>
                <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
            </encoder>
        </appender>
      
        <root level="INFO">
            <appender-ref ref="jetty" />
        </root>
        <logger name="org.springframework" level="OFF" />
        <logger name="ch.qos.logback" level="WARN" />
    </configuration>
    Code Block
    languagexml
    titlelogback-access.xml
    collapsetrue
    <configuration>
      <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener" />  
      <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>${jetty.base}/logs/access.log</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
          <fileNamePattern>${jetty.base}/logs/access-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
        </rollingPolicy>
        <encoder>
          <pattern>combined</pattern>
        </encoder>
      </appender>
     
      <appender-ref ref="FILE" />
    </configuration>

Temporary Files

By default Jetty uses the JVM temporary directory (normally /tmp) as a staging area for unpacking the war file, and if you have cron jobs sweeping that directory for old files, your IdP can be disrupted. You will probably want to create JETTY_BASE/tmp, writable by the account Jetty runs as, and add the following configuration directive to JETTY_BASE/start.ini:

-Djava.io.tmpdir=tmp

Disable Directory Indexing

Jetty has had vulnerabilities related to directory indexing (sigh), so we suggest disabling that feature at this point. There are a few different ways this can be done (see https://webtide.com/indexing-listing-vulnerability-in-jetty/), but one method that is fairly self-contained within the IdP footprint is to modify web.xml (copy the original from idp.home/dist/webapp/WEB-INF/web.xml to idp.home/edit-webapp/WEB-INF/web.xml and add the servlet definition below) and then rebuild the war file.

Code Block
languagexml
titleweb.xml addition
collapsetrue
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>

You can place it above the existing <servlet> elements in the file. After rebuilding the war, confirm the change took effect by requesting a directory path (for example the webapp root with a trailing slash) and checking that Jetty no longer returns a listing.
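The steps above (logback jars in JETTY_BASE/lib/logging, jetty-requestlog.xml wired to logback-access.xml, java.io.tmpdir moved under JETTY_BASE, and dirAllowed=false in the edited web.xml) are easy to get half right. The following checker is an added example, not code from the Shibboleth IdP project or from Jetty; it assumes the JETTY_BASE layout used on this page and builds a constructed JETTY_BASE in a temporary directory so it runs offline. Point the individual functions at a real JETTY_BASE to audit a deployment.

```python
# Added example (not Shibboleth IdP or Jetty code): offline checks for the hardening
# steps above. Assumes the JETTY_BASE layout used on this page; all input is constructed.
import os
import re
import tempfile
import xml.etree.ElementTree as ET

REQUIRED_JARS = ("slf4j-api", "logback-classic", "logback-core", "logback-access")

# Constructed copies of the two files shown on this page.
REQUESTLOG_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="RequestLog">
    <New id="RequestLog" class="ch.qos.logback.access.jetty.RequestLogImpl">
      <Set name="fileName"><Property name="jetty.base" default="." />/resources/logback-access.xml</Set>
    </New>
  </Set>
</Configure>
"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param><param-name>dirAllowed</param-name><param-value>%s</param-value></init-param>
  </servlet>
</web-app>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the default xmlns that web.xml carries

def _child_text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")

def missing_logging_jars(jetty_base):
    """Required slf4j/logback jars not found in JETTY_BASE/lib/logging."""
    lib = os.path.join(jetty_base, "lib", "logging")
    present = os.listdir(lib) if os.path.isdir(lib) else []
    return [j for j in REQUIRED_JARS
            if not any(f.startswith(j + "-") and f.endswith(".jar") for f in present)]

def requestlog_uses_logback(jetty_base):
    """True if etc/jetty-requestlog.xml points RequestLogImpl at an existing logback-access.xml."""
    path = os.path.join(jetty_base, "etc", "jetty-requestlog.xml")
    if not os.path.isfile(path):
        return False
    for new in ET.parse(path).getroot().iter("New"):
        if new.get("class") != "ch.qos.logback.access.jetty.RequestLogImpl":
            continue
        for s in new.iter("Set"):
            if s.get("name") == "fileName":
                rel = "".join(s.itertext()).strip().lstrip("/")  # text after <Property/>
                return os.path.isfile(os.path.join(jetty_base, rel))
    return False

def tmpdir_inside_base(jetty_base):
    """True if start.ini sets -Djava.io.tmpdir to a directory that exists under JETTY_BASE."""
    ini = os.path.join(jetty_base, "start.ini")
    text = open(ini, encoding="utf-8").read() if os.path.isfile(ini) else ""
    m = re.search(r"^\s*-Djava\.io\.tmpdir=(\S+)", text, re.M)
    return bool(m) and os.path.isdir(os.path.join(jetty_base, m.group(1)))

def dir_listing_disabled(web_xml):
    """True if the 'default' servlet in web.xml sets dirAllowed=false."""
    if not os.path.isfile(web_xml):
        return False
    for servlet in ET.parse(web_xml).getroot().iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-name") != "default":
            continue
        for p in servlet:
            if _local(p.tag) == "init-param" and _child_text(p, "param-name") == "dirAllowed":
                return _child_text(p, "param-value").lower() == "false"
    return False

def build_sample_base(hardened=True):
    """Constructed JETTY_BASE in a temp dir; hardened=False leaves the typical gaps open."""
    base = tempfile.mkdtemp(prefix="jetty_base_")
    for d in ("lib/logging", "etc", "resources", "edit-webapp/WEB-INF"):
        os.makedirs(os.path.join(base, d))
    jars = ["slf4j-api", "logback-classic", "logback-core"] + (["logback-access"] if hardened else [])
    for jar in jars:  # "1.2.3" is a placeholder version string
        open(os.path.join(base, "lib", "logging", jar + "-1.2.3.jar"), "w").close()
    files = {"etc/jetty-requestlog.xml": REQUESTLOG_XML,
             "resources/logback-access.xml": "<configuration/>\n",
             "start.ini": "-Djava.io.tmpdir=tmp\n",
             "edit-webapp/WEB-INF/web.xml": WEB_XML % ("false" if hardened else "true")}
    for rel, body in files.items():
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    if hardened:
        os.mkdir(os.path.join(base, "tmp"))  # the directory must exist, not just be named
    return base

def run_checks(jetty_base):
    """All checks for one JETTY_BASE as a dict of booleans."""
    web_xml = os.path.join(jetty_base, "edit-webapp", "WEB-INF", "web.xml")
    return {"logging_jars": not missing_logging_jars(jetty_base),
            "requestlog": requestlog_uses_logback(jetty_base),
            "tmpdir": tmpdir_inside_base(jetty_base),
            "dir_listing_off": dir_listing_disabled(web_xml)}
```

The tmpdir check deliberately requires the directory to exist: naming a missing tmp in start.ini makes Jetty fail to unpack the war rather than fall back to /tmp. The web.xml parsing strips the namespace because the IdP's web.xml declares a default xmlns, which otherwise makes plain tag lookups silently match nothing.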

Optional Configuration

Supporting SOAP Endpoints

...

Jetty can be configured to consume the X-Forwarded-Proto HTTP header so that, instead of taking the protocol from the connection the load balancer opens to Jetty, it honors the protocol used between the client and the load balancer as communicated in that header. The Proxy / Load Balancer Configuration section of the Jetty documentation provides instruction on the required configuration. Only enable this when the load balancer sets or overwrites the header on every request and is the only party that can reach Jetty; if a client can supply its own X-Forwarded-Proto, a plain HTTP request can be made to look as though it arrived over HTTPS.

...

Supporting X-Forwarded-For

If you are running Jetty behind a proxy or load balancer, Jetty 9.3 has built-in support for picking up the client address and other connection details from headers set by the proxy.

...

Code Block
languagexml
<Set name="outputBufferSize">32768</Set>
<Set name="requestHeaderSize">8192</Set>
<Set name="responseHeaderSize">8192</Set>

<Call name="addCustomizer">
   <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer" /></Arg>
</Call>
The customizer applies whatever the forwarding headers say, so the proxy must overwrite (not append to) X-Forwarded-For, and Jetty should accept connections only from that proxy. If you are using a custom header, you can change the addCustomizer section to specify it. An example is below:

...
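The X-Forwarded-For support above is only as trustworthy as the hop that writes the header. The model below is an added example, not Jetty or Shibboleth code: it contrasts the naive leftmost-value reading of X-Forwarded-For with a reading that walks the header from the right past a configured list of trusted proxies (that list is an assumption of this model, not a Jetty setting). All headers and addresses are constructed.

```python
# Added example (not Jetty or Shibboleth code) showing why the load balancer must
# overwrite X-Forwarded-For. The trusted-proxy list is an assumption of this model,
# not a Jetty setting; all headers and addresses below are constructed.
import ipaddress


def leftmost_xff(xff):
    """Naive reading: the first address in X-Forwarded-For is taken as the client."""
    return xff.split(",")[0].strip() if xff else None


def _is_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def client_ip(xff, peer_addr, trusted_proxies):
    """Hardened reading: walk X-Forwarded-For right to left, skipping trusted proxies.

    The first untrusted hop reached is the client. Anything further left was
    appended by untrusted parties (possibly the client itself) and is ignored.
    If the TCP peer is not a trusted proxy, the header is ignored entirely.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        return _is_ip(addr) and any(ipaddress.ip_address(addr) in n for n in nets)

    if not trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        if not trusted(hop):
            return hop if _is_ip(hop) else peer_addr  # garbage hop: fall back to the peer
    return peer_addr  # header empty or every hop was one of our proxies


# Constructed scenarios: a client at 203.0.113.9 sends a forged header claiming
# 1.2.3.4, and the load balancer at 10.0.0.5 either appends to it or overwrites it.
SCENARIOS = {
    "balancer appends":    ("1.2.3.4, 203.0.113.9", "10.0.0.5"),
    "balancer overwrites": ("203.0.113.9", "10.0.0.5"),
    "no balancer at all":  ("1.2.3.4", "203.0.113.9"),
}


def compare(trusted_proxies=("10.0.0.0/8",)):
    """Return {scenario: (naive_result, hardened_result)} for the constructed cases."""
    return {name: (leftmost_xff(xff), client_ip(xff, peer, trusted_proxies))
            for name, (xff, peer) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:22s} naive={naive:13s} hardened={hardened}")
```

In the "balancer appends" case the naive reading logs and rate-limits against the forged 1.2.3.4 while the hardened reading recovers 203.0.113.9; in the "no balancer" case the hardened reading ignores the header altogether because the peer is not a proxy. The practical consequence for the configuration above is to have the load balancer replace the header and to restrict Jetty's listener to the balancer's addresses.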