Installing the Java Module as a Servlet Filter

  Last updated 2024-10-29

IMPORTANT

This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.

Requirements

  • A Servlet 3.x compliant Java servlet container (e.g., Tomcat 7.0.x.+, Jetty 9+, GlassFish 3.0+).

Supported Application Types

The Next-Gen WAF Java servlet filter module can be deployed to a variety of Servlet 3.0+ Java application servers (e.g., Apache Tomcat, Jetty, Glassfish, Resin).

The module is compatible with application servers deployed on both Linux and Windows servers running the Next-Gen WAF agent.

Agent Configuration

Like other Next-Gen WAF modules, the servlet filter supports both Unix domain sockets and TCP sockets for communication with the Next-Gen WAF agent. By default, the agent uses Unix domain sockets with the address set to unix:/var/run/sigsci.sock. It is possible to override this or specify a TCP socket instead by configuring the rpc-address parameter in the Agent.

Additionally, ensure the agent is configured to use the default RPC version: rpc-version=0. This can be done by verifying the parameter rpc-version is not specified in the agent configuration or if it is specified, ensure that is specified with a value of 0. Below is an example Agent configuration that overrides the default Unix domain socket value:

1
2
3
accesskeyid = "YOUR AGENT ACCESSKEYID"
secretaccesskey = "YOUR AGENT SECRETACCESSKEY"
rpc-address = "127.0.0.1:9999"

Download

Download the Next-Gen WAF Java module manually or access it with Maven.

Access with Maven

For projects using Maven for build or deployment, the latest version of Next-Gen WAF Java modules can be installed by adding XML to the project pom.xml file. For example:

1
2
3
4
5
6
7
8
9
10
11
12
<repositories>
   <repository>
      <id>sigsci-stable</id>
      <url>https://packages.signalsciences.net/release/maven2</url>
   </repository>
</repositories>


<dependency>
   <groupId>com.signalsciences</groupId>
   <artifactId>sigsci-module-java</artifactId>
   <version>LATEST_MODULE_VERSION</version>
</dependency>

Be sure to replace LATEST_MODULE_VERSION with the latest release of the Java module. You can find the latest version in our version file at https://dl.signalsciences.net/sigsci-module-java/VERSION.

Download manually

If you aren't using Maven to build or deploy your Java projects, follow these steps to manually download the Next-Gen WAF Java module:

  1. Download the Java module archive from https://dl.signalsciences.net/sigsci-module-java/sigsci-module-java_latest.tar.gz.

  2. Extract sigsci-module-java_latest.tar.gz.

  3. Deploy the jars using one of the following options:

    • Copy sigsci-module-java-{version}-shaded.jar (an uber jar with all the dependencies bundled) to your application’s classpath (e.g., %CATALINA_HOME%\webbapps\<APP_FOLDER>\WEB-INF\lib).
    • Copy sigsci-module-java-{version}.jar and its dependencies in the lib folder to your application’s classpath (e.g., %CATALINA_HOME%\webbapps\<APP_FOLDER>\WEB-INF\lib). If you already have any of the dependency jar files in your application classpath folder (i.e., for Tomcat in the WEB-INF\lib) then it is not necessary to copy them, even if the version numbers are different. The logging jars are optional based on how slf4j is configured.
    NOTE

    If you want coverage across all web applications in your Application Server instance, the jar files must be placed in the server classpath. For example, in Tomcat that would be %CATALINA_HOME%/lib.

Installation

  1. Determine the appropriate filter-class for your installation:

    • For systems using Jakarta EE (Servlet API 5+):

      <filter-class>com.signalsciences.jakartafilter.SigSciFilter</filter-class>

    • For Java EE:

      <filter-class>com.signalsciences.servlet.filter.SigSciFilter</filter-class>
    NOTE

    Failure to specify the appropriate servlet API may result in errors such as package javax.servlet.x does not exist.

    Example minimal configuration using the Java EE servlet filter class:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    <web-app>
       <filter>
          <filter-name>SigSciFilter</filter-name>
          <filter-class>com.signalsciences.servlet.filter.SigSciFilter</filter-class>
          <async-supported>true</async-supported>
          <init-param>
             <param-name>rpcServerURI</param-name>
             <param-value>unix:/var/run/sigsci.sock</param-value>
          </init-param>
          <init-param>
             <param-name>expectedContentTypes</param-name>
             <param-value>application/x-java-serialized-object</param-value>
          </init-param>
          <init-param>
             <param-name>extendContentTypes</param-name>
             <param-value>true</param-value>
          </init-param>
       </filter>
       <filter-mapping>
          <filter-name>SigSciFilter</filter-name>
          <url-pattern>/*</url-pattern>
       </filter-mapping>
    </web-app>
    NOTE

    The filter supports the use of either Unix domain sockets or TCP sockets for the rpcServerURI parameter. Ensure that the value specified here matches the address specified in your Agent configuration to avoid communication failures. The module configuration below provides more details.

  2. Restart the Application Server.

Module Configuration

OptionDefaultDescription
rpcServerURIRequired, tcp://127.0.0.1:9999The Unix domain socket or TCP connection to communicate with the agent. Use the appropriate prefix to specify either Unix Domain Sockets or a TCP connection: unix:/<file path> or tcp://<host>:<port>
rpcTimeoutRequired, 300msThe timeout in milliseconds that the RPC client waits for a response back from the agent.
maxResponseTimeOptional, no defaultThe maximum time in seconds that the server response time will be evaluated against (i.e. to see if it exceeds this value) to determine if the module should send a post request to the agent.
maxResponseSizeOptional, no defaultThe maximum size in bytes that the server response size will be evaluated against (i.e. to see if it exceeds this value) to determine if the module should send a post request to the agent.
maxPostOptional, no defaultThe maximum POST body size in bytes that can be sent to the Next-Gen WAF agent. For any POST body size exceeding this limit, the module will not send the request to the agent for detection.
asyncStartFixOptional, falseThis can be set to true to workaround missing request body when handling requests asynchronously in servlets.
altResponseCodesOptional, no defaultSpace separated alternative agent response codes used to block the request in addition to 406. For example "403 429 503".
excludeCidrBlockOptional, no defaultA comma-delimited list of CIDR blocks or specific IP addresses to be excluded from filter processing.
excludeIpRangeOptional, no defaultA comma-delimited list of IP ranges or specific IP addresses to be excluded from filter processing.
excludePathOptional, no defaultA comma-delimited list of paths to be excluded from filter processing. If the URL starts with the specified value it will be excluded. Matching is case-insensitive.
excludeHostOptional, no defaultA comma-delimited list of host names to be excluded from filter processing. Matching is case-insensitive.
multipartParsingEnabledOptional, falseA boolean option that should be set to true if the servlet is annotated with MultipartConfig or if the configuration in web.xml contains <multipart-config>.
multipartFileSizeThresholdOptional, no defaultThe maximum number of bytes that can be uploaded and stored on disk. This option must be used in conjunction with the multipartParsingEnabled option.
extendContentTypesOptional, falseThis can be set to true to enable extended content inspection.

Example configuration

The configuration shown here provides an example using all the parameters noted earlier in this guide:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<!-- Signal Sciences Filter -->
   <web-app>
      <filter>
         <filter-name>SigSciFilter</filter-name>
         <filter-class>com.signalsciences.servlet.filter.SigSciFilter</filter-class>
         <async-supported>true</async-supported>
         <init-param>
            <param-name>rpcServerURI</param-name>
            <param-value>unix:/var/run/sigsci.sock</param-value>
         </init-param>
         <init-param>
            <param-name>expectedContentTypes</param-name>
            <param-value>application/x-java-serialized-object</param-value>
         </init-param>
         <init-param>
            <param-name>excludeIpRange</param-name>
            <param-value>192.168.0.1-192.168.0.5,192.169.0.10-192.169.0.12,193.168.0.1,192.168.10.1-192.168.10.5,192.168.10.7</param-value>
         </init-param>
         <init-param>
            <param-name>excludeCidrBlock</param-name>
            <param-value>192.168.14.0/24,193.165.0.0/28,192.168.11.0/24</param-value>
         </init-param>
         <init-param>
            <param-name>excludePath</param-name>
            <param-value>/test/exit,/hello,/bonus</param-value>
         </init-param>
         <init-param>
            <param-name>excludeHost</param-name>
            <param-value>localhost,127.0.0.2</param-value>
         </init-param>
         <init-param>
            <param-name>extendContentTypes</param-name>
            <param-value>true</param-value>
         </init-param>
      </filter>
      <filter-mapping>
         <filter-name>SigSciFilter</filter-name>
         <url-pattern>/*</url-pattern>
         </filter-mapping>
   </web-app>
   <!-- end Signal Sciences Filter -->
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Fastly
© Fastly 2024