Deploying AcuSensor for JAVA - Linux (Wildfly 26.1.1.Final Standalone + WAR file)

The following article shows you how you can run a Java application in Wildfly and then use AcuSensor to run an interactive application security testing (IAST) scan for that application.

🔍 Environment Notes

  • This document was tested running Wildfly on Debian 11 using the default-jdk package
  • This document assumes wildfly is installed in /opt/wildfly, so the variable %JBOSS_HOME% in this document would also mean /opt/wildfly

Step 1: Prepare an Example Application Using Eclipse IDE

PreRequisites

  • Install JAVA
  • Install Eclipse IDE for Enterprise JAVA and Web Developers
  • Install Eclipse Extensions from "Web, XML, Java EE and OSGI Enterprise Development":
  • Eclipse Java EE Developer Tools
  • Eclipse Java Web Developer Tools
  • Eclipse Web Developer Tools
  • JST Server Adapters Extensions (Apache Tomcat)

Create your Application

  • Go to the menu item File → New → Project

  • In the New Project wizard, search for and select the Dynamic Web Project option and click on the Next button

  • Set the Project name field to axexample-java
  • Set the Target runtime field to Apache Tomcat v8.5
  • Set the Dynamic web module version field to 3.1
  • Set the Configuration field to Default Configuration for Apache Tomcat v8.5
  • Click on the Next button

  • In the Java window, leave default settings and click on the Next button

  • In the Web Module window, enable the Generate web.xml option and click the Finish button

  • In the Open Associated Perspective? dialog, click on the No button
  • Expand the axexample-java project
  • Right-click on the src folder
  • Select the New → Other option

  • Highlight the Servlet option
  • Click on the Next > button

  • Set the Java package field to com.mytest.axexample
  • Set the Class name field to axExampleJavaServlet
  • Click on the Finish button
  • Edit the contents of the axExampleJavaServlet.java file to read as follows:

package com.mytest.axexample;

import java.io.IOException;

import java.io.PrintWriter;

import javax.servlet.ServletException;

import javax.servlet.annotation.WebServlet;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

/**

 * Servlet implementation class HelloWorldServlet

 */

@WebServlet("/axExampleJavaServlet")

public class axExampleJavaServlet extends HttpServlet {

        private static final long serialVersionUID = 1L;

       

    /**

     * @see HttpServlet#HttpServlet()

     */

    public axExampleJavaServlet() {

        super();

        // TODO Auto-generated constructor stub

    }

        /**

         * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)

         */

        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

                PrintWriter out = response.getWriter();

                out.print("<html><body><h1>Test JAVA Site Example for Wildfly</h1><br>Welcome to the main page.<br></body></html>");

        }

        /**

         * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)

         */

        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

                // TODO Auto-generated method stub

                doGet(request, response);

        }

}

  • Expand the axexample-java project, right click on the axexample-java/src/main/webapp folder, and select the New → File option

  • Set the filename to index.html and click on the Finish button
  • Edit the contents of the index.html file to read as follows:

<html>

  <head>

    <title>Test JAVA Site Example for Wildfly</title>

  </head>

  <body>

    <h1>Test JAVA Site Example for Wildfly</h1><br/><br/>

    <a href="axExampleJavaServlet">Click here to invoke servlet</a>

  </body>

</html>

  • Make sure that the changes to both new files are saved
  • Right-click on the axexample-java project, click on the Export… option, search for the WAR file option, and select it

  • Click on the Next > button and select a Destination for your exported WAR file

  • Ensure that the filename for your export file is axexample-java.war
  • Click on the Finish button

Step 2: Prepare AcuSensor for Java

We will deploy the test application to the following URL: http://wildfly-backend-proto.invicti.site:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment)

  • Create a new target for your URL
  • Download AcuSensor for Java from the Acunetix UI and retain the AcuSensor.jar file for the next step

Step 3: Prepare a folder for the AspectJWeaver component

On the Wildfly machine:

Step 4: Deploy AcuSensor and required components

On the Wildfly machine:

  • Create a folder %JBOSS_HOME%/modules/system/layers/base/com/invicti
  • Create a folder %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor
  • Create a folder %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main
  • Copy your AcuSensor.jar file into %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main/acusensor.jar (note lowercase to avoid issues with case sensitivity)
  • Using a text editor, create a file %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main/module.xml
  • Edit the contents of the %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main/module.xml file to read as follows:

<?xml version="1.0" encoding="UTF-8"?>

<module name="com.invicti.sensor" xmlns="urn:jboss:module:1.9">

  <resources>

    <resource-root path="acusensor.jar"/>

    <resource-root path="aspectjrt-1.9.7.jar"/>

  </resources>

  <dependencies>

    <module name="javax.api"/>

    <module name="javax.servlet.api"/>

    <module name="java.logging"/>

    <module name="org.jboss.modules"/>

  </dependencies>

</module>

cp /opt/wildfly/standalone/configuration/standalone.xml /opt/wildfly/standalone/configuration/standalone-invicti.xml

  • Using a text editor, edit the contents of the %JBOSS_HOME%/standalone/configuration/standalone-invicti.xml file by adding the highlighted lines below immediately below the line <subsystem xmlns="urn:jboss:domain:ee:6.0">:

...

...

        </subsystem>

        <subsystem xmlns="urn:jboss:domain:ee:6.0">

            <global-modules>

                <module name="com.invicti.sensor" slot="main"/>

            </global-modules>

            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>

            <concurrent>

...

...

  • Edit the contents of the %JBOSS_HOME%/bin/standalone.conf file and add the following to the bottom of the file:

# *** Acusensor settings

JAVA_OPTS="$JAVA_OPTS -Dacusensor.debug.log=ON"

MODULE_OPTS="-javaagent:/aspectjweaver/aspectjweaver-1.9.7.jar"

Step 5: Deploy your application

  • Copy your axexample-java.war file into the %JBOSS_HOME%/standalone/deployments folder

Step 6: Start your Wildfly server

Option 1 - Launch Wildfly manually

  • From the terminal, launch wildfly specifying the custom config file created earlier:

admin@ip-172-27-240-198:~$ sudo /opt/wildfly/bin/standalone.sh --server-config=standalone-invicti.xml

=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/wildfly

  JAVA: java

  JAVA_OPTS: -javaagent:"/opt/wildfly/jboss-modules.jar"  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dacusensor.debug.log=ON  --add-exports=java.desktop/sun.awt=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.management/javax.management=ALL-UNNAMED --add-opens=java.naming/javax.naming=ALL-UNNAMED

=========================================================================

...

Option 2 - Use the systemd service launcher

  • Edit the wildfly main configuration file, typically in /etc/wildfly/wildfly.conf and change the WILDFLY_CONFIG and WILDFLY_MODE lines to read as follows:

# The configuration you want to run

WILDFLY_CONFIG=standalone-invicti.xml

# The mode you want to run

WILDFLY_MODE=standalone

...

  • ...and restart the wildfly service with:

sudo systemctl restart wildfly

Test and scan your web application

Point your browser to your web application to confirm it is running as intended; you will get the following:

Finally, run a scan on your target; the Activity panel will confirm that AcuSensor was detected and used for the scan.

 

« Back to the Acunetix Support Page