Deploying AcuSensor for JAVA - Linux (Wildfly 26.1.1.Final Standalone + WAR file)
The following article shows you how you can run a Java application in Wildfly and then use AcuSensor to run an interactive application security testing (IAST) scan for that application.
Step 1: Prepare an Example Application Using Eclipse IDE
PreRequisites
- Install JAVA
- Install Eclipse IDE for Enterprise JAVA and Web Developers
- Install Eclipse Extensions from "Web, XML, Java EE and OSGI Enterprise Development":
- Eclipse Java EE Developer Tools
- Eclipse Java Web Developer Tools
- Eclipse Web Developer Tools
- JST Server Adapters Extensions (Apache Tomcat)
Create your Application
- Go to the menu item File → New → Project
- In the New Project wizard, search for and select the Dynamic Web Project option and click on the Next button
- Set the Project name field to axexample-java
- Set the Target runtime field to Apache Tomcat v8.5
- Set the Dynamic web module version field to 3.1
- Set the Configuration field to Default Configuration for Apache Tomcat v8.5
- Click on the Next button
- In the Java window, leave default settings and click on the Next button
- In the Web Module window, enable the Generate web.xml option and click the Finish button
- In the Open Associated Perspective? dialog, click on the No button
- Expand the axexample-java project
- Right-click on the src folder
- Select the New → Other option
- Highlight the Servlet option
- Click on the Next > button
- Set the Java package field to com.mytest.axexample
- Set the Class name field to axExampleJavaServlet
- Click on the Finish button
- Edit the contents of the axExampleJavaServlet.java file to read as follows:
package com.mytest.axexample;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class HelloWorldServlet
 */
@WebServlet("/axExampleJavaServlet")
public class axExampleJavaServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#HttpServlet()
     */
    public axExampleJavaServlet() {
        super();
        // TODO Auto-generated constructor stub
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.print("<html><body><h1>Test JAVA Site Example for Wildfly</h1><br>Welcome to the main page.<br></body></html>");
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // TODO Auto-generated method stub
        doGet(request, response);
    }
}
- Expand the axexample-java project, right click on the axexample-java/src/main/webapp folder, and select the New → File option
- Set the filename to index.html and click on the Finish button
- Edit the contents of the index.html file to read as follows:
<html>
<head>
<title>Test JAVA Site Example for Wildfly</title>
</head>
<body>
<h1>Test JAVA Site Example for Wildfly</h1><br/><br/>
<a href="axExampleJavaServlet">Click here to invoke servlet</a>
</body>
</html>
- Make sure that the changes to both new files are saved
- Right-click on the axexample-java project, click on the Export… option, search for the WAR file option, and select it
- Click on the Next > button and select a Destination for your exported WAR file
- Ensure that the filename for your export file is axexample-java.war
- Click on the Finish button
Step 2: Prepare AcuSensor for Java
We will deploy the test application to the following URL: http://wildfly-backend-proto.invicti.site:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment)
- Create a new target for your URL
- Download AcuSensor for Java from the Acunetix UI and retain the AcuSensor.jar file for the next step
Step 3: Prepare a folder for the AspectJWeaver component
On the Wildfly machine:
- Create a root folder /aspectjweaver
- Download AspectJWeaver from https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.7/aspectjweaver-1.9.7.jar
- Copy the downloaded file into /aspectjweaver/aspectjweaver-1.9.7.jar
Step 4: Deploy AcuSensor and required components
On the Wildfly machine:
- Create a folder %JBOSS_HOME%/modules/system/layers/base/com/invicti
- Create a folder %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor
- Create a folder %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main
- Copy your AcuSensor.jar file into %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main/acusensor.jar (note lowercase to avoid issues with case sensitivity)
- Using a text editor, create a file %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main/module.xml
- Edit the contents of the %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main/module.xml file to read as follows:
<?xml version="1.0" encoding="UTF-8"?>
<module name="com.invicti.sensor" xmlns="urn:jboss:module:1.9">
    <resources>
        <resource-root path="acusensor.jar"/>
        <resource-root path="aspectjrt-1.9.7.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.servlet.api"/>
        <module name="java.logging"/>
        <module name="org.jboss.modules"/>
    </dependencies>
</module>
- Download AspectJRT from https://repo1.maven.org/maven2/org/aspectj/aspectjrt/1.9.7/aspectjrt-1.9.7.jar
- Copy the aspectjrt-1.9.7.jar file into %JBOSS_HOME%/modules/system/layers/base/com/invicti/sensor/main
- Prepare a custom configuration for AcuSensor integration:
cp /opt/wildfly/standalone/configuration/standalone.xml /opt/wildfly/standalone/configuration/standalone-invicti.xml
- Using a text editor, edit the %JBOSS_HOME%/standalone/configuration/standalone-invicti.xml file and add the <global-modules> element shown below immediately after the line <subsystem xmlns="urn:jboss:domain:ee:6.0"> (the surrounding lines are shown for context only):
...
...
</subsystem>
<subsystem xmlns="urn:jboss:domain:ee:6.0">
    <global-modules>
        <module name="com.invicti.sensor" slot="main"/>
    </global-modules>
    <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
    <concurrent>
...
...
- Edit the contents of the %JBOSS_HOME%/bin/standalone.conf file and add the following to the bottom of the file:
# *** Acusensor settings
JAVA_OPTS="$JAVA_OPTS -Dacusensor.debug.log=ON"
MODULE_OPTS="-javaagent:/aspectjweaver/aspectjweaver-1.9.7.jar"
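The module layout, the module.xml, the standalone-invicti.xml edit and the standalone.conf additions from Steps 3 and 4 are four small file operations that are easy to get subtly wrong by hand (wrong jar name case, the global module inserted under the wrong subsystem, the agent line appended twice). The script below is an added example, not Invicti's or WildFly's own tooling: it performs the same edits from a POSIX shell and then checks that every artifact the article relies on is in place before you start the server. It assumes JBOSS_HOME is the WildFly root (for example /opt/wildfly), that AcuSensor.jar, aspectjrt-1.9.7.jar and aspectjweaver-1.9.7.jar have already been downloaded to paths you pass in, and that the lines to add to standalone-invicti.xml are the <global-modules> element; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Invicti/WildFly code): automate the Step 3-4 edits on Linux.
# Assumptions: $1 is the WildFly root (JBOSS_HOME); jars are already downloaded.
set -eu

MODULE_DIR_REL="modules/system/layers/base/com/invicti/sensor/main"

# Install the JBoss module: copy the jars (lowercase acusensor.jar, as the
# article notes for case sensitivity) and write the article's module.xml.
install_sensor_module() {
    jboss_home="$1"; sensor_jar="$2"; aspectjrt_jar="$3"
    mod_dir="$jboss_home/$MODULE_DIR_REL"
    mkdir -p "$mod_dir"
    cp "$sensor_jar" "$mod_dir/acusensor.jar"
    cp "$aspectjrt_jar" "$mod_dir/aspectjrt-1.9.7.jar"
    cat > "$mod_dir/module.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<module name="com.invicti.sensor" xmlns="urn:jboss:module:1.9">
    <resources>
        <resource-root path="acusensor.jar"/>
        <resource-root path="aspectjrt-1.9.7.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.servlet.api"/>
        <module name="java.logging"/>
        <module name="org.jboss.modules"/>
    </dependencies>
</module>
EOF
}

# Create standalone-invicti.xml from standalone.xml (only if it does not exist
# yet, so later manual edits survive) and register the sensor as a global
# module directly after the ee subsystem opening tag. Skips the insert when a
# <global-modules> element is already present.
make_sensor_config() {
    jboss_home="$1"
    cfg_dir="$jboss_home/standalone/configuration"
    src="$cfg_dir/standalone.xml"; dst="$cfg_dir/standalone-invicti.xml"
    [ -f "$dst" ] || cp "$src" "$dst"
    grep -q '<global-modules>' "$dst" && return 0
    awk '
        { print }
        /<subsystem xmlns="urn:jboss:domain:ee:6.0">/ && !done {
            print "            <global-modules>"
            print "                <module name=\"com.invicti.sensor\" slot=\"main\"/>"
            print "            </global-modules>"
            done = 1
        }
    ' "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# Append the AcuSensor JVM options to bin/standalone.conf unless already there.
add_sensor_opts() {
    jboss_home="$1"; weaver_jar="$2"
    conf="$jboss_home/bin/standalone.conf"
    grep -q 'acusensor.debug.log' "$conf" 2>/dev/null && return 0
    {
        echo '# *** Acusensor settings'
        echo 'JAVA_OPTS="$JAVA_OPTS -Dacusensor.debug.log=ON"'
        echo "MODULE_OPTS=\"-javaagent:$weaver_jar\""
    } >> "$conf"
}

# Pre-start check: every file and config line the article depends on exists.
# Prints each missing item and returns non-zero if anything is absent.
verify_sensor_install() {
    jboss_home="$1"; weaver_jar="$2"; rc=0
    for f in "$jboss_home/$MODULE_DIR_REL/acusensor.jar" \
             "$jboss_home/$MODULE_DIR_REL/aspectjrt-1.9.7.jar" \
             "$jboss_home/$MODULE_DIR_REL/module.xml" \
             "$weaver_jar"; do
        [ -f "$f" ] || { echo "missing: $f"; rc=1; }
    done
    grep -q 'name="com.invicti.sensor" slot="main"' \
        "$jboss_home/standalone/configuration/standalone-invicti.xml" \
        || { echo "global module not registered in standalone-invicti.xml"; rc=1; }
    grep -qF -- "-javaagent:$weaver_jar" "$jboss_home/bin/standalone.conf" \
        || { echo "aspectjweaver agent missing from standalone.conf"; rc=1; }
    return $rc
}

# Typical invocation on the WildFly machine (paths as in the article):
#   install_sensor_module /opt/wildfly ~/AcuSensor.jar ~/aspectjrt-1.9.7.jar
#   make_sensor_config /opt/wildfly
#   add_sensor_opts /opt/wildfly /aspectjweaver/aspectjweaver-1.9.7.jar
#   verify_sensor_install /opt/wildfly /aspectjweaver/aspectjweaver-1.9.7.jar
```

Run the four functions in that order; verify_sensor_install only confirms the files and config lines are present, it does not validate the jars themselves, so obtain AcuSensor.jar from the Acunetix UI and the AspectJ jars from the Maven Central URLs given above rather than from an unknown mirror.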
Step 5: Deploy your application
- Copy your axexample-java.war file into the %JBOSS_HOME%/standalone/deployments folder
Step 6: Start your Wildfly server
Option 1 - Launch Wildfly manually
- From the terminal, launch Wildfly, specifying the custom config file created earlier:
admin@ip-172-27-240-198:~$ sudo /opt/wildfly/bin/standalone.sh --server-config=standalone-invicti.xml
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/wildfly

  JAVA: java

  JAVA_OPTS: -javaagent:"/opt/wildfly/jboss-modules.jar" -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dacusensor.debug.log=ON --add-exports=java.desktop/sun.awt=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.management/javax.management=ALL-UNNAMED --add-opens=java.naming/javax.naming=ALL-UNNAMED

=========================================================================
...
Option 2 - Use the systemd service launcher
- Edit the wildfly main configuration file, typically in /etc/wildfly/wildfly.conf and change the WILDFLY_CONFIG and WILDFLY_MODE lines to read as follows:
# The configuration you want to run
WILDFLY_CONFIG=standalone-invicti.xml

# The mode you want to run
WILDFLY_MODE=standalone
...
- ...and restart the wildfly service with:
sudo systemctl restart wildfly
Test and scan your web application
Point your browser to your web application to confirm it is running as intended; you should see the index.html page and, after following its link, the servlet's welcome message.
Finally, run a scan on your target; the Activity panel will confirm that AcuSensor was detected and used for the scan.