Deploying AcuSensor for JAVA - Windows (JBOSS 7.4 Standalone + WAR File)
The following article shows you how you can run a Java application in JBOSS and then use AcuSensor to run an interactive application security testing (IAST) scan for that application.
🔍 Environment Notes |
|
PreRequisites
- Install JAVA
- Install Eclipse IDE for Enterprise JAVA and Web Developers
- Install Eclipse Extensions from "Web, XML, Java EE and OSGI Enterprise Development":
- Eclipse Java EE Developer Tools
- Eclipse Java Web Developer Tools
- Eclipse Web Developer Tools
- JST Server Adapters Extensions (Apache Tomcat)
Step 1: Prepare an Example Application Using Eclipse IDE
- Go to the menu item File → New → Project
- In the New Project wizard, search for and select the Dynamic Web Project option and click on the Next button
- Set the Project name field to axexample-java
- Set the Target runtime field to Apache Tomcat v8.5
- Set the Dynamic web module version field to 3.1
- Set the Configuration field to Default Configuration for Apache Tomcat v8.5
- Click on the Next button
- In the Java window, leave default settings and click on the Next button
- In the Web Module window, enable the Generate web.xml option and click the Finish button
- In the Open Associated Perspective? dialog, click on the No button
- Expand the axexample-java project
- Right-click on the src folder
- Select the New → Other option
- Highlight the Servlet option
- Click on the Next > button
- Set the Java package field to com.mytest.axexample
- Set the Class name field to axExampleJavaServlet
- Click on the Finish button
- Edit the contents of the axExampleJavaServlet.java file to read as follows:
package com.mytest.axexample; import java.io.IOException; import java.io.PrintWriter; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * Servlet implementation class HelloWorldServlet */ @WebServlet("/axExampleJavaServlet") public class axExampleJavaServlet extends HttpServlet { private static final long serialVersionUID = 1L;
/** * @see HttpServlet#HttpServlet() */ public axExampleJavaServlet() { super(); // TODO Auto-generated constructor stub } /** * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) */ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { PrintWriter out = response.getWriter(); out.print("<html><body><h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br>Welcome to the main page.<br></body></html>"); } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub doGet(request, response); } } |
- Expand the axexample-java project, right click on the axexample-java/src/main/webapp folder, and select the New → File option
- Set the filename to index.html and click on the Finish button
- Edit the contents of the index.html file to read as follows:
<head> <title>Test JAVA Site Example for AWS Elastic Beanstalk</title> </head> <body> <h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br/><br/> <a href="axExampleJavaServlet">Click here to invoke servlet</a> </body> </html> |
- Make sure that the changes to both new files are saved
- Right-click on the axexample-java project, click on the Export… option, search for the WAR file option, and select it
- Click on the Next > button and select a Destination for your exported WAR file
- Ensure that the filename for your export file is axexample-java.war
- Click on the Finish button
Step 2: Prepare AcuSensor for Java
We will deploy the test application to the following URL: http://127.0.0.1:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment)
- Create a new target for your URL
- Download AcuSensor for Java from the Acunetix UI and retain the AcuSensor.jar file for the next step
Step 3: Prepare a folder for the AspectJWeaver component
- Create a folder C:\aspectjweaver
- Download AspectJWeaver from https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.7/aspectjweaver-1.9.7.jar
- Copy the downloaded file into C:\aspectjweaver\aspectjweaver-1.9.7.jar
Step 4: Deploy AcuSensor and required components
- Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti
- Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor
- Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
- Copy your AcuSensor.jar file into %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
- Using a text editor, create a file %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main\module.xml
- Edit the contents of the %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main\module.xml file to read as follows:
<?xml version="1.0" encoding="UTF-8"?> <module name="com.invicti.sensor" xmlns="urn:jboss:module:1.9"> <resources> <resource-root path="acusensor.jar"/> <resource-root path="aspectjrt-1.9.7.jar"/> </resources> <dependencies> <module name="javax.api"/> <module name="javax.servlet.api"/> <module name="java.logging"/> <module name="org.jboss.modules"/> </dependencies> </module> |
- Download AspectJRT from https://repo1.maven.org/maven2/org/aspectj/aspectjrt/1.9.7/aspectjrt-1.9.7.jar
- Copy the aspectjrt-1.9.7.jar file into %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
- Prepare a custom configuration for AcuSensor integration:
C:\Users\default.user> cd C:\jboss\standalone\configuration C:\jboss\standalone\configuration> copy standalone.xml standalone-invicti.xml 1 file(s) copied. C:\jboss\standalone\configuration> |
- Using a text editor, edit the contents of the %JBOSS_HOME%\standalone\configuration\standalone-invicti.xml file by adding the highlighted lines below immediately below the line <subsystem xmlns="urn:jboss:domain:ee:6.0">:
... ... </subsystem> <subsystem xmlns="urn:jboss:domain:ee:6.0"> <global-modules> <module name="com.invicti.sensor" slot="main"/> </global-modules> <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement> <concurrent> ... ... |
- Edit the contents of the %JBOSS_HOME%\bin\standalone.conf.bat file and add the following to the bottom of the file:
rem *** Acusensor settings set "JAVA_OPTS=%JAVA_OPTS% -Dacusensor.debug.log=ON" set "MODULE_OPTS=-javaagent:C:\aspectjweaver\aspectjweaver-1.9.7.jar" |
Step 5: Deploy your application
- Copy your axexample-java.war file into the %JBOSS_HOME%\standalone\deployments folder
Step 6: Start your JBOSS server
- From the command line, navigate to your %JBOSS_HOME%\bin folder, and launch JBOSS specifying the custom config file created earlier:
C:\Users\default.user> cd C:\jboss\bin C:\jboss\bin>standalone --server-config=standalone-invicti.xml Calling "C:\jboss\bin\standalone.conf.bat" Setting JAVA property to "C:\Program Files\Java\jdk1.8.0_241\\bin\java" =============================================================================== JBoss Bootstrap Environment JBOSS_HOME: "C:\jboss" JAVA: "C:\Program Files\Java\jdk1.8.0_241\\bin\java" JAVA_OPTS: "-javaagent:"C:\jboss\jboss-modules.jar" -Dprogram.name=standalone.bat -Xms1G -Xmx1G -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Dacusensor.debug.log=ON -verbose:gc -Xloggc:"C:\jboss\standalone\log\gc.log" -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading " =============================================================================== ... |
Test and scan your web application
Point your browser to your web application to confirm it is running as intended; you will get the following:
Finally, run a scan on your target; the Activity panel will confirm that AcuSensor was detected and used for the scan.