This article explains why the error java.lang.StringIndexOutOfBoundsException: String index out of range: -1 in the class ServerSideStateHelper in the method getState (313) might be a sign of someone trying to hack your application server. It gets quite technical in here… but bear with me… it’s really interesting. I also break down the actual attack to demonstrate what the attacker was trying to do.
This article demonstrates how inbound requests from a web server (Apache) can be proxied to an application server (WildFly 10) using the Apache JServ Protocol (AJP). For more information on what AJP actually is, take a look at https://en.wikipedia.org/wiki/Apache_JServ_Protocol .
WildFly 10 Configuration
First you have to add an ajp-listener to the undertow subsystem (line 4).
In Java Enterprise, the EJB (Enterprise Java Bean) technology is often used to create the service layer of a J2EE application running in an application server (like GlassFish or WildFly). While accessing these EJB instances is relatively easy from inside the same application (using @EJB annotations for automatic dependency injection), it is sometimes also necessary to call methods on the EJBs from outside the application server.
The Java EE standard provides the “EJB remoting” functionality to do so. In this article I want to show how to access an EJB running in a WildFly application server from a standalone Java application.