OWASP AppSensor - Deploying Java Back-end API

Question

I want to use the AppSensor framework in order to add Intrusion Detection and Automated Response to my C# web application.

But I'm not sure how to get the AppSensor API running so I can access it from my C# application via RESTful .

Let me first tell you that I'm not too familiair with Java/Maven/Gradle, but I do know how to access a REST API from C#.

I tried to followed the Getting Started page and downloaded the AppSensor project from GitHub via the Git Bash command line: git clone https://github.com/jtmelton/appsensor.git .

Then I navigate to the AppSensor Directory (on my computer) via Git Bash: cd appsensor

After I'm in the AppSensor directory, I install the multi-module parent by: mvn -N install

After it's done installing it tells me that the build is a success and then I decide to run the tests with the command: mvn test

And when that's done Git Bash tells me every test went successful. But now I'm kind of stuck in a scense where I don't know what to do next. I want to 'deploy' my AppSensor API so I can use it in my C# application.

Somewhere on the GitHub documentation is says that mvn spring-boot:run should run/deploy an component. However when I'm in the appsensor-parent directory and run this command it gives me this error:

[ERROR] No plugin found for prefix 'spring-boot' in the current project and in the plugin groups [org.apache.maven.plugins, org.codehaus.mojo] available from the repositories [local (C:\Users\dbr\.m2\repository), central (https://repo.maven.apache.org/maven2)] -> [Help 1]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/NoPluginFoundForPrefixException

I did a little research and found out that the command mvn deploy should deploy the components? But when I enter the deploy command it gives me a build error at the first component (appsensor-parent) and stops deploying. It also kindly gives me this error:

[ERROR] Failed to execute goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.3:deploy (injected-nexus-deploy) on project appsensor-parent: Execution injected-nexus-deploy of goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.3:deploy failed: Server credentials with ID "ossrh" not found! -> [Help 1]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException

I have also tried only putting the components I need (AppSensor Core, Analysis Engine, Storage, Configuration, Access Controllers, REST Client, REST Server) into a single folder. And then attempting to deploy it by changing the POM.XML file so that only these components are in the <modules>...</modules> but that also doesn't work for me.

What does work however is the DemoSetup but I have no clue where to find the REST API (through my browser) when running this Demo.

Could anyone help me out by getting the REST API server running so that I can access it through my browser and also with my C# application?

Answer 1

I dug a little deeper into AppSensors GitHub page and found out that I should be able to reach the API, by deploying the AppSensor WS Rest Server from: /example-apps/appsensor-ws-rest-server-boot

I deployed it by inserting the following commands into Git Bash:

cd appsensor
cd sample-apps
cd appsensor-ws-rest-server-boot
mvn spring-boot:run

I was then able to reach the API from my browser by going to http://localhost:8085/api/v1.0/responses

One I was on the page it gave me this notification:

Page requires sending configured client application identification header.

So all seems to be good but when I refresh the page, the entire page becomes white and Git Bash gives me this error:

09:22:15.473 [http-nio-8085-exec-3] ERROR o.g.j.s.ServerRuntime$Responder - An I/O error has occurred while writing a response message entity to the container output stream.
java.lang.IllegalStateException: The output stream has already been closed.
        at org.glassfish.jersey.message.internal.CommittingOutputStream.setStreamProvider(CommittingOutputStream.java:146) ~[jersey-common-2.14.jar:na]
        at org.glassfish.jersey.message.internal.OutboundMessageContext.setStreamProvider(OutboundMessageContext.java:798) ~[jersey-common-2.14.jar:na]
        at org.glassfish.jersey.server.ContainerResponse.setStreamProvider(ContainerResponse.java:372) ~[jersey-server-2.14.jar:na]
        at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:606) [jersey-server-2.14.jar:na]
        at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:377) [jersey-server-2.14.jar:na]
        at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:420) [jersey-server-2.14.jar:na]
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277) [jersey-server-2.14.jar:na]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [jersey-common-2.14.jar:na]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [jersey-common-2.14.jar:na]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [jersey-common-2.14.jar:na]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [jersey-common-2.14.jar:na]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [jersey-common-2.14.jar:na]
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:297) [jersey-common-2.14.jar:na]
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:254) [jersey-server-2.14.jar:na]
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1030) [jersey-server-2.14.jar:na]
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:377) [jersey-container-servlet-core-2.14.jar:na]
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:381) [jersey-container-servlet-core-2.14.jar:na]
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:344) [jersey-container-servlet-core-2.14.jar:na]
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:221) [jersey-container-servlet-core-2.14.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-embed-websocket-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.1.7.RELEASE.jar:4.1.7.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.1.7.RELEASE.jar:4.1.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85) [spring-web-4.1.7.RELEASE.jar:4.1.7.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.1.7.RELEASE.jar:4.1.7.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:673) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1526) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1482) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_144]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_144]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.26.jar:8.0.26]
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_144]

However when I use the Google Chromes Advanced REST client extension and navigate to the API it gives me a 200 OK . Which should mean that it does work and the error occurs because its empty?

Answer 2

So after getting some help from the Developers of AppSensor (huge shout out to John Melton), I was able to access the API properly.

All I needed to do was add X-Appsensor-Client-Application-Name2: myclientapp in the Request Header of the Client that was going to use the API.

When you add this to the header of your request it will spit out the information you asked for from the Rest Server. I was even able to implement this into my C# Rest Client and it gave me the right information!