NOTE: This article shows how to include a jetty.xml file in your ORDS Standalone deployment, so that a user-defined response header is provided with each HTTP response. I'm also requesting that all or some of what you see below make it into our docs. The following article picks up from where this one left off.
NOTE: A Load Balancer or Reverse Proxy can achieve this same result. If your current ORDS deployment consists of either, you may prefer to add header "rules" there instead.
Should you choose to operate ORDS in Standalone mode, you can rely on the Jetty server to provide this header rule. See this section of my latest article for configuring the /etc folder.
Start here
Once you have created the /etc folder, save the following code block as an XML file using an easily recognizable file name.
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="insertHandler">
    <Arg>
      <New class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
        <Get id="Rewrite" name="ruleContainer" />
        <Call name="addRule">
          <Arg>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">*</Set>
              <Set name="name">Strict-Transport-Security</Set>
              <Set name="value">max-age=31536000;includeSubDomains</Set>
            </New>
          </Arg>
        </Call>
      </New>
    </Arg>
  </Call>
</Configure>
In this example, we use jetty-response.xml as the file name. With this file included in the /etc directory, ORDS will "pick up" this configuration setting during runtime.¹
Some details of this file
This jetty-response.xml file makes ORDS Standalone include the Strict-Transport-Security header, with the value max-age=31536000;includeSubDomains, in every response it sends.² In lay terms, this XML file adds a rule to the Jetty server that applies to every request (denoted by the * pattern) and sets a response header named Strict-Transport-Security whose value is made up of two directives:
- max-age=31536000; tells the browser to remember, for one year (31,536,000 seconds), that this host must only be reached over HTTPS
- includeSubDomains extends that policy to every subdomain of the host
Two caveats worth checking before you deploy this: a browser only honours Strict-Transport-Security when the response arrives over HTTPS, so the header is inert if ORDS Standalone is serving plain HTTP; and includeSubDomains means that any subdomain still served only over plain HTTP will be forced to HTTPS (and fail) in that browser for the whole max-age, so confirm every subdomain supports HTTPS first.
To illustrate this behavior, consider the following curl command and subsequent response. A request is sent to a resource (in this case /departments_json) and the subsequent ORDS response includes:
- a JSON payload
- the typical/standard headers, and
- the additional header indicated in the jetty-response.xml file
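To confirm the header actually reaches the client, and that a browser would honour it, here is an added Python check that is not code from the original post nor from ORDS or Jetty. It takes the raw response head (for example the output of curl -sD - -o /dev/null https://host/ords/schema/departments_json; the host name and /ords/schema prefix are assumptions) and evaluates the Strict-Transport-Security value the way RFC 6797 says a browser does: the header is ignored entirely when it was not received over TLS, only the first STS header is processed, max-age is mandatory, max-age=0 withdraws the policy, and a malformed or duplicated directive invalidates the whole header. The sample responses embedded below are constructed, not captured from a real ORDS instance.

```python
"""Evaluate a Strict-Transport-Security header as a browser would (RFC 6797).

Added example, not part of the original post or of ORDS/Jetty. Pipe in the
head of a real response, e.g.
    curl -sD - -o /dev/null https://host/ords/schema/departments_json | python3 hsts_check.py
(host name, path prefix and script name are assumptions).
"""
import re
import sys

ONE_YEAR = 31536000  # seconds; the max-age the post's jetty-response.xml sets

# One STS directive: a token name, optionally "=" and a token or quoted string.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s";]*)))?\s*$')


def parse_hsts(value):
    """Split an STS field value into {directive_name_lower: value_or_None}.

    Raises ValueError for a malformed or duplicated directive; a conforming
    browser treats such a header as invalid and ignores it completely.
    """
    directives = {}
    for token in value.split(";"):
        if not token.strip():
            continue  # tolerate a trailing ';' as browsers do
        m = _DIRECTIVE.match(token)
        if not m:
            raise ValueError(f"malformed directive {token.strip()!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives


def header_values(raw_headers, name):
    """Return every value of header `name` (case-insensitive) in a raw response head."""
    values = []
    for line in raw_headers.splitlines():
        if ":" not in line:
            continue  # status line or the blank line ending the head
        key, _, val = line.partition(":")
        if key.strip().lower() == name.lower():
            values.append(val.strip())
    return values


def check_hsts(raw_headers, over_tls=True, min_age=ONE_YEAR):
    """Decide whether a browser would enforce the HSTS policy in this response.

    Returns (enforced, findings). `findings` lists every reason the policy is
    weaker than intended or would be ignored outright.
    """
    findings = []
    values = header_values(raw_headers, "Strict-Transport-Security")
    if not values:
        return False, ["no Strict-Transport-Security header in the response"]
    if len(values) > 1:
        # RFC 6797 §8.1: only the first STS header field is processed.
        findings.append(f"{len(values)} STS headers present; browsers honour only the first")
    if not over_tls:
        # RFC 6797 §8.1: an STS header received over plain HTTP is ignored.
        return False, ["response was not delivered over TLS, so the header is ignored"] + findings
    try:
        d = parse_hsts(values[0])
    except ValueError as e:
        return False, [f"invalid header value: {e}"] + findings
    if "max-age" not in d:
        return False, ["max-age directive is required but missing"] + findings
    if d["max-age"] is None or not d["max-age"].isdigit():
        return False, [f"max-age must be a non-negative integer, got {d['max-age']!r}"] + findings
    age = int(d["max-age"])
    if age == 0:
        return False, ["max-age=0 tells the browser to forget the policy"] + findings
    if age < min_age:
        findings.append(f"max-age={age} is shorter than {min_age} seconds")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains stay reachable over plain HTTP")
    return True, findings


# Constructed sample: the head ORDS Standalone would send once jetty-response.xml
# is in place (body omitted). Not captured from a real instance.
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    "\r\n"
)

# Constructed sample with a digit dropped from max-age (about 36 days instead of a year).
SAMPLE_SHORT = SAMPLE_GOOD.replace("31536000", "3153600")

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GOOD
    enforced, problems = check_hsts(raw)
    print("enforced" if enforced else "NOT enforced", problems)
```

The over_tls flag exists because the raw response head does not record the transport: pass False when you fetched it over plain http:// so the check reports the header as ignored rather than as a working policy.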
And that’s it, you’ve yet again customized the Jetty server (that is responsible for ORDS Standalone)!
That’s it for now
Similar to the Jetty Access Log example, these XML files can be a quick and easy way to introduce additional functionality into your ORDS Standalone deployment. What else can you imagine? Take a look at the Jetty APIs for inspiration. Did you know you can extend ORDS with plugins, too?
And of course, obligatory ORDS resources: Download ORDS | Oracle ORDS forum | ORDS Docs | ORDS playlist
Follow
And don’t forget to follow, like, subscribe, share, taunt, troll, or stalk me!
Footnotes
- ¹ What the hell is runtime? Having no formal education in software engineering, my understanding is that runtime has to do with the execution of a program. Runtime relates to the initial and continued execution of the program. In the case of these XML files, the instructions therein are not formally part of the Jetty server but are included in the instructions when you issue the ords serve command. Doing so effectively starts up the Jetty web server. Jetty then recognizes there are files in the /etc folder and includes them when it enters into "runtime" or the "runtime environment." This Wikipedia post is a great place to start. But I certainly wouldn't use that as the "official" definition. This stackoverflow thread is extremely helpful as well. ↩︎
- ² Strict-Transport-Security (about this header) is a response header. It tells the browser that the ORDS resources on this host must only be accessed over HTTPS. You've probably seen * used in the ORDS documentation. In this case, the <Set name="pattern">*</Set> line in the XML file uses * as a wildcard (i.e., I interpret this as "apply this rule to everything and anything"). The <Set name="value">max-age=31536000;includeSubDomains</Set> line includes the "directives" max-age=31536000; and includeSubDomains. An example of a subdomain would be en.wikipedia.org, where en (English language) is a subdomain of wikipedia.org; more details here. ↩︎