
Table of Contents

1 Install Java 8

2 Install WildFly 8.2.0


2.1 Enable SSL
2.2 Database related

3 Setup Spring Tool Suite (STS)

4 Install Maven

5 SpringProject CVS

6 SpringProject Developer Guidelines

7 Datatables

8. Thymeleaf

9. Others:

10. Efileready URL Prefix changes

11. Setting up multiple instances of WildFly Server and controlling from STS

12. JasperSoft Report Designer - JasperStudio 6.1.1

13. Troubleshooting for SSL PKIX error

14. XSSFilter

15. CSRF Protection

1 Install Java 8

2 Install WildFly 8.2.0


Get the latest WildFly 8.2.0 from your System Administrator / local location (ITCS
Developers),

/common/FromBharat/wildfly-8.2.0.Final.zip

OR

Download latest WildFly 8.2.0 from


http://download.jboss.org/wildfly/8.2.0.Final/wildfly-8.2.0.Final.zip

Unzip it to your preferred directory.

2.1 Enable SSL


To enable SSL, please follow the steps below :

Step 1 : Generate key


If you already have a .keystore generated for Tomcat locally, the same can be used for WildFly
as well. Otherwise, create a new one with the following command:

$ keytool -genkey -alias localjb -keyalg RSA -keystore jb.keystore

Copy jb.keystore to the folder /wildfly-8.2.0.Final/standalone/configuration

Step 2 : Configure WildFly


Open the file /wildfly-8.2.0.Final/standalone/configuration/standalone.xml, and add the two
changes shown below (the UndertowRealm security realm and the https-listener).

Change 1 for /wildfly-8.2.0.Final/standalone/configuration/standalone.xml

<security-realm name="ApplicationRealm">
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl protocol="TLS">
            <keystore path="jb.keystore" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
        </ssl>
    </server-identities>
</security-realm>

Change 2 for /wildfly-8.2.0.Final/standalone/configuration/standalone.xml


<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>

Step 3 : WildFly setting for Web Services :


To disable the default web services provided by WildFly, comment out the webservices
subsystem in /wildfly-8.2.0.Final/standalone/configuration/standalone.xml as shown below:

<!--
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
    <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
    <endpoint-config name="Standard-Endpoint-Config"/>
    <endpoint-config name="Recording-Endpoint-Config">
        <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
            <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
        </pre-handler-chain>
    </endpoint-config>
    <client-config name="Standard-Client-Config"/>
</subsystem>
-->

Step 4 : WildFly setting for E-Filing


1. Open the file /wildfly-8.2.0.Final/modules/system/layers/base/sun/jdk/main/module.xml, and
add the two missing path entries so that the following lines are present:

    <path name="com/sun/security/auth/login"/>
    <path name="com/sun/net/ssl"/>
    <path name="com/sun/net/ssl/internal/ssl"/>
    <path name="com/sun/security/auth/module"/>

2. If you get an 'SSLException' during HMRC VSIPS E-Filing, add the VSIPS SSL certificate
to the JDK keystore file (the keytool import command in section 13 can be used for this).

2.2 Database related


No changes are required in standalone.xml for the Postgres DataSource; do not follow the
earlier steps. DataSources are configured within the web application using the open-source
transaction manager Atomikos. The following is the configuration detail for the Postgres
database server (for DB administrators only, to be done on the server, not by developers):

Enabling XA support in Postgres:

Open postgresql.conf, uncomment the max_prepared_transactions line (remove the leading '#')
and change its value from 0 to 3:

max_prepared_transactions = 3

Then save the file and restart the Postgres DB server.

3 Setup Spring Tool Suite (STS)

Download the latest Spring Tool Suite from http://spring.io/tools

Unzip it to your preferred directory.
In your sts-3.7.1.RELEASE directory, you can edit STS.ini to change the memory settings based
on your hardware. For example:
-Xms256m
-Xmx7680m
-XX:MaxPermSize=512m
i) Start STS, and check that the Installed JRE is Java 1.8
- Click on Window -> Preferences -> Java -> Installed JREs

ii) Again under Java, go to Compiler -> Errors/Warnings, and change the following settings:
Empty statement - Error
Value of local variable is not used - Error
Unused import - Error
Unnecessary else statement - Warning
Unnecessary cast or instanceof operation - Warning

iii) Download the codetemplates.xml file from your Google Drive. Back in STS, go to Window ->
Preferences -> Java -> Code Style -> Code Templates and import codetemplates.xml

iv) Setup WildFly Server.


Right click in the Servers tab, choose Define New Server, and for Select the Server Type, type
WildFly 8.2 in the text box.

Set the Home directory to where you unzipped WildFly, set the JRE to JDK 1.8 and click Finish.

v) Note: after checkout and build, STS may show an "Error" (red cross) for the file
datatypes.dtd. This DTD file is supplied by HMRC and is used as-is for XML parsing. To avoid the
red cross for this error, you may turn off DTD validation as follows:

Go to Window -> Preferences -> Validation, and turn off DTD Validation

4 Install Maven
Please follow the installation instructions available on the Apache Maven website -
http://maven.apache.org/.

5 SpringProject CVS
Checkout SpringProject from CVS repository.

After you take the latest CVS changes, you will need to update your local Maven repository
with a few web-service related JARs, e.g. the PAPDIS jar. For this, copy the ws-papdis folder
from SpringProject/lib/Local-Maven-Repos

into your machine Local Maven Repository folder , that is

/home/your-name/.m2/repository

so, you should see /home/your-name/.m2/repository/ws-papdis, after doing the copy operation.
In the course of development, there could be more JARs added to the source code, so
periodically do check if you have correctly updated the Local Maven Repository.

In STS, File menu -> Import -> Existing Maven Project, point the Root folder to the location of
SpringProject and follow the wizard instructions from there on.

GenLife Project :
To start work on the GenLife project, use the STS menu option Import -> Existing Maven Project
and import the sub-projects, namely:

base-common
base-payroll
base-aepm
friendly-pensions
genlife

For building the 'genlife' application using STS, right click on 'genlife', Run As > Run
Configuration > Maven Build > press the New button and set up as below:

Name : GENLIFE_BUILD
Base Directory : YourLocalCVSPath/SpringProject
Goals : clean install -projects genlife -also-make

Efileready Project :
For building the 'efileready' application using STS, right click on 'efileready', Run As > Run
Configuration > Maven Build > press the New button and set up as below:

Name : EFILEREADY_BUILD
Base Directory : YourLocalCVSPath/SpringProject
Goals : clean install -projects efileready -also-make

Sample Thymeleaf Project :


For working with the standalone sample-thymeleaf project , set the Root folder to the location
SpringProject/sample/sample-thymeleaf . For cleaning the target directory , right click on
sample-thymeleaf , Run As > Maven clean. For building the sample-thymeleaf project, right click
on sample-thymeleaf , Run As > Maven install

6 SpringProject Developer Guidelines


1. Every Service class and DAO class must have an Interface.
2. DAO classes must be “Spring-managed” beans using Spring-DAO.
3. Service classes should not depend on HTTPServletRequest or HTTPServletResponse ,
as these classes can be invoked from different clients not just browsers.
4. Do not pass erID, buID, eeID etc from Controller to Service layer. Get the required
Session data from the session object UserSession using Autowiring. The UserSession
object can be accessed in Controller and Service layer.
Note : Exception to this point :
In case, the Service method is called in web application as well as a “Queue processing
Thread” program, then ensure that the Service method does not rely on the UserSession
object for params like erID, userID. Instead, include these params explicitly in the method
signature of the Service method, and set the respective param values from the
Controller’s UserSession object.
5. Controllers should be lightweight with less logic.
6. Controllers and Service classes are by default singletons, and should be
stateless. Do not define instance variables at class level and use them in multiple
methods. Methods should take data transfer objects or wrapper objects as parameters
and do the job. Controllers and Service methods should be kept stateless by
keeping temporary variables within method scope.
7. For SELECT procs related to a pagination list query, use the WINDOW approach.
Remove the unused "0 AS rnum," item from the SELECT list.
Also, the old procedure's pagination list query needs to be changed as below, because of
the change in the way "DataTables" handles pagination:

LIMIT (iPageEnd - iPageStart)+1 OFFSET (iPageStart-1)

to change to

LIMIT iPageEnd OFFSET iPageStart

The parameter iPageEnd in the "Spring" version of the procedure holds the number of
rows to be shown per page. The "iPageEnd" parameter name is retained as-is for
convenience.

8. For accessing @RequestParam values from an html page in a controller, we have created a
simple bean, com.iss.common.domain.ParameterBean.java under base-common, which contains the
commonly used attributes. It can be extended by adding more attributes if need be.
Using this bean makes it easier to pass additional @RequestParam values to the controller.
The following are already defined:
1. batchID
2. taxYear
3. backUrl

9. Steps to migrate “Old DAO “ code to “Spring-DAO”


i) Create the Service layer class with the @Service annotation. Name the Service implementation
file with the suffix "Impl". For example, the interface is PayslipService.java and the
implementation is PayslipServiceImpl.java

ii) Create the DAO class with the @Repository annotation. Name the DAO implementation file with
the suffix "Impl". For example, the interface is PayslipDAO.java and the implementation is
PayslipDAOImpl.java

iii) Copy the DAO method signature from the "Old DAO", excluding the params related to
"Transaction Type", if any.

iv) Remove the "throws DAOException" clause.

v) Examine the method and identify whether it is a "SELECT" proc returning a resultset, or an
"INSERT/UPDATE/DELETE" type of proc performing a DB write operation.

vi) If it is a pure "SELECT" proc, not performing any "INSERT/UPDATE/DELETE"
operation, add the @Transactional(readOnly=true) annotation in the Service layer.
In the DAO layer, use the following style of procedure call:

SimpleJdbcCall jc = getSimpleJdbcCall("SFT_ERPAYSLIP_CSV")
    .returningResultSet("refcursor", (RowMapper) new PayslipBeanMapper());
SqlParameterSource inparam = new MapSqlParameterSource()
    .addValue("iErID", iErID);

Refer to PayslipDAOImpl.java for the complete code.

vii) If it is an "INSERT/UPDATE/DELETE" proc, add @Transactional(rollbackFor =
Exception.class) in the Service layer.

In the DAO layer, use the following style of procedure call:

SimpleJdbcCall jc = getSimpleJdbcCall("DFT_PAYSLIP_BAT");
SqlParameterSource inparam = new MapSqlParameterSource()
    .addValue("iErID", iErID)
    .addValue("iBatchID", iBatchID)
    .addValue("iFormID", iEFormID);
jc.execute(inparam);

Refer to PayslipDAOImpl.java for the complete code.

viii) In case of an "INSERT along with SELECT" proc (e.g. returning an AUTOGENERATED ID
key value), add @Transactional(rollbackFor = Exception.class) in the Service layer.

In the DAO layer, use the following style of procedure call:

SimpleJdbcCall jc = getSimpleJdbcCall("IXCH_EFBATCH")
    .returningResultSet("refcursor", (RowMapper) new PayslipCSVMapper());

Refer to EformCsvDAOImpl.java for the complete code.

ix) In case you need to work with the complete ResultSet object (e.g. XML formation, or
creating complex nested domain objects), you can make use of
JdbcTemplate.query(String sql, ResultSetExtractor rse, Object... args) instead of the
SimpleJdbcCall + RowMapper approach.

In the DAO layer, use the following style of procedure call:

CisSubbieExtractor sExt = new CisSubbieExtractor();
sExt.setCisXmlBean(cisMthlyRtnXmlBean);

StringBuffer sbrC = (StringBuffer) getJdbcTemplate()
    .query("SELECT SCIS_SR_MTHLY_RTN(?)",
           (ResultSetExtractor) sExt,
           iBatchID);

Refer to CisCsvDAOImpl.java for the complete code.

x) Related to DAO migration for methods using the Gateway Server (GS) or
Authentication Server (AS)
In live deployment, the GS sits "in front of" the Operation Server (OS) or Resource Server
(RS), i.e. the actual web application. At the moment, there is considerable functionality
involving the GS DataSource, such as the Admin section. In the Struts source code, the methods
using the GS DataSource can be identified by the .init statement, as shown below:

fpsSignUpDAO.init(Constants.GATEWAY_DSN);

In such cases involving the GS DataSource, note the following during code migration:

● Use getGsSimpleJdbcCall for the GS DB operation.

● For DAO methods using getGsSimpleJdbcCall, name the method with the prefix gs, e.g.
signUpDAO.gsUpdateRef
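The Service/DAO shape that steps i) to vii) describe, as an added example that is not the project's code: it uses Spring's SimpleJdbcCall directly instead of the project's getSimpleJdbcCall helper, takes the procedure and parameter names from the snippets above, and assumes a minimal PayslipBean with result-set columns payslip_id and employee_name.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.SqlParameterSource;
import org.springframework.jdbc.core.simple.SimpleJdbcCall;
import org.springframework.stereotype.Repository;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Added example, not the project's code. The bean and its column names
// (payslip_id, employee_name) are assumptions.
class PayslipBean {
    final long payslipId; final String employeeName;
    PayslipBean(long id, String name) { payslipId = id; employeeName = name; }
}

// Maps one row of the "refcursor" result set into the bean.
class PayslipBeanMapper implements RowMapper<PayslipBean> {
    public PayslipBean mapRow(ResultSet rs, int rowNum) throws SQLException {
        return new PayslipBean(rs.getLong("payslip_id"), rs.getString("employee_name"));
    }
}

// Step ii: DAO interface + *Impl with @Repository, no "throws DAOException".
interface PayslipDAO {
    List<PayslipBean> listPayslips(long iErID);
    void deletePayslipBatch(long iErID, long iBatchID, long iEFormID);
}

@Repository
class PayslipDAOImpl implements PayslipDAO {
    private final DataSource dataSource;
    @Autowired PayslipDAOImpl(DataSource dataSource) { this.dataSource = dataSource; }

    // Step vi: pure SELECT proc returning a refcursor. Every value is a
    // bound parameter; nothing is concatenated into the SQL.
    @SuppressWarnings("unchecked")
    public List<PayslipBean> listPayslips(long iErID) {
        SimpleJdbcCall jc = new SimpleJdbcCall(dataSource)
            .withProcedureName("SFT_ERPAYSLIP_CSV")
            .returningResultSet("refcursor", new PayslipBeanMapper());
        SqlParameterSource inparam = new MapSqlParameterSource()
            .addValue("iErID", iErID);
        Map<String, Object> out = jc.execute(inparam);
        return (List<PayslipBean>) out.get("refcursor");
    }

    // Step vii: INSERT/UPDATE/DELETE proc, no result set.
    public void deletePayslipBatch(long iErID, long iBatchID, long iEFormID) {
        SimpleJdbcCall jc = new SimpleJdbcCall(dataSource).withProcedureName("DFT_PAYSLIP_BAT");
        SqlParameterSource inparam = new MapSqlParameterSource()
            .addValue("iErID", iErID)
            .addValue("iBatchID", iBatchID)
            .addValue("iFormID", iEFormID);
        jc.execute(inparam);
    }
}

// Step i: Service interface + *Impl with @Service; the transaction boundary lives here.
interface PayslipService {
    List<PayslipBean> listPayslips(long iErID);
    void deletePayslipBatch(long iErID, long iBatchID, long iEFormID);
}

@Service
class PayslipServiceImpl implements PayslipService {
    private final PayslipDAO payslipDAO;
    @Autowired PayslipServiceImpl(PayslipDAO dao) { this.payslipDAO = dao; }

    // Step vi: read-only transaction for a pure SELECT.
    @Transactional(readOnly = true)
    public List<PayslipBean> listPayslips(long iErID) {
        return payslipDAO.listPayslips(iErID);
    }

    // Step vii: roll back on any exception, checked ones included.
    @Transactional(rollbackFor = Exception.class)
    public void deletePayslipBatch(long iErID, long iBatchID, long iEFormID) {
        payslipDAO.deletePayslipBatch(iErID, iBatchID, iEFormID);
    }
}
```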
10. Steps to migrate "Old" JasperReports .xml files
i) Make a copy of the "Old" .xml JasperReports file, and change the extension to .jrxml
ii) Open the .jrxml file in any editor and replace the fontName with "SansSerif".
iii) Do the required alignments.
iv) In pom.xml (a one-time change), add the configuration to compile the jrxml files,
for example:

<plugins>
    <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>jasperreports-maven-plugin</artifactId>
        <version>1.0-beta-2</version>
        <configuration>
            <sourceDirectory>src/main/jasper</sourceDirectory>
            <outputDirectory>${project.build.outputDirectory}/jasper</outputDirectory>
        </configuration>
        <executions>
            <execution>
                <phase>compile</phase>
                <goals>
                    <goal>compile-reports</goal>
                </goals>
            </execution>
        </executions>
        <dependencies>
            <dependency>
                <groupId>net.sf.jasperreports</groupId>
                <artifactId>jasperreports</artifactId>
                <version>5.5.1</version>
            </dependency>
            <dependency>
                <groupId>javax.servlet</groupId>
                <artifactId>javax.servlet-api</artifactId>
                <version>3.0.1</version>
            </dependency>
        </dependencies>
    </plugin>
</plugins>
<pluginManagement>
    <plugins>
        <plugin>
            <groupId>org.eclipse.m2e</groupId>
            <artifactId>lifecycle-mapping</artifactId>
            <version>1.0.0</version>
            <configuration>
                <lifecycleMappingMetadata>
                    <pluginExecutions>
                        <pluginExecution>
                            <pluginExecutionFilter>
                                <groupId>org.codehaus.mojo</groupId>
                                <artifactId>jasperreports-maven-plugin</artifactId>
                                <versionRange>[1.0-beta-2,)</versionRange>
                                <goals>
                                    <goal>compile-reports</goal>
                                </goals>
                            </pluginExecutionFilter>
                            <action>
                                <ignore />
                            </action>
                        </pluginExecution>
                    </pluginExecutions>
                </lifecycleMappingMetadata>
            </configuration>
        </plugin>
    </plugins>
</pluginManagement>

v) Do a fresh build, publish the server and start the server.

11. To display decimal numbers in html with commas and decimal points
● The decimal part of float data is formatted in the Java bean using the
java.text.DecimalFormat class as an inline reference.

● Further formatting of the float data, to add commas and currency symbols, is
done in the html pages. For example, to show commas in a Datatables column, the code is as
follows:
sData.toString().replace(/\B(?=(\d{3})+(?!\d))/g, ",");

● To add the pound currency symbol with commas in a Datatables column, the code is as
follows:
'&pound; ' + sData.toString().replace(/\B(?=(\d{3})+(?!\d))/g, ",");
7 Datatables
We need to make the Datatables request a POST. For this we need to add the following to the
Datatables definition.

"fnServerData": function ( sSource, aoData, fnCallback ) {
    // any other required script should be added here, e.g. aoData.push(...)
    $.ajax( {
        "dataType": 'json',
        "type": "POST",
        "url": listUrl,   // the actual url, with parameters if any (listUrl is a placeholder name)
        "data": aoData,
        "success": fnCallback
    });
}

sAjaxSource - is not required

For the existing pages which are already coded, follow these steps:
1. Add the above "fnServerData" to the Datatables definition if it is not defined.
2. Copy the sAjaxSource data to url under the ajax definition.
3. Delete sAjaxSource.
4. Delete the $.getJSON part fully, if it exists.

Testing the changes - assuming Firefox -

1. Click on Tools -> Web Developer -> Network
2. Navigate to the menu for the List page which is to be tested - it should show POST for
both the calls (Page and Data).

The bean class used for listing the data for Datatables should be light (avoid composing it
from other bean classes). It should contain only those elements/attributes pertaining to the
list page (in some cases a few extra attributes are unavoidable).

Creating a List bean for list pages keeps the JSON data structure simple and light. Note,
before creating one, check the already existing beans for matching attributes, if any.

8. Thymeleaf
1. To show validation error messages which contain <br/> (new line) and/or any special
symbols in the error message string, use the method below (th:utext inserts the string
unescaped, so use it only for messages built on the server, never for values echoed back
from user input):
<span class="help-block" th:each="err : ${#fields.errors('fieldname')}" th:utext="${err}" />
or
<span class="help-block" th:each="err : ${fieldname}" th:utext="${err}"></span>

2. To show validation error messages which do not have <br/> (new line) in the error
message, use the method below:
<span class="help-block" th:errors="*{fieldname}"></span>

3. QuickLinks - Help - You can find the quick links help files under WEB-INF/thl/quicklinks.
In the quicklinks html file the id is prefixed with 'js' for a purpose; please follow the same
if you are adding a new help link.
Sample quicklink:
<div class="col-sm-2 form-control-static"><a href="#" class="help-button" id="qtn8FL3"
title="Password">?</a></div>
Please make sure the id is present in the quick link file which you import in 'th:replace'.
<script th:src="@{/resources/js/jquery.qtip.min.js}"></script>
<div th:replace="quicklinks/filename :: filename">quicklinks</div>
<script th:src="@{/resources/js/bc-quicklink.js}"></script>

Please fill in the correct file name and import only the required quick link files. You need to
add the above lines after the last
/*]]>*/
</script>
in the page. Example:
/*]]>*/
</script>
<script th:src="@{/resources/js/jquery.qtip.min.js}"></script>
<div th:replace="quicklinks/forgotloginql :: forgotloginql">quicklinks</div>
<script th:src="@{/resources/js/bc-quicklink.js}"></script>
For every additional quicklink html file, repeat the three lines above (the two script tags and
the div).

9. Others:

Due to the way our live server is set up, request.getRemoteAddr() will not return the correct
user IP; instead it gives you 127.0.0.1, because the application sits behind a local proxy.

To get the correct user IP, do the following:

String ip = request.getHeader("X-Forwarded-For");
if (ip == null) {
    ip = request.getRemoteAddr();
}
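A stricter form of the lookup above, as an added example that is not the project's code: X-Forwarded-For is an ordinary request header that any caller can set, so this version only honours it when the connection really came from the local proxy (the 127.0.0.1 case described above), walks the comma-separated hop list from the right, and accepts only syntactic IP literals. The trusted-proxy set, the IP patterns and the assumption that the proxy appends the client address to the header are all assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

// Added example, not the project's code. X-Forwarded-For is just a request header,
// so any caller can set it; it is only meaningful when the request really arrived
// through our proxy, which is why the peer address is checked first.
public final class ClientIpResolver {

    // Addresses the reverse proxy connects from (assumption: local proxy only).
    private static final Set<String> TRUSTED_PROXIES =
        new HashSet<>(Arrays.asList("127.0.0.1", "0:0:0:0:0:0:0:1", "::1"));

    // Loose syntactic checks; they filter out free text, not bad addresses.
    private static final Pattern IPV4 = Pattern.compile(
        "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}$");
    private static final Pattern IPV6 = Pattern.compile(
        "^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){2,7}$");

    private ClientIpResolver() {}

    public static String resolve(HttpServletRequest request) {
        return resolve(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    }

    // Split out so the logic can be exercised without a servlet container.
    static String resolve(String remoteAddr, String forwardedFor) {
        // Direct connection (not via the proxy): the header cannot be trusted at all.
        if (!TRUSTED_PROXIES.contains(remoteAddr) || forwardedFor == null) {
            return remoteAddr;
        }
        // Header form is "client, proxy1, proxy2": each proxy appends the address it
        // saw. Walk from the right and skip our own hops; the first untrusted entry
        // is the address our proxy saw, which the client could not have forged.
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (TRUSTED_PROXIES.contains(hop)) {
                continue;
            }
            // Reject anything that is not an IP literal (e.g. text aimed at log files).
            return isIpLiteral(hop) ? hop : remoteAddr;
        }
        return remoteAddr;
    }

    static boolean isIpLiteral(String s) {
        return IPV4.matcher(s).matches() || IPV6.matcher(s).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs (documentation addresses, not real hosts).
        // 1. Request arrived through the proxy: the forwarded client address is used.
        System.out.println(resolve("127.0.0.1", "203.0.113.7"));
        // 2. Client supplied its own header value, proxy appended the real peer:
        //    the right-most untrusted entry wins, not the client-chosen one.
        System.out.println(resolve("127.0.0.1", "198.51.100.9, 203.0.113.7"));
        // 3. Direct connection with a forged header: the header is ignored.
        System.out.println(resolve("10.0.0.5", "203.0.113.7"));
        // 4. Header content that is not an address falls back to the peer address.
        System.out.println(resolve("127.0.0.1", "not-an-address"));
    }
}
```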

10. Efileready URL Prefix changes

There is a requirement to include Efileready as part of another parent project. Hence there is a
need to group the 'Efileready' application under one global pattern, '/efr/*', so that "access
control" can be imposed selectively, based on whether the end-user opts to use the Efileready
service or not. Now all the existing Efileready Controllers need to extend "EfrBaseController",
which defines the EFR prefix constant as "/efr".

The list of changes is as follows:

1. Open the *Controller.java, and add the "extends" clause as below:

public class RtiListController extends EfrBaseController

2. If any class-level url mappings are defined, remove them and move them to method
level.
3. Next, go to the related *.html page, and make the necessary changes to get the URL
prefix.

Please refer to RtListController, RtiReportController, EasBatchList.html and EasEmpList.html
to proceed with the changes in the modules assigned to you.

11. Setting up multiple instances of WildFly Server and controlling from STS

Steps to create a server instance on port number 10090/10443 for "APS/DemoPP"
(able-pension-system) and control it from STS:

The goal is to leave "standalone" unmodified for AEX and work on another server instance for
DemoPP under the folder "standalone-aps". This will allow AEX and DemoPP to run
simultaneously.

1. Open a terminal, and check if you have defined JBOSS_HOME in your .bash_profile. If yes,
remove it.
2. Start STS, go to the Servers tab, clean your existing server (which is set to 9090), and remove
already deployed applications, if any. Make sure /opt/wildfly-8.2.0.Final/standalone/deployments
is empty.
3. Open a terminal, change to the /opt/wildfly-8.2.0.Final/ folder. Run the following command to
create a copy for DemoPP.

cp -rpv standalone standalone-aps

4. Open /opt/wildfly-8.2.0.Final/standalone-aps/standalone.xml and specify the port offset 1000
as below:

<socket-binding-group name="standard-sockets" default-interface="public"
    port-offset="${jboss.socket.binding.port-offset:1000}">

5. In STS, Window / Preferences / Server / Runtime Environments / Add, create a new WildFly
Runtime Environment and call the runtime "WildFly 8.2 Runtime APS". In the wizard, point
the location of the configuration file to ../../standalone-aps/configuration/standalone.xml.

6. In the Servers Tab, right click New / Server, Select WildFly 8.0 with the runtime created at
Step 5, and give the Server name as "WildFly 8.2 Runtime APS Server".

7. In the Servers Tab, double click on the server created at Step 6 (or press F3) to open the
parameter editor.

In section "Server Ports", uncheck "Detect from Local Runtime" and specify offset 1000.

Click on the "Deployment" tab to see deployment default settings.

Select "Use a custom deploy folder" and edit the directory fields.

Replace "standalone/deployments" by "standalone-aps/deployments".

Replace "standalone/tmp" by "standalone-aps/tmp".

8. In the server’s parameter editor, go back to the overview, General Information, click “Open
launch configuration”.

First, uncheck “Always update arguments related to the runtime”.

The "Program arguments" should look like the screenshot, and as given below:

-mp "/opt/wildfly-8.2.0.Final/modules" -jaxpmodule javax.xml.jaxp-provider
org.jboss.as.standalone -b localhost
--server-config=../../standalone-aps/configuration/standalone.xml

The VM arguments as below:

"-Dprogram.name=JBossTools: WildFly 8.2 Runtime APS Server" -server -Xms64m -Xmx512m
-XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Djava.net.preferIPv4Stack=true
-Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
"-Dorg.jboss.boot.log.file=/opt/wildfly-8.2.0.Final/standalone-aps/log/boot.log"
"-Dlogging.configuration=file:/opt/wildfly-8.2.0.Final/standalone-aps/configuration/logging.properties"
"-Djboss.home.dir=/opt/wildfly-8.2.0.Final"
"-Djboss.server.base.dir=/opt/wildfly-8.2.0.Final/standalone-aps"
-Dorg.jboss.logmanager.nocolor=true

Save the changes made to the Server.


9. Open file ​base-common-as-security-full.xml​, and uncomment Line 237, as below

<sec:port-mapping http="10090" https="10443" />

Do not commit the above change to CVS

Clean / Build able-pension-system, and deploy

Right Click on able-pension-system, Run As > Run on Server > Select "WildFly 8.2 Runtime
APS Server" > Finish

The "APS/DemoPP" (able-pension-system) application should run on 10090/10443 now.

Ref Link :

https://developer.jboss.org/wiki/HowToDefineMultipleJboss7ServerInstancesBasedOnTheStandaloneFolderUsingEclipseJunoAndJbossTools40

12. JasperSoft Report Designer - JasperStudio 6.1.1

13. Troubleshooting for SSL PKIX error


If you are getting an SSL error similar to this:
Exception handling request to /portal/t_security_check:
org.springframework.web.client.ResourceAccessException: I/O error on GET request for
"https://localhost:9443/portal/as/auth/JNSIRRYVKXFBZFUAUQJNKA":sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target; nested exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target

you will need to import your localhost SSL certificate into your Java keystore (cacerts).
To do that, first start the app, then in your browser click on the padlock in the URL bar and
export the certificate. Save it as localhost.crt, then run this keytool command to import it
into your Java keystore:

/usr/java/latest/bin/keytool -importcert -alias localhost -file localhost.crt -keystore /usr/java/latest/jre/lib/security/cacerts

Your Java path may be different; please make sure it is the one you use in STS.
14. XSSFilter
All request parameter values are screened by XSSFilter and validated against the following
pattern (complying with OWASP):

HTTPParameterValuePattern = Pattern.compile("^[:\\p{L}\\p{N}\\w\\.\\-/+=_ !$*?@%,'()&\\n\\t\\r]{0,3000}$");

Any request parameter value with characters not satisfying the above pattern will be treated as
'offending' and will be removed by XSSFilter. Characters like " | < > are not allowed, and for
the purpose of this discussion they are referred to as 'Special Characters' henceforth. If a
field can genuinely contain 'Special Characters', then the URL and the related request parameter
name must be given in ExcludeFromFilter.properties of that application, so that XSSFilter will
not validate that particular request parameter value.

So, say in a form page there are fields like the ones below:

● AddressLine 1, AddressLine 2... - The valid pattern for these fields allows 'Special
Characters', so we can bypass XSSFilter for such fields by giving their details in
ExcludeFromFilter.properties
● Surname, Forename - The valid pattern for these fields does not need 'Special
Characters', so they are not given in ExcludeFromFilter.properties
● Password field values are the user's choice, and they must be given in
ExcludeFromFilter.properties

Please refer to xch-common..ExcludeFromFilter.properties for details.

Further, for fields which are allowed to include 'Special Characters', it must be ensured that
when they are shown back in the View Form page or the Datatables List page, the value is just
displayed as text and does not cause any unwanted script execution.
For example, check the field by entering the value

<script>alert(1)</script>
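To see what the pattern above actually lets through, here is an added example (not the project's XSSFilter) that applies it to a few constructed parameter values and reports which ones the filter would drop as 'offending'; it also shows the text encoding the view still has to apply for excluded fields. The htmlEncode helper is an assumption, not project code.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not the project's XSSFilter. Applies the guide's pattern to
// constructed values and shows which ones the filter would drop as 'offending'.
public final class XssPatternCheck {

    // Pattern exactly as given in section 14.
    static final Pattern HTTP_PARAMETER_VALUE_PATTERN = Pattern.compile(
        "^[:\\p{L}\\p{N}\\w\\.\\-/+=_ !$*?@%,'()&\\n\\t\\r]{0,3000}$");

    // True when XSSFilter would let the value through unchanged.
    static boolean isAllowed(String value) {
        return value != null && HTTP_PARAMETER_VALUE_PATTERN.matcher(value).matches();
    }

    // Minimal HTML text encoding (assumed helper). Needed for excluded fields, and
    // also for allowed ones: ' and & pass the filter yet still matter in HTML.
    static String htmlEncode(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample parameter values.
        List<String> samples = Arrays.asList(
            "O'Brien",                     // apostrophe is in the pattern
            "Flat 2, 10 High St. (rear)",  // typical address line
            "Müller",                      // \p{L} covers non-ASCII letters
            "Smith & Sons",                // ampersand is allowed
            "<script>alert(1)</script>",   // < and > are not in the pattern
            "a\"b",                        // double quote
            "x|y");                        // pipe
        for (String s : samples) {
            System.out.printf("%-28s allowed=%b%n", s, isAllowed(s));
        }
        // An excluded field (e.g. AddressLine 1) bypasses the filter, so the view
        // must encode its value before rendering it as text.
        System.out.println(htmlEncode("<script>alert(1)</script>"));
    }
}
```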

15. CSRF Protection


Spring Security's built-in CSRF feature is enabled, along with the transparent integration
provided by Thymeleaf. More details in the links below:

https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

http://www.thymeleaf.org/whatsnew21.html#reqdata

For this purpose, every Thymeleaf page having a <form> tag must have th:action specifying the
default action for that page; it is the th:action attribute that makes Thymeleaf add the hidden
CSRF token field to the form, so a form with a plain action attribute would be submitted
without the token.
