how to fix the cross site scripting persistent fortify security issue for the below code.
I know we are directly retrieving the output from the DB and sending it to response. which can result in security violations where attackers may inject malicious code to DB which we return it to users.
is there any way to fix the below code?
Optional<Request> request = accountRepository.findById(id)
return ResponseEntity.status(HttpStatus.OK).body(request.get());
Related
I am a Spring Developer trying to figure out how to connect a WordPress WooCommerce Website to my REST Spring boot Service. I haven't worked with WordPress, so there are a lot of unknown unknowns for me there. I am in collaboration with another developer on the WordPress side of things, trying to solve this issue, but we are a little lost.
Are there Best Practices for a WordPress website to access the Spring boot Oauth2 API (including JWT Token delivery Service) ?
CONCRETE DESCRIPTION OF MY SITUATION:
State right now (working):
Someone orders a Product on the WooCommerce website and the order status is set to processing.
The goal:
WordPress WooCommerce Backend calls the Spring boot API to send how many Products were ordered.
WHAT WE FOUND OUT AND WHAT WE TRIED:
Spring boot:
We found out that Spring boot outh2 is the way to go for the REST API ENDPOINT
The only resource I found about this are this once, which are very good and sufficient:
https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot
https://www.youtube.com/watch?v=X80nJ5T7YpE
WordPress:
The Problem is, that we find a lot on WordPress Webhooks but not a lot on how to call an API Endpoint with a Token system.
Here are some resources we worked through, which are not sufficient:
https://developer.wordpress.org/plugins/http-api/
https://woocommerce.github.io/woocommerce-rest-api-docs/v3.html?shell#webhooks
https://duckduckgo.com/?q=wordpress+oauth2+rest+call&t=bravened&ia=web
WHAT WE THINK TO KNOW ABOUT THE SERVER TO SERVER COMMUNICATION IN THIS CASE** (Handshake):
In WordPress, I manually safely store a Username and a Password which
Spring Security knows about, on WordPress.
WordPress, an order has been finished.
WordPress calls Spring boot Https Request to /api with Payload:
OrderInformation, Password and Username.
Spring sees that there is no Token or the Token is outdated
Spring searches the Request Payload for Username and Password
Spring generates a signed JWT Token based on Username and Password.
WordPress receives that Token and stores is safely
WordPress HTTPS Request /api with Payload: OrderInformation, Token.
Spring validates the Token, accepts the OrderInformation
Spring does what ever it needs to do with the information and when
everything works out
Spring Oauth2 somehow has to tell Woocomerce that the information
was successfully delivered. Otherwise Woocomerce has to resend the
information. And start form point
WHAT WE HOPE THIS POST SHOULD ACCOMPLISH FOR PEOPLE WITH THE SAME QUESTION:
If someone knows any resource or best practices how to configure WordPress WooCommerce, please let us, who have a lot of unknown unknowns, know what to do next.
We hope this post and its answers can be a gateway and vertex for other people to find the information they need.
Thank you very much in advance
I am not sure about Spring Boot API specifically, but I have done this type of integration with other REST API's.
I would recommend using wordpress action hook. The hook that I would recommend you to use is woocommerce_order_status_changed.
// define the woocommerce_order_status_changed callback
function action_woocommerce_order_status_changed( $this_get_id, $this_status_transition_from, $this_status_transition_to, $instance ) {
// make action magic happen here...
};
// add the action
add_action( 'woocommerce_order_status_changed', 'action_woocommerce_order_status_changed', 10, 4 );
At the place of // make action magic happen here... write the logic where you contact with your API. Run your code when $this_status_transition_to is processing. The $instance should have woocommerce order instance which you can use to push to API.
Some pointers that I would like to give are.
Save the API Token/Credentials in an Enviroment Variable for security.
Would recommend using Guzzle package to make http request. Use composer to install the package.
I am using token-based authentication (via dj-rest-auth 1.1.2) on my Django REST-Framework (DRF v. 3.12.1) project. After an initial view-base login, the server issues a token that the client has to include in the HTTP Authentication header with each request.
What I would like to do is to associate the token authentication with a server-side session, similar to what the Django Session Framework provides. That is, I would like to create a cacheable session object that stores information like user roles, which otherwise would need to be retrieved from the DB with each request.
It seams that there is no ready-made solution for this problem, is there? To my understanding, the Django Session Framework only works with session cookies but not with other tokens. On the other hand, token-based authentication does not create a server-side session, it seems.
My questions:
Is this correct, or am I simply missing some configuration or mis-reading the documentation?
If yes, is there something inherently flawed with my intended approach (which would explain why I cannot find a library that already does it)?
Again if yes, what would be the canonical solution handle complex user roles on each request? Just store them in the DB and let proper caching take care of it?
Thanks for your help!
I'm very new in Spring and never really used java for making web. And I'm making a web with a separated frontend and backend services and I'm trying to make an authentication system using Spring Boot Security. How can I do it? Do I put the security on both the service or just one of them? What's the best way to implement it?
The question is subjective and can have too many interpretations based on context. My understanding is that putting security on both front-end and backend is the best way to implement. After a successful backend authentication you should issue a unique cookie to the browser as it allows users to continue using a site without having to log in to every single page. For each subsequent call, the website recognizes the user from cookie data.
You can use this link for a better understanding of dual authentication mechanism.
I am trying to implement CSRF protection in an existing application. We have Spring MVC on backend and a mix of HTML, CSS and Apache Velocity Templates on frontend.
I have tried configuring the Spring CSRF functionality as shown here - https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html. After reading through this Spring documentation, I get a feel that after configuration, Spring Security would automatically send tokens with all requests but that is not happening in my case - perhaps something is wrong with my configuration.
As an alternative, I am creating an instance of Spring Security's CsrfTokenRepository and calling generateToken and loadToken methods on it in my front controller which intercepts all HTTP requests coming to the server. This way, I am able to deliver a new token for every HTTP request and then send it back on the next one.
The mechanism fails though if I click different links within my page too frequently - by the time a page is rendered and the new token is set in hidden fields, the browser has already sent a request to another page with an old token. It also fails when I open more than one tab since the token received by the latest opened tab wins over tokens from tabs opened before it.
To overcome this issue, I changed the tokens to be generated only per session. However, now I run the risk of tokens being exposed - via get requests or referrer fields for example. Is there a way to improve the performance of per request tokens? or make the approach more secure with per session tokens?
I'm developing a REST JSON API with the Spring MVC Framework. I want to serve a single HTML application to the user and the whole communication between server and client is done with JSON format. So the client single HTML application uses jQuery to send AJAX calls to the server.
My big problem is to find the right way to do integrate a proper security technique. I read a lot about basic, digest or form based authentication via Spring Security, but I don't think this is the right way. I want to get JSON responses if the user isn't logged in and I don't want to send a jsessionid with each request.
Could you please tell me the right way or the best-practice how to authenticate user by performing AJAX requests? Maybe it's OAuth 2-legged? (don't have much clue of OAuth)
If you don't want to store auth information in server-side session (and use JSESSIONID in cookies/urls) you may send auth info with every ajax request using BASIC auth header (created in JS).
I've never used 2-legged oauth, so I won't comment about it.
edit: typo