I am trying to change the request url value in admin route.xml. When i use vendor_module as frontName it`s working fine. but when i try to use module as a frontName in admin route then its not working.
Vendor/ModuleName/etc/adminhtml/route.xml
Before
<router id="admin">
<route id="vendor_module" frontName="vendor_module">
<module name="Vendor_ModuleName" />
</route>
</router>
After
When i use below code as admin route it`s not worked for me. Like when i try access url module/template/edit then its redirect to admin Dashboard page.
<router id="admin">
<route id="vendor_module" frontName="module">
<module name="Vendor_ModuleName" />
</route>
</router>
Note : I want to use this without turn off Admin > Store > Configuration > Advanced > Admin > Security > Add Secret Key to URLs
The id and front name in the route.xml file must be synchronized with each other. If you set it differently it won't know what URL you're using so it will redirect you to the admin's home page.
For field: Add Secret Key to URLs, the main function of this field is secret Key is useful for preventing CSRF (Cross-site request forgery) Attack (The most practical example is in your case). This is a security bug that has been fixed by Magento. If you disable this field, your admin page will be very vulnerable to attack
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
I recommend leaving this option enabled.
Related
Is it possible to change subdomain in redirect URL per customer?
I set the redirect URL in OAuth & Permissions field in my slack app page. Its like https://test.com
Actually, I want to set the redirect URL like https://dev.test.com
"dev" changes per customer.
How can I realize it?
I saw this question and try to do it, but Im not sure how to do it.
Using wildcard subdomain for Rediret URL in Slack OAuth
I use slack button, so I can set state parameter as this. but in the same time, I have to send redirect URL which matchs the redirect URL in OAuth & Permissions field in my slack app page.
<a href="https://slack.com/oauth/v2/authorize?scope=incoming-webhook&client_id=xxxx&state=dev&redirect_uri=https://test.com">
<img alt="Add to Slack" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack#2x.png 2x" />
</a>
No, there is no option for changing sub domains for each user in slack-api as of now.
You have to use a single redirect url for all the users, you can later redirect from https://dev.test.com to your desired user(customer) specific url like https://dev.test.com
I have a Magento website up and running. Suddenly I could not Login to the website and could not add products to the website. On login, it simply redirected back to login page from admin end. And on adding product to cart it kept asking for enabling cookies.
Now I have updated the value of "web/cookie/cookie_domain" in core_config_data to "", and it started working fine, though previously the value was the domain name. Can anyone really suggest/explain why does it behave like this?
Magento also has an issue where if you use the bare domain and a subdomain to try accessing the site, it can set two cookies, one for example.com and one for subdomain.example.com.
You will have issues logging in for either front or admin sessions until you delete all the Magento cookies pertaining to your domain. Setting cookie paths, domains and redirecting all bare domain traffic to www or all www traffic to bare domain is necessary to prevent the issue.
search the web and found solutions.
Disable redirect to enable-cookies CMS page
Go to System –> Configuration –> General –> Web –> Browser Capabilities Detection –> Redirect to CMS-page if cookies are disabled = No
for more info you See this link.I hope solve your problem.
I am using Spring Security for Web application development. I do not want to allow users to do registration while they are already loggedIn in the System.
So suppose, there is url for registration is /registration and for home page is /home.
Now I want to redirect at /home if user tries to hit /registration while session is live. Is it possible using spring-security ? I can check session in controller method and redirect manually...that I know. but is there any config with spring-security? Thanks.
Yes, you can do it with Spring Security only. Add a new security:http element before your existing one as follows:
<security:http pattern="/registration" access-denied-page="/home" entry-point-ref="forbiddenEntryPoint">
<security:intercept-url pattern="/registration" access="ROLE_ANONYMOUS"/>
</security:http>
<bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
The entry point implementation doesn't really matter, because it won't be invoked. It's just mandatory to define it.
System will now monitor URL /registration and when it's hit by a user without ROLE_ANONYMOUS (= an authenticated user) it will serve content from /home instead.
I am using Spring Security 3.1.x and trying to achieve the following scenario:
a page is secured with isFullyAuthenticated()
the current user is only authenticated with Remember Me, so not fully authenticated
the user navigates to this fully authenticated page - this should not be permitted (and it's not)
however, the user should not get the 403 page - instead, the user should be prompted to login via the Login form
after logging in, the user should be allowed to proceed to the page he previously requested, since now he's a fully authenticated user
My Spring Security config is:
<http use-expressions="true">
<intercept-url pattern="/admin/full_auth_only.html" access="isFullyAuthenticated()" />
<form-login login-page="/login.html" default-target-url="/authenticated.html" />
<logout />
<remember-me key="someAppKey" />
</http>
And I tried to add:
<access-denied-handler error-page="/login.html" />
However, the problem is now that, when visiting the page, I am indeed prompted by the Login form, only the URL doesn't correspond to login; instead it's the URL of the fully authenticated page:
http://localhost:8080/spring-security/admin/full_auth_only.html
Which then breaks the authentication process, which fails when trying to access the (invalid) URL:
http://localhost:8080/spring-security/admin/j_spring_security_check
This should have been:
http://localhost:8080/spring-security/j_spring_security_check
Any help on this is appreciated - I think the usecase is very common and so I would prefer using the namespace support instead of going in a custom direction.
Thanks.
Eugen.
I couldn't reproduce your issue with version 3.1.3.RELEASE of Spring Security. Which version do you use?
Authentication requests are intercepted by the AbstractAuthenticationProcessingFilter that checks if the URL of the request ends with a pre-configured value (that defaults to /j_spring_security_check). Any URL with that ending will trigger an authentication attempt. You can see the related code here.
This means that the URL you said is invalid should in fact be processed without problems.
The code linked above hasn't been changed since very early versions (2.x), so there should be some other issues in your case.
If you could share your configuration and some debug level logs, that would help to reveal what's the real problem.
1.Remove any welcome-file-list if you have in web.xml.
2.Make sure always-use-default-target is not set to false in form-login tag or remove it all together.
3.And make sure you have permitted every one to access your login page. something like this <intercept-url pattern="/login.htm" access="permitAll()"/>
That should work.
it sounds like the cookie was not set, and the following requests sent were all treated as the first requests without a session ID, so spring security asked for login every time even though you had logged in.
If you were using google chrome, and tested the application in your local machine using the localhost address, the cookie might not be set. And it is a known issue with Google chrome.
You can try 127.0.0.1 instead to test. Or try another web browser like Internet Explorer.
I have a asp.net site that uses federated security for authenticating the user. Therefore a user navigates to the url which is redirected to a login page and if successful gets routed back to the main application. What I need to do is somehow have the main application allow some code to be ran before being redirected to the login page. This is because the intial request may have some query string parameters that I need to store in the users session as the request back to the main application is dropping them.
Is this possible... any thoughts or examples would be greatly appreciated!
I am not sure whether this may help:
You can turn off the WIF’s built-in redirection of unauthenticated sessions by modifying web.config file:
<microsoft.identityModel>
<service>
......
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="false"
......
and once your reconstruct your query string, you can update audienceUri and realm.