Oidc not available - quarkus

When my OIDC server is not available, I get this error 500 returned on my endpoint, generated by Quarkus:
<!doctype html>
<html lang="en">
<head>
<title>Internal Server Error - Error handling c1d5a584-89d8-49ba-9df0-822ecb9b47da-3, io.quarkus.oidc.OIDCException:
OIDC server is not available at the 'http://localhost:8080/auth/realms/test' URL. Please make sure it is
correct. Note it has to end with a realm value if you work with Keycloak, for example:
'https://localhost:8180/auth/realms/quarkus'</title>
<meta charset="utf-8">
<style>...
Is it possible to customize this with a chosen error code and no content?
I have tried with ExceptionMapper without success.

The exception mapper would be what you want, but you may need to use the JAX-RS way of implementing the mapper (docs). This lets you set an @Priority on the mapper implementation so that it triggers earlier than a default defined mapper, which is likely what's happening with your request.

Why can't I get font awesome to work in an ASP.NET Core MVC application?

I am having an issue adding font awesome to my ASP.NET Core MVC (ASP.NET Core 2) application. I am simply trying to add the CSS library called font awesome to my MVC project. I have tried two approaches
1) Adding the font awesome CDN like so
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
but when I add the CDN I get the CSP errors in Chrome
Refused to load the stylesheet
'http://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css'
because it violates the following Content Security Policy directive:
"default-src 'self'". Note that 'style-src' was not explicitly set, so
'default-src' is used as a fallback.
So I tried adding the correct meta tags. I tried MANY combinations and nothing seemed to work. For example,
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' http://maxcdn.bootstrapcdn.com
'unsafe-inline' 'unsafe-eval';
style-src 'self' http://maxcdn.bootstrapcdn.com
'unsafe-inline' 'unsafe-eval'; " />
I was still getting errors related to CSP in Chrome.
2) The second approach I took was to add the font awesome CSS file in my project. I did this and then added the corresponding reference like so:
<link rel="stylesheet" href="~/css/font-awesome.min.css">
When I did this I got the following errors despite the file being in the correct location and being referenced correctly:
GET http://localhost:5000/fonts/fontawesome-webfont.woff2?v=4.7.0 net::ERR_ABORTED
GET http://localhost:5000/fonts/fontawesome-webfont.woff?v=4.7.0 net::ERR_ABORTED
GET http://localhost:5000/fonts/fontawesome-webfont.ttf?v=4.7.0 404 (Not Found)
I looked into this issue and found that it could be related to the static file handler. I then modified the app.UseStaticFiles() to take an options parameter like this:
StaticFileOptions staticFileOptions = new StaticFileOptions();
FileExtensionContentTypeProvider typeProvider = new FileExtensionContentTypeProvider();
if (!typeProvider.Mappings.ContainsKey(".woff2"))
{
    typeProvider.Mappings.Add(".woff2", "application/font-woff2");
}
if (!typeProvider.Mappings.ContainsKey(".woff"))
{
    typeProvider.Mappings.Add(".woff", "application/font-woff");
}
if (!typeProvider.Mappings.ContainsKey(".ttf"))
{
    typeProvider.Mappings.Add(".ttf", "application/font-ttf");
}
staticFileOptions.ContentTypeProvider = typeProvider;
app.UseStaticFiles(staticFileOptions);
But I still got the error above.
Does anyone know what I am doing wrong? I can add font awesome through its CDN or add the font awesome CSS file in my application if need be.
That policy quoted in the error message in the question has default-src 'self' but the policy shown from your meta element doesn’t. That seems to indicate your document’s being served with a policy in a Content-Security-Policy HTTP header in addition to the one in the meta.
And that other policy is relatively strict in that it has default-src 'self' and no style-src. So while you’re specifying another less-strict policy using that meta, the problem’s that the way CSP works when you specify multiple policies is, the most-strict policy always wins. So your browser’s basically ignoring your meta policy and just using the policy specified in the HTTP header.
The solution is: find the place in the server code which is adding that Content-Security-Policy HTTP header, and either change it so it has the exact policy you want, or else remove that part of the server code altogether, and instead just set the policy using the meta element.
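An added illustration of the behaviour this answer describes (not code from the original posts): a simplified evaluator that checks a stylesheet URL against every delivered policy, using the header policy quoted in the error message and the meta policy from the question. Source matching is reduced to 'self' and scheme/host sources, and the page origin http://localhost:5000 is taken from the request log later in the question.

```javascript
// Simplified CSP check for stylesheet loads only. Handles 'self' and
// scheme://host sources; ignores paths, ports, wildcards, nonces and hashes.

function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources); // first occurrence wins
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keywords never match a URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // Simplification: a source without a scheme is accepted for any scheme.
  const schemeOk = m[1] ? url.protocol === m[1].toLowerCase() + ":" : true;
  return schemeOk && url.hostname === m[2].toLowerCase();
}

// One policy's verdict: style-src if present, otherwise default-src,
// otherwise this policy places no restriction on stylesheets.
function policyAllowsStyle(policy, url, pageOrigin) {
  const list = policy.get("style-src") ?? policy.get("default-src");
  if (list === undefined) return true;
  return list.some((s) => sourceMatches(s, url, pageOrigin));
}

// Every delivered policy is enforced; a load must pass all of them.
function styleAllowed(policyTexts, href, pageOrigin) {
  const url = new URL(href);
  return policyTexts.every((t) => policyAllowsStyle(parsePolicy(t), url, pageOrigin));
}

const PAGE = "http://localhost:5000";
const CDN = "http://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css";
const HEADER = "default-src 'self'"; // policy quoted in the browser error
const META = "script-src 'self' http://maxcdn.bootstrapcdn.com 'unsafe-inline' 'unsafe-eval'; " +
  "style-src 'self' http://maxcdn.bootstrapcdn.com 'unsafe-inline' 'unsafe-eval';";

console.log("meta only:", styleAllowed([META], CDN, PAGE));
console.log("header + meta:", styleAllowed([HEADER, META], CDN, PAGE));
```

The meta policy alone would admit the CDN stylesheet; adding the header policy blocks it, while a same-origin stylesheet still passes both.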

Is there a more effective way of configuring API's for CA API Gateway

I am trying to configure some API's through CA-API Gateway.
However, the CA product seems to be heavily based on UI interaction (JSP).
I have seen that they also provide REST interface.
Has anyone set up a complete API using something else than the JAVA based UI?
Ideally I would like to have my complete configurations as code.
The REST api for the API Gateway seems to provide a lot of get and post functionality, but I have not been able to get it working:
Executing a get template towards my CA APIGW instance (https://localhost:9443/restman/1.0/services/template) yields:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<l7:Item xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
<l7:Name>SERVICE Template</l7:Name>
<l7:Type>SERVICE</l7:Type>
<l7:TimeStamp>2017-06-13T07:30:22.487Z</l7:TimeStamp>
<l7:Link rel="self" uri="https://d7a66e5db02e:9443/restman/1.0/services/template"/>
<l7:Link rel="list" uri="https://d7a66e5db02e:9443/restman/1.0/services"/>
<l7:Resource>
<l7:Service>
<l7:ServiceDetail folderId="FolderID">
<l7:Name>My New Service</l7:Name>
<l7:Enabled>false</l7:Enabled>
</l7:ServiceDetail>
<l7:Resources>
<l7:ResourceSet tag="policy">
<l7:Resource type="policy">Policy XML</l7:Resource>
</l7:ResourceSet>
</l7:Resources>
</l7:Service>
</l7:Resource>
</l7:Item>
From reading the template I expect to be able to create a new published service using post and the following body:
<l7:Service>
<l7:ServiceDetail folderId="0000000000000000ffffffffffffec76">
<l7:Name>MyNewService</l7:Name>
<l7:Enabled>false</l7:Enabled>
</l7:ServiceDetail>
<l7:Resources>
<l7:ResourceSet tag="policy">
<l7:Resource type="policy">Policy XML</l7:Resource>
</l7:ResourceSet>
</l7:Resources>
</l7:Service>
The POST to https://localhost:9443/restman/1.0/services however yields:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>400 Bad Request</title>
</head>
<body>
<h1>Bad Request</h1>
<h3>The request sent by the client was syntactically incorrect.</h3>
</body>
</html>
And there is no apparent way for me to debug what actually fails.
I would expect to be able to trace the error in a log somewhere but can not find any documentation or examples of this.
The following worked for me:
Query the object type you'd like to create, e.g. GET /restman/1.0/services/{ID} or use GET /restman/1.0/services?name={service-name}
To create a new instance, find the right sub-element of the XML response, e.g. for services //Item/Resource/Service
Use this sub-element in your RESTMAN POST request
If you'd like to update an existing service:
Query the existing version number (and ID)
PUT /restman/1.0/services/{ID} with version in the version attribute
If the version does not match, the update will fail.
There is no good alternative to native CA Policy manager application, but you can use REST management API's to make updates and move policy code between different environments.
All policies are written in XML so you can export them to a file and manage them in your normal version control system.
You can use deployment tools like Jenkins https://jenkins.io where you can configure custom plugin to integrate it with API deployments, but you will still have to rely on RESTMAN API's.
Hope that helps!

ajax request getting redirected to /system/sling/cqform/defaultlogin.html

I'm making an ajax call from cq to a webservice; however, the ajax call returns the below response
<html>
<head>
<script type="text/javascript">
var u="/system/sling/cqform/defaultlogin.html?resource=%2Ferror%2F500.html&$$login$$=%24%24login%24%24";
if ( window.location.hash) {u = u + window.location.hash;}
document.location = u;
</script>
</head>
<body>
<!-- QUICKSTART_HOMEPAGE - (string used for readyness detection, do not remove) -->
</body>
</html>
May I know what exactly the above response means?
Note: cookies and necessary headers are set to the ajax request for making the call to the webservice.
Also, this ajax call is working fine in all the other cq environments; it is having the above issue in only one environment.
Thanks,
Balaji.
The link in script points to login form. So I think, that service can be accessed only by logged-in/some CUG users.
UPD1
To find reason, you should check permissions of your user, also Dispatcher configuration can be a problem there.

Couldn't load Cookies file generated from firebug into Apache jMeter Cookie management?

I am testing my website, which requires cookie data to be set properly, and there is quite a lot of cookie data, making it annoying to add it manually. I googled a little and learned that I might export cookies out of Firefox Firebug and load them in the jMeter HTTP Cookie Manager. However, I have tried many times and failed to see any cookie data imported; nothing changed, and I don't know what's going on.
I am using the latest jMeter. Any suggestions?
These are some of my cookie data, exported out of firebug
.qq.com TRUE / FALSE 1755394742 RK xGvq1yp4Tf
.tenpay.com TRUE / FALSE certallnum 1
.tenpay.com TRUE / FALSE certinfo 1|150537011-
.tenpay.com TRUE / FALSE certlist 150537011-
.tenpay.com TRUE / FALSE certuserflag 1
.tenpay.com TRUE / FALSE 1441074265 ctrlServErr undefined
.qq.com TRUE / FALSE 1443526587 lskey 0001000064e173918a7f1bfc52dc25d64a62e88892dfc1128b742e69cdf304aecaf2136b14628f2188588a3a
.qq.com TRUE / FALSE 1443526587 luin o0414077270
.qq.com TRUE / FALSE 2147385600 o_cookie 414077270
And this is how I tried to load the cookie data:
JMeter's HTTP Cookie Manager is smart enough to handle cookies on its own.
Looking into response from tenpay.com website I can see the following:
<!DOCTYPE HTML>
<html>
<head>
<meta charset="GB2312">
<meta http-equiv="refresh" content="0;url=https://www.tenpay.com/v2/">
<title>²Æ¸¶Í¨ - »áÖ§¸¶ »áÉú»î</title>
</head>
<body>
</body>
</html>
Pay attention to that line:
<meta http-equiv="refresh" content="0;url=https://www.tenpay.com/v2/">
As per User Manual
JMeter is not a browser. As far as web-services and remote services are concerned, JMeter looks like a browser (or rather, multiple browsers); however JMeter does not perform all the actions supported by browsers. In particular, JMeter does not execute the Javascript found in HTML pages. Nor does it render the HTML pages as a browser does (it's possible to view the response as HTML etc., but the timings are not included in any samples, and only one sample in one thread is ever viewed at a time).
It means that JMeter won't open https://www.tenpay.com/v2/ URL automatically, you'll need to explicitly "tell" JMeter to execute GET request to that URL.
Extract URL from the <meta http-equiv="refresh"... bit with the Regular Expression Extractor like:
Add Regular Expression Extractor as a child of the first request
Configure it as follows:
Reference Name: anything meaningful, i.e. URL
Regular Expression: <meta http-equiv="refresh" content="0;url=(.+?)">
Template: $1$
Add a new HTTP Request sampler after 1st sampler, leave everything intact and put ${URL} in "Path" input so your test plan would look something like:

Cordova Https ajax requests fails or encoded response

We have developed an application which runs perfectly fine on desktop and mobile web with a Verisign certificate (https). We have developed iOS and Android Cordova applications which were working fine with the http server. For production they have enabled SSL. The iOS and Android hybrid applications are not working because of the ajax call response. Below are the responses I am receiving for http and https. Are there any changes required on the client side, or is it all about SSL? Is there any workaround for the SSL decoded response? We are using IBM's WebSphere application server.
Response from http server
[{"SALT":"3FzekTIywrmm9jojnfHn11"}]
Response from https server
<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1"></head><body>
<script type=text/javascript>
function decode_base64(input){
var keyStr="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var output="";
var chr1,chr2,chr3;var enc1,enc2,enc3,enc4;var i=0;input=input.replace(/[^A-Za-z0-9+/=]/g,"");
while(i<input.length){
enc1=keyStr.indexOf(input.charAt(i++));
enc2=keyStr.indexOf(input.charAt(i++));
enc3=keyStr.indexOf(input.charAt(i++));
enc4=keyStr.indexOf(input.charAt(i++));
chr1=(enc1<<2)|(enc2>>4);
chr2=((enc2&15)<<4)|(enc3>>2);
chr3=((enc3&3)<<6)|enc4;output=output+String.fromCharCode(chr1);if(enc3!=64){
output=output+String.fromCharCode(chr2)
}
if(enc4!=64){
output=output+String.fromCharCode(chr3)}}return output;
}
document.write(decode_base64("PHNjcmlwdCB0eXBlPXRleHQvamF2YXNjcmlwdD52YXIgdG9fZGVjPWRlY29kZV9iYXNlNjQoImNtUjFWV2hzWkc1MGRTbG5kRzlpZFdodWJ5RXBLSG9oWlc1aWRHeGtiM1V2Ylc1aVlIVm9ibTg4SXk0eGUzRnZMaU02SVh3dElUQXhNVEVvIik7IGRlY19yZXM9IiI7IHZhciB4b3Jfa2V5PTE7IGZvcihpPTA7aTw2MDtpKyspeyBkZWNfcmVzKz1TdHJpbmcuZnJvbUNoYXJDb2RlKHhvcl9rZXledG9fZGVjLmNoYXJDb2RlQXQoaSkpO30gZXZhbChkZWNfcmVzKTs8L3NjcmlwdD4="));
</script>
</body>
</html>
That is quite an odd way to return the error message, but your HTTPS server is telling
i18n-values: Missing value for "primaryParagraph"
You can see that by
copy-paste the HTML to text editor,
Name it like foo.html,
Open it on browser,
Open developer tools and see console where it says that.
To answer your question: from point of view of client-side coding there isn't really much difference between HTTP and HTTPS calls. Browser tends to hide those quite effectively, though the performance is in general weaker on HTTPS calls etc.
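The quoted HTTPS response can also be unwrapped statically instead of being opened in a browser. This added example (not part of the original posts) decodes the base64 layer and the single-byte XOR layer of the document.write() argument shown in the question and returns the script that would have been passed to eval, without running it; the function and constant names are made up for this illustration.

```javascript
// Static unwrap of the two-layer obfuscation: no document.write, no eval.
// Runs under Node.js with no dependencies.

// The document.write() argument from the response quoted in the question,
// split across lines for readability.
const OUTER_B64 =
  "PHNjcmlwdCB0eXBlPXRleHQvamF2YXNjcmlwdD52YXIgdG9fZGVjPWRlY29kZV9iYXNlNjQo" +
  "ImNtUjFWV2hzWkc1MGRTbG5kRzlpZFdodWJ5RXBLSG9oWlc1aWRHeGtiM1V2Ylc1aVlIVm9i" +
  "bTg4SXk0eGUzRnZMaU02SVh3dElUQXhNVEVvIik7" +
  "IGRlY19yZXM9IiI7IHZhciB4b3Jfa2V5PTE7" +
  "IGZvcihpPTA7aTw2MDtpKyspeyBkZWNfcmVzKz1TdHJpbmcuZnJvbUNoYXJDb2RlKHhvcl9r" +
  "ZXledG9fZGVjLmNoYXJDb2RlQXQoaSkpO30gZXZhbChkZWNfcmVzKTs8L3NjcmlwdD4=";

const b64 = (s) => Buffer.from(s, "base64").toString("latin1");

function unwrapInterstitial(outerB64) {
  // Layer 1: base64 -> a <script> that sets to_dec and xor_key, then calls eval().
  const layer1 = b64(outerB64);
  const inner = /decode_base64\("([A-Za-z0-9+\/=]+)"\)/.exec(layer1);
  const key = /xor_key\s*=\s*(\d+)/.exec(layer1);
  if (!inner || !key) throw new Error("unexpected layer-1 structure");

  // Layer 2: base64 -> bytes, each XORed with the single-byte key.
  const xorKey = Number(key[1]);
  const payload = Array.from(b64(inner[1]), (c) =>
    String.fromCharCode(c.charCodeAt(0) ^ xorKey)).join("");

  // Report what the payload would do instead of executing it.
  const nav = /(?:document\.)?location(?:\.href)?\s*=\s*"([^"]*)"/.exec(payload);
  return { layer1, xorKey, payload, redirectTo: nav ? nav[1] : null };
}

const result = unwrapInterstitial(OUTER_B64);
console.log(result.payload);
console.log("redirects to:", result.redirectTo);
```

For the response quoted in the question, the recovered script is a one-second setTimeout that sets document.location to "/0zpn/", so the AJAX caller was handed a browser redirect page rather than the JSON body.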
