I have a problem in Spring, currently Im trying to create a custom approval page. I created a resource at /oauth/confirm_access which just shows up in my OAuth flow.
The page itself is stored inside a .jsp file and a near 1:1 copy of the default approval page (for testing purposes).
But when I click the "authorize" button, I will get redirected to the login screen, so Im guessing that my cookie might be invalid for some reason (I used SessionAttribute authorizationRequest).
I looked at the implementation of the WhitelabelApprovalEndpoint and copied this. (replaced the text with my page) and it worked.
However I need to store this page as a .jsp file.
Has anyone encountered the same issue?
Im returning the page like this:
#RequestMapping("/oauth/confirm_access")
public ModelAndView getAccessConfirmation(#ModelAttribute AuthorizationRequest clientAuth, Map<String, Object> model, HttpServletRequest request) throws Exception {
//model specifics
return new ModelAndView("approval", "model", model);
}
Related
I want to display 404 custom error page when a user try to hit unknown resource instead of whitelabel error.
Example : https://www.example.com/blog (this is valid request, as blog page is there)
but if user hits https://www.example.com/blog/unknown-parameter (this is not a valid request)
then, will display custom page not found or 404 page.
So I am new to spring boot and I have no idea how to do it.
I have created a custom error page inside src/main/webapp/views/page-not-found.jsp.
If any one can help, will be appreciable.
You can create a custom error controller
#Controller
#RequestMapping(“/error”)
public class Error Controller {
#GetMapping
String getErrorPage() {
// your code here…
}
}
My application based on spring boot and microservices architecture. There is FrontUI, CartService, AuthService microservices.
FrontUI has
#GetMapping("/search")
public String getSearch(...){
// code
}
#GetMapping("/login")
public String getLogin() {
return "login";
}
When I type http://localhost:8080/search and hit enter everything is ok search page with products are displayed. But when I hit Login button url changes to https://localhost:8080/login and then
This site can’t provide a secure connection
localhost sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
error is displayed.
I tried to remove all data from chrome
I tried to Query HSTS/PKP domain but it found nothing
I think I should configure project with ssl. or not?
Thanks
Actually application was redirecting to https://localhost:8080/login because link <a> was like <a href="https://localhost:8080/login"> and it has no chance other than to redirect to https://localhost:8080/login. And error was displayed because I have not configured my spring project with HTTPS. View this link in order to see how to configure https://www.thomasvitale.com/https-spring-boot-ssl-certificate/
Thanks hope this was useful
Adding an object to a ModelAndView in a Spring controller after forcing a download does not seem to work.
Code at Controller method
ModelAndView view = new ModelAndView("");
view.setViewName("pom-upload");
view.addObject("uploadStatus", "Uploaded pom has been successfully processed!");
response.setHeader("Content-Disposition", "attachment; filename=pom.xml");
IOUtils.copy(inputStreamToDownload, response.getOutputStream());
response.flushBuffer();
return view;
I get the file downloaded successfully.
But when I try to access the "uploadStatus" message in my JSP like
<c:out value="${uploadStatus}"></c:out>
or
div id="status-message" class="alert alert-success" role="alert">${uploadStatus}</div>
I do not get the message from ${uploadStatus}
What could the reason be and how would I fix this?
Ok, it sounds like you want to display a message to the user after they have downloaded a file. A couple options.
User clicks download link. This goes to success page. Success page uses Refresh header or javascript to initiate download. So success comes a little early.
See Detect when browser receives file download for some ideas on detecting when the browser gets the download.
I am using Spring MVC, I need to launch an application by giving the url for authentication, if it is success then set the attribute as success otherwise failure.
I have tried with this
#RequestMapping(value="/authenticate", method = RequestMethod.GET)
public String dataMappings(Model model) throws Exception {
model.addAttribute("status","status Don't Know here");
return "redirect:"+"http://localhost:8292/auth";
}
Here this launches my another http://localhost:8292/auth, but the problem is I need to know authentication success or failure and set the status in set attribute and display in UI.
How do I handle this?
IMO you shouldn't be handling the redirect in your controller. Instead of returning Stringconsider returning ModelAndView. Configure a view resolver and create appropriate views viz. success and failure. Then in the view you should do the redirect. The attributte you want to set should / can be done at controller and will be part of Model
I have a JSF page which is not protected by j_security_check. I perform the following steps:
Open the JSF page in a browser.
Restart the server.
Click a command button on the JSF page to initiate an ajax call.
Firebug shows that a ViewExpiredException is raised, as expected.
Post:
javax.faces.ViewState=8887124636062606698:-1513851009188353364
Response:
<partial-response>
<error>
<error-name>class javax.faces.application.ViewExpiredException</error-name>
<error-message>viewId:/viewer.xhtml - View /viewer.xhtml could not be restored.</error-message>
</error>
</partial-response>
However, once I configure the page to be protected by j_security_check and perform the same steps listed above, strangely (to me) the ViewExpiredException is no longer raised. Instead, the reponse is just a new view state.
Post:
javax.faces.ViewState=-4873187770744721574:8069938124611303615
Response:
<partial-response>
<changes>
<update id="javax.faces.ViewState">234065619769382809:-4498953143834600826</update>
</changes>
</partial-response>
Can someone help me figure this out? I expect it to raise an exception so I can process that exception and show an error page. Now it just responds with a new ViewState, my page just got stuck without any visual feedback.
I was able to reproduce your problem. What is happening here is that the container invokes a RequestDispatcher#forward() to the login page as specified in security constraint. However, if the login page is by itself a JSF page as well, then the FacesServlet will be invoked as well on the forwarded request. As the request is a forward, this will simply create a new view on the forwarded resource (the login page). However, as it's an ajax request and there's no render information (the whole POST request is basically discarded during the security check forward), only the view state will be returned.
Note that if the login page were not a JSF page (e.g. JSP or plain HTML), then the ajax request would have returned the whole HTML output of the page as ajax response which is unparseable by JSF ajax and interpreted as "empty" response.
It is, unfortunately, working "as designed". I suspect that there's some oversight in the JSF spec as to security constraint checks on ajax requests. The cause is after all understandable and fortunately easy to solve. Only, you actually don't want to show an error page here, but instead just the login page in its entirety, exactly as would happen during a non-ajax request. You just have to check if the current request is an ajax request and is been forwarded to the login page, then you need to send a special "redirect" ajax response so that the whole view will be changed.
You can achieve this with a PhaseListener as follows:
public class AjaxLoginListener implements PhaseListener {
#Override
public PhaseId getPhaseId() {
return PhaseId.RESTORE_VIEW;
}
#Override
public void beforePhase(PhaseEvent event) {
// NOOP.
}
#Override
public void afterPhase(PhaseEvent event) {
FacesContext context = event.getFacesContext();
HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
String originalURL = (String) request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
String loginURL = request.getContextPath() + "/login.xhtml";
if (context.getPartialViewContext().isAjaxRequest()
&& originalURL != null
&& loginURL.equals(request.getRequestURI()))
{
try {
context.getExternalContext().invalidateSession();
context.getExternalContext().redirect(originalURL);
} catch (IOException e) {
throw new FacesException(e);
}
}
}
}
Update this solution is since OmniFaces 1.2 been built into the OmniPartialViewContext. So if you happen to use OmniFaces already, then this problem is fully transparently solved and you don't need a custom PhaseListener for this.
The above AjaxLoginListener solution works for me. Interestingly we are using omnifaces 3.11.1 but the OmniPartialViewContext is not working in my scenario. This is because the check for the loginViewId does not match the current viewId since I have an error-page in my web.xml for org.jboss.weld.contexts.NonexistentConversationException. Note that when AjaxLoginListener is fired for me it throws an exception on the call to context.getExternalContext().invalidateSession(); so it never calls the redirect(). So I'm not sure if my scenario is exactly the same as the original one in this thread. Here are the steps I use to recreate my scenario:
Visit an xhtml page with an ajax command button.
Wait for the session to timeout.
Click the ajax command button.
User is redirected to the error-page mapped to the NonexistentConversationException in web.xml
Click a link on that page which requests a secured url
System shows login page - login.
Click the link that takes you to the xhtml page that contained the ajax command button in step 1.
System shows the partial response containing the NonexistentConversationException error-page contents.
Is it possible that the AjaxLoginListener is working because it is mapped to PhaseId.RESTORE_VIEW whereas the OmniPartialViewContext is mapped to PhaseId.RENDER_RESPONSE?