I found the below mentioned code snippet to handle the XSS while providing the input to the application.
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
But my application get the records from the DB which gets populated by the third party. And when I show those records on the web page,it starts executing the HTML content. Is there any way I can restrict that also ?
Thanks in advance
Related
I have a screen which is implemented in JSF2 and I have validations on some of the fields, and when an error appears for a field that has no
<h:message for="fieldName" />
it always appear on the end of the screen with no style
I want to hide the messages summary even if I don't handle those validations
I guess they are just warnings that you see when your project stage is set to Development.
In web.xml file, change:
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
to:
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Production</param-value>
</context-param>
and the messages disappear.
It is a feature of JSF 2 that shows you diagnostic messages when you are on Development stage. Actually you should changed that value in web.xml only when you want to put the project in production.
I need to log in with j_spring_security_check using special characters in the username and/or in the password via url
http://localhost:8080/appname/j_spring_security_check?j_username=username&j_password=üüü
isn't working and
http://localhost:8080/appname/j_spring_security_check?j_username=username&j_password=%c3%bc%c3%bc%c3%bc
(with "üüü" urlencoded)
isn't working either
Any suggestion? Let me know if you need to see any other configuration.
Thanks
The Java Servlet standard is lamentably poor at supporting Unicode. The default of ISO-8859-1 is useless and there is still no cross-container-compatible means of configuring it to something else.
The filter method in matteosilv's answer works for request bodies. For parameters in the URL, you have to use container-specific options. For example in Tomcat, set URIEncoding on the <Connector> in server.xml; in Glassfish it's <parameter-encoding> in glassfish-web.xml.
(If you have to work in a fully cross-container-compatible manner you end up having to write your own implementation of getParameter(), which is sad indeed. Bad Servlet.)
However in any case it is a bad idea to pass login form fields in GET URL parameters.
This is firstly because a login causes a state-change to occur, so it is not "idempotent". This makes GET an unsuitable method and causes a load of practical problems like potentially logging you in when you navigate a page, or failing to log you in due to caching, and so on.
Secondly there are a range of ways URLs can 'leak', including referrer tracking, logging, proxies and browser history retention. Consequently you should never put any sensitive data such as a password in a URL, including in GET form submissions.
I'd suggest using a POST form submission instead, together with the CharacterEncodingFilter.
Maybe an encodingFilter in the web.xml file could be helpful:
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>
org.springframework.web.filter.CharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
source: Spring security: Form login special characters
The issue was actually solved for me by moving the CharacterEncodingFilter ABOVE the SpringSecurityFilterChain in web.xml.
In my primefaces application, I want to cache all resources, including theme.css, primefaces.css, jquery.js, .... For this purpose, I created a web filter which examines the requests and set up the cache-control response header for that resource. However, I still catch the request for all PrimeFaces resources. Does anyone know how can I cache these resources so that my web app. can have less loading time.
thanks in advance
Put this configuration in web.xml:
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Production</param-value>
</context-param>
I'm useing Vaadin and BIRT reporting in my project.I have problem with accessing report with Vaadin,I think its related to my web.xml configuration.Can anyone help me to get out from this problem??
< /servlet-mapping>
<servlet-name>VaadinApplicationServlet</servlet-name>
<url-pattern>/VAADIN/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>VaadinApplicationServlet</servlet-name>
<url-pattern>/MyProject/*</url-pattern>
</servlet-mapping>
If i put url pattern like this.it shows index.jsp page as first page.
< /servlet-mapping>
<servlet-name>VaadinApplicationServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
If I configure the url pattern as "/*" it works fine and load the vaadin UI
but the problem is if I put 2nd configuration I can not load the report to browser,It always redirect to my current vaadin UI page (When I click the button to load the report)
If put first configuration I can access report directly ,But It does not load the vaadin UI.
Can any one help me to solve this problem??
Thank you.
Cheers
The first configuration should be ok, but you have to access your application differently:
Try
http://localhost:8080/[display-name]/MyProject
You should find the display-name right above the first context-param
<display-name>IamTheDisplayName</display-name>
<context-param>
<description>Vaadin production mode</description>
<param-name>productionMode</param-name>
<param-value>false</param-value>
</context-param>
I'm new to Java Enterprise and to Spring but I have a strong grasp of standard Java. I am looking through an existing web application project. The project uses Tomcat/Spring/Hibernate which I understand is fairly common. It also uses DWR for remote method invocations. I'm finding it somewhat difficult to separate responsibilities: what Tomcat is responsible for, what Spring is responsible for, how a request gets from one to the other, and how the major pieces of Spring fit together. I've read a great deal of documentation on Spring, particularly about beans and bean factory and am still in process of reading more. Any advice you guys have would be welcome, but I'll provide some specific questions.
Question 1: Where does the web.xml fit into things (when is it used/called, and where is it called from)?
Code sample 1:
<servlet>
<servlet-name>qrst</servlet-name>
<display-name>qrst Servlet</display-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
What does the above snippet do (or, what does it cause to happen)? At some point in my web app qrst.jsp gets used; is it the DispatcherServlet that calls qrst.jsp using the servlet name? Else what is the significance of the servlet name? What is load on startup?
Code sample 2:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/someLocation/some-servlet.xml
</param-value>
</context-param>
Links or explanation of what the above does? I can see from looking at the XML file that it contains bean definitions and I do understand what beans are and how they are used, but I don't know any other details about this and would like to.
Code sample 3:
<servlet>
<servlet-name>dwr-invoker</servlet-name>
<display-name>DWR</display-name>
<servlet-class>
org.directwebremoting.servlet.DwrServlet
</servlet-class>
<init-param>
<param-name>classes</param-name>
<param-value>
somepackage.someclass
</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
From what I read about beans, I believe those init-param elements are just parameters that get set in the servlet's java class. What's the significance of the servlet name, and what about the load on startup? The web app somehow "knows" when an AJAX (dwr) call is happening versus when the web app is being loaded for the first time (when its loading for the first time it should use qrst.jsp). How does it know this? How does it decide to route the request to DWR instead of to qrst.jsp? Where does it do this?
Thanks.
Servlets are JavaEE's idiom for answering HTTP requests. You program the behavior of your application in a Servlet which will respond to a request.
Tomcat is a Servlet container, which means you deploy your application in Tomcat and it will manage all the communication infrastructure for you: it accepts connections, manages database connections(*) and will call upon your servlets to handle incoming requests.
web.xml is part of any JavaEE application, not Spring. Your code sample 1 declares that your app will use an instance of class org.springframework.web.servlet.DispatcherServlet to handle incoming requests.
Although servlets are the basic foundations for JavaEE development, it is not advised to create your own; instead, with Spring, you create MVC controllers. Then the DispatcherServlet will call upon these controllers to handle the requests. It's just another indirection (but a very powerful one!)
is it the DispatcherServlet that calls qrst.jsp using the servlet name?
Not directly. It's just a coincidence that your servlet and the JSP file have the same name.
What is loaded on startup?
Your code sample 2 instructs the DispatcherServlet to load the beans from file /someLocation/some-servlet.xml. If there are controller beans in this file and according to how you configured the url mapping, beans from this file will answer the incoming requests. See the reference.
I believe those init-param elements are just parameters that get set in the servlet's java class
The init-param elements in web.xml are for the servlet class.
The web app somehow "knows" when an AJAX (dwr) call is happening versus when the web app is being loaded for the first time (when its loading for the first time it should use qrst.jsp). How does it know this?
Missing from the question are either the <servlet-mapping> element (found in web.xml), or the url mappings (found in the spring files). These are responsible for deciding whether an URL should be handled by the dispatcher servlet or the dwr servlet.
For instance, with an servlet mapping like below:
<servlet-mapping>
<servlet-name>qsrt</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dwr</servlet-name>
<url-pattern>*.dwr</url-pattern>
</servlet-mapping>
Then all URLs ending in .do will be answered by the dispatcher servlet, and those ending with .dwr will be handled by the dwr servlet. Here's where the names of the servlets are important.
JSP files are a different story. The container will simply use them to handle a URL ending in *.jsp. Do not create your onw servlet mapping for URLs ending in *.jsp. This will only cause headaches. This is probably unspecified behavior.
Edit:
However, the URL in the browser's address bar always looks the same: it would always invoke the qrst servlet
Then it is possible that your servlet-mapping is so broad (something like: <url-pattern>/*</url-pattern>) that it will handle anything you throw at the server and never give a chance for the other servlets to handle it.
Last but not least, when working with DWR or any Ajax technology, install the HttpFox extension for Firefox so you can monitor the Ajax calls of your application.