Develop Reference

csrf security blocks http requests

I want to use http post to post data from jsp page to my controller .the problem is that when I enable csrf the request wasn't sent but I want to enable csrf can any one help me ?
home.jsp
<%# page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%# taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.0/jquery.min.js"></script>
<title>Insert title here</title>
</head>
<body>
hello there !!!<br>
<button type="button" onclick="location.href='${pageContext.request.contextPath}/create';"> start workflow</button> <br>
<button type="button" onclick="location.href='${pageContext.request.contextPath}/workflows';"> View Workflows</button> <br>
<button type="button" onclick="sendDataWithJson();"> View data</button> <br>
login
<p>Parameter from home ${pageContext.request.userPrincipal.name}</p>
</body>
<script type="text/javascript">
function success(data){
alert("success");
}
function error(data){
alert("error");
}
function sendDataWithJson(){
$.ajax({
type: 'POST',
url: '<c:url value="/sendmessage" />',
data: JSON.stringify({"text":"bla bla bla","name":"MED"}),
success:success,
error:error,
contentType: "application/json",
dataType: "json"
});
}
</script>
</html>
springsecurity.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<security:authentication-manager>
<security:ldap-authentication-provider
user-search-filter="(uid={0})" user-search-base="ou=users"
group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
group-role-attribute="cn" role-prefix="ROLE_" />
</security:authentication-manager>
<security:ldap-server url="ldap://localhost:8389/o=mojo"
manager-dn="uid=admin,ou=system" manager-password="secret" />
<security:http use-expressions="true">
<security:intercept-url pattern="/" access="permitAll"/>
<security:intercept-url pattern="/next" access="permitAll" />
<security:intercept-url pattern="/workflows" access="isAuthenticated()"/>
<security:intercept-url pattern="/getmessages" access="isAuthenticated()"/>
<security:intercept-url pattern="/sendmessage" access="permitAll"/>
<security:form-login login-page="/login"
login-processing-url="/login"
authentication-failure-url="/login.html?error=true"
username-parameter="username"
password-parameter="password"
/>
<security:csrf/>
</security:http>
</beans>
controller
#RequestMapping( value = "/sendmessage" , method=RequestMethod.POST , produces="application/json")
#ResponseBody
public Map<String, Object> getData(#RequestBody Map<String, Object> data){
String text=(String) data.get("text");
String name=(String) data.get("name");
System.out.println(text+","+name);
Map<String, Object>rval = new HashMap<String, Object>();
rval.put("success",true);
return rval;
}

You can add the csrf value to html when you are using jsp:
<meta name="_csrf_param" content="${_csrf.parameterName}"/>
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
this will render the crsf value from session.
and now you are using ajax, you should add the csrf token in header, you can extend the jquery:
$(function () {
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});
});

HTTP Status 404 --- Spring MVC

I run the code on tomcat 8.0.39 and it first shows the login.jsp When I fill the name and password and hit submit it returns the 404 error:login.jsp image
HTTP Status 404 image
My code follows:
web.xml
<!-- webapp/WEB-INF/web.xml -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>To do List</display-name>
<welcome-file-list>
<welcome-file>login.do</welcome-file>
</welcome-file-list>
</web-app>
LoginServlet.java
package com.ezmsip;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
#WebServlet(urlPatterns="/login.do")
public class LoginServlet extends HttpServlet {
#Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
request.getRequestDispatcher("WEB-INF/views/login.jsp").forward(request, response);
}
#Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
request.setAttribute("name", request.getParameter("name"));
request.getRequestDispatcher("WEB-INF/views/welcome.jsp").forward(request, response);
}
}
login.jsp
<%# page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hola desde una JSP</title>
</head>
<body>
<form action="/login.do" method="post">
Nombre: <input type="text" name="name" /> Password: <input type="password" name="password" /> <input type="submit" value="Log-in" />
</form>
</body>
</html>
welcome.jsp
<%# page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Bienvenido!</title>
</head>
<body>
Bienvenido! ${name}
</body>
</html>
Thanks!

It doesn't complain about login.jsp. It complains about /login.do. Did you deploy this app as the root web app in tomecat? Otherwise, it's under a context path, and you need your action to be something like /myWebApp/login.do.
In any case, the right thing to do is to prepend the context path:
action="${pageContext.request.contextPath}/login.do"
or, using the JSTL:
action="<c:url value='/login.do'/>"

Spring MVC - Uploading File Status 400 - Required MultipartFile parameter 'file' is not present

I'm new in Spring. I have excercise to make a Web app where the file is uploaded and then written to database. I'm making it with Spring MVC and Maven in Netbeans.
I made a fully working basic project based on this tutorial
https://saarapakarinen.wordpress.com/2015/01/11/building-a-basic-spring-3-web-project-netbeans-and-maven/
And tried to expand it for my application, wanted to make file uploading component based of official Spring tutorial
http://docs.spring.io/spring/docs/3.0.x/spring-framework-reference/html/mvc.html#mvc-multipart
but its not working, got an error:
HTTP Status 400 - Required MultipartFile parameter 'file' is not present
I've expanded this project with wyslij.jsp (form for upload file)
<%#page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wysylanie pliku</title>
</head>
<body>
<form method="get" action="http://localhost:8084/Hello/application/wyslij" enctype="multipart/form-data">
<input type="file" name="file"/>
<input type="submit"/>
</form>
</body>
</html>
And added Controller for uplading file called UpladController.java
package helloweb;
import java.io.IOException;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;
#Controller
public class UploadController
{
#RequestMapping(value = "wyslij", method = RequestMethod.GET)
public String handleFormUpload(#RequestParam("file") MultipartFile file) throws IOException
{
if (!file.isEmpty()) {
byte[] bytes = file.getBytes();
// store the bytes somewhere
return "redirect:tak";
} else
{
return "redirect:nie";
}
}
}
web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- name of the project//-->
<display-name>HelloProject</display-name>
<servlet>
<servlet-name>front-controller</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>front-controller</servlet-name>
<url-pattern>/application/*</url-pattern>
</servlet-mapping>
<!-- max time of the session //-->
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<!-- default page //-->
<welcome-file-list>
<welcome-file>application/wyslij.jsp</welcome-file>
</welcome-file-list>
</web-app>
and front-controller-serlvet.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<!-- configuration to fetch jsp files automatically from WEB-INF/jsp -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
<bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<!-- one of the properties available; the maximum file size in bytes -->
<property name="maxUploadSize" value="100000"/>
</bean>
<context:component-scan base-package="helloweb" />
</beans>
Could someone tell, why is an error and explain?
EDIT:
I decided to use form.jsp and HelloController.java made in tutorial and convert it to file upload (they were working more than my code)
form.jsp
<%#page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Form Page</title>
</head>
<body>
<form method="POST" enctype="multipart/form-data" action="http://localhost:8084/Hello/application/form">
<label>file to send: <input type="file" name="file" /></label>
<input type="submit" />
</form>
</body>
</html>
and HelloController.java
package helloweb;
import java.io.IOException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;
#Controller
public class HelloController
{
#RequestMapping(value = "form", method = RequestMethod.POST)
public String login(#RequestParam(value = "file", required = true) MultipartFile file) throws IOException
{
if (!file.isEmpty())
{
byte[] bytes = file.getBytes();
// store the bytes somewhere
return "redirect:tak";
}
else
{
return "redirect:nie";
}
}
#RequestMapping("form")
public String viewLoginPage(Model model)
{
return "form";
}
}
Now I have at least file upload form displayed properly at start page, but after selecting a file and click button, I get antoher error:
HTTP Status 500 - Could not parse multipart servlet request; nested exception is java.lang.IllegalStateException: Unable to process parts as no multi-part configuration has been provided

Chnaged and Controller now is:
#Controller
public class UploadController
{
#RequestMapping(value = "wyslij", method = RequestMethod.POST)
public String handleFormUpload(#RequestParam("file") MultipartFile file) throws IOException
{
if (!file.isEmpty()) {
byte[] bytes = file.getBytes();
// store the bytes somewhere
return "redirect:tak";
} else
{
return "redirect:nie";
}
}
}
and the jsp:
<%#page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wysylanie pliku</title>
</head>
<body>
<form method="post" action="http://localhost:8084/Hello/application/wyslij" enctype="multipart/form-data">
<input type="file" name="file"/>
<input type="submit"/>
</form>
</body>
</html>
tested service with postman
result for GET test:
HTTP Status 405 - Request method 'GET' not supported
type Status report
message Request method 'GET' not supported
description The specified HTTP method is not allowed for the requested resource.
result for POST test:
HTTP Status 400 - Required MultipartFile parameter 'file' is not present
type Status report
message Required MultipartFile parameter 'file' is not present
description The request sent by the client was syntactically incorrect.

You are sending file with multipart/form data encoding which needs Http POST. In your controller change it to post like below.
#RequestMapping(value = "wyslij", method = RequestMethod.POST)
And in your jsp as well.
<form method="post" action="http://localhost:8084/Hello/application/wyslij" enctype="multipart/form-data">
<input type="file" name="file"/>
<input type="submit"/>
</form>

Spring webflow redirection

My flow.xml is
<?xml version="1.0" encoding="UTF-8"?>
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:webflow="http://www.springframework.org/schema/webflow-config"
xsi:schemaLocation="http://www.springframework.org/schema/webflow
http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
<view-state id="index" view="/WEB-INF/jsp/index.jsp">
<transition on="phoneEntered" to="s1"/>
</view-state>
<view-state id="s1" view="/WEB-INF/jsp/ac.jsp">
<transition on="buttonPressed" to="next"/>
</view-state>
<end-state id="next" view="/WEB-INF/jsp/next.jsp"/>
</flow>
my index.jsp code is
<%#page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Welcome to Spring Web MVC project</title>
</head>
<body>
<form:form>
<input type="hidden" name="_flowExecutionKey" value="${flowExecutionKey}"/>
<input type="submit" name="_eventId_phoneEntered" value="HIT ME"/>
</form:form>
</body>
</html>
my spring webflow starts well.1st view state renders well but when i click submit button on index.jsp .. nothings happens
when index.jsp renders in web browser the url looks like /orderFlow.htm?execution=e2s1
please help

You need the Spring form tag library defined in your JSP:
<%# taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
You also do not need or want the hidden _flowExecutionKey parameter.

HTTP Status 404 Spring MVC Passing Parameters

I want to start work with Spring MVC, but can not adjust a simple example. I want to just pass one parameter form one jsp to another, but have error:
HTTP Status 404 - /controller/results.jsp type Status report message
/controller/results.jsp description The requested resource
(/controller/results.jsp) is not available. Apache Tomcat/7.0.12
My web.xml code:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/home</url-pattern>
</servlet-mapping>
Servlet-context.xml
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by #Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<context:component-scan base-package="edu.demidov.controller" />
</beans:beans>
Controller.java
#Controller
public class HomeController extends HttpServlet{
private static final long serialVersionUID = 4825408935018763217L;
private static final Logger logger = LoggerFactory.getLogger(HomeController.class);
EducationDaoInterface educationDaoIntfc;
#RequestMapping(value="/home", method=RequestMethod.GET)
public ModelAndView firstActionPage() {
return new ModelAndView("home");
}
#RequestMapping(value = "/result.jsp", method=RequestMethod.GET)
public String SecondActionPage(#RequestParam String firstname, Model model) throws IOException {
model.addAttribute("myname", firstname);
return "result";
}
Result.jsp
<%# page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
Hello form result.jsp
First name: ${myname}
</body>
</html>
Home.jsp
<%# page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<form name="myform" action="<c:url value="/results.jsp"/>" method="GET">
<input type="text" name="firstname"/>
<input type="submit"/>
</form>
</body>
</html>
Thanks.

You have wrong URL mapping.
There are two solutions.
1.
You can change the url mapping of SecondActionPage function in your controller to following.
#RequestMapping(value = "/result", method=RequestMethod.GET)
And also change the form action in Home.jsp to <c:url value="/results"/>
2.
You can change the url-pattern of your appServlet to /*. That is the standard way to url-pattern in Spring web application.
And then you need to change the request mapping and action in home.jsp as I have suggested in solution 1.
I recommend you solution 2. That is best practice.
Hope this helps you. :)

try this
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
#RequestMapping(value="/home", method=RequestMethod.GET)
public ModelAndView firstActionPage() {
return new ModelAndView("home");
}
#RequestMapping(value = "/result", method=RequestMethod.GET)
public String SecondActionPage(#RequestParam String firstname, Model model) throws IOException {
model.addAttribute("myname", firstname);
return "result";
}
<%# page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<form name="myform" action="/result" method="GET">
<input type="text" name="firstname"/>
<input type="submit"/>
</form>
</body>
</html>

You dont need to provide complete name of jsp file with extension as it will handled by org.springframework.web.servlet.view.InternalResourceViewResolver.
Change your form action to :
<form name="myform" action="result" method="GET"> //check spelling and remove '/' from url
And controller mapping to :
#RequestMapping(value = "/result", method=RequestMethod.GET)
Hope this may help you.

I have got this after all of the tying when I click on submit button from my home jsp to another controller url is:
`http://localhost:8080/controller/result?firstname=Vadim
it seems like I passing everything corectly to my controller but why my result.jsp page doesn't not appears
HTTP Status 404 - /controller/result
type Status report
message /controller/result
description The requested resource (/controller/result) is not
available.
Apache Tomcat/7.0.12