I have an application error page which has a log form. I want user to login using this form but the system throw
"HTTP Status 405 - Request method 'POST' not supported"
I am able to login using my application login screen but when I try to login from the error page it not allow me, following is my form configuration:
login and erro page form
<form name='f' action="<c:url value='j_spring_security_check' />"
method='POST'>
<label>User Name</label><input type='text' name='j_username' value=''><br/>
<label>Password</label><input type='password' name='j_password' /><br/>
<button type="submit" style="margin-bottom:10px">Login</button><br/>
<button type="reset">Reset</button>
</form>
How should I define multiple forms in spring security??
Your url in the page is wrong, currently it maps to j_spring_security_check in the current directory, whereas j_spring_security_check is only available on the root of your application. So when you are chaning to your error page and try to login again the URL the POST request goes to will be something like /YourApp/error404/j_spring_secrity_check.
Change it to <c:url value="/j_spring_security_check"/> (notice the additional /). This will instruct the url tag to create a URL always pointing to the root of your application.
Related
I have a view in my Laravel application that has a form with the #csrf inside. The problem is that I faced the 419 Page expired exception only sometimes. When I refreshed the page, the login page appeared and after login, a few times the form submission was done successfully but again, 419 occurred.
I saw the other topics. All of them told that the solution is adding the #CSRF directive to the form.
But in my special case, the #CSRF exists.
Help me please.
Update
Here is a part of my source code. It's a simple html form with the #CSRF inside it.
<form method="POST" action="/settingUrl">
#csrf
<input type="text" name="myfield" />
<input type="submit" value="save" />
</form>
I am using Laravel to build my todo app.
In the web.php routes file i have added this route:
Route::put('/tasks/changecat', 'TaskController#changeCat');
and i am calling this route from a form in a .blade.php file like so:
<form action="tasks/changecat" id="change-cat-form" class="d-none" method="POST">
#method('PUT')
#csrf
<input type="text" name="task" id="task-input">
<input type="text" name="category" id="category-input">
</form>
But when i try to submit the form on the browser i get 404 not found
I tried to use postman and i have included the csrf token in the headings, i get a 200 ok but i get redirected to the login page.
what do you think it's causing the problem?
I fixed this when i changed the method to PATCH.
Route::patch('/tasks/changecat', 'TaskController#changeCat');
It turns out that i should use PATCH because i needed to change a part of the resource and not all of it.
Using PATCH will change the 'updated_at' column value automatically too.
I am working on a Go script that makes some API calls to a webserver. I use the net/http library. SSO can be enabled or disabled on this webserver. So my go script works well with a non-SSO webserver. It is able to hit the endpoints. But with SSO, I get a http response like this
`
Note: Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
<form action="https://hostname/idp/SSO.saml2" method="post">
<div>
<input type="hidden" name="SAMLRequest" value="PD94bWwgdmVyc2lvbj......pBdXRoblJlcXVlc3Q+"/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
`
Is there a way in Go lang, to execute the form action and handle all the redirection?
We are implementing the "forget password" feature for our website.
We are usign HTML, JQquery mobile and AJAX .
we have a main file, which has the hyperlink for the forget password using the '' tag.
The password.html has form elements as below:
<form method ="post" id="forget" action="somefile.php" >
<h4>Enter your login email to change your password..</h4>
<label for="email" class="ui-hidden-accessible">Email:</label>
<input type="email" name="email" id="email" value="" placeholder="email" data-theme="a" />
<input type="submit" value="Submit" data-theme="b" />
</div>
</form>
The php file validates the email and sends the response in JSON format , which we are handling through a ajax call.
The problem is after hitting on "submit" in the password.html, we are able to retreive the data from the php file(able to see in network tab of browser) but it does not display on the frontend.
The browser is navigating to the php file (which it should not) and a blank page is being displayed.
Ps: When we directly load the password.html in the browser the behaviour is absoultely fine , but when we are navigating from the main file usign the hyperlink to password.html then this problem occurs.
My Flask app is AJAX-heavy, but does not use any cookies. Is CSRF still a threat or is it safe to deploy the app as of now?
I have already looked at this SO question but my situation is slightly different, since I do not have to worry about user's credentials.
I tried an AJAX call from Chrome DevTools (using $.ajax()) to my server which was running on localhost (Flask development server) and I got an error saying
XMLHttpRequest cannot load http://localhost:5000/_ajax. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome://newtab' is therefore not allowed access.
Does this mean I am safe, or is it possible that a hacker could circumvent this and still make AJAX calls to my server?
CSRF isn't just protection against CORS AJAX. I could make a form on my site, and set the action to http://yoursite.com/account/delete. If a user submits my form, without CSRF on your site, the action would succeed. Or if you have things change on GET requests (shouldn't do that anyway), I could add this to my site:
<img src="http://yoursite.com/account/delete" />
and the action would happen when my page loads.
Check out Flask-WTF or this snippet: http://flask.pocoo.org/snippets/3/
EDIT
From your comment:
Change the action of that page to a POST, and have it be accessed through a form instead of a link. If your link was:
<a href="{{ url_for('my_page') }}">Click Here</>
Your form could be (using Flask-WTF, which you would need):
<form action="{{ url_for('my_page') }}" method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<input type="submit" value="Click Here" />
</form>