I am using JSF2.2 and have servlet filter configured. Part of the code in Filter that work:
HttpServletResponse response = (HttpServletResponse) resp;
if (userSession == null) {
redirectURLRegular = response.encodeRedirectURL("../login.xhtml?param1=noSession");
redirectURLAjax = response.encodeRedirectURL(request.getContextPath()
+ "/faces/login.xhtml?param1=noSession");
else{
chain.doFilter(req, resp);
return;
if (isAJAXRequest(request)) {
StringBuilder sb = new StringBuilder();
sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<partial-response><redirect url=\"").append(redirectURLAjax)
.append("\"></redirect></partial-response>");
response.setHeader("Cache-Control", "no-cache");
response.setCharacterEncoding("UTF-8");
response.setContentType("text/xml");
PrintWriter pw = response.getWriter();
pw.println(sb.toString());
pw.flush();
} else {
response.sendRedirect(redirectURLRegular);
}
If session is null redirect - both regular and AJAX happens. In next page (login.xhtml, requestScoped) I can get parameter value (param1) in bean via
#ManagedProperty("#{param.param1}")
private String param1;
If I add second param "../login.xhtml?param1=noSession¶m2=val2" - regular requests work (redirect happens and see both params) but AJAX request dose not work(no redirect, nothing happens). Here is Firebug report:
XML Parsing Error: not well-formed Location: moz-nullprincipal:{4584d37a-e799-43db-8379-b0451edca95c} Line Number 1, Column 120:
..."/admin/faces/login.xhtml?param1=noSession¶m2=val2"></redirect></partial-r...
...-------------------------------------------------^
How is this caused and how can we set multiple parameters in filter for AJAX calls?
The & is a special character in XML representing the start of an entity like &, <, etc. The XML parser is implicitly looking for the name (amp, lt, etc) and the ending ;. However, you wasn't using it as such and hence the webbrowser's XML parser felt over it when it unexpectedly encountered an =, making it non-well-formed XML.
You need to escape the XML special character & into the entity &.
redirectURLAjax = response.encodeRedirectURL(request.getContextPath()
+ "/faces/login.xhtml?param1=noSession¶m2=val2");
Related
We have a Controller running on tomcat 8.5.32 which receives a POST request with query params
/{path_param}/issue?title=4&description=5
request body is empty
Then controller redirects this request to Spring Boot microservice with tomcat 9.0.27.
At line
CloseableHttpResponse result = httpClient.execute(request);
request.getURI().getQuery() equals&title=1&description=2
But when it arrives to microservice parameters are duplicated (title=[4,4]&description=[5,5]).
This is the code which redirects request to microservice
private static <T, U> T executePostRequest(String url, U body, HttpServletRequest httpServletRequest, Function<String, T> readValueFunction) {
try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
URIBuilder uriBuilder = new URIBuilder(url);
httpServletRequest.getParameterMap().forEach((k, v) -> Arrays.stream(v).forEach(e -> uriBuilder.addParameter(k, e)));
HttpPost request = new HttpPost(uriBuilder.build());
CloseableHttpResponse result = httpClient.execute(request);
String json = EntityUtils.toString(result.getEntity(), "UTF-8");
handleResultStatus(result, json);
return readValueFunction.apply(json);
} catch (IOException | URISyntaxException e) {
...
}
}
I found that there was similar issue with jetty and it was fixed but did not find anything related to tomcat - and how it can be fixed.
I saw also this topic whith suggestion how to handle duplicated parameters in spring boot but i am wondering if anyone else experienced same issue and how did you resolve it if yes.
It's not a bug, it's a feature present in every servlet container.
The Servlet API does not require for the request parameters to have unique names. If you send a POST request for http://example.com/app/issue?title=1&description=2 with a body of:
title=3&description=4
then each parameter will have multiple values: title will have values 1 and 3, while description will have values 2 and 4 in that order:
Data from the query string and the post body are aggregated into the request
parameter set. Query string data is presented before post body data. For example, if
a request is made with a query string of a=hello and a post body of a=goodbye&a=
world, the resulting parameter set would be ordered a=(hello, goodbye, world).
(Servlet specification, section 3.1)
If you want to copy just the first value of the parameters use:
httpServletRequest.getParameterMap()//
.forEach((k, v) -> uriBuilder.addParameter(k, v[0]));
The url-string contains a back-slash character that needs to be encoded. The url string is as follows.
String folder = "\\Foo\\Bar\\"; // some folder search path.
String urlString= "http://localhost:8081/certificates/?mypath=%5CFoo%5CBar%5C" // (after encoding)
Here I use Spring RestTemplate to do a GET request. I setup a mock-server to examine the request in detail (mock server setup using Mulesoft, if u must know!).
ResponseEntity<String> responseEntity = api.exchange(urlString, HttpMethod.GET, new HttpEntity<>(new HttpHeaders()), String.class);
Here I use plain vanilla Java URLConnection to perform the request. Attached image with detailed request snapshot.
// 2. Plain vanilla java URLConnection. "result.toString()" has certificate match.
StringBuilder result = new StringBuilder();
URL url = new URL(urlString);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestProperty("X-Venafi-Api-Key", apiKey);
conn.setRequestMethod("GET");
BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line;
while ((line = rd.readLine()) != null) {
result.append(line);
}
rd.close();
System.out.println(result.toString());
In the images, you can see that the queryString value is different for these two requests. One of them shows \\ while the other shows %5C, although the parsed parameter value for myPath is still the same.
I am having to deal with an api that seems to work if-and-only-if the queryString looks like the former (i.e. "\\"). Why does the parsed queryString for Spring show "%5C" while this value shows double-backslash for requests originating from plain Java, curl, and even a simple browser?
What baffles me EVEN more, is that just about everything about the two HTTP Requests are IDENTICAL! And yet, why does the queryString/requestUri parse differently for these two requests? Shouldn't it be that a HTTP GET method is completely defined by its header contents and the requestUri? What am I missing to capture in these two GET requests?
Lots of questions. Spent an entire day, but at least I could verify that the way the requestUri/queryString is parsed seems to align with how the remote api-server responds.
Thanks.
Did some digging around the following morning. Turn out, with
ResponseEntity<String> responseEntity = api.exchange(urlString, HttpMethod.GET, new HttpEntity<>(new HttpHeaders()), String.class);
You should NOT have the "urlString" already encoded. The 'exchange' method does that encoding for you under-the-hood.
I am sending an url with certain parameters to my controller, which works generally fine. I am using javascript function encodeURI() to encode the parameter.
But as soon, as there is a linefeed, I receive a 404 error.
This is a working url:
http://localhost:8080/Weasy/virtualtable/execQuery/46/select%20*%20from%20payment
This is a non-working url:
http://localhost:8080/Weasy/virtualtable/execQuery/46/select%20*%20%0Afrom%20payment
And this is my controller method:
#RequestMapping("execQuery/{schema_id}/{query}")
public ModelAndView execQuery(
#PathVariable("schema_id") Integer schemaId
, #PathVariable("query") String query) throws Exception {
SrcSchema schema = this.srcschemaService.getRowById(schemaId);
ModelAndView mav = new ModelAndView("virtualtable/form");
mav.addObject("schema", schema);
mav.addObject("query", query);
try {
int limit = 10;
List<Map<String, Object>> rows = jdbcService.executeQuery(schema.getConnection(), query, limit);
mav.addObject("rows", rows);
mav.addObject("message", "<span class='msg-info'>Result Set reduced to "+limit+" rows</span>");
} catch (Exception ex) {
logger.error("Error executing sql", ex);
mav.addObject("message", "<span class='msg-error'>"+ex.getMessage()+"</span>");
}
return mav;
}
Why does it not work?
I do not think it is your app. I guess it is your web server blocking the request as you are using an odd character. Apache for example denies the access to urls containing %2F (/), %5F (\) or %00 (NULL). As a rule, the ASCII characters between %00 and %1F, named control characters, should not be present at urls, and %0A is one of them.
My advice is you should parse your query and get rid of, not only %0A but also any problematic character, before doing the request.
If you still want to make it works I think you need to include a rewriterule in your .htaccess (I guess you are using Apache), and use a regular expression to remove the line feed and redirect to the same url without that character.
Apache URL Rewriting Guide
I have a login form (login.jsp) with two input fields, username and password.
I am using POST via Ajax to access the login servlet.
I want the user to login, and if the login is successful, be redirected to another page called 'search.jsp'. If unsuccessful, a 'login failed' message is returned as the Ajax responseText to be inserted into a paragraph in the 'login.jsp' page.
I have everything working, my login servlet accesses the database via a separate bean, and an object of that bean is returned with its properties ready to use. So all is good to there.
But, after the username and password pass muster with the database, I'm then using RequestDispatcher to forward to the new landing page (search.jsp).
Here is my doPost()
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username,password;
username = request.getParameter("p");
password = request.getParameter("q");
try {
LoginService ls = new LoginService(username,password);
User user = ls.getUserDetails();
if(user.getUsername()!=null && user.getPassword()!=null){
FormService filler = new FormService();
Form fields = filler.getFields();
request.setAttribute("user",user);
request.setAttribute("fields1",fields);
request.setAttribute("fields2",fields);
request.setAttribute("fields3",fields);
HttpSession session = request.getSession(true);
//set attribute for the session
session.setAttribute("user",user.getUsername());
//Now, the RequestDispatcher.forward() is not forwarding to the new page!
//The whole 'search.jsp' page is being stuffed back into the 'login.jsp' page
RequestDispatcher rd = request.getRequestDispatcher("search.jsp");
rd.forward(request,response);
return;
}
else{
PrintWriter out = response.getWriter();
out.println("login failed!");
return;
}
} catch (Exception e) {
e.printStackTrace();
}
}
But instead of forwarding the request and response to the new jsp page 'search.jsp', the whole search.jsp page is being stuffed back into the the original login.jsp page - in the html element which holds the Ajax responseText in when login fails.
The forward() method in the servlet works when the servlet is called from the form action attribute, but not when the servlet is called the javascript file containing the Ajax code.
But instead of forwarding the request and response to the new jsp page 'search.jsp', the whole search.jsp page is being stuffed back into the the original login.jsp page - in the html element which holds the Ajax responseText in when login fails.
That's indeed the expected behaviour. You're handling the request/response using JavaScript. Your JavaScript code has retrieved the response of search.jsp as responseText and is putting it in the HTML element.
You need to change this approach. You need to let the response return the necessary data which sufficiently informs JavaScript so that it can handle the response properly. A commonly used data format for this is JSON.
Something like
response.setContentType("application/json");
if (user != null) {
// ...
response.getWriter().write("{ 'success': true, 'location': 'search.jsp' }");
} else {
response.getWriter().write("{ 'success': false, 'message': 'Unknown login' }");
}
and in JS:
var responseJson = eval('(' + xhr.responseText + ')');
if (responseJson.success) {
window.location = responseJson.location;
} else {
document.getElementById('message').innerHTML = responseJson.message;
}
If you want to handle this unobtrusively, so that the same servlet is reuseable on normal (non-ajax) HTTP requests (so that your webapp still works when the client has JS disabled!) then you could check if the X-Requested-With header equals to XmlHTTPRequest.
if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With")) {
// Handle ajax response (e.g. return JSON data object).
} else {
// Handle normal response (e.g. forward and/or set message as attribute).
}
See also:
How to use Servlets and Ajax?
Simple calculator with JSP/Servlet and Ajax
I am facing a problem, while encoding the response that I send back for an AJAX request, using GZIP. Can anyone give me some pointers on this please?
There is an AJAX request from the JSP,
An action class (Struts) at the server side handles the request,
The response is prepared as a JSON object,
The JSON string is written to the Response object and sent back,
the JSON string is read from the responseText property of the xmlHttp object back at the jsp
This works fine. However, instead of sending the raw JSON data, if I send back encoded JSON data, then there are issues.
Server Side Code to create GZip'ed JSON :
// jsonStr = JSONObj.toString();
ByteArrayOutputStream bos = new ByteArrayOutputStream();
GZIPOutputStream gzip = new GZIPOutputStream(bos);
gzip.write(jsonStr.getBytes());
gzip.close();
String newStr = new String(bos.toByteArray());
// set the response header and send Encoded JSON response
response.setHeader("Content-Type", "application/json");
response.setHeader("Content-Encoding", "gzip");
response.setHeader("Vary", "Accept-Encoding");
pw = response.getWriter();
pw.write(newStr);
pw.close();
At the JSP :
// marker
alert('Length of the received Response Text : ' + xmlHttp.responseText.length);
// evaluate the JSON
jsonStr = eval('(' + xmlHttp.responseText + ')');
The alert box, on receiving the response, reports length as 0!