Spring security and special characters - spring

I need to log in with j_spring_security_check using special characters in the username and/or in the password via URL.
http://localhost:8080/appname/j_spring_security_check?j_username=username&j_password=üüü
isn't working and
http://localhost:8080/appname/j_spring_security_check?j_username=username&j_password=%c3%bc%c3%bc%c3%bc
(with "üüü" urlencoded)
isn't working either
Any suggestion? Let me know if you need to see any other configuration.
Thanks

The Java Servlet standard is lamentably poor at supporting Unicode. The default of ISO-8859-1 is useless and there is still no cross-container-compatible means of configuring it to something else.
The filter method in matteosilv's answer works for request bodies. For parameters in the URL, you have to use container-specific options. For example in Tomcat, set URIEncoding on the <Connector> in server.xml; in Glassfish it's <parameter-encoding> in glassfish-web.xml.
(If you have to work in a fully cross-container-compatible manner you end up having to write your own implementation of getParameter(), which is sad indeed. Bad Servlet.)
However in any case it is a bad idea to pass login form fields in GET URL parameters.
This is firstly because a login causes a state-change to occur, so it is not "idempotent". This makes GET an unsuitable method and causes a load of practical problems like potentially logging you in when you navigate a page, or failing to log you in due to caching, and so on.
Secondly there are a range of ways URLs can 'leak', including referrer tracking, logging, proxies and browser history retention. Consequently you should never put any sensitive data such as a password in a URL, including in GET form submissions.
I'd suggest using a POST form submission instead, together with the CharacterEncodingFilter.
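The mismatch described in the answer above, as an added example (not code from the question or the answers): the same percent-encoded j_password value is decoded once as ISO-8859-1, the servlet default, and once as UTF-8. The class name, method names and the stored password are constructed for illustration, and the equals() call stands in for the real credential check.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration: why a percent-encoded UTF-8 password fails to match when
// the container decodes the query string as ISO-8859-1.
public class QueryDecodingDemo {

    // Decode one query-string value the way a container configured with the
    // given charset (e.g. Tomcat's URIEncoding) would.
    static String decodeParam(String raw, String charset) throws UnsupportedEncodingException {
        return URLDecoder.decode(raw, charset);
    }

    // Undo the damage: map the mis-decoded chars back to the original bytes
    // and read them as UTF-8. This is lossless only because ISO-8859-1 maps
    // every byte 0x00-0xFF to exactly one char.
    static String repairLatin1Mojibake(String garbled) {
        return new String(garbled.getBytes(StandardCharsets.ISO_8859_1), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample: the password on record, three u-umlauts.
        String stored = "\u00fc\u00fc\u00fc";
        // The j_password value from the second URL in the question.
        String raw = "%c3%bc%c3%bc%c3%bc";

        String asLatin1 = decodeParam(raw, "ISO-8859-1"); // each byte becomes its own char
        String asUtf8 = decodeParam(raw, "UTF-8");        // each byte pair becomes one char

        System.out.println("ISO-8859-1: length=" + asLatin1.length()
                + " matches=" + asLatin1.equals(stored));
        System.out.println("UTF-8:      length=" + asUtf8.length()
                + " matches=" + asUtf8.equals(stored));
        System.out.println("repaired:   matches="
                + repairLatin1Mojibake(asLatin1).equals(stored));
    }
}
```

The ISO-8859-1 result has twice as many characters as the stored password, so any comparison or hash computed over it differs from the one on record.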

Maybe an encodingFilter in the web.xml file could be helpful:
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>
org.springframework.web.filter.CharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
source: Spring security: Form login special characters

The issue was actually solved for me by moving the CharacterEncodingFilter ABOVE the SpringSecurityFilterChain in web.xml.

Related

Unable to Connect servlet methods in wicket through objectstream.

I want to connect to a servlet using URLConnection in a Wicket-Spring integration, but when I try to hit the URL it redirects to the web application page. So can anyone tell me how to connect to servlet methods by using filters or any other way, so that I can directly hit the doPost or doGet methods?
The question is not very clear, so I'll try to guess. I suppose that you have a Wicket filter that intercepts and handles all the requests. Also you have some servlet, and you want requests to that servlet to not be intercepted by Wicket filter.
If this is what you want, here is what you can do to achieve this.
Let's say you have Wicket filter mapped to / and the servlet mapped to /my-service. Then you could tell Wicket filter to ignore requests to /my-service url:
<filter>
<filter-name>wicket.filter</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
<init-param>
<param-name>applicationClassName</param-name>
<param-value>... some application class name ...</param-value>
</init-param>
<init-param>
<param-name>ignorePaths</param-name>
<param-value>/my-service</param-value>
</init-param>
</filter>
If you want several paths to be ignored, you can separate them with commas like this:
<init-param>
<param-name>ignorePaths</param-name>
<param-value>/my-service,/my-other-service</param-value>
</init-param>
With this configuration, Wicket will ignore any requests under /my-service (that is, /my-service, /my-service/blabla and so on) and any request under /my-other-service.

How can I use Tuckey URL Rewrite with ADF Essentials?

Developed on ADF 11.1.2.4 (JSF2.0 -GF 3.1.2)
Expecting to implement urlrewrite for pretty urls.
Added into web.xml:
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>WARN</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
Created urlrewrite.xml such as:
<rule>
<from casesensitive="false">myTest</from>
<use-context>true</use-context>
<to>/faces/admin/admin.jspx</to>
</rule>
admin.jspx contains TF.
When I deploy the project and request hostname:9999/mytest, it redirects to the right page (hostname:9999/faces/admin/admin.jspx) and the page renders without problem. But my actual goal was to never show the real URL. Yet I can see the real URL in the browser, such as: (...jspx?_adf.ctrl-state=4avl71cil_1). So, what am I missing? By the way, when I type the masked URL, it redirects to my real page, so it works well. But the real URL appears in the browser address bar. If I only use HTML pages outside the 'faces' context, then urlrewrite works fully as expected.
Thx, brgds
As you have the Tuckey URL Rewriting filter, ADF comes with its JSF View Handler, and before ADF 12.1.x you won't be able to forward URLs unless you are using Apache Server Rewrites or Oracle HTTP Server, as the ADF internal filter will look for _adf.ctrl-state and if it's not found it'll append it to the URL, which will show the actual URL of the page.
You can try to hack those _adf.ctrl-state by extending ServletRequest and when asked about _adf.ctrl-state to provide the last value saved in session, but I assure you it'll be very harmful for the application.

storing strings in utf8 from microsoft word

I am working on a website that will allow businesses to store a description. The problem that I am currently running into is when text is copied and pasted from Microsoft word, and a few other places the strings are being returned, but not as the original characters. I do not have the best understanding of how utf8 works, but I thought that was supposed to handle this.
My question is this: am I incorrect in thinking that utf8 will handle characters from Word? If so, what is the proper way to accomplish this?
We have
<?xml version="1.0" encoding="UTF-8"?>
at the top of every page.
Java backend using spring as our framework
ibatis to handle sql injection
and mysql for the db
The characters are being changed over by the time they make it into the database and are being saved as the different character. I have done a decent amount of searching around and haven't come to a good conclusion why they are being changed. A few example characters being switched are:
From word
– changed to â
From a client's website
’ to ’
‘ to ‘
I would like to make it so that they will be able to copy from almost everywhere and it will format correctly. How would you recommend me doing that?
SOLVED!!
The problem ended up being an issue with my web.xml configuration. I was not forcing the web to use spring's utf8 configuration. The solution (if using spring) was as follows:
The problem ended up being a configuration problem with spring. Thank you for the help.
Spring configuration:
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This would happen if you take text that has been converted to bytes using UTF8, then read the bytes using a single-byte ASCII encoding.
You need to find out where in your code that happens, and fix it to read the bytes as UTF8.

JBoss 5.1 - how to send HTTP responses in UTF-8?

We're migrating from JBOSS 4.x to 5.1, and having problems with the character encodings.
Certain characters in the extended ASCII range were O.K. under the previous JBoss version, but with the new JBoss they cause problems (e.g., incomplete http responses).
The solution seems to be to use UTF-8, but the only way I've found to cause JBoss to send charset=UTF-8 in the Content-Type header is to specify this in the page directive of every JSP page. Otherwise the charset in the http response is specified as ISO-8859-1. I'd like to find a global solution to set the charset to UTF-8.
I've seen several other questions about character encoding with JBoss, but none seem to address the encoding of http responses.
I have tried without success:
in jboss/bin/run.bat, setting set "JAVA_OPTS=-Dfile.encoding=utf-8 %JAVA_OPTS%"
in jboss/server//deploy/jbossweb.sar/server.xml setting
I have used spring encoding filter to set the encoding:
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
If you don't use spring, you will need a servlet filter that sets the encoding.

Special Characters in Request Parameter

I am developing services in spring and the services were deployed in JBOSS 7.1.0.
Sample code for request mapping:
@RequestMapping(value="/state", method=RequestMethod.GET)
public ResponseEntity<ListStatesResponseVO> getListOfStates(@RequestParam(required=false) Long id,
@RequestParam(required=false) Long page,
@RequestParam(required=false) Long pagesize);
My problem is when I pass special characters in request parameter, it’s returning me a valid xml response, but as per my understanding it should return “400 BAD REQUEST”.
Sample URI:
http://localhost:8080/location-services/location/api/state?id=$%^$^$#$%^$%
I also added
<property name="org.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
<property name="org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>
Inside JBOSS’s standalone.xml.
And also
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<!-- set forceEncoding to true if you want to override encoding of servlet -->
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
Inside web.xml.
But these didn’t solve the problem.
Is there any solution available for this?
Thanks in advance.
You should not allow your users to enter the values in the query string themselves. It's a bad practice and is very risky for your web application security. To avoid such attacks and restrict your users from url tampering you should implement HDIV framework in your application.
Once you implement that no one can mess with your urls. And if someone tries to do so then "bad request" errors will be shown to them.
Hope this helps you. Cheers.
