I am developing services in spring and the services were deployed in JBOSS 7.1.0.
Sample code for request mapping:
#RequestMapping(value=/state, method=RequestMethod.GET)
public ResponseEntity<ListStatesResponseVO> getListOfStates(#RequestParam(required=false) Long id,
#RequestParam(required=false) Long page,
#RequestParam(required=false) Long pagesize);
My problem is when I pass special characters in request parameter, it’s returning me a valid xml response, but as per my understanding it should return “400 BAD REQUEST”.
Sample URI:
http://localhost:8080/location-services/location/api/state?id=$%^$^$#$%^$%
I also added
<property name="org.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
<property name="org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>
Inside JBOSS’s standalone.xml.
And also
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<!-- set forceEncoding to true if you want to override encoding of servlet -->
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
Inside web.xml.
But these doesn’t solved the problem.
Is there any solution available for this.
Thanks in advance.
You should not allow your users to enter the values in the query string themselves. It's a bad practice and is very risky for your web application security. To avoid such attacks and restrict your users from url tampering you should implement HDIV framework in your application.
Once you implement that no one can mess with your urls. And if someone tries to do so then "bad request" errors will be shown to them.
Hope this helps you. Cheers.
Related
I want to connect servlet using urlconnection in wicket-spring integration, but when i try to hit the url its redirecting to webapplication page, So can anyone tell me how to connect servlet methods by using filters or any other way, so that i can directly hit dopost or doget methods.
The question is not very clear, so I'll try to guess. I suppose that you have a Wicket filter that intercepts and handles all the requests. Also you have some servlet, and you want requests to that servlet to not be intercepted by Wicket filter.
If this is what you want, here is what you can do to achieve this.
Let's say you have Wicket filter mapped to / and the servlet mapped to /my-service. Then you could tell Wicket filter to ignore requests to /my-service url:
<filter>
<filter-name>wicket.filter</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
<init-param>
<param-name>applicationClassName</param-name>
<param-value>... some application class name ...</param-value>
</init-param>
<init-param>
<param-name>ignorePaths</param-name>
<param-value>/my-service</param-value>
</init-param>
</filter>
If you want several paths to be ignored, you can separate them with commas like this:
<init-param>
<param-name>ignorePaths</param-name>
<param-value>/my-service,/my-other-service</param-value>
</init-param>
With this configuration, Wicket will ignore any requests under /my-service (that is, /my-service, /my-service/blabla and so on) and any request under /my-other-service.
Can anyone explain any techniques to log HttpRequest and HttpResponse in a file.
We are using Spring MVC/Spring Rest.
What we want is to intercept the request before it is processed and log it.
Same way intercept the response before it is sent and log it.
Thanks a lot in advance.
For logging the request Spring has the AbstractRequestLoggingFilter class (well actually one of the subclasses). This can be used to log the incoming request (before and after processing).
Depending on the configuration this can include the payload, client information and full URL (including erquest parameters). All these three are disabled by default but can be enabled through configuration (see the javadoc for more information).
<filter>
<filter-name>requestLoggingFilter</filter-name>
<filter-class>org.springframework.web.filter.CommonsRequestLoggingFilter</filter-class>
<init-param>
<param-name>includeClientInfo</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>includePayload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>includeQueryString</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>requestLoggingFilter</filter-name>
<servlet-name>dispatcherServlet</servlet-name>
</filter-mapping>
The filter will now log everything using a Commons Logging logger to a logfile.
Accepted answer is already correct, adding annotation based configuration. Add following bean to your config.
#Bean
public CommonsRequestLoggingFilter requestLoggingFilter() {
CommonsRequestLoggingFilter loggingFilter = new CommonsRequestLoggingFilter();
loggingFilter.setIncludeClientInfo(true);
loggingFilter.setIncludeQueryString(true);
loggingFilter.setIncludePayload(true);
return loggingFilter;
}
Developed on ADF 11.1.2.4 (JSF2.0 -GF 3.1.2)
Expecting to implement urlrewrite for pretty urls.
Added into web.xml:
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>WARN</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
created urlrewrite.xml such as
<rule>
<from casesensitive="false">myTest</from>
<use-context>true</use-context>
<to>/faces/admin/admin.jspx</to>
</rule>
admin.jspx contains TF.
When i deploy project and request hostname:9999/mytest redirects right page(hostname:9999/faces/admin/admin.jspx) and page renders without problem. But my actual goal was that making supply to see never real url. But i can see the real url on browser such as:(...jspx?_adf.ctrl-state=4avl71cil_1) So, what am i missing? By the way; When i type the masked url, it redirects my real page, so it works good. But seems to be the real url on browser address bar. If i only use html pages out of 'faces' context, then urlrewrite works as fully expected.
Thx, brgds
As you have Tucky URL Rewriting filter, ADF comes with its JSF View Handler, and before ADF 12.1.x you won't be able to forward URLs unless you are using Apache Server Rewrites or Oracle HTTP Server, as the ADF internal filter will look for _adf.ctrl-state and if it's not found it'll append it to the URL which will show the actual URL of the page.
You can try to hack those _adf.ctrl-state by extending ServletRequest and when asked about _adf.ctrl-state to provide the last value saved in session, but I assure you it'll be very harmful for the application.
I need to send some request parameters from browser to Spring MVC controller and process them later like method parameters. The problem is that tomcat I guess didn't put right encoding for URI data which passing through. Instead of 'Имя' I'm having: %D0%9C%D0%91%D0%94%D0%9E%D0%A3+%D0%B4%2F%D1%81%E2%84%969%D1%81.+%D0%95%D0%BB%D0%B8%D0%BE%D0%BD%D0%BA%D0%B0
I use to read about this type of problem which occurs because of tomcat does not have URI encoding preinstalled.
If you mind do I have body encoding in tomcat config web.xml, so Yes I have:
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>tru?</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
So I'm curious do I have to set up anything else to container config.? Thank you
You have to set the URIEncoding attribute for the HTTP connector in server.xml file inside your tomcat config dir:
<Connector port="8080" URIEncoding="UTF-8" ... />
Only certain way I found to do this without changing Tomcat configuration is:
put parameter in form
<form onsubmit="encodeParameter(this.param)">
<input type="text" name="param" />
<input type="submit" />
</form>
and then encode it before submitting to server
function encodeParameter(param){
param.value =encodeURIComponent(param.value);
}
now on server you will get correct string.
I need to log in with j_spring_security_check using special characters in the username and/or in the password via url
http://localhost:8080/appname/j_spring_security_check?j_username=username&j_password=üüü
isn't working and
http://localhost:8080/appname/j_spring_security_check?j_username=username&j_password=%c3%bc%c3%bc%c3%bc
(with "üüü" urlencoded)
isn't working either
Any suggestion? Let me know if you need to see any other configuration.
Thanks
The Java Servlet standard is lamentably poor at supporting Unicode. The default of ISO-8859-1 is useless and there is still no cross-container-compatible means of configuring it to something else.
The filter method in matteosilv's answer works for request bodies. For parameters in the URL, you have to use container-specific options. For example in Tomcat, set URIEncoding on the <Connector> in server.xml; in Glassfish it's <parameter-encoding> in glassfish-web.xml.
(If you have to work in a fully cross-container-compatible manner you end up having to write your own implementation of getParameter(), which is sad indeed. Bad Servlet.)
However in any case it is a bad idea to pass login form fields in GET URL parameters.
This is firstly because a login causes a state-change to occur, so it is not "idempotent". This makes GET an unsuitable method and causes a load of practical problems like potentially logging you in when you navigate a page, or failing to log you in due to caching, and so on.
Secondly there are a range of ways URLs can 'leak', including referrer tracking, logging, proxies and browser history retention. Consequently you should never put any sensitive data such as a password in a URL, including in GET form submissions.
I'd suggest using a POST form submission instead, together with the CharacterEncodingFilter.
Maybe an encodingFilter in the web.xml file could be helpful:
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>
org.springframework.web.filter.CharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
source: Spring security: Form login special characters
The issue was actually solved for me by moving the CharacterEncodingFilter ABOVE the SpringSecurityFilterChain in web.xml.