Url loaded between every resource. JSF, OracleWebServer - jsf

At random (1 out of 100 maybe) the login page to a web application seems to not load any resources, including the CSS. When I was finally able to recreate this issue with network traffic monitored I found some very strange behavior. First, the html page contents get loaded after each resource fetch (see pic 1). Second, all the resource fetches have completely empty response bodies (not shown). Third, when I click submit, the normal POST action by j_security_check gets run, but it doesn't seem to do anything and one of the javascript files that is supposed to be fetched and run at the beginning of the page load attempts to be saved to the computer instead. The javascript file is fetched near the bottom, called autocomplete.js.jsf. The contents of autocomplete.js.jsf are a simple framebuster security check:
/**
 * Prevent FrameBuster attack
 */
if (window.top.location !== window.location) {
    window.top.location.href = document.location.href;
}
Below is an attached picture of the login page and the network traffic. Sorry for all the black, but I am basically a contractor and want to avoid any clues of the client if I can.
Below is what the login page is supposed to look like, with normal web traffic.
Project Info:
I am working on Icefaces v3.3 running on a weblogic v12 server.
I have no idea why this is happening. If anybody could shed some light on why the network traffic looks the way it does, and why it affects the page the way it does I would be very grateful.

Related

Website comes up as soon as I start typing

I have an application in Node/Express that is exhibiting some strange (to me, at least) behavior. I am not sure why this happens, but as soon as I begin typing in the URL, the web page instantly comes up. All the logs start populating data and I have my home screen. This is on a local instance for now as I'm still trying to work out bugs related here. I believe these two may be inter-related, but I can't find any data online; perhaps I'm using the wrong search terms, but the long and the short of it is this:
I'm connected to a VM (CentOS7) and everything is run through AWS. I type in my IP:PORT (e.g. 12.34.56.78:9999). As SOON as I type the '1' in the URL, all the logs fire, running through all the scripts. Since I'm at my home page, I hit 'Enter' and is SUPPOSED to go through a redirect to an authorization page (e.g. 12.34.56.78:9999/auth). At that point we're running into my original post, identified above, but this question is simply an attempt to understand why my web page is being shown before I ever 'finish' the call by hitting the 'Enter' key. Is this normal behavior when an application is being accessed locally?
Because your browser is "smart" and guesses that you want to open that website and will therefore load it before you complete the url. That of course only happens if you have previously visited that site, otherwise the browser does not know the url yet. What logic the browser internally uses for this decision depends mostly on the browser and its settings, whether it factors in how recently you visited it or how often, or ...
If you actually want to browse that website when you finish typing the browser has already loaded the page and can instantly display it instead of now loading it and letting you wait a couple of seconds. If you decide you want to go to 123.com instead the browser simply discards the preloaded page and continues as normal.

Scraping adf faces oracle rich client

I am trying to scrape an Oracle ADF Faces rich client webpage but I am not having the best of luck. I log in automatically using the node.js request module, but after that I can't get to any other page with request. I get stuck on redirects, the loop script or simply don't get the information I expect to.
I am using Wireshark to view every page and the way it is handled. I recreate the page to match headers and even size, but every time the framework denies me access.
Before you ask, it's legal and I am not breaking any terms of service. Just trying to make a web api to speed up a process. I have used phantomjs with casperjs but get stuck on ajax calls that don't show on page and php curl but it's much easier with java.
Any suggestions are really really appreciated.
My bad on this one: Wireshark was displaying fields as truncated. If you want to see the full field you need to right-click the packet and click Follow TCP Stream. Rich clients have very long posts generated by the framework behind the rich client, and it appears I was missing about half of them when I did the calls.

Spring Security - Weird errors

All,
I am trying to add Spring Security (3.0.7) to my web application (Spring 3.0.6, Tiles 2.2). The default <form-login/> works as expected, but I can't create a custom one that does. Some issues encountered:
1. Every time a user clicks on the login link, the login page gets called twice
2. The UserDetailsService throws an Exception if the user doesn't exist, but the exception never gets picked up anywhere and used. This causes the <form-login/> to reroute to the login-page instead of the authentication-failure-url
3. I never see error messages when logging in with a bad username (This may be due to the previous issue mentioned above)
4. After a successful login, sometimes it will open to the correct page, other times it will randomly open up a javascript file that was being referenced inside the page.
I've followed all the tutorials out there and cannot come up with anything working. Does anyone happen to know the class responsible for creating the default login? Perhaps I can look at the source code and mimic what they have.
Has anyone experienced weird behavior like this?
I figured out 2 of my issues. I'm posting them in case anyone else has the same thing happen.
For #1/#4: The site was using tiles, and a default html header block was used throughout the site.
<html>
<head>
<script src="foo.js" type="text/javascript"></script>
</head>
The configuration explicitly blocked this javascript file for users who were not logged in.
<intercept-url pattern="foo.js" access="isAuthenticated()"/>
So when a user came to the home page, the site would load except for foo.js. Since the methods in foo.js never get called before logging in, everything seemed to work fine.
However when someone tried to log in, Spring Security saw foo.js as the first protected page to show, and automatically opened it up.
This also caused the login page to be called twice. Once for the actual login link, and once for the foo.js file.

Can I capture JSON data already being sent with a userscript/Chrome extension?

I'm trying to write a userscript/Chrome extension to capture JSON data being sent while using a web service so that I can reformat it and display selected portion on page. Currently the JSON is sent as the application loads (as I've observed from watching traffic with Fiddler 2). Is my only option to request the JSON again or is capture possible? As I'm not providing a code example, a requested answer is even some guidance on what method / topic to research or if I'm barking up the wrong tree.
No easy way.
If it is for a specific site you might look into intercepting and overwriting part of a code which sends a request. For example if it is sent on a button click you can replace existing click handler with your own implementation.
You can also try to make a proxy for XMLHttpRequest. Not sure if this is even possible, never seen a working example. You can look at some attempts here.
For all these tasks you probably would need to run your javascript code out of sandboxed content script to be able to access parent page variables, so you would need to inject <script> tag with your code right into the page from a content script:
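An added example, not part of the answer above: one way to wrap XMLHttpRequest from page-context code so that JSON responses the application already receives are handed to a callback. `installJsonTap`, `FakeXHR` and the sample replies are names and data made up for this illustration; in a browser you would pass `window` as the first argument.

```javascript
// Added example. Runs in the page's own context; observes responses only.
function installJsonTap(win, onJson) {
  const proto = win.XMLHttpRequest.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;
  proto.open = function (method, url, ...rest) {
    this._tapUrl = String(url); // remembered for the load handler
    return origOpen.call(this, method, url, ...rest);
  };
  proto.send = function (...args) {
    this.addEventListener('load', () => {
      const type = this.getResponseHeader('Content-Type') || '';
      if (!/json/i.test(type)) return; // skip HTML, scripts, images
      try {
        const body = this.responseType === 'json' ? this.response : JSON.parse(this.responseText);
        onJson(this._tapUrl, body);
      } catch (e) { /* unreadable or malformed body: ignore */ }
    });
    return origSend.apply(this, args);
  };

  // Restore the originals so the hook can be removed cleanly.
  return () => { proto.open = origOpen; proto.send = origSend; };
}

// Constructed stand-in for XMLHttpRequest so the example runs outside a browser.
class FakeXHR {
  constructor() { this.listeners = []; this.responseType = ''; }
  open(method, url) { this.url = url; }
  addEventListener(name, fn) { if (name === 'load') this.listeners.push(fn); }
  getResponseHeader() { return FakeXHR.replies[this.url].type; }
  send() {
    this.responseText = FakeXHR.replies[this.url].body;
    this.listeners.forEach((fn) => fn());
  }
}
FakeXHR.replies = { // constructed sample responses
  '/api/items': { type: 'application/json; charset=utf-8', body: '{"items":[1,2]}' },
  '/page.html': { type: 'text/html', body: '<p>hi</p>' },
};

function demoTap() {
  const seen = [];
  const uninstall = installJsonTap({ XMLHttpRequest: FakeXHR }, (url, data) => seen.push({ url, data }));
  for (const url of Object.keys(FakeXHR.replies)) { const x = new FakeXHR(); x.open('GET', url); x.send(); }
  uninstall();
  return seen;
}
```

The wrapper has to be installed before the application sends its request, and it does not see traffic sent with `fetch()`.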

Cross domain DOM/JS pain

I have what I thought was a simple(ish) problem. I'm writing a SCORM package for an external learning resource. It's basically an iframe in a HTML page that the clients install in their LMS (Learning Management System).
The external resource needs to be able to tell the LMS that the user has completed the content. Because the LMS and resource are on different domains, there's obviously a JS security wall stopping me communicating directly. So when the user reaches the end of the content, the external resource sets its URL to have an anchor so the url goes from http://url to http://url#complete
Now I'm trying to get the location from the iframe and I'm failing miserably. I've tried iframe.location and iframe.window.location (.window is nothing too). I can't seem to get a handle on the right thing.
iframe.src shows me the original source URL, but it doesn't change when the iframe updates to the #complete version.
Any tips? Any alternatives? Although I control both pages, unless there's a javascript method to set cross-domain communication, I can't set the http header to allow it because I don't control the LMS server - it just pushes out my static page.
Edit: As an alternative, I'm considering storing the completed event in the session (a cookie would work too, I guess) at the resource end and then making another page that outputs that as a JSONP statement. I think it would be quite easy to do but it's a lot more fuss for something that should be simple. I literally need to flip one switch on the LMS code from the external site.
Use easyXDM, it should make this fairly easy.
Using it you can do cross-domain RPC with no server-side interaction. The readme at github is pretty good.
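An added example, not from the answer and not easyXDM's API: the same completion signal sent with the browser's native `window.postMessage`, showing the checks the receiving LMS page should make before trusting a message. `RESOURCE_ORIGIN`, the `resource-frame` element id and the `{type: "complete"}` message shape are assumptions made for the illustration.

```javascript
// Added example (browser postMessage, not easyXDM's API). Assumed names:
// RESOURCE_ORIGIN, the "resource-frame" element id, the {type:"complete"} shape.
const RESOURCE_ORIGIN = 'https://resource.example';

function makeCompletionReceiver(frameWindow, allowedOrigin, onComplete) {
  let done = false;
  return function onMessage(event) {
    // Exact string match on the origin; prefix or substring checks are bypassable.
    if (event.origin !== allowedOrigin) return 'rejected:origin';
    // Only the embedded frame may report, not another window from that origin.
    if (event.source !== frameWindow) return 'rejected:source';
    // The payload is untrusted input: accept one fixed shape and nothing else.
    const d = event.data;
    if (d === null || typeof d !== 'object' || d.type !== 'complete') {
      return 'rejected:payload';
    }
    if (done) return 'ignored:duplicate';
    done = true;
    onComplete();
    return 'accepted';
  };
}

// Constructed events standing in for what the browser would deliver.
function demoReceiver() {
  const frame = { name: 'resource iframe' }; // stands in for iframe.contentWindow
  let completions = 0;
  const recv = makeCompletionReceiver(frame, RESOURCE_ORIGIN, () => { completions += 1; });
  const results = [
    recv({ origin: 'https://resource.example.evil.test', source: frame, data: { type: 'complete' } }),
    recv({ origin: RESOURCE_ORIGIN, source: {}, data: { type: 'complete' } }),
    recv({ origin: RESOURCE_ORIGIN, source: frame, data: 'complete' }),
    recv({ origin: RESOURCE_ORIGIN, source: frame, data: { type: 'complete' } }),
    recv({ origin: RESOURCE_ORIGIN, source: frame, data: { type: 'complete' } }),
  ];
  return { results, completions };
}

// Browser wiring; skipped when no DOM is present.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('resource-frame');
  window.addEventListener('message',
    makeCompletionReceiver(frame.contentWindow, RESOURCE_ORIGIN, () => {
      /* call the LMS's SCORM completion API here */
    }));
}
// Sender, inside the framed resource (lmsOrigin is the LMS page's origin):
//   window.parent.postMessage({ type: 'complete' }, lmsOrigin);
```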
