Cakephp 2.2 and SWFUploader black-holed - security

I am having a typical file upload method (inside a plugin) in my app and I am using for this Uploadify that uses SFWUpload.
I used this for an application that is written in CakePHP 1.3 (and it worked OK). Now I am updating the app to CakePHP 2.2.2. The problem is that when I am trying to upload the file I am getting a Security black-holed error (400 error).
I have disabled the Security for the uploader action inside the beforeFilter() callback but no success.
if($this->request->action == 'add_profile_picture'){
$this->Security->enabled = false;
}
I have also disabled the Auth for that function so I don't have any problems on upload regarding the passing of Session and Flash...
...
$this->Auth->allow('add_profile_picture');
...
If anyone had similar problems and solve it please give me a hint or two.
Thanks

Is this flash uploader using hidden fields via post that are NOT generated by the CakePHP FormHelper? If yes you'll need to whitelist these fields in the security component to make them pass.

From what I can tell, 'enabled' isn't actually a property of the Security component. You can instead use the validatePost attribute to achieve the same.
public function beforeFilter() {
if($this->request->action == 'your_action_name'){
$this->Security->validatePost = false;
}
parent::beforeFilter();
}

Related

Rotativa gets 401.2 code status using windows authentication

I have an MVC 5 project which uses Windows authentication.
In order of adding pdf export support, I try to set up Rotativa lib.
The first try was Controller method
public ActionResult PrintViewToPdf()
{
return new ActionAsPdf("myAction");
}
which results as error 401.2 page in pdf file.
As i undestand (please let me know if there is another solution!!!), there is the only workaround:
public ActionResult PrintViewToPdf()
{
return new ViewAsPdf("myView");
}
In this case, I get a pdf file, but it contents a web page withount javascript scripts completed!
So, the question: is any another solution instead of replace ActionAsPdf to ViewAsPdf? If no, is it a solution to make ViewAsPdf include javascript execution results?

Equivalent Spring #Controller with #RequestMapping("/endpoint"), but using Java EE 8 only

So I'm working on implementing Oath2 authentication to allow my app to access Intuit Quickbooks company resources (items, customers, etc).
Intuit provides working examples using Spring, but I'm developing my app using JavaEE 8 with GlassFish5.
The Spring sample app callback contoller is structured as follows:
#Controller
public class CallbackController {
...
#RequestMapping("/oauth2redirect")
public String callBackFromOAuth(#RequestParam("code") String authCode, #RequestParam("state") String state, #RequestParam(value = "realmId", required = false) String realmId, HttpSession session) {
...
//after successful validation
return "connected";
This is the redirect handler controller; which address it's configured at the intuit portal (in this case, http://localhost:8080/oauth2redirect) that will be called after user approves the app and intuit will send back authorization code to this url.
So I'm a bit stuck finding what's the equivalent Spring callback redirect handler in JavaEE.
Is a #WebServlet or #WebService needed here? But then it wouldn't integrate nicely with JSF to just return the "connected" string so that it redirects to desired page (in this case connected.xhtml).
Not looking for workarounds, but the correct and standard way of implementing this on JavaEE. If you can point me to some sample apps out there or tutorials I would greatly appreciate it.
Thanks a lot in advance!
Here's full source code for callback handler controller and the full sample app.
There is at least not a really good alternative in JSF. Yes, you could 'abuse' JSF but there are other, better standards for this and this is (almost) what Spring also does. If you read the Spring Specs , you'll see the word 'Rest' being used a lot.
Well, there is a real java standard called 'Jax-RS' that is the standardized counterpart of what you do in spring.
This provides a decent analysis of the two So Jax-RS is the way to go.
But a #WebServlet or #WebService integrate perfectly with JSF. You can store any authentication information in the session and use that from JSF. No problem at all.

Web api routing only permits one controller

I created a new Web API project and created the following routing spec (actually I have simplified, looking for the bug):
// Web API configuration and services
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{action}/{id}"
);
When I make a call via ajax with the route:
/api/account/GetSUID/0
everything works fine. When I just use a different controller:
/api/tile/GetTileSet/0
it returns a status of 200 but instead of hitting my controller, it just returns the contents of the default page in jqXHR.responseText! It is as if it is just skipping any API routing like I am requesting the default site page.
I am baffled by this one as I have written literally hundreds of web API functions over the past few years in several other projects. I have never had any issue making calls to multiple controllers. I have looked high and low for what could be happening here and am hoping that someone here might have an idea.
Here is a sample method on the controller:
[HttpGet]
public HttpResponseMessage CheckRequestedID(int id, [FromUri]string Search)
{
if (!BSDIUtil.HasAllAcceptableCharacters(Search))
return Request.CreateResponse(HttpStatusCode.BadRequest);
if (FolderModel.IDAlreadyExists(DAL, Search)) // We can check this because this function is only called when staff members are creating accounts for other people (participants always use their email).
return Request.CreateResponse(HttpStatusCode.OK, false);
else
return Request.CreateResponse(HttpStatusCode.OK, true);
}
This will work if on the account controller but not on the tile controller.
One other thing, I am using the "Community" edition of Visual Studio and Windows 8.1
This is not a problem that is likely to occur often but I have solved it and figured I would post it here in case anyone else has the same issue.
I am using web api in the context of a standard web forms app (although I am only using webforms for my reporting pages). In the web.config for a web forms app, you can declare the paths that the user has access to before authenticating. I was only providing access to the account controller: all others were not permitted due to my authentication mechanism. Once I authenticate (e.g. the forms authentication call) or if I change the location path to include only "api", the problem goes away.
I was facing same problem but in different context. Had many controllers and respective routing templates. Only one controller was responding to requests.
Later i realized my other controller classes were not public!!

Using hooks to trigger a process

I am trying to work out how to use the Hooks and just can't seem to get the syntax correct.
I have built a site using PirahnaCMS that has a blog component and am extending it to call some social plugins and auto post to FB, Twitter etc.
I just can't seem to get the syntax correct though. My app is MVC and I have looked at this section
1.2 ASP.NET MVC
If you're using ASP.NET MVC hooks should be attached in you Global.asax.cs in the Application_Start method, or any other place where you keep you startup code. You attach you hooks with the followin syntax:
protected void Application_Start() {
Piranha.WebPages.Hooks.Menu.RenderItemLink = (ui, str, title, url) => {
str.Append(String.Format("<span>{1}</span>", url, title)) ;
} ;
}
The Hook I believe I want to use is Piranha.WebPages.Hooks.Manager.PostEditModelAfterSave but for the life of me I can't seem to work it out.
All of the hooks are just static delegates that you can attach methods to. In the above example an anonymous method has been assigned to the hook with the syntax:
delegate += (parameters) => { method body }
You could also assign a previously declared method.
delegate += MyMethod
Example skeletons for attaching hooks should be available in the Docs at the official site. If not you can find the hooks in the file:
~/WebPages/Hooks.cs
And all delegates in:
~/Delegates.cs
I hope these URL:s are correct as I'm typing from memory :)
Regards

Render mobile version of login in Secure class Play! Framework

Is it possible to somehow override the login method of the Secure.java class of the Secure-Module in Play! Framework, so that another version of the login form is displayed?
In my case, i want to display a mobile version of the login-form if a mobile browser is detected.
I know i should not change the Secure.java class itself, but i don't really see any other solution to this problem.
As discussed in other posts you have the request in your Play! controller. So in this request you could ask which agent is trying to view your website:
String agentInfo = request.headers.get("user-agent");
The you can determine which template will be rendered for this agent:
if (agentType.isWhatEverHeIs) {
renderTemplate("Application\mobileTemplateForBadPractise.html");
} else {
render();
}
But what I would encourage you to do is responsive webdevelopment. Create your templates as smart as possible, let the template and css and javascript do this and keep your business logic in your controller.
You could use the Twitter Bootstrap to achieve this, but there are many more! Like Skeleton.
You even got the request object inside your templates so that you can optionally render things in your template (or not) based on the agent.
Even simpler, simply create/override the secure/login.html template and use responsive design : media queries. No need to change the controller or check agent or whatever.

Resources