Spring Security - Weird errors - security

All,
I am trying to add Spring Security (3.0.7) to my web application (Spring 3.0.6, Tiles 2.2). The default <form-login/> works as expected, but I can't create a custom one that does. Some issues encountered:
1. Every time a user clicks on the login link, the login page gets called twice.
2. The UserDetailsService throws an Exception if the user doesn't exist, but the exception never gets picked up anywhere and used. This causes the <form-login/> to reroute to the login-page instead of the authentication-failure-url.
3. I never see error messages when logging in with a bad username (this may be due to the previous issue mentioned above).
4. After a successful login, sometimes it will open to the correct page, other times it will randomly open up a JavaScript file that was being referenced inside the page.
I've followed all the tutorials out there and cannot come up with anything working. Does anyone happen to know the class responsible for creating the default login? Perhaps I can look at the source code and mimic what they have.
Has anyone experienced weird behavior like this?

I figured out 2 of my issues. I'm posting them in case anyone else has the same thing happen.
For #1/#4: The site was using Tiles, and a default HTML header block was used throughout the site.
<html>
<head>
<script src="foo.js" type="text/javascript"></script>
</head>
The configuration explicitly blocked this JavaScript file for users who were not logged in.
<intercept-url pattern="foo.js" access="isAuthenticated()"/>
So when a user came to the home page, the site would load except for foo.js. Since the methods in foo.js never get called before logging in, everything seemed to work fine.
However, when someone tried to log in, Spring Security saw foo.js as the first protected page to show, and automatically opened it up.
This also caused the login page to be called twice: once for the actual login link, and once for the foo.js file.
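The mechanism behind #1/#4 is Spring Security's saved-request handling: the first protected URL an anonymous browser asks for is cached in the session and replayed after login. The following is an added example (not the poster's configuration; the /resources/ path, /login.jsp and /home are assumed) showing the configuration shape that produces the symptom beside the corrected one:

```xml
<!-- Added example, not the original poster's configuration. Paths are assumed. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- BEFORE: the script referenced from the shared Tiles header is itself
         protected. An anonymous visitor's browser requests /resources/foo.js;
         ExceptionTranslationFilter stores that request in the session
         (HttpSessionRequestCache) and redirects to the login page, so the
         login page is hit once for the link and once for the script.
         After login, SavedRequestAwareAuthenticationSuccessHandler replays
         the saved request and the user lands on the raw .js file. -->
    <!--
    <http use-expressions="true">
        <intercept-url pattern="/login.jsp" access="permitAll"/>
        <intercept-url pattern="/resources/foo.js" access="isAuthenticated()"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?error=true"/>
    </http>
    -->

    <!-- AFTER: static assets and the login page are permitAll and are listed
         first, because intercept-url rules are matched top to bottom. Only
         real application pages are protected, so the only request that can be
         saved before login is a page request. default-target-url gives the
         user somewhere sensible to land when no request was saved. -->
    <http use-expressions="true">
        <intercept-url pattern="/resources/**" access="permitAll"/>
        <intercept-url pattern="/login.jsp" access="permitAll"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?error=true"
                    default-target-url="/home"/>
        <logout logout-success-url="/login.jsp"/>
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService"/>
    </authentication-manager>
</beans:beans>
```

Keeping scripts and stylesheets anonymous does not weaken the protection of the pages that reference them, since the intercept-url on /** still requires authentication for every page.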

Related

Refreshing Angular app breaks one component, but only on version hosted on Heroku

I am working on a personal project for my portfolio and I'm completely stuck.
I have an Angular 14 app I've been working on. The stack is PEAN. I currently have a live version of it hosted on Heroku. The issue I'm running into is that in my local development version of the app, everything works as intended; however, on the live version on Heroku, if I refresh the page using F5 while on the main backlog page, it does not refresh, and instead shows a blank page with "[ ]" at the top of the page. Every other part of the app functions fine, and it does not fully crash when I run into this issue. If I type a different URL in and go to that page, it works again. If after doing so I click a link that loads the crashed component, it will reload just fine. It appears that the component only breaks if I refresh the component with F5 (or by clicking the refresh button in Chrome).
I've been working on this for a long time and I think I've narrowed it down a bit. So far I've:
confirmed that my express server is serving my static HTML files from their folder correctly
added a catch all code block at the bottom of my express file to redirect to index.html
made sure that Heroku was actually executing my server.js file
removed potential offending portions of code, like auth/error interceptors and newly added Google Sign-in
I've also:
checked with various browsers/mobile browsers
checked for console errors (there are none)
checked network tab on refresh. (just shows a 304-OK response)
checked Heroku logs. No errors there either.
The issue cannot be recreated locally, and it only happens on refresh of one component, the Backlog component.
If there is any more info I can add, please let me know. I'm hoping this is a regularly encountered issue. I can't seem to find anything that specifically deals with my exact issue by searching. Any help is greatly appreciated.
Update
The blank page with "[ ]" appears to be my database's response when hit without a user ID to check against and return data for. I've narrowed this down to an HTTP-INTERCEPTOR that injects the user ID into the headers, which the route that would use that info for the DB wouldn't have. This makes my DB return "[]".
The only thing I don't understand is that this happens only when hosted on Heroku, and not locally.

Website comes up as soon as I start typing

I have an application in Node/Express that is exhibiting some strange (to me, at least) behavior. I am not sure why this happens, but as soon as I begin typing in the URL, the web page instantly comes up. All the logs start populating data and I have my home screen. This is on a local instance for now as I'm still trying to work out bugs related here. I believe these two may be inter-related, but I can't find any data online; perhaps I'm using the wrong search terms, but the long and the short of it is this:
I'm connected to a VM (CentOS 7) and everything is run through AWS. I type in my IP:PORT (e.g. 12.34.56.78:9999). As SOON as I type the '1' in the URL, all the logs fire, running through all the scripts. Since I'm at my home page, I hit 'Enter' and it is SUPPOSED to go through a redirect to an authorization page (e.g. 12.34.56.78:9999/auth). At that point we're running into my original post, identified above, but this question is simply an attempt to understand why my web page is being shown before I ever 'finish' the call by hitting the 'Enter' key. Is this normal behavior when an application is being accessed locally?
Because your browser is "smart" and guesses that you want to open that website, and will therefore load it before you complete the URL. That of course only happens if you have previously visited that site; otherwise the browser does not know the URL yet. What logic the browser internally uses for this decision depends mostly on the browser and its settings, whether it factors in how recently you visited it or how often, or ...
If you actually want to browse that website when you finish typing, the browser has already loaded the page and can instantly display it instead of loading it now and letting you wait a couple of seconds. If you decide you want to go to 123.com instead, the browser simply discards the preloaded page and continues as normal.

URL loaded between every resource. JSF, Oracle WebLogic Server

At random (1 out of 100 maybe) the login page to a web application seems to not load any resources, including the CSS. When I was finally able to recreate this issue with network traffic monitored, I found some very strange behavior. First, the HTML page contents get loaded after each resource fetch (see pic 1). Second, all the resource fetches have completely empty response bodies (not shown). Third, when I click submit, the normal POST action by j_security_check gets run, but it doesn't seem to do anything, and one of the JavaScript files that is supposed to be fetched and run at the beginning of the page load attempts to be saved to the computer instead. The JavaScript file is fetched near the bottom, called autocomplete.js.jsf. The contents of autocomplete.js.jsf is a simple framebuster security check:
/**
* Prevent FrameBuster attack
*/
if (window.top.location !== window.location) {
window.top.location.href = document.location.href;
}
Below is an attached picture of the login page and the network traffic. Sorry for all the black, but I am basically a contractor and want to avoid giving any clues about the client if I can.
Below is what the login page is supposed to look like, with normal web traffic.
Project Info:
I am working on ICEfaces v3.3 running on a WebLogic v12 server.
I have no idea why this is happening. If anybody could shed some light on why the network traffic looks the way it does, and why it affects the page the way it does, I would be very grateful.

Script file not being loaded through ScriptLink custom action

I am having trouble with ScriptLink custom actions. I am building a SharePoint app, and I successfully added a site-scope custom action pointing to a script file in the Style Library, as I want this particular script to be injected into all the pages of my SharePoint site.
While it works in certain situations, the script link injection breaks without apparent reason under certain conditions. For example, when I arrive on my root web, the script will be injected. But if I go to a certain link within this web (for example Home or Site Contents), the file that is supposed to be injected will simply not be fetched from the Style Library and therefore never be injected, resulting in an uncaught ReferenceError when I try to call one of the script's functions. The weirdest part is that a page refresh through Ctrl+F5 will fetch the script file without any problem, regardless of the page's ability to originally fetch the script file when first accessed. It will keep the script until it is accessed through a link again.
I've read up on SharePoint caching, thinking it may be the cause of my problem, but the trouble is that these articles mostly talk about cache-induced errors when updating a file, while I am only trying to access it.
One thing to note is that, due to limitations, I am adding the ScriptLink custom action through code. Here's an example of what this kind of call currently looks like in my app:
// Load the site-collection-scoped custom actions (CSOM)
context.Load(context.Site.UserCustomActions);
context.ExecuteQuery();
// Create the new custom action in the site collection's collection
UserCustomAction customAction = context.Site.UserCustomActions.Add();
customAction.Name = "MyScriptLink";
customAction.Location = "ScriptLink";
customAction.Sequence = 100;
// ~SiteCollection is resolved by SharePoint to the site collection URL
customAction.ScriptSrc = "~SiteCollection/Style Library/MySite/MyScript.js";
customAction.Update();
context.ExecuteQuery();
So, what's going on here? Why is my script not injected on certain pages? Why does a refresh on these exact same pages manage to fetch the file without any problem?
Found it! Three words: Minimum Download Strategy. Disable it; it messes with your page redirect behavior within a SharePoint site (either through code or through site settings).
Edit: If you still want MDS enabled on your site, there is a solution

How to avoid users getting 500 errors when the server throws an exception

I get the following errors in my server log.
2012-03-06 09:20:43 HTTP JVM: CLFAD0211E: Exception thrown. For more detailed information, please consult error-log-0.xml located in D:/Lotus/Domino/data/domino/workspace/logs
2012-03-06 09:20:43 HTTP JVM: CLFAD0229E: Security exception occurred servicing request for: /demo.nsf/home.xsp - HTTP Code: 500. For more detailed information, please consult error-log-0.xml located in D:/Lotus/Domino/data/domino/workspace/logs
The user only sees this in the web browser (source):
<html>
<head>
<title>Error</title></head>
<body text="#000000">
<h1>Error 500</h1>HTTP Web Server: Command Not Handled Exception</body>
</html>
So I can tell by the server log that there is a security exception thrown at the server, probably because I have wrong settings in my java.policy file. But my issue is not what is causing the error, but rather how I can avoid users getting these ugly 500 errors.
I would like the error page I have set in the application to be presented to the user, just like for any other exception.
Is this possible?
The more try/catch blocks you have in your code, the better (within reason, of course):
try {
// code that might throw an error
} catch (e) {
// examine the error to see if there's a workaround
// if not, log it and inform the user
} finally {
// any code that needs to run whether or not there was an error
}
This way, if something fails, it fails gracefully. Just be sure to make it obvious to the user that something went wrong (and, preferably, provide them instructions they can actually follow up on)... failing silently is even worse than an ugly error page if something went wrong and the user thinks everything was fine.
P.S. As Stephan indicates, there are some errors that simply can't be caught. If the XPage wasn't signed by someone with access to run XPages, for instance, it never even gets to the point of trying to run your code... the page itself is invalid, so there's nothing you can do at runtime. Always make sure that your XPages are signed during deployment.
There are a number of errors that "break through" even if you have an error page defined. E.g. when you drag a control onto itself. Security seems another area. All of them are stuff you should handle in development. I haven't seen errors that "typically" happen (true runtime after development completed and tested type of errors) escaping a custom error page. Other than that follow Declan's advice.
I had an issue like this also where my error page was not being displayed and the error 500 page would display instead.
What I discovered is that there was a problem in my error page also and the renderer therefore can't display the error for the original page and you get the server default error page instead.
The best way to check if this is the cause of your particular issue is to start with a simple error page, no theme, no ssjs libraries, no ssjs code on the page etc, just a blank xpage with some static text to indicate that it is the error page.
Once you can confirm that this is the possible cause of the error 500 then you can start building up that error page and add in the dynamic stuff bit by bit till it is the way you need it.
Dmytro Pastovenskyi has a good article http://dpastov.blogspot.com/2012/01/error-pages-in-domino.html about error pages in Domino.
To be on the safe side I have a static HTML page saying "An error occurred". This page is referenced by the HTTPMultiErrorPage setting in the notes.ini on your server.
Then there is an "HTTP response headers" rule addressing special error codes.
The main problem still is that these are global settings. So there is no easy way to catch all errors specifically for your application. But at least the user doesn't get this annoying white error page.
I have had similar issues with this: error messages bubbling up from some underlying fault that overrides the defined error page for the application. This is not a nice behavior (from a user perspective) and makes you feel a bit naked. I do understand that it's hard for the application to trap those, but there should at least be a way to customize that message. The default error 500 page is not very useful for a normal user anyway...
The only(?) way to try to avoid your code (SSJS/Java) throwing such an error is to (as Tim Tripcony already mentioned) always use try/catch statements around the code (as you already know :))
getDocumentByUNID() is a "good" example of a method that will cause the ugly (but standard) error 500 page to be displayed instead of the one defined in the app.
As for any other error types (system/security and such), I don't think it's possible to redirect those to the error page of the application the user invoked, because they are not invoked from the application but rather before the application is invoked (I hope I'm wrong).
Make a new XPage called error.xsp (for example). Put there some basic info that something went wrong, apologize for that fact and provide a few links on how to continue with the work (even though his/her data may be lost forever; history.go(-1) usually does not resolve the problem). In the background you can log the error (usage of OpenLog recommended).
Open Application Properties, XPages tab. Uncheck "Display XPages runtime error page". In the "Error page" combo, select your page (error).