Consider the following test view using Seam's Excel library:
<e:workbook type="csv">
<e:worksheet name="Export" >
<e:cell value="1" row="0" column="0"/>
<e:cell value="2" row="1" column="1"/>
</e:worksheet>
</e:workbook>
I'd like to secure parameters to a more complicated version via HTTPS. The unsecure view generates the file fine. When I change the scheme to "https" in view.page.xml, instead of my csv file, the browser is redirected to http://localhost/seam/docstore/document.seam with the conversation id in the query string. Other pages secured using https (e.g. login) are working fine.
Any suggestions on resolving or better diagnosing the problem?
Thanks!
It could be related to your security constraints settings in web.xml. Take a look here.
If excel is trying to access resources outside of the restricted area you won't be able to generate the file.
Related
I have this hidden form field which rendered from nodejs:
<input type="hidden" name="currentUrl" value={currentUrl} />
This field is for when javascript is disabled and I need to know which page to return to after a form has been posted.
I am using csruf to try and mitigate any problems.
How can I guard against hackers abusing the url?
You should be concerned about open redirection in this case, and that's not a client-side problem. When you send this form to your server, it will redirect to the url provided if I understand correctly. You need to make sure (on the server) that the url points to your application (or an allowed other domain), before redirecting to it. It is a vulnerability if a user can send an arbitrary url where he then gets redirected. One way to validate the url would be to process it with URL and check the host.
Also XSS might be an issue, but I think that should already be mitigated by the template engine that writes {currentUrl}.
I am really new to hybris so I just installed the accelebrates followed the wiki page. But when I access the site using the http link
http://electronics.local:9001/yacceleratorstorefront/
it always redirect to
https://electronics.local:9002/yacceleratorstorefront/electronics/en/
I have suspect the get and the server have return 302 Found with the new redirect URL.
Can anyone help to explain what is the settings and why hybris redirect me to https link like this.
It's the accelerator's default behavior to change it, update the file spring-security-config.xml under your store front extension :
<security:intercept-url pattern="/**" requires-channel="https" />
I was able to accomplish this by deleting every instance of
<security:intercept-url pattern="/**" requires-channel="https" />
or simply the
requires-channel="https"
in the places where interceptor was a bit more complex in the same file spring-security-config.xml mentioned by Benoit.
Then, just restarted the platform(no compilation required).
This works but obviously at the cost of removing all https requirements so this should only be used for demonstration purposes.
This seems possible, but I'm missing something. I'm using plone.app.theming (diazo). I'm trying to pull in pages from a cold fusion site. I can get the first page to load using but the page then has urls that refer to more data pages. The urls are formatted like this "./undergraduates_classes_info.cfm?crse=001A§num=A" (which Plone is more than happy to parse) I've tried a variety of permutations to this and I can't seem to get it to work.
<xsl:param name="ExtUrl" select="'http://exeternalsite'" />
<xsl:template match="a/#href[contains(.,'/undergraduates')]">
<xsl:attribute name="href">
<xsl:value-of select="concat($ExtUrl, .)" />
</xsl:attribute>
</xsl:template>
I also need to pass the url to the command so that i can get the actual data back.
Any help is appreciate -- and maybe I'm approaching this incorrectly?
It's a very bad idea to depend on a remote service before you can finish processing the request. Imagine that site goes down or is slow? Now you're waiting on it to finish or timeout before you serve your page.
A better solution is to use javascript to pull in the contents of the page.
It could look something like this:
$(document).ready(function(){
$('#containerofcontent').load('http://remoteurl #contentselector');
});
Assuming your site is on a different domain, you'll also need to set some special headers on the remote site in order for browsers to allow the ajax request:
Access-Control-Allow-Origin: http://plonesiteurl
That's pretty easy to override headers with any web server though.
You can include content from an external site by specifying the href attribute as documented here: http://docs.diazo.org/en/latest/advanced.html#including-external-content
You will need to enable the "Read network" option in plone.app.theming to allow inclusion of external urls, see: http://pypi.python.org/pypi/plone.app.theming#usage
As others have pointed out, this does have a performance impact, but if you are caching the resulting pages that might be ok. You can avoid that performance cost by caching the fragment and using the SSI or ESI method options documented on the diazo site, but you will need to setup Nginx to run the filter.xsl stylesheet or a diazo proxy.
Unless I am misunderstanding your question (always possible), I think you are misunderstanding p.a.theming. p.a.theming can include theme assets (e.g. templates, images) from a remote site, but it is not intended for nor really capable of proxying in content from a remote site.
I have a tomcat hosted web-app, in one of the jsp pages the webapp displays I am using an iframe to embed an html document.
I need to have the html pages separate to the web-app so that they can be altered without requiring a relaunch of the original web-app or access by editors to the web-app.
It is also essential that html pages are secure and not available directly in any way, i.e. only available within this web-app or by authenticating the user. I also want to avoid making the user login to both the web-app and the page in the iframe.
I am not sure how to approach this, I have an apache server, php, and of course tomcat at my disposal.
I can think of two approaches but am not sure how to implement either:
I pass through the authentication details from the jsp page and store all the usernames etc elsewhere for the .htaccess file to check against (not ideal as this means the upkeep of two username / password files)
I somehow enforce that these pages can only be accessed when they are being shown within this iframe i.e. use the web-app as an authenticator and hold the web pages to be only accessible via it.
Presently I can only think of a rather clunky, double log-in way, using .htaccess on an apache server which will require the user to enter a username and password again before viewing the documents.
Can anyone think of a more elegant solution?
Thanks!
CJ
Easiest approach would be to not serve the HTML pages by a public webserver, but just host them in some fixed path outside the public webcontent. Then you can create an servlet which gets an InputStream of the HTML file by FileInputStream and writes it to the OutputStream of the servlet response as obtained by HttpServletResponse#getOutputStream() the usual Java IO way.
Then, in your JSP just change the <iframe> src to point to that servlet instead, along with the desired HTML file as request parameter or pathinfo.
<iframe src="htmlservlet/file.html" />
This way you can control the authentication at one place, the JSP/Servlet webapp.
I've added a SSL certificate to an existing site, and now in IE I get a mixed content warning. Problem is, I don't know what's the non-secure content IE is warning me about. It's a simple html page, with a few Flash, a few images, a loaded CSS and JS.
How can I find out what's the non-secured content..?
Edit:
I found the culprit: it's the JS AC_RunActiveContent.js used to display Flash movie. So anyone has an idea on how to prevent SSL mixed content when using AC_RunActiveContent.js.?
This means that something is requesting content using the http protocol specifically, or you have an absolute path to an image or other content that begins with http instead of https.
A few tips: Use relative paths everywhere you can. If you must use an absolute path, and it's to a server you own, use https. If you're loading stuff from off your site, you're probably stuck with the mixed-content warning.
This also goes for your scripts, check out the JS, and the CSS template and make sure they're not the guilty parties - if they are change them to use relative paths, or to request items via https instead of http (assuming you're positive that the server they're referencing supports https, if it doesn't you're stuck).
There are a few other details, this might be helpful.
Ok, so here is the solution for my particular problem. It was the codebase value in my code that needed to be https as well (I didn't think it would trigger the warning, as my Flash were displaying correctly, oh well)...
AC_FL_RunContent( 'codebase','https://download.macromedia.com/pub/shoc...
Link to Adobe info on this: Security Information error in Internet Explorer
I use the Firefox console -- it reports the http resources it blocks from fetching on a mixed content page.
Search your source for http: only. Another great tool to help you out is Fiddler with which you can see what's getting downloaded upon requesting your page.