My WAS(on AKS) occured following exception.
Request_url: localhost:8443/nice%20ports%2C/Tri%6Eity.txt%2ebak
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "%2e"
...
I think it's because of azure's port scan.(maybe)
My concerns are as follows.
Ignoring exception seems to make security weak.
Handling exception and logging, it seems that unnecessary logs are accumulating periodically.
What choices do you make in your service? or Any other solution?
Related
I have a rails api using devise-token-auth. Recently I was on really spotty/slow Wifi and I noticed I was getting 401's from my app. My theory is that the refreshing auth token is either being lost and delayed by the bad network. That being said, I'm having a hard time reproducing the bug itself.
Three primary questions:
Could a spotty Wifi/network connection lead to 401s, due to loss or delay of the new auth-token. And if this is the case, is there a way to recover without needing the user to log back in.
How to reproduce such an environment, so I can debug this scenario.
I was able to reproduce it by delaying the server response using a debugger. In my case, this happens when I enable change_headers_on_each_request config, so when the response which carries the new tokens fails the next responses throw 401 code.
I recently sent an issue to the gem explaining this and asking how can I handle this situation on the frontend.
I am working on plugins for a web platform.
I have one Core plugin(core library which is required to be installed and enabled) and one functional plugin.
I want when Core plugin is installed but not enabled then the functional plugin not to work. I've always check whether the Core is enabled and want to return it for all kind of requests - json, xml, html, ...
I want to return to the client response with good error code but not sure which one is the best.
I am thinking about 403 or as most people do 500.
Any suggestions?
Regards,
Boris
The returned code you should use really depends on semantics of the resource state. The answers to these questions should determine appropriate status code:
Why the Core is disabled? Is it an error state (something unexpected, that should not happen under normal conditions) or normal state?
Is the service disabled for all clients or some authorized users could perform the calls?
Should the client treat current state as temporary or permanent?
Here are some suitable error codes (under certain conditions):
403 Forbidden
You should use this code only if some of the users still could call the service successfully.
500 Internal Server Error
This generic error code is far too overloaded. Choose it only if you can't select more specific error code.
503 Service Unavailable
It's a good candidate if current state is temporary and should be fixed soon.
I am facing problems when resource limits are reached with rabbitMQ , I saw the post
Spring AMQP: Register BlockedListener to Connection
There was a suggestion for a Jira issue , any improvement in this direction ?
especially it would have been nice if I can configure a blocking handler from XML side also.
Is there any way before a send I can check the channel status ( blocking ) since I get into an infinite blocked state if I send on a blocking channel since no timeout is available.
Your question isn't clear. There is no JIRA, so no support for that feature out-of-the-box. All you need to do is that workaround provided by Gary.
It is indeed isn't possible to configure BlockedListener via XML configuration, but that isn't too hard to enhance the connectionFactory after injection to some your bean via provided hook.
We will be appreciate if you raise a JIRA and provide the feedback how that should work from the Framework perspective.
We're using Spring AMQP in the style of Spring Remoting with AMQP. I'm setting x-message-ttl on every message so that it expires immediately if it cannot be delivered immediately to a consumer. This works great, however, it leaves the producer waiting for the specified value of replyTimeout before failing with RemoteProxyFailureException (if I recall correctly). Is there any way I can make the producer fail immeditely if the message cannot be delivered (only waiting for the timeout if the message is actually received)?
The loose coupling of the architecture means there's no indication to the producer of the expiry.
There used to be an immediate flag but it was removed in rabbitmq 3.0.
On possible solution would be to configure a DLX/DLQ so the expired message can be consumed by another consumer, which can return an exception to the client.
EDIT:
Simply have the fallback consumer implement the same interface and have it throw an exception.
See this updated test case.
A potentially dangerous Request.Form value was detected from the client (ctl00$body$prop_bodytext="Dit kontoudtog vi...").
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ArgumentException: A potentially dangerous Request.Form value was detected from the client (ctl00$body$prop_bodytext="Dit kontoudtog vi...")
Anybody know what is this error?
This has to do with the requestValidation setting in your web.config.
Set the the value of <httpRuntime requestValidationMode="2.0"/> in your web.config.
See this link for more info.
As the other question suggests, a quick fix is to change the validation mode, allowing any values to be submitted.
You should understand that this is likely because of the value being submitted by your controls. ASP.NET detects it as being a possible script injection attack.
This error is an exception that is generated to trap such attacks so disabling it might not be the best tactic. Instead, try and find out what the part of the submitted string value is that is causing the exception. This way you can trap it on form postback.
In the early days of ASP.NET, this kind of attack was left to the developer to trap. However, this led to undesirable security situations which undermined the reputation of ASP.NET.