I am trying to add a header to an existing submission, as the endpoint resides in Azure API management and requires a "Ocp-Apim-Subscription-Key" header.
The submission element looks as follows:
<xf:submission id="OrganisationStructureService-submission" class="fr-service"
ref="instance('fr-service-request-instance')"
resource="https://securextst-api.securex.eu/sssservices/employerservice/api/firm/0000000128/identification"
method="get"
serialization="application/x-www-form-urlencoded"
mediatype="application/x-www-form-urlencoded"
replace="instance"
instance="fr-service-response-instance">
<xf:header>
<xf:name>Ocp-Apim-Subscription-Key</xf:name>
<xf:value>dummykey</xf:value>
</xf:header>
</xf:submission>
When reading other answers like Send HTTP header from Orbeon XForm submission this should work, but I keep getting an 403 saying I didn't fill in the Subscription-key when I use the test dialog.
When doing the exact same request using Postman, it works so the error must be somewhere in my XML.
I feel like I'm missing something basic, but can't say what.
Related
I am developing an Angular2 and integrating it with my ASP.NET MVC application.
To prevent CSRF attacks we have used Anti-Forgery Tokens in ASP.NET MVC helper function, which renders an input type inside the body.
Now I want to read this value and append it to the headers of all my ajax calls in my angular2 app.
I was not able to find a way how to read this value and pass to http wrapper service.
This is how the DOM looks:
<html>
<head></head>
<body>
<input name="__RequestVerificationToken" type="hidden" value="6fGBtLZmVBZ59oUad1Fr33BuPxANKY9q3Srr5y[...]" />
<my-app>
</my-app>
</body>
</html>
Thanks.
You can access it with jQuery selector:
<html>
<head></head>
<body>
<input name="__RequestVerificationToken" id="input_element" type="hidden" value="6fGBtLZmVBZ59oUad1Fr33BuPxANKY9q3Srr5y[...]" />
<my-app>
</my-app>
</body>
</html>
Component
checkValue(): string {
return $('#input_element').value();
}
This is not the most elegant way to do what you need, but it is the only one, since angular doesnt allow access to anything outside scope.
I actually used this to change css link in my tag located in tag.
But
Also consider the comments, that there is a better way to implement token based communication. You can actually save your token in localStorage after authentication procedure, or any other REST call. Take data from result of that REST call and localStorage.setItem('token', value).
You can create HttpInterceptor, custom one, where you can modify every REST call to have that token. Example of that:
https://medium.com/aviabird/http-interceptor-angular2-way-e57dc2842462
Thanks for your suggestions everyone.
So here is what I did after researching and from all of the above suggestion.
I created a window-ref service that returns me the window object and also has the getToken() method.
Then I inject this service in my http wrapper service.
The window ref service has the getToken() method that will check if the document object is present and if it finds the element with the provided name "__RequestVerificationToken" it will returns its value.
If the element is not present then blank value or null is returned.
While in the HttpWrapper service I check if the returned value from getToken() is blank then don't append the "__RequestVerificationToken" header else append it.
I followed this https://juristr.com/blog/2016/09/ng2-get-window-ref/ link for the window ref service.
I did'nt wanted to make another call to get the token from the server, because this call would obviously wont have any security token attached to its request headers and this would have made this call unsafe. An attacker could have easily called this method and got the token and successively attached it to next calls.
I'm building Portlets using Spring Portlet MVC 3.02 and deploying them on WebSphere Portal V7. I have a form submission where one combo box requires to sent an Spanish character. Something like this:
<form:select id="${ns}imTheField" path="imTheField" cssStyle="width:120px;">
<option value="AtTheEndTheresASpanishCharacterÑ">
AtTheEndTheresASpanishCharacterÑ
</option>
</form:select>
The "Ñ" character looks nice in the Screen. That combo value maps to the command attribute imTheField by Spring Binding process. After form submission and in the handler method, this is what I get when I log that command attribute:
theCommand.getImTheField: AtTheEndTheresASpanishCharacterÃ
Which is not the character that came from the form. This is getting me trouble as when there are errors in form submission I have to show the form again with the previous values, which now I don't have because of that issue.
Any ideas? This is what I get from Chrome debugging at form submission:
Request Headers
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:es
Form Data
imTheField:AtTheEndTheresASpanishCharacterÑ
Response Headers
Content-Language:es
Content-Type:text/html; charset=UTF-8
Note that the field imTheField looks nicely formatted. Maybe is an issue with the Accept-Charset request header?
see: http://floatingcube.blogspot.co.uk/2008/10/special-characters-in-spring-mvc.html
You may need to use a filter as spring is using ISO-8859-1 rather than UTF-8
In grails it is easy to add tokens to prevent form double submission and also the click hijacking.
Just add useToken="true" to the form tag:
<g:form ... useToken="true" >
But, this is not available for formRemote tag. I know that I can do normal form and write js code to transform them into ajax froms with token, but because of that is odd that is not supported by default in the formRemote tag.
Any reason for this, or is just (another) bug in Grails?
I have rich:popupPanel which contains t:dataList under one column of t:dataTable. This dataList has h:commandLink which has f:param inside it. It was working fine for richfaces 3.3 but after migration to richfaces 4, it stopped working. To mention the fact that I was using rich:modalPanel in place of rich:popupPanel over there. I went through quite a few links:
https://community.jboss.org/thread/202583
commandButton/commandLink/ajax action/listener method not invoked or input value not updated
but of no help :(. Am I missing something? Currently, bean is session-scoped and I am using getter to fetch the data model as its not possible for me to put it in constructor.
Please let me know, if someone has idea about it.
PS: Rendered HTML equivalent looks like this. It has request parameter varPath but in backing bean we get it as null.
<a onclick="return myfaces.oam.submitForm('actionForm','actionForm:j_id0',null, [['varPath','/Link']]);" href="#" tabindex="-1" accesskey="">/Link</a>
Figured out that changing the encType of form to "application/x-www-form-urlencoded" from "multipart/form-data" resolves this issue. Strange though! Not sure why it didn't work with multipart encryption.
First of all, it's not an encryption, but an encoding. The difference is pretty huge. "Encrypting" is a way of changing the value in such way which is not predictable without having kind of a security key (cipher key, seed, etc). "Encoding" is a way of changing the value in such way that it's acceptable by the data transfer mechanism and/or that it's recognizeable/parseable by the other side without loss of any data. The values are not made unreadable or something, they are just arranged somewhat specific and differently.
Coming back to your concrete problem, the multipart/formdata encoding is usually only used when you need to be able to send (upload) a file along with the form, using for example <input type="file"> or the RichFaces <rich:fileUpload> component. The standard application/x-www-form-urlencoded form encoding, which basically specifies that the request parameters should be sent URL-encoded in this format
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
name1=value1&name2=value2&name3=value3
isn't suitable for passing file contents around. For that the multipart/form-data encoding should be used which basically look like this:
Content-Type: multipart/form-data;boundary=SOME_BOUNDARY
--SOME_BOUNDARY
content-disposition: form-data;name="name1"
content-type: text/plain;charset=UTF-8
value1
--SOME_BOUNDARY
content-disposition: form-data;name="name2"
content-type: text/plain;charset=UTF-8
value2
--SOME_BOUNDARY
content-disposition: form-data;name="name3"
content-type: text/plain;charset=UTF-8
value3
--SOME_BOUNDARY--
This format allows room for enclosing complete file contents in the request body.
In a JSF 2.0/2.1 web application, multipart/form-data requests are normally processed by a custom Filter. In case of RichFaces 3, this is normally processed by the org.ajax4jsf.Filter which is missing in RichFaces 4.
Note that the application/x-www-form-urlencoded is already the default encoding type of HTML forms. So you don't need to explicitly specify it yourself. Just omit the enctype attribute altogether:
<h:form>
</h:form>
and you should be all set.
Figured out that changing the encType of form to "application/x-www-form-urlencoded" from "multipart/form-data" resolves this issue. Strange though! Not sure why it didn't work with multipart encryption.
Would still like to know the explanation behind this, if anyone knows about this.
Using a4j:commandLink instead of h:commandLink pass parameters correctly which resolved this issue. No need for custom filters just for parameters.
CommandButton should be placed in a form tag. Sounds like you have nested form or you have no form.
I am developing an JSF 2.0 application for IBM Webshere 7.0 and I want to prevent user submitting a form using the GET method for security reason i.e user will not be able to submit a form appending the form values to the Query String.
Is there any simple solution for this or I need to build filter to prevent this ?
When you use JSF <h:form> it does a POST request be default. Even though a Query string is sent, since the submission method is POST, the result is not sent as a query string, that is, it is not added to the action URL of the form. Rather, the string is sent as the body of the HTTP request and the doPost() method of the FacesServlet will be invoked.
See also:
Proper way to call servlet from Facelets?
http://en.wikipedia.org/wiki/Query_string