After upgrading security version to 4.2.4,
we are getting below exception for url which contains semicolon
ex:
https://url/name=somevalue;value=somevalue
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:140) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:120) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
So, we did some configuration to custom implement of httpfirewall
#Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall()
{
StrictHttpFirewall firewall = new StrictHttpFirewall();
firewall.setAllowUrlEncodedSlash(true);
firewall.setAllowSemicolon(true);
return firewall;
}
and
#Override
public void configure(WebSecurity web) throws Exception
{
super.configure(web);
web.httpFirewall(this.httpFirewall);
}
After configured, we are facing same issues.
Then I debugged the in-built class StrictHttpFirewall.getFirewalledRequest(HttpServletRequest request)
Sometimes we are getting nested request like :
firewalledRequest[ firewallwedRequest [ … (request).
and I checked the dofilter() method in filterchainProxy
It’s not clearing SecurityContextHolder, and so FilterChainProxy actually occurs twice in the chain.
Related
I’m trying to connect to a webpage link using a Waveshare Sim7020 module through a Raspberry Pico, using https AT commands, but the connect command returns an error.
My final objective is to send a telegram message from it using a bot link for it like explained in https://core.telegram.org/bots/api#making-requests using this method:
https://api.telegram.org/bot\<token>/METHOD_NAME
This is not working for me, so thinking that maybe this is complex I’m trying to connect to google, bur the problem continues. I have also syncronized the time on the module with a server. I’m wondering that it could be a certificate problem? These are the functions used:
from machine import Pin, ADC
import os
import utime
import binascii
#import ujson
#print sys info
print(os.uname())
#using pin defined
ADC0= ADC(Pin(26))
sensor_temp = ADC(4)
led_pin =25 #onboard led
pwr_en = 14 #pin to control the power of sim7020x
uart_port = 0
uart_baute = 115200
APN = "cmnbiot"
i=0
reading=0
temperature=0
#indicate program started visually
led_onboard = machine.Pin(led_pin, machine.Pin.OUT)
def led_blink():
led_onboard.value(1)
utime.sleep(0.5)
led_onboard.value(0)
utime.sleep(0.5)
led_onboard.value(1)
utime.sleep(0.5)
led_onboard.value(0)
def hexStr_to_str(hex_str):
hex = hex_str.encode('utf-8')
str_bin = binascii.unhexlify(hex)
return str_bin.decode('utf-8')
def str_to_hexStr(string):
str_bin = string.encode('utf-8')
return binascii.hexlify(str_bin).decode('utf-8')
#power on the sim800c
def powerOn(pwr_en):
pwr_key = machine.Pin(pwr_en, machine.Pin.OUT)
pwr_key.value(1)
#power down the sim800c
def powerDown(pwr_en):
pwr_key = machine.Pin(pwr_en, machine.Pin.OUT)
pwr_key.value(0)
#2 sec timeout is arbitrarily chosen
def sendCMD_waitResp(cmd, timeout=2000):
print("CMD: " + cmd)
uart.write((cmd+'\r\n').encode())
waitResp(timeout)
print()
def waitResp(timeout=2000):
prvMills = utime.ticks_ms()
resp = b""
while (utime.ticks_ms()-prvMills)<timeout:
if uart.any():
resp = b"".join([resp, uart.read(1)])
print((resp).decode())
def sendCMD_waitRespLine(cmd, timeout=2000):
print("CMD: " + cmd)
uart.write((cmd+'\r\n').encode())
waitRespLine(timeout)
print()
def waitRespLine(timeout=2000):
prvMills = utime.ticks_ms()
while (utime.ticks_ms()-prvMills)<timeout:
if uart.any():
print((uart.readline()).decode())
#APN Manual configuration
def apnConfig(APN):
sendCMD_waitResp("AT+CFUN=0") #Disable RF
sendCMD_waitResp("AT*MCGDEFCONT=\"IP\",\""+ APN +"\"") #Set the APN manually
sendCMD_waitResp("AT+CFUN=1") #Enable RF
utime.sleep(1)
sendCMD_waitResp("AT+CGATT?") #Inquiry PS service
sendCMD_waitResp("AT+CGREG?")
sendCMD_waitResp("AT+CGCONTRDP") #Attached PS domain and got IP address automatically
Then this are the AT command tests and APN configuration:
#print uart info
uart = machine.UART(uart_port, uart_baute, bits=8, parity=None, stop=1)
print(uart)
#power on the board
powerOn(pwr_en)
#clear bufer in UART
waitResp()
#AT commands test
atCommandTest()
#APN Manual configuration
apnConfig(APN)
Then this is the time syncronization:
sendCMD_waitResp("AT+CSNTPSTART=\"[ntp.i2t.ehu.es](http://ntp.i2t.ehu.es/)\"")
sendCMD_waitResp("AT+CCLK?")
sendCMD_waitResp("AT+CSNTPSTOP")
sendCMD_waitResp("AT+CSNTPSTART=\"[ntp.i2t.ehu.es](http://ntp.i2t.ehu.es/)\",\"+01\"")
sendCMD_waitResp("AT+CCLK?")
sendCMD_waitResp("AT+CSNTPSTOP")
sendCMD_waitResp("AT+CURTC=1")
sendCMD_waitResp("AT+CRESET")
sendCMD_waitResp("AT+CURTC?")
sendCMD_waitResp("AT+CSNTPSTART=\"[ntp.i2t.ehu.es](http://ntp.i2t.ehu.es/)\"")
sendCMD_waitResp("AT+CCLK?")
sendCMD_waitResp("AT+CSNTPSTOP")
sendCMD_waitResp("AT+CURTC=1")
sendCMD_waitResp("AT+CURTC?")
sendCMD_waitResp("AT+CSNTPSTART=\"[ntp.i2t.ehu.es](http://ntp.i2t.ehu.es/)\",\"+01\"")
sendCMD_waitResp("AT+CCLK?")
sendCMD_waitResp("AT+CSNTPSTOP")
And this is the connection try out, where on create says OK but on connect says “ERROR”:
sendCMD_waitResp("AT+CHTTPCREATE=\"https://www.google.com/\"")
sendCMD_waitResp("AT+CHTTPCON=0")
sendCMD_waitRespLine("CAT+HTTPSEND=0,0,\"nextlink\"")
waitResp()
sendCMD_waitResp("CAT+HTTPDISCON=0")
sendCMD_waitResp("CAT+HTTPDESTROY=0")
Any ideas on what could be happening?
I am using scriptrunner postfunction and validator to perform 3 transitions back to back. The problem is that I receive an error message saying
[comment:Please, add a comment.] although a comment has actually been adde as you can see in the screenshot
Here is the code I have used, anyone knows how to fix this?
package CombineTransitions
import com.onresolve.scriptrunner.runner.util.UserMessageUtil
import com.atlassian.jira.issue.Issue;
import org.apache.log4j.Logger
import com.atlassian.jira.bc.issue.IssueService
import com.atlassian.jira.issue.Issue;
import CombineTransitions.Configuration_CombineTransitions
import com.atlassian.jira.bc.issue.IssueService.IssueResult
import com.atlassian.jira.bc.issue.IssueService.TransitionValidationResult
import com.atlassian.jira.event.type.EventDispatchOption
import java.util.concurrent.TimeUnit
import java.util.concurrent.ScheduledExecutorService
import java.util.concurrent.Executors
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.issue.MutableIssue
import com.atlassian.jira.workflow.WorkflowTransitionUtil
import com.opensymphony.workflow.WorkflowContext;
import com.atlassian.jira.workflow.WorkflowTransitionUtilImpl;
import com.atlassian.jira.util.JiraUtils;
import com.atlassian.jira.issue.MutableIssue;
import com.atlassian.jira.util.ErrorCollection
import com.atlassian.jira.workflow.WorkflowException
import com.atlassian.jira.issue.fields.CustomField
import com.onresolve.jira.groovy.user.FormField
import com.atlassian.jira.issue.CustomFieldManager
import com.atlassian.jira.component.ComponentAccessor
import com.opensymphony.workflow.InvalidInputException
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.issue.MutableIssue;
import com.atlassian.jira.issue.fields.screen.FieldScreenRenderLayoutItem;
import com.atlassian.jira.issue.fields.screen.FieldScreenRenderTab;
import com.atlassian.jira.issue.fields.screen.FieldScreenRenderer;
def log1 = Logger.getLogger("atlassian-jira.log")
def combineTransitionsHashMap= Configuration_CombineTransitions.getCombineTransitionsHashMap()
def issueStatusTypeId = combineTransitionsHashMap["issueStatusTypeId"] as String;
def transitionFromOpentoFixed = combineTransitionsHashMap["transitionFromOpentoFixed"] as Integer;
def transitionFromFixedToTested = combineTransitionsHashMap["transitionFromFixedToTested"] as Integer;
def transitionFromTestedToCompleted = combineTransitionsHashMap["transitionFromTestedToCompleted"] as Integer;
def fixedStatusName = combineTransitionsHashMap["fixedStatusName"] as String;
def testedStatusName = combineTransitionsHashMap["testedStatusName"] as String;
def completedStatusName = combineTransitionsHashMap["completedStatusName"] as String;
def fixedStatusId = combineTransitionsHashMap["fixedStatusId"] as String;
def testedStatusId = combineTransitionsHashMap["testedStatusId"] as String;
def completedStatusId = combineTransitionsHashMap["completedStatusId"] as String;
def errorMessage = combineTransitionsHashMap["errorMessage"] as String;
if (issue.getStatus().getSimpleStatus().getId().equals(issueStatusTypeId)) {
def ok = false
ok=performTransition(transitionFromOpentoFixed, fixedStatusName, fixedStatusId, errorMessage);
log.warn("MOUNA first boolean "+ok +" "+fixedStatusName)
if(ok){
ok= performTransition(transitionFromFixedToTested, testedStatusName, testedStatusId, errorMessage);
log.warn("MOUNA second boolean "+ok +" "+testedStatusName)
if(ok){
ok= performTransition(transitionFromTestedToCompleted, completedStatusName, completedStatusId, errorMessage);
log.warn("MOUNA third boolean "+ok +" "+completedStatusName)
}
}
}
def performTransition(int transitionToBeDone, String destinationStatus, String statusId , String errorMessage) {
log.warn("MOUNA ORIGINAL STATUS "+ issue.getStatus() + "DEST STATUS "+ destinationStatus)
//issue = ComponentAccessor.getIssueManager().getIssueObject(issue.id)
issue = transientVars.get("issue");
def currentUser = ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()
String issueKey = issue.getKey()
IssueService issueService = ComponentAccessor.getIssueService()
def issueInputParameters = issueService.newIssueInputParameters()
issueInputParameters.setComment("Transitioning issue from status "+ issue.getStatus().getName()+" to status "+ destinationStatus );
WorkflowTransitionUtil workflowTransitionUtil = (WorkflowTransitionUtil) JiraUtils.loadComponent(WorkflowTransitionUtilImpl.class)
workflowTransitionUtil.setIssue(issue)
workflowTransitionUtil.setAction(transitionToBeDone)
//workflowTransitionUtil.addAdditionalInput(transientVars.get("comment"))
log.warn("MOUNA "+transientVars)
ErrorCollection errorCollection=workflowTransitionUtil.validate()
if (errorCollection.hasAnyErrors()) {
log.warn("MOUNA here 1 "+errorCollection.getErrorMessages().toString())
throw new InvalidInputException(errorCollection.getErrors().toString())
return false;
}else{
ErrorCollection progressErrorCollection=workflowTransitionUtil.progress()
if(progressErrorCollection.hasAnyErrors()){
log.warn("MOUNA here 2 "+progressErrorCollection.getErrors().toString())
throw new InvalidInputException(progressErrorCollection.getErrors().toString())
return true;
}else{
return true;
}
}
}
//#SuppressWarnings("rawtypes")
// Map getPopulatedFieldValuesHolder(WorkflowTransitionUtil workflowTransitionUtil, MutableIssue issue) throws Exception{
// Map fieldValuesHolder = new HashMap();
// FieldScreenRenderer fieldScreenRenderer = workflowTransitionUtil.getFieldScreenRenderer();
// for (FieldScreenRenderTab fieldScreenRenderTab in fieldScreenRenderer.getFieldScreenRenderTabs())
// for (FieldScreenRenderLayoutItem fieldScreenRenderLayoutItem in fieldScreenRenderTab.getFieldScreenRenderLayoutItems())
// if (fieldScreenRenderLayoutItem.isShow(issue)) {
// fieldScreenRenderLayoutItem.populateFromIssue(fieldValuesHolder, issue);
// log.warn("fieldScreenRenderLayoutItem MOUNA "+fieldScreenRenderLayoutItem.getFieldScreenLayoutItem().getFieldScreenTab().getFieldScreen().getName())
// }
// return fieldValuesHolder;
// }
// String getError(String error){
// return error;
// }
Recently we upgraded from WPS v7.0 to v8.5. We updated the portlets and few parts of the code to have them compatible and working on the new platform (v8.5). However, we found some peculiar behavior regarding which am looking for some information. Here it goes:
Premise: These portlets use cookies for regions in the form of codes e.g oh for Ohio, ny for New York, etc.
Earlier in WPS v7.0, the portlet action URLs that were generated were of the form:
http://<host>:<port>/wps/portal/!ut/p/b1/04_SjzQ0M.... and so on.
Now, on the new platform (v8.5), the URLs are a little bit different of the below form.
http://<host>:<port>/wps/portal/oh/!ut/p/z1/pZBNCsIwE... (in the case of Ohio)
http://<host>:<port>/wps/portal/ny/!ut/p/z1/pZBNCsIwE... (in the case of New York)
Now coming to peculiar part. The URL on the 8.5 contain the cookie value (in this case: oh for Ohio) as a part of the context.
I traced and checked the logs for the ActionURL tag and other URL implementation classes like BasicURLImpl, BaseURLImpl, PortletURLProviderImpl but have not found any clue on how the cookie value is getting to be part of the action url while it is getting generated.
EDIT:
I was able to decode the URL (following this post: WebSphere Portal decode url) and saw that the cookie values are coming up as shared parameters (global) (ref: IBM WebSphere Portal Remote State Service and Fragment Service) which I consider them as public render parameters. Sample excerpt from decode url output here below:
<shared-parameters id="global">
<shared-parameter nsuri="http://www.ibm.com/xmlns/prod/websphere/portal/publicparams" localpart="path-info">
<value>oh</value>
</shared-parameter>
</shared-parameters>
At this point, my opinion is somehow the cookie values are being set as public render parameters but not sure how.
Our goal is not to have the cookie value as a part of the URL. Any clues to settings, configuration or anything that would help in the direction of getting the preferred outcome is appreciated.
Thanks.
After debugging through the actionURL creation, it is observed that the cookie values are being passed as friendly path in the below observed path. As of now, do not have an idea on how these values are being passed as a friendly path.
PortletURLImpl
.provider
.request (PortletRequestWRapper).
.request(ExtendedLocaleRequest).
.request(ExtendedLocaleRequest).
.request(FriendlySelectionHttpServletRequestWrapper)
.friendlyPath= /oh
.contextPath = /wps
.originalPathInfo = /
.pathInfo = /
.servletPath= /portal
.request (MappingURLRequestWrapper)
.contextPath = /wps
.servletPath= /portal
.originalPathInfo = /oh
Finally the issue is now fixed by adding the following property in the WAS admin console:
Under Resource environment providers > WP ConfigService > Custom properties
Add the property
Name: friendly.pathinfo.enabled
Value: false
Description: Whether URL mappings and friendly URLs can contain path information to a content item as part of the URL.
I'm Integrating my rails application with payfort using payfort api merchant page 2.0 I've made a form that collects user data and in my back end I do calculate the signature so the result is like this
`
parametsrs ={
:access_code=>"4XiE5d2D9Yvbbb9YMYPE",
:card_number=>4005550000000001,
:card_security_code=>123,
:expiry_date=>1705,
:language=>"en",
:merchant_identifier=>"MpFMkQYk",
:merchant_reference=>139,
:service_command=>" TOKENIZATION"
:signature => "d0f49bf93d76939dd9f841302f4d6ca87151a54ceffca725b38cdaf9a1a2fdb0"}
`
but whenever I submit this form I got this response invalid extra parameters
can anyone help me with that?
you need to remove rails extra parameters like utf8 , authenticity_token , _method before submitting to payfort
Our customers want to use an MDM (mobile device management) solution (MobileIron) to install client certificates onto corporate iOS devices, in order to limit access to certain corporate web services to corporate devices only.
MobileIron installs the client certificate into Settings > General > Profiles, which is the default location for certificates in iOS, and Safari can respond with this certificate when a corporate web service challenges it for one.
But I need the same thing to happen from within a custom app. When our app gets challenged for a certificate, I need to be able to respond with the certificate from Settings > General > Profiles. I have examples of responding with a certificate which is bundled with our app, and with a certificate which our app stores within its own keychain, but I do not have an example of responding with a certificate installed on the device in Settings > General > Profiles.
Can anyone explain to me more about what the NSURLAuthenticationChallengeSender protocol method -performDefaultHandlingForAuthenticationChallenge: does? Does default handling mean that iOS effectively responds to the challenge on behalf of the app? Can this response include a client certificate stored in Settings > General > Profiles?
Update
If the MDM could install a client certificate into the app keychain, that would be perfect.
Apple tech support pointed me to the following tech note in response:
https://developer.apple.com/library/ios/qa/qa1745/_index.html
To summarise, what we want to do is not supported.
MobileIron's AppConnect 2.1 update solves this problem, no special code required. X.509 certificates can be pushed with the AppConnect Configuration, and the AppConnect framework intercepts any authentication challenges when it can respond with an eligible cert. Certs can be created on-the-fly at first launch, revoked later, customized per-user or per-device, and different URL's can use different certs.
If anyone is using the code snippet on this page, stop, it's not needed. After wrapping your unmodified app, or linking-in the AppConnect framework, add an MI_AC_CLIENT_CERT_1 key to your AppConnect Configuration, pointing to a Certificate Enrollment configuration (i.e. SCEP, Entrust, Symantec PKI, PIV-D, etc.). Add a MI_AC_CLIENT_1_RULE key with a URL (with optional wildcard). There is no step 3. Your app will now automatically use certs for authentication.
Full details are in MobileIron's AppConnect and AppTunnel Guide docs, under "Certificate authentication from AppConnect apps to enterprise services".
I just came back from an onsite at a customer who was using MobileIron and was looking to do just this. MobileIron development support provided us with this snippet of code, which imports a certificate provided by the AppConnect Wrapper through MobileIron's Core Config technology.
It's not pretty, but as it was provided by them I was not allowed to modify it. It works though! You insert this into your AppDelegate.h:
- (NSString *)appConnectConfigChangedTo:(NSDictionary *)newConfig;
And this into your AppDelegate.m, right after the aforemention pragma mark:
#pragma mark UIApplicationDelegate implementation
- (NSString *)appConnectConfigChangedTo:(NSDictionary *)newConfig{
//NSLog(#"New config: %#", newConfig); //unsecure
NSLog(#"New config retrieved"); //confirm we got a new config
NSString *certStr = [newConfig valueForKey:#"kUserCert"]; //Store certificate as String
NSString *certPassword = [newConfig valueForKey:#"kUserCert_MI_CERT_PW"]; //Store certificate password as string
NSData *cert = [[NSData alloc] initWithBase64EncodedString:certStr options:0]; //only for iOS7+, decodes base64 encoded certificate
CFDataRef pkcs12Data = (__bridge CFDataRef)cert; //Extract identity & certificate objects from
CFStringRef password = (__bridge CFStringRef)certPassword; //the cert data Identity
SecIdentityRef myIdentity = nil; //Initialize variable for identity
SecCertificateRef myCertificate = nil; //Initialize variable for certificate
OSStatus status = extractIdentityAndTrust(pkcs12Data, password, &myIdentity, nil); //Use Apple-provided method for extracting Identity and Trust
if (status != errSecSuccess || myIdentity == nil) { NSLog(#"Failed to extract identity and trust: %ld", status);} //Likely due to corruption
else { SecIdentityCopyCertificate(myIdentity, &myCertificate); } //This method is supposed to store the Certificate, but Fiori doesn't see it here
const void *certs[] = { myCertificate }; //Initialize an array for one certificate
CFArrayRef certsArray = CFArrayCreate(NULL, certs, 1, NULL); //Make the array the way Apple wants it to be
NSURLCredential *credential = [NSURLCredential credentialWithIdentity:myIdentity certificates:(__bridge NSArray*)certsArray persistence:NSURLCredentialPersistencePermanent]; //MobileIron's method of Credential storage
NSMutableDictionary *secIdentityParams = [[NSMutableDictionary alloc] init]; //Initialize Dictionary to store identity
[secIdentityParams setObject:(__bridge id)myIdentity forKey:(__bridge id)kSecValueRef]; //Build the secIdentityParams dictionary in the way the next method expects it to be
OSStatus certInstallStatus = SecItemAdd((__bridge CFDictionaryRef) secIdentityParams, NULL); //Add the identity to the keychain for Fiori consumption
if (myIdentity) CFRelease(myIdentity); //Free
if (certsArray) CFRelease(certsArray); //Up
if (myCertificate) CFRelease(myCertificate); //Memory
return nil; //Success
}
// Copied from Apple document on Certificates:
// http://developer.apple.com/library/mac/documentation/security/conceptual/CertKeyTrustProgGuide/CertKeyTrustProgGuide.pdf
OSStatus extractIdentityAndTrust(CFDataRef inP12data, CFStringRef password, SecIdentityRef *identity, SecTrustRef *trust){
OSStatus securityError = errSecSuccess;
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = nil;
securityError = SecPKCS12Import(inP12data, options, &items);
if (securityError == errSecSuccess) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0);
if (identity && CFDictionaryGetValueIfPresent(myIdentityAndTrust, kSecImportItemIdentity, (const void **)identity)) {
CFRetain(*identity);
}
if (trust && CFDictionaryGetValueIfPresent(myIdentityAndTrust, kSecImportItemTrust, (const void **)trust)) {
CFRetain(*trust);
}
}
if (options) {CFRelease(options);}
if (items) {CFRelease(items);}
return securityError;
}
Once you've built your app, ask the MobileIron administrator to 'wrap' the app so that it can use AppConnect. Once that is done and the wrapped app is deployed to test users via MobileIron, set up a Core Config that take a User Certificate specific for the provisioned user and pushes it to the provisioned devices under the Core Config key "kUserCert".