I was making some changes to security.xml regarding the access like:
<intercept-url pattern="/app/admin/projectform*" access="ROLE_ADMIN,ROLE_ENGAGEMENT_MANAGER"/>
But I am confused how to differentiate between the following two URLs:
/userform?create=Engagement&method=add&from=list
/userform?create=manager&method=add&from=list
They need to be assigned to different roles.
I tried to do something very similar but couldn't. On inspecting the source code I realised spring-security doesn't consider request parameters when applying coarse grain/url authorization.
I ended up creating two separate urls.
I have the same issue. I debugged and found out that Spring failed to parse separated roles with comma actually it throws ParseException at doParseExpession. you can find the exact line [here][1]
It says it missing some data if there is acomma`. I haven't figure why. But, it seems that #Oliver advice is a good one for now. i.e break the rules for two/more lines
Edit
Solution:
seems that in version 4 filter-security-metadata-source expect to get request-matcher AND use-expressions i.e try:
<filter-security-metadata-source request-matcher="ant" use-expressions="false">
<intercept-url pattern="/app/admin/projectform*" access="ROLE_ADMIN,ROLE_ENGAGEMENT_MANAGER"/>
</filter-security-metadata-source>
Related
I have code that i used a year or two ago to create an activation link that is send by email, using a code as a parameter, i tried so many different ways, encoding, using other syntax, adding web.config settings <pages validateRequest="false" />
requestValidationMode="2.0"
, annotations [AllowHtml], literally tried dozen of post on the internet but none of them worked.
So i am overseeing something here, that i am sure but i can't find the solution.
The error i get is:
A potentially dangerous Request.Path value was detected from the client (?)
The format i use is
Url.Action("action","controller", new { Id = guidValue }, Request.Url.Scheme)
My routing is the Default so this should work.
The Url is like this in the address bar once clicked:
http://localhost:52641/Account/Login?ReturnUrl=%2FAccount%2FAccountActivation%2F%3Fid%3Dfc39f53f-6fa7-43d2-b30a-8b4e20f0f237
While it should give me:
http://localhost:52641/Account/AccountActivation?id=fc39f53f-6fa7-43d2-b30a-8b4e20f0f237
What is happening here?
Thank you for any feedback!
I removed the complete built in Authentication (NuGet packages & classes)
from my solution (since i didn't needed them) and this made the above case work as it was. I can't elaborate more on the what's and how's (i am sure other people can) but i think it has to do with routing that comes with the authentication.
I'm working on a web api call that includes parameters with '&'.
I've tried uriEncodingComponent to get the following thinking it was going to fix the issue but I am still running into the same problem. The url I'm trying to reach is here below.
http://localhost:123/api/Apples/GetApples/Red%20%26%20Green/20
I have also tried changing the HTTPRuntime in my application, without any success, to the following:
<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="<,>,*,%,:,\,?" />
Any help is greatly appreciated!
The WebAPIConfig had constraints that was not including &. Included modified my regex expression to accept the character.
When I allow a user to enter text using s:textfield, he can enter something like <b>Name</b> or something like \Me/. I want that these should be escaped before I am saving them to the database. When we retrieve them, the escaping is done automatically, but I want it to happen also when we are saving it.
I was trying to return a json output from my action class, but due to a name \a/ stored in my database, wrong json was being formed. This would have been avoided if the name had been escaped before being saved into the database.
You can use StringEscapeUtils. You can call escapeJavascript(textfield) in your action and then store it into the database.
#Daud, The problem you explained is called Cross site scripting or XSS.
And I think you should use Filters to clean the request parameters. This is the most sophisticated way. You can call these filters for the actions which are posting some parameters via request.
Visit my blog to see how to avoid XSS threat using Filter approach.
I also faced this issue when our project was tested by well known firm specializing in security testing and they suggested this filter approach.
You can give it a try.
I wrote the code in global.asax contain this
oRoutes.MapPageRoute("test-route", "home/{cURL}", "~/test.aspx");
everything fine, but had error when URL contains "." symbol. And I add the code below just can fix only one dot in URL.
<httpRuntime relaxedUrlToFileSystemMapping="true" />
For Example, when I call http://foo.com/home/open.door.foo/, the routing failed.
Is there any simple way to fix this problem? thanks.
P.S 1: please don't provide the way to remove last words like ".foo", because there could be occur in my URL like http://foo.com/hey.john.open.the.book.volume.1-brabra :-)
P.S 2: For some reason, I must be use "." symbol in URL. :'(
I guess based on several posts here in SO, you should encode your values
ASP.NET MVC: How to Route Search Term with . (Period) at the end
Semantic urls with dots in .net
I have hashmap that was created on a page using the struts2 <s:set> tag. It looks something like this
<s:set var="mymap" value="#request.mymap"/>
At some point in the page, i need to get a value from the hashmap based upon a key, and i want to do it using OGNL.
The key is generated based upon some logic, which i store using another <s:set> tag. Something like this
<s:set var="mykey" value="1">
I need to get a value from the hashmap using this key. And I need to display it.
How do I simply call the get function on the hashmap?
I tried this
<s:property value="#mymap[#mykey]"/>
and this
<s:property value="#mymap[%{#mykey}]"/>
and this
<s:property value="%{#mymap[%{#mykey}}]"/>
The third one obviously does not work because of the nesting problem.
But the same nesting logic is applicable to the second case as well, due to the manner the value attribute is handled. However none seem to work for me.
The issue here is that my key is unknown. It is a dynamically generated string based upon some pattern. I need to access the object stored in the hashmap using this dynamic key. And due to the inability of nesting ognl, I am in a fix.
I suppose the issue is very simple. I almost feel that I get it, but somehow the solution eludes me.
I suppose I was using a different version of struts wherein using the %{} was required for the expression to be evaluated. I changed the jar files now.
This is what did the job for me:
<s:property value="#mymap.[#mykey2]"/>
My problem was coming because I was trying to use it in a href for a s:a tag. And without the %{} operator, the expression was not being evaluated.
So, i guess, i was right in the beginning itself. Rest of the time, it was just me being silly. :>
Update:
I wrote a blog post on the issue, in case anyone is interested.
http://mycodefixes.blogspot.com/2010/11/struts-2-creating-and-accessing-maps.html