Develop Reference

How to stop automatically base64 decoding

When the following http request is sent, the body part is automatically base64 decoded by Struts2.
For security reasons (e.g. S2-046), I want to stop automatically base64 decoding.
Is it possible to set this in Struts2?
POST /test.jsp HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck Chrome/85.0.4183.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Content-Type: multipart/form-data; boundary=---------------------------123456789012345678901234567
Content-Length: 1644
Connection: Keep-Alive
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1NjcKQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmb28iOyBmaWxlbmFtZT0ieHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHgiCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgoKeAotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Ny0t

Fetch with ReadableStream as Request Body

I'm trying to use fetch with a ReadableStream. In this example, the ReadableStream should simply repeat "Some data..." indefinitely.
fetch('/', {
method: 'POST',
body: new ReadableStream({
pull: function(controller) {
console.log('pull called!');
controller.enqueue('Some data...');
}
})
});
This doesn't work. While pull is executed once, no data is sent in the request body.
POST / HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 0
Origin: https://example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: */*
Referer: https://example.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
How can I make a ReadableStream (or any kind of stream where I can write dynamic data) usable with fetch?
Alternatively, if this isn't yet possible, could you please indicate this? Thank you.
Note: This is a more specific spin-off question from: Method for streaming data from browser to server via HTTP

We're working on making this work, see https://github.com/whatwg/fetch/pull/425 for the PR to the Fetch Standard. Once that is done you can expect this to make its way into browsers (slowly).

Principal is null when CSRF disabled

I'm creating a webapp that uses spring-boot-starter-security and spring-security-oauth2 to use Facebook for login.
To avoid implementing all that CSRF-stuff in angular 2 (and because it's just a toy project) I want to turn off CSRF.
I have implemented the following configuration:
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
But now the Principal-Object is always null:
Task createTask(#RequestBody Task task, Principal principal) {
// do stuff
}
Why?
I guess I unintentionally overwrite the security config configured in my application.yaml, but even if I add an Order-Annotation it doesn't work :(
Edit:
Request headers (I created a Filter to add a XSRF-TOKEN cookie, ignore that):
POST /foo HTTP/1.1
Host: localhost:81
Connection: keep-alive
Content-Length: 15
Origin: http://localhost:81
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://localhost:81/create-task
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: _ga=GA1.1.681162454.1458756836; JSESSIONID=F65FB28C14A8A2D870D18842DE855212; XSRF-TOKEN=551858ab-678e-4dcb-bc72-44fbc569ec41

Does HttpServer handle the same request twice?

Trying to set up a simple Dart HttpServer:
import 'dart:io';
void main() {
HttpServer.bind(InternetAddress.ANY_IP_V4, 80).then((server) {
server.listen((HttpRequest request) {
request.response.write('Hello, world.');
request.response.close();
print(new DateTime.now());
print(request.connectionInfo.remoteAddress);
print(request.method);
print(request.headers.toString());
print("--------------");
});
});
print("listing....");
}
When hitting localhost from a browser (Chrome), it appears as if the incoming request is handled twice:
listing....
2013-11-07 15:19:24.478
InternetAddress('127.0.0.1', IP_V4)
GET
host: localhost:80
connection: keep-alive
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
accept-encoding: gzip,deflate,sdch
accept-language: en-US,en;q=0.8
--------------
2013-11-07 15:19:24.554
InternetAddress('127.0.0.1', IP_V4)
GET
host: localhost:80
connection: keep-alive
accept: */*
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
accept-encoding: gzip,deflate,sdch
accept-language: en-US,en;q=0.8
--------------
Those two requests look almost identical, except for the accept header. Doesn't look like the browser is firing up the request twice:
So, why does the request get handled twice?
EDIT: Dart SDK version 0.8.10.6_r30036

You don't output what is requested (the url member of the request instance) and that is the difference between the two requests.
The first request requests the file you try to open, probably /. The second request is issued internally by the browser and requests favicon.ico to display the icon in the address bar / tab title.

Angular HTTP Post using CORS works behind the scene, but doesn't "succeed"

I'm working on an AngularJS project, and I need to perform a cross-domain (CORS) POST.
It took me a (long) while to get it working, and well, it now sort of work:
The pre flight (OPTIONS) request is sent correctly, and my server
responds to it correctly as well.
The actual POST request is sent
correctly as well, my server receives it all right, and returns a 201
(created) response as it should.
So what is the problem?
Well the Angular $http object doesn't then go to the "success" callback, but to the "error" callback instead... with a status code of 0 and no specific error.
So from my page, I have no way to know if my request actually worked. The only way I know that it does work is by controlling (debugging) the server and using Fiddler.
Did anybody run into this problem before? It's a bit frustrating to have a working solution but not being able to tell that it actually worked :)
Here is my $http request:
this.simulate = function (url, content) {
var deferred = $q.defer();
var data = { "Data": content, "Timestamp": new Date() };
$http.defaults.useXDomain = true;
$http.post(url, data)
.then(function(response) {
deferred.resolve({
isSuccess: true,
httpCode: response.status,
errorMessage: "",
url: url,
data:data
});
},function(response) { // This is this error callback that is being called, despite the fact that my request is working fine...
deferred.resolve({
isSuccess: false,
httpCode: response.status,
errorMessage: response.data.Message + " " + response.data.ExceptionMessage,
url: url,
data: data
});
});
return deferred.promise;
};
In fiddler, this is what I get:
The pre-flight request:
OPTIONS http://myServer:82/xclient/event/volupdate HTTP/1.1
Host: myServer:82
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://myClient:1855
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Access-Control-Request-Headers: accept, origin, x-requested-with, authorization, ssotoken, content-type
Accept: */*
DNT: 1
Referer: http://myClient:1855/XClient/testharness/eventing
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,fr-FR;q=0.4
Which gives me that pre-flight response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Access-Control-Allow-Origin: http://myClient:1855
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: accept, origin, x-requested-with, authorization, ssotoken, content-type
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 07 Aug 2013 10:13:05 GMT
Content-Length: 0
And then this is followed by the actual POST request:
POST http://myServer:82/xclient/event/volupdate HTTP/1.1
Host: myServer:82
Connection: keep-alive
Content-Length: 56
Origin: http://myClient:1855
Authorization: SSOB2L1ax<BLAHBLAHBLAH>EP49w=|0|jaussan|System X|20130825131712|1748001|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
DNT: 1
Referer: http://myClient:1855/XClient/testharness/eventing
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,fr-FR;q=0.4
{"Data":"SomeData","Timestamp":"2013-08-07T10:13:06.533Z"}
And then followed by a normal 201 created response to the POST:
HTTP/1.1 201 Created
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 07 Aug 2013 10:13:05 GMT
Content-Length: 0
As you can see everything seems normal, but yet $http seems to think it's not.
Here are a few screenshots from Firebug:
$http goes to the wrong callback:
And this is the response I'm getting from $http... not really my 201!:

It appears as if your server is handling the OPTIONS (preflight) request correctly, but not the actual POST request. Your server needs to at least include an Access-Control-Allow-Origin header in the response to your POST request. In your case, that would be: Access-Control-Allow-Origin: http://myClient:1855.
For future reference, there is an excellent article about CORS that everyone who has to support a cross-origin environment should absolutely bookmark: MDN on HTTP access control.