Redirecting URL in JBOSS AS 7 - jsf-2

Hi everyone, currently I am passing a query string in my URL like
ip:port/contextroot/page.jsf?id=22&tsid=1234
The query string is a user id and tsid. The user doesn't specifically need to type in the query string values. My requirement is to hide the query string in the URL and still be able to use the query string values in my app. I was thinking if there is a way to strip off the query string using JBoss redirection.
To summarize:
I want to access my page.jsf like
ip:port/contextroot/page.jsf
and still get id and tsid from the query string.
Any help is greatly appreciated.
Thanks in advance :)

On your .NET application, encrypt all sensitive data using a symmetric cipher (e.g. AES), then POST it to a JBOSS servlet. In that servlet, decrypt the transmitted data and store it in a session scoped bean. This way, you can subsequently access the data from your beans without needing to carry it around in GET params.

I think you're looking for Pretty Faces ( http://ocpsoft.org/prettyfaces/ )


Netflix Zuul query string encoding

When sending a request via Zuul to a client, Zuul seems to change the query String. More specifically, if the client should receive an url-encoded query String, Zuul decodes the query String once. Here is a concrete example:
If "http://localhost:8080/demo/demo?a=http%3A%2F%2Fsomething/" is sent to the client, the client receives as a query String "a=http://something/".
Looking into Zuul's code, the function "buildZuulRequestQueryParams" uses "HTTPRequestUtils.getInstance().getQueryParams();" which decodes the query String.
Is this a desired feature or a bug?
Zuul actually offers a flag to disable this behavior.
8.9 Query String Encoding
When processing the incoming request, query params are decoded so that they can be available for possible modifications in Zuul filters. They are then re-encoded when the backend request is rebuilt in the route filters. The result can be different than the original input if (for example) it was encoded with Javascript's encodeURIComponent() method. While this causes no issues in most cases, some web servers can be picky with the encoding of complex query string.
To force the original encoding of the query string, it is possible to pass a special flag to ZuulProperties so that the query string is taken as is with the HttpServletRequest::getQueryString method, as shown in the following example:
application.yml:
zuul:
  forceOriginalQueryStringEncoding: true
[Note] This special flag works only with SimpleHostRoutingFilter. Also, you lose the ability to easily override query parameters with RequestContext.getCurrentContext().setRequestQueryParams(someOverriddenParameters), because the query string is now fetched directly on the original HttpServletRequest.
8. Router and Filter: Zuul
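The decode and re-encode behaviour that the quoted documentation describes can be reproduced outside Zuul. The following is an added example, not code from Zuul or from this thread; Python's urllib stands in for the proxy's parser and encoder (an assumption), and the second and third sample strings are constructed.

```python
from urllib.parse import parse_qsl, quote, urlencode


def decode_then_reencode(raw_query):
    """Model a proxy that parses the query into params and rebuilds it.

    Assumption: urlencode() stands in for the proxy's encoder; Zuul's own
    encoder may pick different escapes, but the effect is of the same kind.
    """
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    return urlencode(pairs)


def compare(raw_query):
    """Report whether the rebuilt string differs in bytes and in meaning."""
    rebuilt = decode_then_reencode(raw_query)
    return {
        "original": raw_query,
        "rebuilt": rebuilt,
        "bytes_changed": rebuilt != raw_query,
        "same_params": parse_qsl(rebuilt, keep_blank_values=True)
        == parse_qsl(raw_query, keep_blank_values=True),
    }


SAMPLES = [
    "a=http%3A%2F%2Fsomething/",        # query string from the question
    "q=" + quote("you & me", safe=""),  # constructed, encodeURIComponent style
    "id=22&tsid=1234",                  # constructed, nothing to escape
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(compare(sample))
```

The first two samples decode to the same parameters but come back as different bytes, which is the case where a backend that is strict about encoding needs the query string forwarded as received.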
I was facing the same issue yesterday. I think it's related to this pull request. A faster way to solve this issue (without waiting for the PR to get merged) is to rewrite the classes in your own project using the same package and class name to override the framework class.
I ran into the same issue recently. Submitted a PR to Netflix/Zuul. Basically adding the same ability that's currently available on spring cloud gateway to Netflix. Hoping it'll get addressed soon.
If accepted, you could pretty much add a config to keep the original uri encoding
zuul.keepOriginalQueryStringEncoding=true

Using Breeze query not invoking action

I am developing a single page application using HotTowel.
My question is that when I write a Breeze query with a string parameter whose length is greater than 1600 characters, the action is not invoked.
Please let me know the reason.
Thanks in advance.
As stated in:
What is the maximum length of a URL in different browsers?
there is a limit for the length of URLs.
Check parametrized queries as a possible workaround:
How to properly send action parameter along with query in BreezeJs
The answer from #fops is correct. Using .withParameters, you may be able to create some methods on your server that allow you to use some shorthand on the client instead of very large queries.
If your queries are really big, and even .withParameters blows up your URL, you may need to use POST instead of GET.
Breeze doesn't support POST for queries directly, but there's an (unsupported) add-on in Breeze Labs called breeze.ajaxpost.js that will let you use POST for .withParameters queries.

Parse id in URL in encrypted form to prevent sql injection

Snatching my hair to fix this problem but I can't.
I am parsing id in url to pull data on next page according to that id. So rather than parsing id=123 I encrypted it something like process.php?token=TG4n6iv_aoO7sU3AngFY4WLSppLvueEoh-MnYE6k7NA, and decrypted it on process.php page by collecting it with $_GET, before using it in sql query. This is not proper URL, I need url like process.php?token=9878799889 and I need to decrypt this 9878799889 on process.php which would give me my original user id.
So here I can not use md5 or base64_encode which give me ugly string.
What would be best thing to do here?
id is unique so generated long digits should be unique as well and not easy to guess.
Right now I am using an encryption algorithm with salt. Actually I want to parse like www.sitename.com/process/token/9878799889. This can be achieved with .htaccess, so I am not worried about it.
Any help will be much appreciated.
What you could do is add an association table in your database, which would contain a UUID as primary key (a randomly generated number) and your true ID reference (and other information you may want to store there, like a "valid until" date or other things...)
You'd have to generate the entry in that table as you parse the UUID, let's say
INSERT INTO uuid_table (uuid, real_id) VALUES (9878799889, 123);
Now when you process the URL process.php?token=9878799889 you would only have to
SELECT real_id FROM uuid_table WHERE uuid=9878799889;
It would return the real id 123.
You should also DELETE FROM uuid_table WHERE uuid=9878799889 when you're done.
Note that it would also work with md5 or base_64, but indeed it makes the URL uglier.
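A sketch of the lookup-table approach from the answer above, as an added example that is not part of the original answer. It assumes SQLite in place of the poster's database, an 18-digit token drawn from a CSPRNG, and a valid_until column as the answer suggests; every statement uses bound parameters, which is what keeps the token value out of the SQL text.

```python
import secrets
import sqlite3
import time

TOKEN_DIGITS = 18  # assumption: about 60 bits, digits only so the URL stays clean


def open_db():
    """In-memory stand-in for the association table described in the answer."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE uuid_table ("
        " uuid TEXT PRIMARY KEY,"
        " real_id INTEGER NOT NULL,"
        " valid_until REAL NOT NULL)"
    )
    return db


def issue_token(db, real_id, ttl_seconds=300, now=None):
    """Store a random token for real_id and return it for use in the URL."""
    now = time.time() if now is None else now
    # secrets uses the OS CSPRNG; the token carries no information about real_id.
    token = str(secrets.randbelow(10 ** TOKEN_DIGITS)).zfill(TOKEN_DIGITS)
    db.execute(
        "INSERT INTO uuid_table (uuid, real_id, valid_until) VALUES (?, ?, ?)",
        (token, real_id, now + ttl_seconds),
    )
    db.commit()
    return token


def redeem_token(db, token, now=None):
    """Return real_id for a valid, unexpired token and delete it; else None."""
    now = time.time() if now is None else now
    # Reject anything that is not exactly the expected shape before the lookup.
    if not (isinstance(token, str) and token.isascii() and token.isdigit()
            and len(token) == TOKEN_DIGITS):
        return None
    row = db.execute(
        "SELECT real_id, valid_until FROM uuid_table WHERE uuid = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    db.execute("DELETE FROM uuid_table WHERE uuid = ?", (token,))  # single use
    db.commit()
    real_id, valid_until = row
    return real_id if now <= valid_until else None
```

A token that is malformed, unknown, already used or expired yields None, so the caller has a single failure path and never learns which case applied.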

URL routing issue when data have special symbol

I have developed an ASP.NET MVC application. I have a controller with the name EmployeeController and it has a method called GetEmployeeByName. GetEmployeeByName() takes a name of type string as a parameter.
So when I send a request like this, I get the data back:
someDomain:9999/Employee/GetEmployeeByName/Roger Federer
But if the name contains an '&' (you & me), I get a '400 Bad Request' as response from server.
someDomain:9999/Employee/GetEmployeeByName/you%20&%20me
Even if I encode it, I don't get a response back
someDomain:9999/Employee/GetEmployeeByName/you%20&%20me
What is the right way to encode such (data with special character) data?
What is the right way to encode such (data with special character) data?
The right way is to use a query string parameter and not be putting those things as part of the URI portion. Read the following blog post from Scott Hanselman. I will only quote his conclusion:
After ALL this effort to get crazy stuff in the Request Path, it's
worth mentioning that simply keeping the values as a part of the Query
String (remember WAY back at the beginning of this post?) is easier,
cleaner, more flexible, and more secure.
As you can see in the blog post there are some hacky ways to make it work and circumvent IIS handling but it simply is not something that I would recommend you venturing into. Just put this name in the query string.

Grails Override reserved word in a controller?

I am currently working on a Grails solution and I am looking to pass a URL using WSLite. I basically want to pass a bunch of query params and have them fired off. One of the params I need to have is session.name. I need this exactly like this, as a 3rd party system can only read data as "session.WHATEVER". However, when I enter the data below it has a problem with the "session." as it appears that session is a reserved word in Grails. Is there any way I can get Grails not to pick up the reserved word and just use session.name? Maybe by some sort of override?
def response = client.get(path:'/TestingService', query:[code:testCode, session.name: name])
Thanks
Use quotes:
query:[code:testCode, 'session.name': name]
