Spring Oauth application not working in Microsoft Azure App - java

I created a Spring application implemented with OAuth 2.0 (authorization_code flow) and deployed it into Azure App Service. When I run it on my local machine it's working properly and getting the OAuth token properly. But when I deployed the same code to Azure App, it's not working; it shows "******.com redirected you too many times".
When I trace the traffic in "Network Sniffer", there is no cookie information in the response.
For reference I attached error screenshots.

Per my knowledge, "******.com redirected you too many times" is a different variation of the error ERR_TOO_MANY_REDIRECTS (also known as a redirect loop) in the Google Chrome browser.
You could refer to the recommendations and things to check below to fix the error.
1. Delete cache and cookies on that specific site
Cookies can sometimes contain faulty data which could cause the ERR_TOO_MANY_REDIRECTS error. Due to the fact that cookies retain your "logged in" status on sites and other settings, we recommend simply deleting the cookie(s) on the site that is having the problem. This way you won't impact any of your other sessions or websites that you frequently visit.
2. Determine the nature of the redirect loop
The free online Redirect Checker tool can help provide some further analysis into what might be going on. This could also be done via cURL.
3. Check your extensions by typing chrome://extensions
Disable each of your extensions one by one while checking and refreshing your page; if the page starts working while a particular extension is disabled, that extension is faulty and you should delete it.
4. Check your HTTPS settings
If you have an SSL certificate on your domain host, you may deactivate it.
Hope it helps you.
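The second item above, tracing the loop hop by hop the way cURL would, as an added example that is not code from the question or the answer. It follows redirects through a pluggable fetch function, stops when a URL repeats, and records whether any hop sets a cookie, since the question notes that no cookie ever arrives. `FAKE_SITE` and `fake_fetch` are constructed stand-ins for a real server; `urllib_fetch` shows the same contract against a live URL with automatic redirect following turned off.

```python
"""Redirect-chain tracer (added example; not code from the original post)."""
from urllib.parse import urljoin
import urllib.request
import urllib.error

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses (url -> (status, headers)). They model a login flow in
# which no hop ever sets a session cookie, so the callback lands the browser on
# the protected page again, which sends it back to the login step forever.
FAKE_SITE = {
    "https://app.example/": (302, {"Location": "/oauth2/authorization/azure"}),
    "https://app.example/oauth2/authorization/azure": (302, {"Location": "https://login.example/authorize"}),
    "https://login.example/authorize": (302, {"Location": "https://app.example/login/oauth2/code/azure?code=abc"}),
    "https://app.example/login/oauth2/code/azure?code=abc": (302, {"Location": "/"}),
    # A healthy flow for comparison: the redirect carries the session cookie.
    "https://app.example/ok": (302, {"Location": "/home",
                                     "Set-Cookie": "JSESSIONID=c0nstructed; Path=/; Secure; HttpOnly"}),
    "https://app.example/home": (200, {"Content-Type": "text/html"}),
}


def fake_fetch(url):
    """Return (status, headers) for one request without following redirects."""
    return FAKE_SITE.get(url, (404, {}))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand every 3xx back to the caller instead of following it


def urllib_fetch(url):
    """Live counterpart of fake_fetch (not exercised offline)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:  # unfollowed 3xx (and 4xx/5xx) arrive here
        return e.code, dict(e.headers)


def _header(headers, name):
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def trace_redirects(start_url, fetch, max_hops=20):
    """Follow redirects from start_url; report the chain and whether it loops."""
    hops, seen, url = [], {}, start_url
    while len(hops) < max_hops:
        if url in seen:
            return {"loop": True, "loop_start": seen[url], "hops": hops}
        seen[url] = len(hops)
        status, headers = fetch(url)
        hops.append({"url": url, "status": status,
                     "sets_cookie": _header(headers, "Set-Cookie") is not None})
        location = _header(headers, "Location")
        if status not in REDIRECT_CODES or not location:
            return {"loop": False, "loop_start": None, "hops": hops}
        url = urljoin(url, location)  # relative Location values are resolved against the hop
    return {"loop": False, "loop_start": None, "hops": hops, "truncated": True}


def diagnose(result):
    """One-line reading of a trace, from the defender's side."""
    if not result["loop"]:
        return f"no loop: {len(result['hops'])} hop(s), final status {result['hops'][-1]['status']}"
    cycle = result["hops"][result["loop_start"]:]
    if not any(h["sets_cookie"] for h in cycle):
        return ("redirect loop and no hop in the cycle sets a cookie: the login never "
                "sticks, so check the session cookie's Secure/Domain/Path attributes "
                "and how the app sees the request scheme behind the platform's proxy")
    return "redirect loop although a cookie is set: check its attributes and the redirect URIs"


if __name__ == "__main__":
    for start in ("https://app.example/", "https://app.example/ok"):
        result = trace_redirects(start, fake_fetch)
        for h in result["hops"]:
            print(f"{h['status']} {h['url']}  cookie={'yes' if h['sets_cookie'] else 'no'}")
        print("=>", diagnose(result), "\n")
```

To trace a live site, call `trace_redirects(url, urllib_fetch)`; the cookie column is the first thing to read, because a chain in which no hop sets a cookie cannot establish a session no matter how many redirects it makes.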

Related

How do I generate refresh tokens for Google API using Java Client Library?

I have checked the multitude of responses earlier and none of them actually address the issues. The responses, much like the documentation, assume that the user is already aware of all possible flows.
Constraint: We cannot set the app to external in GCP console and ideally don't want a service either.
This leads any OAuth-playground-based approach into a 403 exception.
I tried generating it based on the get requests mentioned on their websites.
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A//www.googleapis.com/auth/drive&
access_type=offline&
include_granted_scopes=true&
response_type=code&
prompt=select_account&
redirect_uri=https%3A//developers.google.com/oauthplayground&
client_id=xyz
I have also tried prompt=consent here. Both also result in 403.
Generating with LocalReceiver also has issues with redirect uri mismatch even though it has been authorized on the console.
Particularly perplexed by the fact that the account for which it is throwing 403 is the account that owns the project. So it can't access its own services.
Thanks

Tomcat 9 Application causing 502 error after logging in

I manage a few Tomcat 9 applications that are run on a remote server that also uses IIS 8.5. Each site has three environments (DEV, TEST, and PROD). All of the environments are the same but on different servers. Their databases (Oracle DB) are also on separate remote servers. I do not use any other third-party frameworks for the sites (such as Maven or Gradle).
One of my applications had an issue where an attacker could access the web.xml through a Multiple Directory Traversal Vulnerability. Some brief information can be found here: https://www.securityfocus.com/bid/63052/exploit
However, I discovered on DEV and TEST (I thought PROD as well) that the filter we put in place was actually causing the site to not work correctly. You'd put in your user and password and click login and nothing would happen. I seem to have fixed it on the DEV and TEST environments by fixing the regular expression that my code was testing the URI against. Code:
// Dots escaped so the pattern matches the literal file name rather than any character.
final String REGEX_INCLUDED = ".*\\/WEB-INF\\/web\\.xml\\.jsf.*";
...
if (Pattern.matches(REGEX_INCLUDED, URI)) {
    log.debug("SecurityFilter redirect");
    resp.sendRedirect("/errors/403.html"); // /login.jsf OR /index.html
} else {
    chain.doFilter(request, response);
}
I deployed the new war onto PROD, entered my user and password and it would load. The site redirects to the homepage after login, BUT it doesn't actually load if that makes sense. The response is a generic 502 error (shown below) but the URL does, in fact, say /home.jsp where it should respond with the homepage.
502 Error
I've checked the catalina log and I've not found a stack trace or any sign of an error being output. No other logs are useful either in showing what the issue is. I've tried just clearing my cache and retrying, using a different browser, restarting the tomcat service, restarting the site in IIS and nothing.
If there is something I'm missing that you wish to see let me know. BTW, I've tried removing the filter that blocks access to the web.xml just to make sure it wasn't the issue and both with and without the filter, it results in the 502 error.
Thanks in advance for any help.
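The filter in the question matches one literal spelling of one file. As an added example (not the poster's filter), here is the check a reviewer would suggest instead: canonicalise the request path first (percent-decode until stable, drop `;` path parameters, resolve `.` and `..` segments, compare case-insensitively) and refuse any path that contains a `WEB-INF` or `META-INF` segment, wherever the context path puts it. It is written in Python so it runs stand-alone; the steps port directly to a servlet `Filter`. The sample URIs are constructed.

```python
"""Canonicalising WEB-INF/META-INF access check (added example)."""
import posixpath
from urllib.parse import unquote

PROTECTED_SEGMENTS = {"WEB-INF", "META-INF"}


def canonical_path(uri):
    """Reduce a request URI to the path the container will actually resolve."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):  # decode until stable so "%252e" (-> "%2e" -> ".") is caught
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # treat backslash as a separator, defensively
    # Servlet containers strip ";name=value" path parameters per segment; do the same.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Resolve "." and ".." segments; ".." above the root is dropped, not kept.
    return posixpath.normpath("/" + path.lstrip("/"))


def touches_protected_dir(uri):
    """True when any segment of the canonical path names a protected directory."""
    return any(seg.upper() in PROTECTED_SEGMENTS for seg in canonical_path(uri).split("/"))


def filter_decision(uri):
    """What the servlet filter should do for this URI."""
    return "deny (redirect to /errors/403.html)" if touches_protected_dir(uri) else "allow"


if __name__ == "__main__":
    samples = [  # constructed
        "/home.jsp",
        "/myapp/WEB-INF/web.xml.jsf",
        "/pages/../web-inf/web.xml",
        "/pages/%2e%2e/WEB-INF/web.xml",
        "/WEB-INF;v=1/web.xml",
        "/WEB-INFO/page.jsp",
    ]
    for u in samples:
        print(f"{u:32} -> {canonical_path(u):22} {filter_decision(u)}")
```

Because the decision is made on the canonical path rather than on the raw URI, the regex no longer has to enumerate spellings, and the login flow (which never touches those directories) is unaffected.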
Answering my own question: I had looked around everywhere and only after posting I found a related post:
502 proxy error on deployment
Their answer helped. The difference between my PROD environment and my DEV/TEST environments is that PROD is on a Proxy. I went to IIS on the server and found the server farm that the site used. I then clicked on the Proxy option and changed my timeout from 30 seconds to 60 seconds. Looks like my proxy was timing out. Hope this helps someone in the future.

Changed React website to java website on same domain but still displays react website

Environments:
Old Website: React hosted on Heroku URL(http://sameurl.com)
New Website: Java hosted on Heroku URL(http://sameurl.com) but on a new heroku account
I had previously react website running on my domain URL, but now I have hosted Java with AngularJS website on same URL but on a new heroku account.
But when I load the URL in the browser I see the old React website; after clearing the cache I am able to see the newer Java website. But this is a very big issue for me, as the clients of this website still see the older website content because they have not cleared their browser cache. And we cannot tell them to do so.
I guess there must be some way to achieve this from the server side.
Thanks
The answer here would be that the React website was not configured with proper caching headers, or was configured with caching headers having a large max-age on them. This is the reason why the browser is validating the cache and still finds it valid.
Configuring the response headers on your server with the new Java-hosted website may resolve the issue. But there are possibly users who still have to clear the cache in order to load the new website. You can have a look at this article from Google to understand caching and make caching more effective.
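The headers the answer refers to, as an added example that is not part of the original answer. `headers_for` returns the `Cache-Control` (and `ETag`) a site should send so that entry-point HTML is revalidated on every visit while fingerprinted assets are cached hard, and `is_fresh` applies the freshness rule a browser uses, which shows why a long `max-age` on the old site's HTML keeps serving the old site after a swap. The paths and bodies are constructed; the regex for fingerprinted file names is an assumption about how the build names them.

```python
"""Cache headers for a site swap, and the browser-side freshness rule (added example)."""
import hashlib
import re

# Assumed build convention: content hash embedded in the file name, e.g. app.0123abcd.js
FINGERPRINTED = re.compile(r"\.[0-9a-f]{8,}\.(?:js|css|woff2?|png|svg)$", re.I)
ONE_YEAR = 31_536_000


def etag_for(body):
    """Strong validator derived from the response body."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def headers_for(path, body=b""):
    """Headers for one response: revalidate HTML, cache fingerprinted assets for a year."""
    if FINGERPRINTED.search(path):
        return {"Cache-Control": f"public, max-age={ONE_YEAR}, immutable"}
    # HTML and un-fingerprinted assets: may be stored, but must be checked with the
    # origin every time, so a new deployment is picked up on the next request.
    return {"Cache-Control": "no-cache", "ETag": etag_for(body)}


def parse_cache_control(value):
    """'public, max-age=600' -> {'public': None, 'max-age': '600'}"""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def is_fresh(headers, age_seconds):
    """May a cached copy this old be reused without contacting the origin?

    Only explicit lifetimes are honoured here; heuristic freshness computed
    from Last-Modified (which browsers also apply) is deliberately left out.
    """
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return False
    if "max-age" in cc:
        try:
            return age_seconds < int(cc["max-age"])
        except ValueError:
            return False
    return False


if __name__ == "__main__":
    old_site = {"Cache-Control": "max-age=604800"}  # constructed: what the React site might have sent
    for age in (3600, 86400, 700000):
        print(f"old HTML, cached {age}s ago: reused without asking origin = {is_fresh(old_site, age)}")
    for path in ("/", "/index.html", "/static/app.0123abcd.js", "/static/app.js"):
        print(f"{path:28} -> {headers_for(path, b'<html>constructed</html>')}")
```

A user who fetched the old entry page under a week-long `max-age` keeps getting it from cache until that week is up, whatever the new server sends; the new headers only prevent the same thing from happening again after the next swap.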

How to programmatically verify login credentials for a web form?

I'm building an app to let users export data from a university system. Currently, they can log in and see the data in HTML, but I would like to let people download it as CSV.
I have an app where users supply their username and password. I would like to log in to the university system and HTML scrape the resulting page. How can I do this?
I'm building a GWT app. I could either do this in Java-transliterated-JS on the client, or Java on the server.
Update: Selenium might be nice, but it looks like overkill.
You're going to have to do this from the server unless the domains are the same. You'd need to determine what the POST transaction used by the other server for the login step looks like - parameter names etc. Then you'd perform that operation and do whatever you want with what comes back. If you need to see multiple pages, you need to maintain the appropriate session cookie too so that the server knows you're still logged in on the subsequent HTTP requests.
If you have to hit another site to validate the credentials, then I'm not so sure that people should feel comfortable providing those credentials to you. That is, if you don't have rights to check the credentials directly, why are you trustworthy to receive them? I know sometimes people need to integrate with a system they don't own, so this is just a question.
First, this has to be done server-side because of the limitations on client scripting due to the same origin policy.
The typical way of handling the "screen scraping" you mention is to treat the web page as if it was an XML service. First, examine the source code of the page, then using an internet/HTTP stack, craft a POST to the correct URL and read the response using a standard XML library. It will take some ingenuity to come up with a good way to dig into the XML to find the piece you need that will be as insulated as possible from changes to the page. Keep in mind that your system can break any time that the owners of the site change their page.
Sometimes, you can't just send the POST but have to request the blank page initially in order to get hidden form values that need to be returned in the POST. You'll have to experiment to find out what it requires.
Additionally, you probably have to handle cookies as well, since they usually are an integral part of the web site's authentication and session management (though you might get lucky that the session doesn't matter between the initial POST and the first response).
Last, you may be unlucky enough that the site uses javascript to do part of the authentication work, which may require additional digging to understand how the credentials are posted to the site.
There are other potential barriers such as the site checking to see that the referrer is their own site, possible use of SSL (HTTPS) and so on.
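The client-side mechanics that the two answers above describe (fetch the login page for its hidden fields, POST the credentials together with those fields to the form's action, carry the server's cookies into later requests), as an added example that is not code from either answer. `parse_login_form` and `build_login_post` are pure functions exercised here against a constructed login page; `login_and_fetch` wires them to urllib with a `CookieJar` for a live site and is not run offline. The field names, HTML and URLs are constructed.

```python
"""Form-login client mechanics (added example; not code from the answers)."""
import http.cookiejar
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed login page: two hidden fields that must be echoed back in the POST.
LOGIN_PAGE = """<html><body>
<form id="login" method="post" action="/portal/j_security_check">
  <input type="hidden" name="csrf_token" value="t0k3n-constructed">
  <input type="hidden" name="lt" value="LT-42">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""


class _FormExtractor(HTMLParser):
    """Collect the action, method and named inputs of the first <form>."""

    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields = "", "get", {}
        self._in_form = self._done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._done:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and self._in_form:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() not in ("submit", "button", "image"):
                self.fields[name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form, self._done = False, True


def parse_login_form(html, page_url):
    """Return the absolute action URL, method and current field values of the login form."""
    p = _FormExtractor()
    p.feed(html)
    return {"url": urljoin(page_url, p.action), "method": p.method, "fields": p.fields}


def build_login_post(form, username, password, user_field="username", pass_field="password"):
    """Echo every field back (CSRF tokens, tickets) and fill in the credentials."""
    data = dict(form["fields"])
    data[user_field] = username
    data[pass_field] = password
    return urlencode(data).encode()


def login_and_fetch(login_url, username, password, data_url):
    """Live flow (not exercised offline): GET the form, POST credentials, GET the data page."""
    jar = http.cookiejar.CookieJar()  # keeps the session cookie between requests
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(login_url, timeout=15) as resp:
        form = parse_login_form(resp.read().decode("utf-8", "replace"), login_url)
    body = build_login_post(form, username, password)
    req = urllib.request.Request(form["url"], data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    opener.open(req, timeout=15).read()  # the server sets its session cookie on this response
    with opener.open(data_url, timeout=15) as resp:
        return resp.read()


if __name__ == "__main__":
    form = parse_login_form(LOGIN_PAGE, "https://portal.example/login")
    print("POST to", form["url"])
    print("body   ", build_login_post(form, "alice", "example-password").decode())
```

The hidden fields are the part that is easy to miss: a server that issues a per-page token rejects a POST built from field names alone, which is why the answer says to request the blank page first. The `CookieJar` does the session bookkeeping, scoping cookies by domain and path the way a browser would.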
I'm pretty sure that the protection against cross-site scripting in web browsers will mean that you can't log in to the university's app using javascript running in the web browser. So the part of your program that fetches data from the university will need to run on your server. Once you have the data, you can process it either on your server or in javascript in the browser, but I think it would be easier to do it on the server.
See http://en.wikipedia.org/wiki/Same_origin_policy
I'm not too sure about GWT, but in general, you would take the form data submitted by the user, check it against a database of username and hashed passwords. If the database checks out, set a session cookie that says the user is logged in.
In your pages, check if the session cookie says the user is logged in. If not, redirect to the login page; otherwise allow them to view the page.
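The server side that the last answer sketches (a table of hashed passwords, a check against it, and a session cookie that later pages verify), as an added example that is not the answer's code. Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes and verified with a constant-time comparison; a successful login yields an HMAC-signed, expiring session token that the browser presents as a cookie. The user table, secret key and credentials are constructed for the demo.

```python
"""Password verification and signed session cookie (added example)."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

PBKDF2_ITERATIONS = 210_000
SESSION_TTL_SECONDS = 3600
SESSION_KEY = secrets.token_bytes(32)  # constructed; a real app loads this from configuration


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2 hash in a self-describing 'algo$iterations$salt$digest' form."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    algo, iterations, salt, digest = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _unb64(salt), int(iterations))
    return hmac.compare_digest(candidate, _unb64(digest))  # constant-time comparison


USERS = {"alice": hash_password("correct horse battery staple")}  # constructed user table
_DUMMY_HASH = hash_password(secrets.token_hex(16))  # hashed for unknown users so timing is uniform


def make_session_token(username, now=None, key=SESSION_KEY):
    """base64(payload).hex(hmac): the payload is readable but cannot be altered."""
    exp = int((now if now is not None else time.time()) + SESSION_TTL_SECONDS)
    payload = _b64(json.dumps({"u": username, "exp": exp}).encode())
    sig = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{sig}"


def read_session_token(token, now=None, key=SESSION_KEY):
    """Return the logged-in username, or None if the token is forged, damaged or expired."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), "sha256").hexdigest()
    if not payload or not hmac.compare_digest(sig, expected):
        return None
    try:
        data = json.loads(_unb64(payload))
    except ValueError:
        return None
    if data.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return data.get("u")


def login(username, password):
    """Return a session token on success, None otherwise."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored)
    return make_session_token(username) if ok and username in USERS else None


def session_cookie_header(token):
    """Set-Cookie value with the attributes that keep the token off clear-text links and away from scripts."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    token = login("alice", "correct horse battery staple")
    print("Set-Cookie:", session_cookie_header(token))
    print("user on next request:", read_session_token(token))
    print("wrong password:", login("alice", "nope"))
    print("tampered token:", read_session_token(token[:-1] + ("0" if token[-1] != "0" else "1")))
```

Each page then reads the cookie with `read_session_token` and redirects to the login page when it returns `None`, which covers the forged, expired and absent cases with one check.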

Flex file upload with HTTPS and JAAS?

We're trying to upload a file from a flex client to a Java EE app.
In a full HTTPS environment
Java EE server is JBoss 5
Using BlazeDS 'Custom' authentication (username and password are entered through a Flex form)
Using BlazeDS per session authentication
In regular AMF calls, we can access the user principal and use the role mechanism.
However, in our upload servlet, we have no access to user principal.
request.getUserPrincipal() // returns null
How to fix this?
A while ago a guy commented on a blog post of mine that https + flex + firefox doesn't work:
have you tried uploading a file in firefox via https? Well, don’t bother, it can’t be done! Adobe blames it on firefox and puts their head in the sand. Read the teeth gnashing and ridiculous claims of Adobe here:
http://bugs.adobe.com/jira/browse/FP-201
Ultimately they threw up their hands and said it couldn’t be fixed, and, although said ‘We understand that this is a serious issue and are committed to resolving it’ suggested that either you:
1) Send the file to your server in a different way
2) Find another form of authentication
This may no longer be the case - register and see if the linked bug is still unresolved.
Also - this might not be your exact issue (at least not yet) - I'm just giving pointers.
From your post, and since I haven't used BlazeDS, I can't tell whether you're running into this issue specifically, but it sounds to me like you are --
Take a look at your server logs, or try using a web debugger like Fiddler (you can tweak it to reveal HTTPS traffic in clear text), and you'll see that Flash blocks custom HTTP auth headers with FileReference.upload(). Why it does, I've no idea, but there's no workaround I know of, other than crafting something on your own manually.
