I have the below constructor for my customized exception
public CoException(String errorMessage) {
super(errorMessage);
CoDebugger.debugException(errorMessage, this);
}
A static code analyzer tool (fortify) identifies vulnerability issue in this portion of code.
The message given by fortify is
"The method CoException() in CoException.java mishandles confidential information, which can compromise user privacy and is often illegal."
Please let me know where is the issue and how to fix that.
The tool makes a data flow analysis:
Incoming: String errorMessage - What error message could contain interesting information for an attacker? Let me think. Login failed: user=admin pwd=123456 would certainly be something that should be kept internally.
Outgoing: super(errorMessage); and CoDebugger.debugException(errorMessage, this); - What does the debugException method? Does it show the error message directly to the user? That should not happen. Or is the error message written to a log file which under certain conditions (e. g. by an incorrect .htaccess configuration) can be accessed by the user. That should also not happen, of course.
Related
In play framework, every time you get an Internal Server Error (500) in production mode, the browser shows a web page with
Oops, an error occured, This exception has been logged with id XXXX
I would like to customize the error message (or at least translate it to spanish), keeping the error id that makes it easier to look for in the application log.
I've tried to configure an error page in the Global settings in JAVA like this:
public Promise<Result> onError(RequestHeader request, Throwable t) {
return Promise.<Result>pure(internalServerError(
views.html.error.render(t)
));
}
Where I've a view named error.scala.html.
It is not working right now, it does not show any errors, just ignores it. Also with this alternative, I don't know how to display the error id.
I appreciate any suggestions, thanks a lot.
Is your Global class in the root package? That's a quite common mistake and also the reason why it is ignored.
I want to have LinkedIn authentication in my website. Their API returns the desired information, the create account function is working. However, I seem to have some problems when I try to login on the site.
It seems that I get a UserEmailAddressException when I call the LoginUtil.login method.
at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticate(UserLocalServiceImpl.java:2480).
It fails at
if (authType.equals(CompanyConstants.AUTH_TYPE_EA)) {
if (!Validator.isEmailAddress(login)) {
throw new UserEmailAddressException();
}
}
Here is my code :
boolean rememberMe = true;
String authType = CompanyConstants.AUTH_TYPE_EA;
try {
LoginUtil.login(request, response,
String.valueOf(user.getUserId()), user.getPassword(), rememberMe, authType);
}
catch (UserEmailAddressException ueae) {
ueae.printStackTrace();
}
The users authenticate via email address, so I guess that should be the correct authentication type?
I have added company.security.auth.type=emailAddress in portal-ext.properties, but I get the same error as without this setting.
Because Liferay documentation is unsatisfying, I would like to know how to do a proper call to the login() function so that my user will login with its LinkedIn account.
It's hard to answer this question from the amount of code that you give.
First of all: About documentation. Judging by the use of LoginUtil, you seem to be modifying Liferay's internal code in order to implement your functionality. This is an internal API that is not guaranteed to be stable and will most likely be documented last (the API documentation has improved a lot, but it's mostly about the external, public API).
You might want to look into the implementation of ServletFilters that Liferay uses for implementing other external single sign on systems. Many customers/users have implemented these successfully (I haven't looked at the state of that documentation though, but there are several SSO implementations that you can find)
Further, it will probably help, which email address is supposed to be invalid - from your code it looks like you're calling with user.getUserId() (this is numeric), but you state that you demanded the login to be through email.
Lastly, if you have configured the login method through the UI, it is saved to the database - and that setting would win. So please check ControlPanel/Portal/Portal Settings/Authentication/"How do users authenticate?" to make sure that the setting is actually asking for the email address.
I'm trying to publish a photo to a page using the following:
FacebookClient client = new DefaultFacebookClient(destinationAccessToken);
BinaryAttachment attachment = BinaryAttachment.with(imageName, imageInputStream);
Photo photoResponse = client.publish("/me/photos", Photo.class, attachment);
I'm getting the following response:
{
"error": {
"message":"An unexpected error has occurred. Please retry your request later.",
"type":"OAuthException",
"code":2
}
}
When I use the same code to publish to a user wall it works fine.
I've also tried posting to "/{page id}/photos" with the same result.
The destination access token has the manage_pages, photo_upload, publish_actions, and publish_stream permissions amongst others.
What am I doing wrong here?
UPDATE:
If I publish to a predetermined album using "/{album id}/photos" then it works. Quoting this Facebook developer blog post:
https://graph.facebook.com/USER_ID/photos - The photo will be
published to an album created for your app. We automatically create an
album for your app if it does not already exist. All photos uploaded
this way will then be added to this same album.
So is this behavior broken for pages? Or am I misunderstanding something here?
UPDATE 2:
I found a bug report for this issue, so I'm posting that as an answer.
UPDATE 3:
The bug seems to have been resolved.
I found the Facebook bug report corresponding to this behavior:
http://developers.facebook.com/bugs/355536551171535
So it would seem I'm not doing anything wrong. I guess the temporary workaround would be to check for a predetermined album and create it if necessary, then publish to it. (Note that the user_photos permission is not needed for this workaround, since albums/photos on pages are always public).
I am using Twitter4J 2.2.5 (latest, tried other versions). And can no longer get direct messages to work at all. The same code used to work a while ago. I assume Twitter changed something.
I'm using
Twitter.getDirectMessages()
and it gives the error below. No idea why, I can see the direct messages for the account if I login, but always get this error. The limit error makes no sense, as the account is no where near the limit.
Other API work, like followers/fried/status/etc.
403:The request is understood, but it has been refused. An accompanying error message will explain why. This code is used when requests are being denied due to update limits (http://support.twitter.com/forums/10711/entries/15364).
Relevant discussions can be on the Internet at:
http://www.google.co.jp/search?q=00919618 or
http://www.google.co.jp/search?q=332bf6ca
TwitterException{exceptionCode=[00919618-332bf6ca], statusCode=403, retryAfter=0, rateLimitStatus=RateLimitStatusJSONImpl{remainingHits=107, hourlyLimit=350, resetTimeInSeconds=1328297, secondsUntilReset=1116, resetTime=Fri Feb 03 14:39:45 EST 2012}, version=2.2.2}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:189)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:65)
at twitter4j.internal.http.HttpClientWrapper.get(HttpClientWrapper.java:93)
at twitter4j.TwitterImpl.get(TwitterImpl.java:1721)
at twitter4j.TwitterImpl.getDirectMessages(TwitterImpl.java:874)
at org.pandora.sense.twitter.TwitterDirectMessaging.checkDirectMessages(TwitterDirectMessaging.java:44)
at org.pandora.sense.twitter.TwitterDirectMessaging.checkProfile(TwitterDirectMessaging.java:35)
at org.pandora.sense.twitter.Twitter$1.run(Twitter.java:100)
at java.lang.Thread.run(Thread.java:662)
Twitter has some time ago changed the rules for direct messages. An app must be especially authorized by the user to access the direct messages.
Did you make sure this is true for you? You may go to the twitter web site and check for the app.
To get the direct message you should try the below code.It works for me.
getDirectMessages(); gives list of direct messages. We need to put for loop to get text of each message.
List<DirectMessage> messages = twitter.getDirectMessages();
for (DirectMessage message : messages)
{
System.out.println(message.getText());
}
Let me know if you get any error.
I have a JBOSS batch application that sometimes sends hundreds on emails in a minute to the same email address with Log4J errors. This causes problems with Gmail, because it says we are sending emails too quickly for that gmail account.
So I was wondering if there was a way to basically create a "digest" or "aggregate" email puts all the error logs in 1 email and sends that every 5 minutes. So that way every 5 minutes we may get a large email, but at least we actually get the email instead of it being delayed for hours and hours by gmail servers rejecting it.
I read this post that suggested something about using an evaluator to do that, but I couldn't see how that is configured in the Log4J xml configuration file. It also seemed like it might not be able to "digest" all the logs into 1 email anyway.
Has anyone done this before? Or know if it's possible?
From (the archived) SMTPAppender Usage page:
set this property
log4j.appender.myMail.evaluatorClass = com.mydomain.example.MyEvaluator
Now you have to create the evaluator class and implement the org.apache.log4j.spi.TriggeringEventEvaluator interface and place this class in a path where log4j can access it.
//Example TriggeringEventEvaluator impl
package com.mydomain.example;
import org.apache.log4j.spi.LoggingEvent;
import org.apache.log4j.spi.TriggeringEventEvaluator;
public class MyEvaluator implements TriggeringEventEvaluator {
public boolean isTriggeringEvent(LoggingEvent event) {
return true;
}
}
You have to write the evaluator logic within this method.
I created a free useable solution for log4j2 with an ExtendedSmtpAppender.
(If you still use log4j 1.x, simply replace your log4j-1.x.jar with log4j-1.2-api-2.x.jar - and log4j-core-2.x.jar + log4j-api-2.x.jar of course.)
You get it from Maven Central as de.it-tw:log4j2-extras (This requires Java 7+ and log4j 2.8+).
If you are restricted to Java 6 (and thus log4j 2.3) then use de.it-tw:log4j2-Java6-extras
Additionally, see the GitLab project: https://gitlab.com/thiesw/log4j2-extras (or https://gitlab.com/thiesw/log4j2-Java6-extras)
[OLD text:
If you use log4j2, see answer to other stack overflow issue: https://stackoverflow.com/a/34072704/5074004
Or directly go to my external but publically available solution presented in https://issues.apache.org/jira/browse/LOG4J2-1192
]