I have written a web proxy for HTTP in Java. But when I get an HTML file, only SOME of the images can be displayed normally and the others cannot. How can I fix it?
Make sure the points below are considered:
Your Content-Type is set correctly, e.g. "image/jpeg".
The character encoding is correctly set up while proxying.
You might as well try this before writing one yourself, unless it is a problem that is specific to you.
https://github.com/mitre/HTTP-Proxy-Servlet
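As an added illustration of the two points in the answer above (this is example code, not the asker's proxy and not the MITRE servlet): a tiny forwarding proxy built on the JDK's own com.sun.net.httpserver that relays the upstream Content-Type header verbatim and copies the body as raw bytes, next to the text-based relay (decode to String, re-encode) that silently corrupts image bytes. The origin server, the ephemeral localhost ports and the sample PNG bytes are constructed for the demo.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

/** Minimal forwarding proxy that relays the upstream Content-Type and the body as raw bytes. */
public class ByteSafeProxy {

    // Constructed sample "image": the PNG signature followed by a few high bytes.
    // 0x89 and 0xFF are not valid UTF-8 lead bytes, so any Reader/Writer relay mangles them.
    static final byte[] FAKE_PNG = {
        (byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, (byte) 0xFF, (byte) 0xD8, 0x00, 0x7F
    };

    /** The mistake: relaying a binary body through a String with a text charset. */
    static byte[] relayAsText(byte[] body) {
        return new String(body, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
    }

    /** Copy status, end-to-end headers and the raw body from upstream to the client. */
    static void forward(HttpURLConnection upstream, HttpExchange client) throws IOException {
        // Forward Content-Type verbatim (for text types it carries the charset); never copy
        // hop-by-hop headers such as Connection, Transfer-Encoding or Content-Length.
        List<String> endToEnd = Arrays.asList("Content-Type", "Cache-Control", "Last-Modified", "ETag");
        for (String name : endToEnd) {
            String value = upstream.getHeaderField(name);
            if (value != null) client.getResponseHeaders().set(name, value);
        }
        int status = upstream.getResponseCode();
        InputStream in = status >= 400 ? upstream.getErrorStream() : upstream.getInputStream();
        byte[] body = in == null ? new byte[0] : in.readAllBytes();
        client.sendResponseHeaders(status, body.length == 0 ? -1 : body.length);
        try (OutputStream out = client.getResponseBody()) {
            if (body.length > 0) out.write(body);  // bytes in, bytes out: no charset is involved
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed origin on an ephemeral localhost port serving the sample image.
        HttpServer origin = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        origin.createContext("/logo.png", ex -> {
            ex.getResponseHeaders().set("Content-Type", "image/png");
            ex.sendResponseHeaders(200, FAKE_PNG.length);
            try (OutputStream out = ex.getResponseBody()) { out.write(FAKE_PNG); }
        });
        origin.start();
        String originBase = "http://127.0.0.1:" + origin.getAddress().getPort();

        // The proxy: every request is replayed against the origin and forwarded byte for byte.
        HttpServer proxy = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        proxy.createContext("/", ex -> {
            HttpURLConnection up = (HttpURLConnection)
                    URI.create(originBase + ex.getRequestURI()).toURL().openConnection();
            up.setRequestMethod(ex.getRequestMethod());
            forward(up, ex);
        });
        proxy.start();

        HttpURLConnection c = (HttpURLConnection) URI.create(
                "http://127.0.0.1:" + proxy.getAddress().getPort() + "/logo.png").toURL().openConnection();
        byte[] viaProxy = c.getInputStream().readAllBytes();
        System.out.println("Content-Type via proxy: " + c.getHeaderField("Content-Type"));
        System.out.println("bytes intact via proxy: " + Arrays.equals(FAKE_PNG, viaProxy));
        System.out.println("bytes intact via text relay: " + Arrays.equals(FAKE_PNG, relayAsText(FAKE_PNG)));
        proxy.stop(0);
        origin.stop(0);
    }
}
```

The text relay comes back false because the decoder replaces the invalid bytes with U+FFFD before re-encoding; the byte relay comes back true and the browser also sees the original Content-Type, so it knows what it is looking at.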
Currently my Java code uses
response.sendRedirect(request.getRequestURL().toString());
Which is an open redirect.
I have to fix this, but I cannot whitelist it since there are too many URLs associated with it.
I have tried the following solution with ESAPI, but it won't work for me.
ESAPI.httpUtilities().setCurrentHTTP(req, resp);
ESAPI.httpUtilities().sendRedirect(location);
ESAPI.httpUtilities().clearCurrent();
I am new to ESAPI.
[Disclaimer]
I'm project co-lead on ESAPI.
I have to fix this, but I cannot whitelist it since there are too many URLs associated with it.
Essentially, "I have to fix the problem, but I am restricting myself from the easiest solution."
Here are the best practices enumerated by @jww:
Simply avoid using redirects and forwards.
If used, do not allow the URL as user input for the destination. This can usually be done. In this case, you should have a method to validate the URL.
If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.
Sanitize input by creating a list of trusted URLs (lists of hosts or a regex).
Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.
These are literally all the solutions available to you. Some web frameworks make this easy for you, like Spring MVC with Spring Security.
These lines:
ESAPI.httpUtilities().setCurrentHTTP(req, resp);
ESAPI.httpUtilities().sendRedirect(location);
ESAPI.httpUtilities().clearCurrent();
Don't work because you have to inspect the user input before performing the redirect.
You definitely are going to want to white-list this, at least at a minimum, based on domain names. Restrict it as much as possible. E.g., if your app is hosted at https://myApp.example.com/, redirecting to anywhere on your site is probably okay. (I write probably, because if it can be used as a way to bypass authorization checks, say on a multi-sequence page series, then it might not be okay. But as long as your regular authorization checks pick up and validate the redirect, you generally will be okay.)

But what about redirects to https://anotherApp.example.com/? Would those be okay? What about anything in the "example.com" domain? Are there other 3rd-party domains that you need to white-list? If so, be sure to list those URLs as well. But the one thing that you want to avoid is completely open redirects, and for that you need some type of white-listing.

You could build some custom validators using ESAPI to do this, but it's probably just easier to write it without ESAPI. If you have a bunch of URLs that you have to white-list, keep them in a configuration file that's not part of your .war / .ear file so you can easily update it without redeploying your application, and just (re)read the config file when it gets updated.
Hope this helps.
-kevin
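One way to put the answer above into practice, as an added example that is not part of the original answer and not ESAPI's own code: a validator that implements both the "map input to a value" approach (item 4 of the list) and the host allow-list approach (the same-site path plus white-listed domains discussed above), returning a fixed fallback for everything else. The host names, the token map and the sample inputs in main are assumptions for the demo; in a real deployment the allow-list would be loaded from the external config file the answer recommends.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Validates a user-supplied redirect target before it reaches response.sendRedirect(). */
public final class SafeRedirect {

    // Assumed allow-list of hosts (load from a config file outside the .war/.ear in practice).
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("myapp.example.com", "anotherapp.example.com");

    // Assumed token -> URL map: the client sends ?next=account and never supplies a URL.
    private static final Map<String, String> NAMED_TARGETS = Map.of(
            "home", "/",
            "account", "/account/overview",
            "partner", "https://anotherapp.example.com/landing");

    private static final String FALLBACK = "/";

    /** Preferred: resolve a short token server-side; unknown tokens go to FALLBACK. */
    public static String resolveToken(String token) {
        return token == null ? FALLBACK : NAMED_TARGETS.getOrDefault(token, FALLBACK);
    }

    /**
     * Second choice: accept a URL only if it is a same-site path or an absolute https URL
     * whose host is on the allow-list. Anything else becomes FALLBACK.
     */
    public static String sanitize(String candidate) {
        if (candidate == null) return FALLBACK;
        String raw = candidate.strip();
        if (raw.isEmpty()) return FALLBACK;

        URI uri;
        try {
            // java.net.URI rejects CR/LF (header injection), spaces, backslashes and other
            // illegal characters outright, e.g. "/\evil.example" or "java\tscript:".
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return FALLBACK;
        }

        if (uri.getScheme() == null) {
            // Scheme-relative "//evil.example/x" parses with an authority: reject it.
            // Only a plain path beginning with a single "/" stays on this site.
            boolean sameSitePath = uri.getRawAuthority() == null
                    && uri.getRawPath() != null
                    && uri.getRawPath().startsWith("/")
                    && !uri.getRawPath().startsWith("//");
            return sameSitePath ? uri.toString() : FALLBACK;
        }

        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("https")) return FALLBACK;       // no http, javascript:, data:, ...
        if (uri.getRawUserInfo() != null) return FALLBACK;  // "https://myapp.example.com@evil.example"
        if (uri.getPort() != -1) return FALLBACK;           // default port only
        String host = uri.getHost();                        // null for malformed/registry authorities
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return FALLBACK;
        return uri.toString();
    }

    public static void main(String[] args) {
        String[] samples = {                              // constructed inputs
            "/account/overview",                          // same-site path: allowed
            "https://myapp.example.com/done",             // allow-listed host: allowed
            "https://MyApp.Example.com/done",             // host compared case-insensitively: allowed
            "https://evil.example/phish",                 // not on the list: FALLBACK
            "//evil.example/phish",                       // scheme-relative: FALLBACK
            "/\\evil.example",                            // backslash trick: FALLBACK
            "https://myapp.example.com@evil.example/",    // userinfo trick: FALLBACK
            "https://myapp.example.com.evil.example/",    // suffix trick: FALLBACK
            "http://myapp.example.com/",                  // downgrade to http: FALLBACK
            "javascript:alert(1)",                        // non-https scheme: FALLBACK
            "/ok\r\nSet-Cookie: x=y",                     // header injection: FALLBACK
        };
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s.replace("\r\n", "\\r\\n"), sanitize(s));
        }
        System.out.println("token 'account' -> " + resolveToken("account"));
        System.out.println("token 'unknown' -> " + resolveToken("unknown"));
        // In the servlet: response.sendRedirect(SafeRedirect.sanitize(request.getParameter("next")));
    }
}
```

The token map is the safer of the two because the client never controls a URL at all; the allow-list path exists for the case in the question, where the set of destinations is too large to enumerate as tokens but can still be bounded by host. Note that the host check runs on the parsed host, not on a substring match, which is what defeats the userinfo and suffix tricks in the sample list.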
Thanks for all your suggestions and comments.
I found that the lines
ESAPI.httpUtilities().setCurrentHTTP(req, resp);
ESAPI.httpUtilities().sendRedirect(location);
ESAPI.httpUtilities().clearCurrent();
are now working fine for me. After a long struggle I found that my code uses the latest version of commons-configuration.jar, but when I added ESAPI as a dependency, ESAPI pulled in an old version of the same library that was not compatible with my code, so I just excluded it from the ESAPI dependency using an exclusion in the pom and it worked for me.
I have a Java Spring app. It has many views. I got my app started using a template, and I'm trying to understand how exactly it's working. Basically, I have a single index.html page and many HTML files which are used as views, with the URL looking like 'mysite.com/#/view0'. I want my Java code to be able to detect that a user has changed a URL (or loaded a different view) without having my JavaScript code send a REST request to the server. Is this possible? I haven't posted any code as I'm stumbling through my question here, but if there is any further clarification I can give, please let me know.
If you're using JavaScript routing (which I assume, because you're using a hash in the URL) then no. There's nothing for the server to natively 'detect' because anchors (#) don't make a server-side request.
I found that Liferay transfers my JSP code in a somewhat "condensed" way, putting most of the text into a few very long lines.
This makes it uncomfortable to debug JavaScript.
Is it possible to turn off this feature temporarily?
For others looking at this post, if you simply want to do this on an ad hoc basis you can add these params to the URL:
/web/guest/page?js_fast_load=0&css_fast_load=0&strip=0
Note this is for JS, CSS and HTML.
HTML minification is on regardless of whether you're in developer mode or not, since HTML stripping can itself produce problems you want to see in developer mode.
You can add the strip=0 parameter to the URL to prevent the served HTML page from being stripped.
In order to turn HTML stripping completely off, change this in your system.properties:
com.liferay.filters.strip.StripFilter=false
But as @BalusC said, you should use a tool which does the formatting when debugging, so you're not bothered by the stripping.
There are two ways to do it. Either copy the following into portal-ext.properties and restart the server:
javascript.fast.load=false
or, if you don't want to restart and it's just for a temporary purpose, add the js_fast_load parameter to the URL and set its value to false.
For example, if you are on the page http://localhost:8080/web/guest/home in which your portlet or the JavaScript is present, use this URL instead: http://localhost:8080/web/guest/home?js_fast_load=0
Liferay has a file named portal-developer.properties as template in WEB-INF/classes. You can either reference this or just copy/paste the content into your portal-ext.properties.
This has several options to minify HTML, JS, CSS and others. You'll kill your loading time, i.e. you really only want these options at development time, but then it really helps.
By default all files are also combined into a single one (for JS, another for CSS, etc.); with the development options you'll get a separate request for every file on every page request.
I just want to update the package name for Liferay 6.2 from @Fabian Barney's answer:
com.liferay.portal.servlet.filters.strip.StripFilter=false
Is there a way, or is it even possible to take a screenshot of a website with Flash (or Java)? If it is, could someone please provide some basic information on how to achieve this?
The reason why I need it to be Flash or Java (or even Canvas), is because the screenshot needs to be done on the client-side.
I did some research with no definitive answer to my question.
From Flash you cannot take a screenshot beyond the actual view of the Flash rendering area, for security reasons. Just ask the user to press PrintScreen.
I did something like this before, although my solution was to just have JavaScript send back the actual HTML rendered on the client side. I had a servlet that accepts the HTML code; then the servlet calls an executable (I can't remember what it was, but it was freeware with a watermark; it accepts an HTML file as its command-line argument) that produces an image from the HTML, which the servlet saves to a directory.
Although the business user's requirement also included making sure that the code is not used for spying or snooping on the client side, they agreed with the outcome of the program in the end, as indeed the screenshot is not made on the client side.
I'm writing an applet that's supposed to show both English and Japanese (unicode) characters on a JLabel. The Japanese characters show up fine when I run the applet on my system, but all I get is mojibake when I run it from the web page. The page can display Japanese characters if they're hard-coded into the HTML, but not in the applet. I'm pretty sure I've seen this sort of thing working before. Is there anything I can do in the Java code to fix this?
My first guess would be that the servlet container is not sending back the right character set for your webapp resources. Have a look at the response in an HTTP sniffer to see what character set is included - if the response says that the charset is e.g. CP-1252, then Japanese characters would not be decoded correctly.
You may be able to fix this in code by explicitly setting a Content-Type header with the right charset; but I'd argue it's more appropriate to fix the servlet container's config to return the correct character set for the relevant resources.
Well, I'm not sure what was causing the problem, but I set EVERYTHING to read in and display out in UTF-8 and it seems to work now.