I'm pretty new to android development. One of my buttons in the app, sends the user to a webpage, where the user can login into specific system.
The webpage has text boxes for username and password. Once you click on the Login button (in the webpage) it triggers a javascript to login into the system.
The code triggered is: onclick="updateAction('TourAccLogin');document.main_form.submit();
The webpage form to login:
My question is:
I have the username and password in the app, I want to know if I can somehow manipulate this form, the sign in automatically without user interference? Meaning, I will fill the username and password, I "click" the login button. So the user will be directed to the system right away, without having to put in the username and password.
This technique has worked for me. In my case, I'm loading a hidden field named in mElementId with a string value stored in someData, then firing its onchange event, which didn't fire on its own. I included it to show how you can stack javascript commands in a single injection. I'm sure a variant of this would work for you.
I also escaped any single quotes to prevent a javascript error. You may need to escape any other special characters, including semicolon. In my case it wasn't necessary because the data had already been cleansed.
// Copy data to element
mWebView.loadUrl("javascript:(function() { " +
"document.getElementById('" + mElementId + "').value = '" +
someData.replace("'", "\'") + "'; " +
"document.getElementById('" + mElementId + "').onchange();" +
"})()");
You say that it is your system, so you know what is running behind the scenes to process the login. I'm not mocking, just verifying. I'm assuming you've created a view of some sort where you have the username/password prior to doing this. I'm questioning this because you ask if there is a way of manipulating the form...
That being said, send the data as you normally would to the script that processes the login. If you're using a GET then http://some.domain.com/somescript?username=mumble&password=foo. If you're using a POST then create the post args and send it. Either way, you can process the results in a webview, which would allow your existing interface to pick up where it should.
Of course, if you're using a hash for the password or salting the password, you will need to do all that prior to sending it.
Related
I have been trying to copy code from my eclipse program so I can email it to someone that I'm working with, but the format is messed up. This is what I want it to look like:
while (insOrDel) {// Asks the user for five different options:
// add a username or bot
// add a special username or bot
// remove a username or bot
// remove a special username or bot.
// list all special usernames or bots.
// list all usernames or bots
// run weblog sifter.
However, it ends up like this when it comes out of the email:
while (insOrDel) {// Asks the user for five different options:
// add a username or bot
// add a special username or bot
// remove a username or bot
// remove a special username or bot.
// list all special usernames or bots.
// list all usernames or bots
// run weblog sifter.
Keep in mind this is after Ctrl+Shift+F, and for some reason, the comments aren't indented. Is there a way to fix this?
Thanks!
This can happen when source file uses Tab characters and the destination app you pasting your code in has a different tabwidth.
To avoid this you can set in Eclipse / Window / Preferences / General / Editors / Text Editors the option 'Insert spaces for tabs'
In GWT we need to use # in a URL to navigate from one page to another i.e for creating history for eg. www.abc.com/#questions/10245857 but due to which I am facing a problem in sharing the url. Google scrappers are reading the url only before # i.e. www.abc.com.
Now I want to remove # from my url and want to keep it straight as www.abc.com/question/10245857.
I am unable to do so. How can I do this?
When user navigates the app I use the hash urls and History object (as
to not reload the pages). However sometimes it's nice/needed to have a
pretty URL (e.g. for sharing, showing in public, etc..) so I would like to know how to
provide the pretty URL of the same page.
Note:
We have to do this to make our webpages url crawlable and to link the website with outside world.
There are 3 issues here, and each can be solved:
The URL should appear prettier to the user
Going directly to the pretty URL should work.
WebCrawlers should be able to get the content
These may all seem like the same issue, but they are quite distinct in this context.
Display Pretty URLs
Can be done with a small javascript file which uses HTML5 state methods. You can see a simple demo here, with source here. This makes all changes to "#" appear without the "#" (on modern browsers).
Relevent code from fiddle:
var stateObj = {locationHash: hash};
history.replaceState(stateObj, "Page Title", baseURL + hash.substring(1));
Repsond to Pretty URLs
This is relatively simple, as long as you have a listener in GWT to load based on the "#" at page load already. You can just throw up a simple re-direct servlet which reinserts the "#" mark where it belongs when requests come in.
For a servlet, listening for the pretty URL:
if(request.getPathInfo()!=null && request.getPathInfo().length()>1){
response.sendRedirect("#" + request.getPathInfo());
return;
}
Alternatively, you can serve up your GWT app directly from this servlet, and initialize it with parameters from the URL, but there's a bit of relative-path bookkeeping to be aware of.
WebCrawlers
This is the trickiest one. Basically you can't get around having static(ish) pages here. That's not too hard if there are a finite set of simple states that you're indexing. One simple scheme is to have a separate servlet which returns the raw content you normally fetch with GWT, in minimal formatted HTML. This servlet can have a different URL pattern like "/indexing/". These wouldn't be meant for humans, just for the webcrawlers. You can attach a simple javascript in the <head> to redirect users to the pretty url once the page loads.
Here's an example for the doGet method of such a servlet:
response.setContentType("text/html;charset=UTF-8");
response.setStatus(200);
pw = response.getWriter();
pw.println("<html>");
pw.println("<head><script>");
pw.println("window.location.href='http://www.example.com/#"
+ request.getPathInfo() + "';");
pw.println("</script></head>");
pw.println("<body>");
pw.println(getRawPageContent(request.getPathInfo()));
pw.println("</body>");
pw.println("</html>");
pw.flush();
pw.close();
return;
You should then just have some links to these indexing pages hidden somewhere on your main app URL (or behind a link on your main app URL).
I am a beginner in web programming and I need to create function to change password like in social network. I'm doing it first time and don't know how to do it. I don't know how to create architecture. I'm using backbone.js in user side, I will create userModel (this is backbone model). In server side I'm using Java. I have one idea that: add to UserClass (this is java class) new fields which named
#JsonIgnore
String oldPassword;
#JsonIgnore
String newPassword;
JsonIgnore make field invisible on user side. I will send the fields with userModel from user side,so I check in server side. I think, the idea is not good.
If You know any ways, please, tell me about it !
EDIT
I know how to make html-form. I don't know how to send the filds to server. If I do that:
var val1 // old_pass
var val2 // new_pass
this.model.save({password: val1,new_password: val2});
then model password change to val1, it is not correct, password do not set in user side, because user side haven't model password
I don't know how your server authentication process work but maybe you can try something like this. Create a new View with a user model inside to edit the user attributes. Inside that view render a form that displays the user attributes including the passwords. On the form the user will be able to change his information. Have a button called "Save" or something like that to store the changes. When the button is clicked create a function that grabs the values from the form and using the model save method. This method makes Backbone run a PUT command back to the server. On the server you should be able to handle this request and change the password. A very simple function you can write to save the changes in the view could be something like this:
changePassword = function() {
var attributes;
attributes = {
password: $('#password').val(),
confirm_password: $('#confirm_password').val()
};
this.model.save(attributes);
};
This functions will create an attributes object filled with the password fields and then it sends it back to the server. If you want to understand a little bit more about how the save method work you should check the Backbone documentation. Hope this helps!
I am working on an existing Web based application.
Now, I need to secure the application against what I think is called url hacking. For instance, if the customer with customerId 1 is logged in and viewing his profile, the following http get variable will be visible in the address field: customerId=1.
I need to prevent a customer from being able to set customerId=2 and see the profile of another customer.
The problem is that, the application is already in production and in good working condition, so the changes should be minimal with respect to this change.
How is this best achieved?
Any sugggestions/comments?
why do you give the id in the URL when the user should only be allowed to change his profile? I don't see any need for this. Rather get the current user from SecurityConext and display its profile on an URL without the id.
with the new information you gave in the comments I suggest sth. like this:
just check if the given orderid in the URL belongs to the current user.
You're saying you use "normal web based Application" so I assume Servlet/jsp based. In your servlet you would do something like this:
int orderId = Integer.parseInt(request.getParameter("orderId"));
String username = request.getUserPrincipal().getName();
/*now you need to check if username match with the username of the order e.g. by using hibernate to get the order by id and check its user and if not throw PermissionDeniedException or similiar*/
95% agree with Korgen's answer above.
5% - if you want to allow administrator access to edit user profiles using the same functionality just switch to UUID to identify edited user.
The scenario is such that i am accepting a unicode string from user on webpage and on click of the submit button the control moves to the next page where the complete logic of processing the string is written using a bean class at the same time i m inserting the string into the database by giving call to function of DAO class from inside bean class so as to maintain the log.
the problem is that when user refreshes the result page the bean class is getting called again and again and hence the same string is getting inserted into the database by the same user several times.
what should i do such that string inserted by the same user gets inserted into database only when user presses the submit button not while refreshing the result page.
or should i maintain the cookies with string as values from the user and check it when page gets loaded.
i am trying to maintain cookies at client side for the string that was previously entered by the user and check it accordingly
private void fnSetCookieValues(HttpServletRequest request,
HttpServletResponse response) {
Cookie[] cookies=request.getCookies();
for (int i = 0; i < cookies.length; i++) {
System.out.println("" + cookies.length + "Name" + cookies[i].getName());
if(cookies[i].getName().equals("DNString")) {
System.out.println("Inside if:: " + cookies[i].getValue() +
"" + cookies.length);
cookies[i].setValue(request.getParameter("txtString"));
} else {
Cookie ck = new Cookie("DNString", ";");
response.addCookie(ck);
}
}
}
This piece of code is written in servlet which gets called on submit button click
but each processing of this servlet displays 1NameJSESSIONID it is not showing the cookie DNString
Can anybody figure out the mistake i am doing?
you are looking into a way to prevent double-submits?
There are a couple of approaches, depending on your security needs and the frameworks you are using:
Java Script
Tokens
Synchronization
Google around a bit. There are many many solutions out there.
Thanks,
M
It is not good approach to check whether data is already entered or not.
So, One of the easy solution to this problem is to use HTTP redirect after the form submission from your servlet.Let say to success.jsp. Hence the form is not submitted again.
You can also reset your form once you get response.
For More check here