How to restrict access to a Servlet via browser - java

I'm using the following jQuery code to load a Servlet inside a DIV.
$.get('Test', function(responseText) {
    $("#test").html(responseText);
});
The elements brought from this Servlet will use the CSS file included in this webpage.
But if I type in my browser ..../myProject/Test
It will display what this Servlet is meant to display, but with no css file, it will look bad.
How to restrict someone from accessing this Servlet via browser?

First of all, when you are fetching something using AJAX, you are accessing it via browser.
You can set some special HTTP header in the AJAX call, but it's not secure by any means. However, on the server side you can recognize this special header and, if it is not present, refuse or return some different content.
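
One way to do the server-side check the answer describes, as an added example that is not part of the original answer: a servlet filter on the question's Test mapping that looks for the X-Requested-With header jQuery sends on same-origin AJAX calls. The class name and the /index.html host page are assumptions; any client can forge the header, so this only steers stray navigations and is not access control.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example) guarding the question's /Test servlet.
@WebFilter("/Test")
public class AjaxOnlyFilter implements Filter {

    // jQuery adds this header to same-origin $.get/$.ajax calls by default.
    private static final String HEADER = "X-Requested-With";
    private static final String EXPECTED = "XMLHttpRequest";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (EXPECTED.equals(request.getHeader(HEADER))) {
            // The response depends on a request header, so tell caches not to
            // reuse the fragment for a plain navigation to the same URL.
            response.setHeader("Vary", HEADER);
            chain.doFilter(req, res);
            return;
        }
        // Direct navigation: send the user to the page that hosts the DIV.
        // "/index.html" is an assumed name for that page.
        response.sendRedirect(request.getContextPath() + "/index.html");
    }

    @Override
    public void destroy() { }
}
```

If the fragment contains anything that must not be public, protect it with session authentication and authorization checks rather than with this header.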

Related

How to make a browser display an anchor using Vert.x web

I need to access a page that contains anchors using vert.x web.
I have a page (for example: a page called display.html) that has some anchors in it. I am using the vert.x web API to display this page.
Using the routers, I am able to get at this page, in the following manner:
router.route("/display.html").blockingHandler(rctx -> {
    HttpServerResponse resp = rctx.response();
    resp.putHeader("content-type", "text/html");
    resp.setChunked(true);
    String content = getFile("./webpage/display.html");
    resp.write(content);
    resp.end();
}, false);
This allows me to access the page from the browser using the following request:
http://localhost:8080/display.html
My problem is that I cannot figure out a way to make the browser go to the anchors on the page. For example, I need to do the equivalent of the following:
http://localhost:8080/display.html#xl_xr_page_-a
I can find no way to make the server pass such a thing to the browser.
Is there a way to make a Vert.x server do this? How does a server like Tomcat or even Apache manage to handle this -- especially when a browser doesn't send anchor tags to the server. The tags are in the web page, so there must be some way of getting the browser to display them. If so, how can this be done?
Someone please advise...

Issues with accessing HTTP resources with Embedded Orbeon

I'm currently running into issues with accessing HTTP resources (which are all local) while using the XForms Filter for Orbeon (in accordance with http://doc.orbeon.com/xforms/filter.html).
I am using a Java Servlet to process the data, and I'm trying to use the xf:submission element to access the Servlet in order to get/post the data required. The Java App and Orbeon wars are both deployed in the same tomcat instance, with all of the session handling etc set up as described in the link above.
Initially, the Servlet forwards the request to a .JSP with the XForms implementation, which loads fine. However, the page is then meant to request the data and display it. However, it doesn't do this - and the tomcat localhost access logs show no requests were made.
I know both the java code (and the XForms implementation) is correct, as I have written two .JSPs containing the java code from the servlet (and then call the JSPs directly from the xf:submission instead of the HTTP requests) and it works perfectly.
<xf:submission id="post-results-submission"
               ref="instance('categories-instance')"
               resource="http://localhost:8082/EmbeddedTesting/questionnaire"
               method="post"
               serialization="application/xml"
               mediatype="application/xml"
               replace=""/>
<xf:submission id="get-data-submission"
               ref="instance('response-instance')"
               resource="http://localhost:8082/EmbeddedTesting/questionnaire"
               method="post"
               serialization="application/xml"
               mediatype="application/xml"
               replace="instance"
               instance="categories-instance"/>
These are the submission elements for accessing the HTTP resources.
Is there a reason these aren't being called at all? (as shown by logs) and if so, is it possible to fix them?
Also to note - I tested the servlet itself using the Advanced REST Chrome app and through the orbeon form builder HTTP actions (then clicking test) and both worked fine. It just won't work here for some reason. I've also made sure that the licence (for Orbeon Forms PE) is in the WEB-INF/resources/config and that it is still valid.
Here is a link to my XForms, uploaded to dropbox as an XML file so it can be previewed on dropbox: https://www.dropbox.com/s/aq4zx39ohjulcbx/index.xml?dl=0
I'm not sure if this is something I can actually do outside of Form Runner/Builder, so any help would be appreciated!

How to redirect to a page in webcenter sites

Is there any way to redirect to a page/template using WebCenter Sites tags, or do we need to depend on the standard J2EE response.sendRedirect() method?
If you're using a JSP wrapper, then you can't really do this since JSPs start sending the response headers too early. You'll have to render an HTML page with the meta redirect tag.
If your wrapper is XML or Groovy, then you can do this using WebCenter Sites APIs. There's a Groovy example here.
Redirecting a request is a tricky part in Oracle WebCenter Sites. The response.sendRedirect code doesn’t work in Sites JSP because the response headers are committed early in the page evolution, so we cannot set the return status code in JSP in Sites.
We can control this at client side immediately after loading the webpage. In javascript we can set the condition to forward to the respective page/url. Return the below javascript code as the response from the sites’s jsp page. Here is the best solution to achieve this task.
http://devble.com/forward-and-redirect-request-in-webcenter-sites/

How can I tell the browser to load a html file with a Java servlet?

The idea is that you can add something to a database, which goes from browser -> java code -> JSP -> java code -> database, and you are then redirected to a page containing the information you sent. The servlets are in place but I cannot redirect to the HTML page from a get request.
I have a servlet to PrintWriter().print() the data in a Json object, but that servlet is called from the JavaScript within the HTML page. How can I send the HTML page? Should I parse the HTML page and PrintWriter().print() each line? Is there a more proper way of doing this?
Keep in mind that sending HTML straight from JSP is not an option, and I can't change the structure of the system.
edit: Sorry, I typed that in a rush.
As a preface, the system is similar to StackOverflow, whereby you can submit a 'request' which prompts the community to crowd-source learning material.
Right now, the structure of the system is JS/HTML on the browser side, which communicates with a mySQL DB through an API written in Java. The API goes through JSP which communicates with an inner Java API for accessing the DB. The catch is that I must return Json objects from the API. I know that JSP is essentially useless and I could interface the two APIs without JSP, but this is a first year college project so I don't have the choice.
When you submit something to the database using the url /addrequest (or similar), the system puts the text into the database and then redirects you to /request/idnumber. When you access the /request/* URL, another servlet runs. I want this servlet to tell the browser to open my "request_display.html" page. Then the javascript on that page will call another url to get the Json object through the API, and then it will build the page.
I don't know how to tell the browser to open an HTML page. Should I just parse the HTML file and then use response.getWriter().print() to send the HTML?
If you are in a Servlet:
response.sendRedirect("pathOf YourHTMLPage");
If you are in a JSP page, try using a form or a "a" element. Like this:
<form action="nameOfYourServlet"></form>
or
Can't really understand what you are looking for but if you want to redirect user to an html page using servlet this can be done using response.sendRedirect("path to html");
It would be nice if you could explain via some code as your English is hard to understand.
response.sendRedirect("redirect.html");
Alternative way
ServletContext sc = getServletContext();
sc.getRequestDispatcher("/redirect.html").forward(request, response);

Should I use URL rewriting to protect against XSS

Let's say someone enters the following URL in their browser:
http://www.mywebsite.com/<script>alert(1)</script>
The page is displayed as normal with the alert popup as well. I think this should result in a 404, but how do I best achieve that?
My webapp is running on a Tomcat 7 server. Modern browsers will automatically protect against this, but older ones, I am looking at you IE6, won't.
It sounds like you are actually getting a 404 page, but that page includes the resource (in this case a piece of JavaScript code) and doesn't do any converting of < and > to their respective HTML entities. I've seen this happen on several websites.
The solution would be to create a custom 404 page which doesn't echo back the resource to the page, or that does proper HTML entity conversion beforehand. There are plenty of tutorials you can find through Google which should help you do this.
Here's what I did:
Created a high level servlet filter which uses OWASP's HTML sanitizer to check for dodgy characters. If there are any, I redirect to our 404 page.
You should put a filter in your webapp to protect against an XSS attack.
Get all the parameters from the HttpServletRequest object and replace any parameter with value starting with with spaces in filter code.
This way any harmful JS script won't reach your server side components.
