i've a login page when you successfuly login by entering username and password you are directed to home.jsp
on home.jsp..i've used request.getParameter() for both id and passwd,which checks and then only let it enters..
but when i'm usind a simple href html link for home..it always shows me nullexception as id and password is not there and request.getParameter() shows error..
but when i'm usind a simple href html link for home..it always shows me nullexception as id and password is not there and request.getParameter() shows error..
It is because your request doesn't hold username password when you make simple GET using a href.
Passing username & password in URL isn't good. Why don't you use Session to hold current logged user's data.
If your tag looks like
click me
`
then indeed, you aren't passing the parameters
It needs to look like
click me
NOTE: As pointed out by others, there are many security reasons why this kind of structure should be used with care.
If you use a <a href=""/> like you specified it, the HTML form content containing username and password will not be submitted. It will create a HTTP GET request and not send any form parameters.
If you use a 'submit' button, it will create a HTTP POST request and send the form parameters to the server.
If you want to keep the link as <a href=""/> then you can add an 'onclick' javascript to your href and call a submit() on your form.
Related
So I'm trying to log in to a webpage using Jaunt. The first thing to mention is that the webpage is .aspx and the submit button has an option onclick="javascript:WebForm_DoP..." and as far as I know Jaunt doesn't support Javascript right?
In case I'm wrong, the code I'm using is the one in the examples of Jaunt:
Form form = userAgent.doc.getForm(0);
form.setTextField("Login1$UserName","USER");
form.setPassword("Login1$Password","PASSWORD");
form.setCheckBox("Login1$RememberMe",false);
form.submit("GO");
System.out.println(userAgent.getLocation());
All the names and values are correct, and the user and password works since I can log in using the web browser. After I execute the code, in the output I get this:
message: UserAgent.sendPOST; Connection error requestUrl:
http://webpagehere.com/default.aspx [posting
__VIEWSTATE=%2FwEPDwUJLTk5MDc0NjQ2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgURTG9naW4xJFJlbWVtYmVyTWUFF0xvZ2luMSRMb2dpbkltYWdlQnV0dG9upWcarODJIwpeMt8HCmfaBn6iMWI%3D&__VIEWSTATEGENERATOR=CA0B0334&Login1%24UserName=USER&Login1%24Password=PASSWORD&Login1%24LoginButton=GO]
response: [none]
The form div is this one:
<form name="form1" method="post" action="Default.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1" style="text-align:center">
Any ideas what could be my problem? In case Jaunt doesn't allow me to do this login, could someone please recommend me a library for web scraping and interaction? Thanks!
Seems like you are stuck. Actually .aspx pages uses AJAX pagination. You will have to extract the values of __VIEWSTATE, __VIEWSTATEGENERATOR and all other form values and then send them with POST method in the request body. You can use Fiddler to get the request body which contains all these hidden variables and your entries to the form.
In Java you can use Selenium Or HTMLUnit which are Java GUI-Less browser, supporting JavaScript, to run agains web pages.
edit: You can use Jaunt-api as well, I just tried it with it, all you do is send a POST request alongwith the request-body, you can easily check it with Fiddler, and it works!!
Form values in HTTP POSTs are sent in the request body, in the same format as the querystring. You can find the request body of a link by inspecting it using the Fiddler and then copy request body from Textview and send the encoded data as request body.
UserAgent userAgent = new UserAgent();
userAgent.sendPOST("<your link to form page>","<request body>");
I am analayising the existing project, in one of the JSP page I saw that
String server=request.getParameter("server");
But I am trying to check How I can find where is this server parameter is set
I searched for setParameter("server"), no luck
can any one suggest on this
Main idea, I need to change the values for the values which is set in "server" parameter.
You can look in any of HTML elements, where they may have tag like <input type='text' id='server' name='server' /> like that. I have given example of text box, it can be anything.
And no, there is no such method called request.setParameter()
You can get this attribute from the html/jsp page from where the form is being submitted.
It is set by the HTTP request that was generated by the client side (such as a browser). For example, an HTML form, upon submission, would result in an HTTP request with parameters for each field. A standalone client (non-browser) can set request parameters by merely adding those parameters to the URL itself.
Therefore, first you have to determine what is generating the HTTP request that results in your JSP page being called. Once you find who's generating the request, it will be very easy for you to find how the parameter itself is set.
In your web.xml first check, from which form present in JSP/HTML the request is coming.
In the corresponding action, you will get all the input fields in the form, which will be fetched in the servelet through request.getParameter('')
This parameter is set when any form is submitted. Check the page which calls this servlet. That page will contain a form having field like <input type='text' name='server' />. If not found then check URL query parameter.
EDIT
In web.xml check which URL is being mapped to your servlet.
I need to automate file downloading from a website. The file download button appears only after login for which I was provided username and password. In login form there are two more hidden fields one of which is csrf_token_login with a generated value:
<input type="hidden" name="csrf_token_login" value="nl9YERDFpecfITb8QwFWneoaefykxp2b" />
It is clear how to code this in Java (using java.net.HttpUrlConnection) if I would have just login and password (there is excellent explanation for this in Using java.net.URLConnection to fire and handle HTTP requests ): submit POST request, get cookies and set them for any subsequent request. But how can I get a generated value of csrf_token_login on the login form and submit it with other values?
Reading it using getInputStream() on the HttpURLConnection of a login page gives me the csrf value. But at the same time this establishes connection and prevents from setting connection properties for posting data:
private HttpURLConnection logUrlCon;
...
BufferedReader logInput = new BufferedReader(new InputStreamReader(logUrlCon.getInputStream()));
... // read and get csrf value OK
logUrlCon.setDoOutput(true); // throws java.lang.IllegalStateException: Already connected
Is there any way of getting this csrf_tiken_login value generated in a login form AND posting it with username and password?
Read login page content and extract the data using regular expressions. Your hidden field has a very distinctive form (with a unique name, etc.), so perfectly suitable for regular expression based data extraction.
I have a login form with username and password. It works, but after the request I see on the web browser something like "...login?user=myUser&password=myPassword".
Given that the form has a password field that hides the password while it's typed, it would not be funny to see the password on the address bar.
Is it possible to avoid this?
The user verification is done on the server with a custom java web server.
Set your HTTP form method to a POST, instead of a GET. This eliminates the form to append the parameters on the url.
Secure your page to use HTTPS instead of HTTP. That way, an eavesdropper cannot read unencrypted HTTP POST message.
The only way that this can be done is by not using the GET method of form submission. You need to use the POST method. More information can be found here http://www.cs.tut.fi/~jkorpela/forms/methods.html
Your form will look like this
<form method="post" action="somepage.php">
</form>
Your form is using the GET not POST. Passing variables via a query-string in the URL (GET) can be dangerous as users can see and modify these values. Change your form's method to POST. In standard HTML this would look like:
<form method="GET" action="......
...to...
<form method="POST" action=".....
You can encode the password, which will obscure it.
However using a POST form instead will hide all its fields.
Yes, use a POST request instead of GET.
Convert your form to use the HTTP "POST" method instead of "GET", e.g.:
<form action="/login" method="post">
Also consider obscuring the password before it is transmitted, e.g. using a scheme such as Base64 or MD5.
Change the 'method' attribute on the form from "get" to "post" -- and send the request over HTTPS, preferably.
When you see a "login?user=myUser&password=myPassword" in your address bar this means that your Login form is using the GET request method:
<form id="login" action="some_file" method="get">
The easiest way of hiding this info would be to change from GET to POST method:
<form id="login" action="some_file" method="post">
You can read more about both of these methods here:
When to use POST and GET?
However, note that POST is not much safer than GET. You can read more about this here:
POST and GET in terms of Security
Ok, so I've got an interesting case of login page redirection going on.
My webservice has a login page (login.html) with some javascript to handle logging in and redirecting to a hardcoded 'default' page. The webservice is written in Java with a servlet filter handling redirection if a user is unauthenticated (so if a user tries to access domain/statistics without being logged in, they are directed to domain/login.html). The redirection from the protected services works: I can redirect to the login page and once a user is authenticated, redirect them to a default page. I am having issues, however, redirecting to the previous page.
I know this is usually handled with the argument document.referrer in the Javascript, which I have tried, but due to the Java's redirection with response.sendRedirect, the Referer header is not sent.
How can I get these two aspects to redirect to the previously called page? Is it something I need to add on the Javascript side, the Java side, or both?
What I've done is to drop the original (redirected) URL into a hidden input field on the login form. The code that does the authentication should just check that parameter, and if it's not empty it can redirect after establishing the session.
You have to be careful doing this to prevent XSS attacks etc., but it's not that hard and it works just fine.
In my framework (Stripes), I can push the original URL (taken from the HttpServletRequest object, a combination of the servlet path, the "path info", and the query string) into a special holding box that will cause the framework to give it back to me on the next request as a parameter. Without that, the simple thing to do is add the URL as a parameter when you redirect. Just URL-encode the original attempted URL and tack it onto the redirect URL with some parameter name. Then, on your login page, you just check for it:
<c:if test='${not empty param.attemptedUrl}'>
<input type='hidden' name='attemptedUrl' value='${fn:escapeXml(param.attemptedUrl)}'>
</c:if>
Then your login action will get that parameter too when the login form is submitted, and it can act on it as appropriate.
Send Redirect will ask to the client to repeat the request to the resource you choose. Have you think of Spring Security with minimal configuration you can achieve this quite easily.
Take a look at this:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html