Wicket excel Page expired - java

After using WebResponse to export Excel, clicking a Link gives a Page expired error.
Any suggestions?
Thanks.

The session expired page usually appears when your pages are not bookmarkable and you make a request for a page to the server, but the server has a different version of the page that you have requested. It shouldn't have anything to do with the session timeout, which is defined in the web.xml file.
As a good practice, your pages should have a constructor with PageParameters. Also be careful with the popup pages, because they usually generate this kind of error when they are not using PageParameters.

Make sure that your classes that don't extend Wicket components implement Serializable, otherwise you will often see a Page Expired error.
If this doesn't help, copy and paste the error logs so we can see the exception being thrown.

Related

Should I use URL rewriting to protect against XSS

Let's say someone enters the following URL in their browser:
http://www.mywebsite.com/<script>alert(1)</script>
The page is displayed as normal with the alert popup as well. I think this should result in a 404, but how do I best achieve that?
My webapp is running on a Tomcat 7 server. Modern browsers will automatically protect against this, but older ones (I am looking at you, IE6) won't.
It sounds like you are actually getting a 404 page, but that page includes the resource (in this case a piece of JavaScript code) and doesn't do any converting of < and > to their respective HTML entities. I've seen this happen on several websites.
The solution would be to create a custom 404 page which doesn't echo back the resource to the page, or that does proper HTML entity conversion beforehand. There are plenty of tutorials you can find through Google which should help you do this.
Here's what I did:
Created a high level servlet filter which uses OWASP's HTML sanitizer to check for dodgy characters. If there are any, I redirect to our 404 page.
You should put a filter in your webapp to protect against an XSS attack.
Get all the parameters from the HttpServletRequest object and replace any parameter with value starting with with spaces in filter code.
This way any harmful JS script won't reach your server side components.
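Added example (not code from the thread) of the custom 404 page the first answer recommends, written as a plain servlet for Tomcat 7 / Servlet 3.0: it keeps the real 404 status and HTML-escapes the requested path before echoing it, instead of trying to filter "dodgy characters" on input. The servlet name and the /notFound mapping are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical custom 404 handler (name and mapping are assumptions). Wire it up in web.xml:
//   <error-page><error-code>404</error-code><location>/notFound</location></error-page>
// plus a <servlet-mapping> for /notFound. Servlet 3.0 (Tomcat 7) defines ERROR_REQUEST_URI.
public class NotFoundServlet extends HttpServlet {

    // Encode the characters that are significant in an HTML text context, so the
    // path is shown back to the user but can never be parsed as markup.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // service() rather than doGet() so a POST to a missing URL also reaches this page.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // When the container forwards to an error page it stores the original URI here.
        Object uri = req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        String requested = (uri != null) ? uri.toString() : req.getRequestURI();

        resp.setStatus(HttpServletResponse.SC_NOT_FOUND); // answer 404, do not redirect
        resp.setContentType("text/html; charset=UTF-8");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Not Found</title></head><body><h1>404 Not Found</h1>");
        // Reflecting the path is safe only because it is escaped for this context.
        out.println("<p>No resource at <code>" + escapeHtml(requested) + "</code></p>");
        out.println("</body></html>");
    }
}
```

With this in place the URL from the question renders the literal text `<script>alert(1)</script>` inside the 404 page, which a browser shows but does not execute.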

Spring mvc result page and back browser button

On my MVC Spring application I send a form to a page using the POST method to perform a search with some parameters. The result of the search is a list and, for every entry, it is possible to navigate to a details page. It works fine but, when a user tries to come back to the result page with the browser back button (or a JavaScript), I get an "Expire page" error. Refreshing the page re-executes the POST submit and it works fine.
To prevent this error I added
response.setHeader("Cache-Control", "no-cache");
to the search controller and everything works fine with Safari and Firefox but I get the same "Expire page" error when I try to execute the web application with IE (8 and 9).
What's the right way to go to a detail page and come back without getting any error?
Thanks for your time! Andrea
The right way is to use GET instead of POST: searching is an idempotent operation which doesn't cause any change on the server, and such operations should be done with a GET.
Not expiring a POST request seems to undermine the very idea of a POST:
Per RFC 2616, the POST method should be used for any context in which a request is non-idempotent: that is, it causes a change in server state each time it is performed, such as submitting a comment to a blog post or voting in an online poll.
Instead, I would restructure how you view the detail records, maybe with an overlay DIV that doesn't refresh the underlying page that shows the results. With many modern web apps, using the BACK button can cause issues with page flow.

How to handle session timeout with wicket ajax requests?

How can I handle a session-timeout when doing an ajax request with wicket?
Currently (e.g. using an AbstractAjaxTimerBehavior) the user is redirected to the session expired page. I would like to handle this on the client side using javascript (for a better user experience).
Overriding onException (doing nothing) and getFailureScript are working well if another error occurs on the server side or the server does not respond at all. But not if the server responds and the user's wicket session is expired.
Any suggestions are very much appreciated, thanks a lot.
Peter
I have found an ugly workaround for this, the wicket devs obviously do not see demand to handle ajax session expiration on the client side.
Have a look at the solution here:
https://issues.apache.org/jira/browse/WICKET-3081

Servlet Security question about j_security_check, j_username and j_password

I used jdbcRealm in my web application and it's working fine. I also defined all constraints in my web.xml, like all pages of URL pattern /Admin/* should be accessed only by admin. I have a login form which uses the standard j_security_check, j_username and j_password.
Now, when I type Admin/home.jsf it rightly redirects me to login.jsf, and there when I type the password I am redirected to home.jsf. This works alright, but the problem comes when I directly go to login.jsf and then type password and username. This time it again redirects me to login.jsf. Is there any way through which I can specify which page to go to when login is successful? I need to specify different pages for different roles. For Admin it is /Admin/home.jsf, for general users it is /General/home.jsf, because the login form is shared between different types of users. Where do I specify all these things?
Secondly, I want to have a remember me checkbox at the end of the login form. How do I do this? By default, it is submitted to the j_security_check servlet and I have no control over its execution. Please help. This doesn't seem so hard, but it looks like I am missing something.
I found the answer to my own question. This is for any newbie who drops on this thread in future. Ok, the solution that I found after much thinking is that I make one folder and one JSP page, say flag.jsp. Next, I give access to it to all the roles.
Now, you might be wondering what good would that do? :) Well, just follow it and you might be done. :p
Next, in your welcome-file in web.xml mention the URL of this file. Thus, when the application starts it will go to this URL and the container will find that I am unauthenticated, thus redirect me to the login page. That's it. Now, the final part is you can write simple scriptlets in our shared roles JSP file and redirect to home based on role.
E.g. if HttpServletRequest#isUserInRole("Admin") then redirect to "/admin/home.jsf" and so on.
Well, this is not so efficient, but the important thing is that it works! :) This idea accidentally bumped into me today. I guess now I can rest and use container managed security easily. Waiting for your comments.

Determine target URL within login page using Forms authentication with WebLogic

I have an application running under WebLogic that is using standard forms authentication. The login page is a JSP that presents the login form that will post to j_security_check. So as you would expect, when a user tries to access a page but is not yet authenticated, they will be redirected to the login.jsp.
My question is, how can I determine the page that the user was attempting to hit before WebLogic redirected them to the login page? I wish to use this to change the content of the login page depending on the user's destination. I'm not seeing anything in the request object that would tell me this.
Thanks for any hints!
You can use:
weblogic.servlet.security.ServletAuthentication.getTargetURLForFormAuthentication(request.getSession())
This is a public static method and returns a String.
I've tested and it works for me.
We concluded there was no way to find out the target URL from the login page. I wouldn't mind being proven wrong. :)
In the meantime, the solution was to deploy the content in a second WAR with its own login page providing the alternate content. Lots of overhead for what should be a simple problem to solve.
