Is it possible to configure Spring RequestDumperFilter so that it will not log specific headers that contain sensitive information (for example the "Authorization" header)?
Looking at the source https://github.com/apache/tomcat/blob/8e2aa5e45ce13388da62386e3cb1dbfa3b242b4b/java/org/apache/catalina/filters/RequestDumperFilter.java it appears there is no way to do that:
Enumeration<String> hnames = hRequest.getHeaderNames();
while (hnames.hasMoreElements()) {
String hname = hnames.nextElement();
Enumeration<String> hvalues = hRequest.getHeaders(hname);
while (hvalues.hasMoreElements()) {
String hvalue = hvalues.nextElement();
doLog(" header", hname + "=" + hvalue);
}
}
But it would be very easy to copy that file and modify it to do what you want.
Related
I have a scenario where in my code creates a file and an event in cumulocity as well. I need to attach the binary file to the event, however none of the API's provide me the functionality, any guidance as to how to go ahead please?
Update:
On having a look at the documentation https://cumulocity.com/api/10.11.0/#tag/Attachments , the binaryElement has a following structure
I have modified my JAVA code in the following manner:
String pathEvent = platform.getUrl().get()+"/event/events/{{eventId}}/binaries";
String pathEventAttachment = pathEvent.replace("{{eventId}}", event.getId().getValue());
HttpHeaders headers = RequestAuthenticationEncoder.encode(getCredentials());
headers.setContentType(MediaType.MULTIPART_FORM_DATA);
MultiValueMap<String, Object> map = new LinkedMultiValueMap<>();
map.add("file",new ByteArrayResource(FileUtils.readFileToByteArray(file)));//anychanges here fails the code
map.add("filename", file.getName().getBytes());
HttpEntity<MultiValueMap<String, Object>> request = new HttpEntity<>(map,headers);
restTemplate.postForObject(pathEventAttachment, request, String.class);
log.info("Binary file added to the event {}", event.getId().getValue());
Binary is created for the event, however the filename is incorrect:
Please let me know some insights as to why the name is not changing?
You need to create a POST on /event/events/{{eventId}}/binaries with the appropriate Content-Type and body.
Here is a code snippet in python where a binary (log file) is attached to an event. It just POSTs the file content (bytes) as application/octet-stream
# Create event
logfileEvent = {
'type': 'c8y_Logfile',
'text': 'See attached logfile',
'time': datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z',
'source': {
'id': DEVICE_ID
}
}
res = client.post(C8Y_BASE + '/event/events/', data=json.dumps(logfileEvent))
eventId = res.json()['id']
# Attach Binary
res = client.post(C8Y_BASE + '/event/events/' + eventId + '/binaries', data=bytes(FILE_CONTENT, 'utf-8'), headers={'Content-Type': 'application/octet-stream'})
binaryRef = res.json()['self']
# Update operation
logfileFragment = logfileOperation['c8y_LogfileRequest']
logfileFragment['file'] = binaryRef
updatedOperation = {
'status': 'SUCCESSFUL',
'c8y_LogfileRequest': logfileFragment
}
client.put(C8Y_BASE + '/devicecontrol/operations/' + logfileOperation['id'], data=json.dumps(updatedOperation))
Apparently, in the move from Spring Boot 1 to Spring Boot 2 (Spring 5), the encoding behavior of URL parameters for RestTemplates changed. It seems unusually difficult to get a general query parameter on rest templates passed so that characters that have special meanings such as "+" get properly escaped. It seems that, since "+" is a valid character, it doesn't get escaped, even though its meaning gets altered (see here). This seems bizarre, counter-intuitive, and against every other convention on every other platform. More importantly, I can't figure out how to easily get around it. If I encode the string first, it gets double-encoded, because the "%"s get re-encoded. Anyway, this seems like it should be something very simple that the framework does, but I'm not figuring it out.
Here is my code that worked in Spring Boot 1:
String url = "https://base/url/here";
UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(url);
for (Map.Entry<String, String> entry : query.entrySet()) {
builder.queryParam(entry.getKey(), entry.getValue());
}
HttpEntity<TheResponse> resp = myRestTemplate.exchange(builder.toUriString(), ...);
However, now it won't encode the "+" character, so the other end is interpreting it as a space. What is the correct way to build this URL in Java Spring Boot 2?
Note - I also tried this, but it actually DOUBLE-encodes everything:
try {
for (Map.Entry<String, String> entry : query.entrySet()) {
builder.queryParam(entry.getKey(), URLEncoder.encode(entry.getValue(),"UTF-8" ));
}
} catch(Exception e) {
System.out.println("Encoding error");
}
In the first one, if I put in "q" => "abc+1#efx.com", then, exactly in the URL, I get "abc+1#efx.com" (i.e., not encoded at all). However, in the second one, if I put in "abc+1#efx.com", then I get "abc%252B1%2540efx.com", which is DOUBLE-encoded.
I could hand-write an encoding method, but this seems (a) like overkill, and (b) doing encoding yourself is where security problems and weird bugs tend to creep in. But it seems insane to me that you can't just add a query parameter in Spring Boot 2. That seems like a basic task. What am I missing?
Found what I believe to be a decent solution. It turns out that a large part of the problem is actually the "exchange" function, which takes a string for a URL, but then re-encodes that URL for reasons I cannot fathom. However, the exchange function can be sent a java.net.URI instead. In this case, it does not try to interpolate anything, as it is already a URI. I then use java.net.URLEncoder.encode() to encode the pieces. I still have no idea why this isn't standard in Spring, but this should work.
private String mapToQueryString(Map<String, String> query) {
List<String> entries = new LinkedList<String>();
for (Map.Entry<String, String> entry : query.entrySet()) {
try {
entries.add(URLEncoder.encode(entry.getKey(), "UTF-8") + "=" + URLEncoder.encode(entry.getValue(), "UTF-8"));
} catch(Exception e) {
log.error("Unable to encode string for URL: " + entry.getKey() + " / " + entry.getValue(), e);
}
}
return String.join("&", entries);
}
/* Later in the code */
String endpoint = "https://baseurl.example.com/blah";
String finalUrl = query.isEmpty() ? endpoint : endpoint + "?" + mapToQueryString(query);
URI uri;
try {
uri = new URI(finalUrl);
} catch(URISyntaxException e) {
log.error("Bad URL // " + finalUrl, e);
return null;
}
}
/* ... */
HttpEntity<TheResponse> resp = myRestTemplate.exchange(uri, ...)
I'm trying to use the Authentication::login() API call in the DocuSign Java SDK and am receiving an error. Here's some code:
#Component
public class TestClass {
private ApiClient apiClient;
public void authenticate() {
this.apiClient = new ApiClient("account-d.docusign.com", "docusignAccessCode",
"mySecretIntegratorKey", "myClientSecret");
final AuthenticationApi authenticationApi = new AuthenticationApi(this.apiClient);
try {
// ERROR ON THE LINE BELOW
final LoginInformation loginInformation = authenticationApi.login();
} catch (final ApiException e) {
// do something appropriate
}
}
}
The mySecretIntegratorKey and myClientSecret values are not the real values I'm sending in obviously, but the other ones are.
Here is the error I am receiving when making the login() call:
Caused by: org.apache.oltu.oauth2.common.exception.OAuthSystemException: Missing grant_type/code
at com.docusign.esign.client.auth.OAuth$OAuthJerseyClient.execute(OAuth.java:184)
at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:65)
at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:55)
at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:71)
at com.docusign.esign.client.auth.OAuth.updateAccessToken(OAuth.java:92)
... 123 common frames omitted
I realize that this is using the older legacy authentication, however I have a limitation that won't allow me to upgrade to the newer method of authentication until the first of the year. So for now I need to use this legacy method using SDK Version 2.2.1.
Any ideas what I'm doing wrong here? I'm sure it is something simple...
Thank you for your time.
You want to use Legacy authentication?
In that case you need to make a number of updates to your code.
Only call new ApiClient(base_url)
Set the X-DocuSign-Authentication header--
From an old Readme:
String authHeader = "{\"Username\":\"" + username +
"\",\"Password\":\"" + password +
"\",\"IntegratorKey\":\"" + integratorKey + "\"}";
apiClient.addDefaultHeader("X-DocuSign-Authentication", authHeader);
Then use the authenticationApi.login to look up the user's Account ID(s) and matching base urls.
The authenticationApi.login doe not actually log you in. (!)
Rather, that method just gives you information about the current user.
There is no login with the API since it does not use sessions. Instead, credentials are passed with every API call. The credentials can be an Access Token (preferred), or via Legacy Authentication, a name / password / integration key triplet.
When using Legacy Authentication, the client secret is not used.
More information: see the Readme section for using username/password in this old version of the repo.
Just in case someone was looking for complete legacy code that works! The below C# code snippet works. This is production ready code. I've tested it and it works. You will have to create an EnvelopeDefinition separately as this code is not included. However, the piece below will authenticate the user and will successfully send an envelope and get back the Envelope ID:
string username = "john.bunce#mail.com";
string password = "your_password";
string integratorKey = "your_integration_key";
ApiClient apiClient = new ApiClient("https://www.docusign.net/restapi");
string authHeader = "{\"Username\":\"" + username + "\", \"Password\":\"" + password + "\", \"IntegratorKey\":\"" + integratorKey + "\"}";
apiClient.Configuration.AddDefaultHeader("X-DocuSign-Authentication", authHeader);
AuthenticationApi authApi = new AuthenticationApi(apiClient.Configuration);
LoginInformation loginInfo = authApi.Login();
string accountId = loginInfo.LoginAccounts[0].AccountId;
string baseURL = loginInfo.LoginAccounts[0].BaseUrl;
string[] baseUrlArray= Regex.Split(baseURL, "/v2");
ApiClient apiClient2 = new ApiClient(baseUrlArray[0]);
string authHeader2 = "{\"Username\":\"" + username + "\", \"Password\":\"" + password + "\", \"IntegratorKey\":\"" + integratorKey + "\"}";
apiClient2.Configuration.AddDefaultHeader("X-DocuSign-Authentication", authHeader2);
EnvelopesApi envelopesApi = new EnvelopesApi(apiClient2.Configuration);
EnvelopeSummary results = envelopesApi.CreateEnvelope(accountId, envelopeDefinition);
string envelopeID = results.EnvelopeId;
I hav following route:
from("quartz2:findAll//myGroup/myTimerName?cron=" + pushProperties.getQuartz())
//.setBody().constant("{ \"id\": \"FBJDBFJHSDBFJSBDfi\" }")
.to("mongodb:mongoBean?database=" + mongoDataConfiguration.getDatabase()
+ "&operation=findAll&collection=" + mongoDataConfiguration.getDataPointCollection())
.process(exchange -> {
exchange.getIn().setBody(objectMapper.writeValueAsString(exchange.getIn().getBody()));
}).streamCaching()
.setHeader(Exchange.HTTP_METHOD, constant(pushProperties.getHttpMethod()))
.setHeader(Exchange.CONTENT_TYPE, constant(MediaType.APPLICATION_JSON_VALUE))
.to(pushProperties.getUrl() + "&throwExceptionOnFailure=false").streamCaching()
As you can see I use throwExceptionOnFailure=false
and I take my url from configuration. But we found out that it works if
pushProperties.getUrl() = localhost:8080/url?action=myaction
and doesn't work in case of
pushProperties.getUrl() = localhost:8080/url
Is there universla way in camel to add request parameter to URL?
something like:
private String buildUrl() {
String url = pushProperties.getUrl();
return url + (url.contains("?") ? "&" : "?") + "throwExceptionOnFailure=false";
}
inside Camel api
That is because in case of localhost:8080/url, after appending it becomes like this
localhost:8080/url&throwExceptionOnFailure=false
which is wrong
It should be
localhost:8080/url?throwExceptionOnFailure=false,
In the first case it works you already have a requestpatam(?action=myaction) so the next one can be added with ampersand(&)
I think you have to add your own logic to compose the endpoint to the http component at the runtime. This is because the CamelContext will process it during the route itself. The parameter throwExceptionOnFailure is a property from the http component.
I don't think that adding the parameter via .setHeader(Exchange.HTTP_QUERY, constant("throwExceptionOnFailure=false")) shoud work because these parameters will be evaluated after the http component get processed, e.g. into the URL destination. Please, take a look at "How to use a dynamic URI in to()":
.toD(pushProperties.getUrl() + "&throwExceptionOnFailure=false")
You could use the simple expression to write a logic to do what you want based on the result of pushProperties.getUrl().
I don't like how Camel configure HTTP component in this case, but this is what it is.
What I suggest is to create a map of config, and append your args to it, and do a manual join with "&", then append it to the main url.
I do it like:
public class MyProcessor {
/**
* Part of Camel HTTP component config are done with URL query parameters.
*/
private static final Map<String, String> COMMON_QUERY_PARAMS = Map.of(
// do not throw HttpOperationFailedException; we handle them ourselves
"throwExceptionOnFailure", "false"
);
#Handler
void configure(Exchange exchange, ...) {
...
Map<String, String> queryParams = new HashMap<>();
queryParams.put("foo", "bar");
message.setHeader(Exchange.HTTP_QUERY, mergeAndJoin(queryParams));
...
}
private String mergeAndJoin(Map<String, String> queryParams) {
// make sure HTTP config params put after event params
return Stream.concat(queryParams.entrySet().stream(), COMMON_QUERY_PARAMS.entrySet().stream())
.map(entry -> entry.getKey() + "=" + entry.getValue())
.collect(Collectors.joining("&"));
}
}
Note that toD needs optimization but in that case, HTTP_QUERY cannot be used.
When the optimised component is in use, then you cannot use the headers Exchange.HTTP_PATH and Exchange.HTTP_QUERY to provide dynamic values to override the uri in toD. If you want to use these headers, then use the plain to DSL instead. In other words these headers are used internally by toD to carry the dynamic details of the endpoint.
https://camel.apache.org/components/3.20.x/eips/toD-eip.html
In a java class, am using an arraylist say reports containing list of all the reports which have reportid, reportname, reporttype etc which i want to add into NameValuePair and send a Http postmethod call to a particular url.
I want to add the arraylists - reportname into name value pair(org.apache.commons.httpclient.NameValuePair) and then use the http client post method to submit the name value pair data to a particular url.
Here is my name value pair
if (validateRequest()) {
NameValuePair[] data = {
new NameValuePair("first_name", firstName),
new NameValuePair("last_name", lastName),
new NameValuePair("email", mvrUser.getEmail()),
new NameValuePair("organization", mvrUser.getOrganization()),
new NameValuePair("phone", mvrUser.getPhone()),
new NameValuePair("website", mvrUser.getWebsite()),
new NameValuePair("city", mvrUser.getCity()),
new NameValuePair("state", mvrUser.getState()),
new NameValuePair("country", mvrUser.getCountry()),
new NameValuePair(**"report(s)", reports**.)
};
please suggest me how to add the reports arraylist reportname into reports field of NameValuePair.
--
thanks
# adarsh
can I use with generics something like this?
reportname = "";
for (GSReport report : reports) {
reportname = reportname + report.getReportName();
reportname += ",";
}
and then add in namevalue pair as
new NameValuePair("report(s)", reportname)
for name value pair use map like things... eg. Hastable(it is synchronized) , u can use other
implementation of Map which are not synchronized.
I suggest to serialize your reports ArrayList into a JSON formatted String.
new NameValuePair("reports", reportsAsJson)
You can build your reportsAsJson variable using any of the JSON serialization libraries (like the one at http://json.org/java/). It will have approximatively this format :
reportsAsJson = "[{reportid:'1',reportname:'First Report',reporttype:'Type 1'}, {reportid:'2',reportname:'Seond Report',reporttype:'Type 2'}]";
Well, you cannot do that. NameValuePair takes in String arguments in the constructor. It makes sense as it is used for HTTP POST.
What you can do is come up with a way to serialize the Report object into String and send this string as a string parameter. One way of doing this maybe is to delimit the parameters of the Report class.
reports=reportName1|reportName2|reportName3
Assuming reports is your ArrayList,
String reportsStr = "";
for(int i = 0; i < reports.size(); i++) {
reportStr += reportName;
if(i != reports.size() - 1) {
reportsStr += "|";
}
}
NameValuePair nvPair = new NameValuePair("reports", reportsStr);