I'm new to Java Spring security. I've been able to successfully add some HTTP headers and deploy them via the code I have below.
Once the basic HTTP headers were working, I also added headers for Strict-Transport-Security. It seems to work locally however, once deployed, the value gets overridden.
I've talked to some of our architects and they don't believe that there is anything sitting between this Java app and the browser which might be overwriting/replacing the values. They think it might be something in Spring that is fighting with the code I have here.
Curious if anyone has experience with this and could offer some advice.
I've include some screenshots of what Chrome is showing me for headers.
#Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
response.setHeader("Content-Security-Policy",
"default-src https: http: 'unsafe-inline' 'unsafe-eval'; " +
"script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
"object-src 'none'; " +
"base-uri 'self'; " +
"frame-ancestors 'self'; " +
"form-action https: http: 'self'; "
);
response.setHeader("Strict-Transport-Security",
"max-age=0; " +
"Cache-Control: no-cache, no-store, must-revalidate, private; " +
"Pragma: no-cache; " +
"Expires: 0; " +
"includeSubDomains"
);
response.setHeader("Upgrade-Insecure-Requests", "1");
response.setHeader("X-Frame-Options", "DENY");
response.setHeader("X-XSS-Protection", "1; mode=block");
response.setHeader("Referrer-Policy", "no-referrer-when-downgrade");
super.postHandle(request, response, handler, modelAndView);
}
}```
[![local deployed changes][1]][1]
[![server deployed changes][2]][2]
[1]: https://i.stack.imgur.com/3LGEd.png
[2]: https://i.stack.imgur.com/8NAMn.png
Related
When doing calls to Exact-on-line API to get authenticated we run into the problem that getting the first refresh-token fails. We're not sure why. This is what we get back from Exact:
Http code: 400
JSON Data:
{
error='invalid_request',
description='Handle could not be extracted',
uri='null',
state='null',
scope='null',
redirectUri='null',
responseStatus=400,
parameters={}
}
We use this Java code based on library org.apache.oltu.oauth2.client (1.0.2):
OAuthClientRequest oAuthRequest = OAuthClientRequest //
.tokenLocation(BASE_URL + "/api/oauth2/token") //
.setGrantType(GrantType.AUTHORIZATION_CODE) //
.setClientId(clientId) //
.setClientSecret(clientSecret) //
.setRedirectURI(REDIRECT_URI) //
.setCode(code) //
.buildBodyMessage();
OAuthClient client = new OAuthClient(new URLConnectionClient());
OAuthJSONAccessTokenResponse oauthResponse = client.accessToken(oAuthRequest, OAuth.HttpMethod.POST);
We did do the first step (getting the 'code' as used in setCode(...)) using a localhost-redirect as displayed in https://support.exactonline.com/community/s/knowledge-base#All-All-DNO-Content-gettingstarted There we copy the code from the address-bar of our browser and store it in a place the next computer-step can read it again.
This is due to the fact that the code was copied from your browsers address-bar. There you will find a URL-encoded version of the code (visible in the '%21' often) which when passed into the setCode verbatim will fail the subsequent calls.
Suggestion: URL-decode the value or setup a small temporary localhost-HTTP-server using Undertow or the like to catch the code that was send to you localhost-URL:
Undertow server = Undertow.builder() //
.addHttpListener(7891, "localhost") //
.setHandler(new HttpHandler() {
#Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
String code = exchange.getQueryParameters().get("code").getFirst();
LOG.info("Recieved code: {}.", code);
LOG.info("Store code");
storeCode(code);
LOG.info("Code stored");
exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
exchange.getResponseSender().send( //
"Thanks for getting me the code: " + code + "\n" //
+ "Will store it for you and get the first refreshToken..." //
+ "Please have a look at " + OAUTH_STATE_INI
+ " for the new code & refreshToken in a minute" //
);
done.add("done");
}
}).build();
server.start();
NB: Do make sure the redirect URL is correct in your Exact-app-settings
I have built a Soap String message without the http header on top.
Is there any spring or Java EE technology that can be used to send the message to a soap server?
I want to have the ability to write to the logs what is sent exactly but also hiding sensitive data in the soap request such as passwords (when it is printed to the logs).
public class SoapRequestTest {
#Test
public void createHttp() throws IOException {
String soapRequest = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
"<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
" <soap:Body>\n" +
" <Divide xmlns=\"http://tempuri.org/\">\n" +
" <intA>int</intA>\n" +
" <intB>int</intB>\n" +
" </Divide>\n" +
" </soap:Body>\n" +
"</soap:Envelope>";
}
}
Now this soap message I want to use when calling the Divide method in http://www.dneonline.com/calculator.asmx?wsdl
I am working on a crawler and I have the following question: it works with simple HTTP requests, but not HTTPS, and I need to make an HTTPS request. I changed the port to 443 and try to send the same request, but I get 400 error. Obviously, I need to change something else, but I do not know what. I open socket and this is how I make the request:
String request
= "GET " + file
+ (file.endsWith("robots.txt") ? " HTTP/1.0\r\n" : " HTTP/1.1\r\n")
// " HTTP/1.1\r\n"
+ "User-Agent: " + CrawlerConfig.USER_AGENT + "\r\n"
// + ((!CrawlerConfig.SAVE_IMAGES) ? "Accept: text/html\r\n" : "")
// + "Accept: text/*\r\n"
+ (file.endsWith("robots.txt") ? "Connection: close\r\n" : "")
+ "Host: " + host + "\r\n" + "\r\n"/*
* + body
*/;
outStream.write(request.getBytes("US-ASCII"));
outStream.flush();
Try to send an OPTIONS request on the resource, needed request headers should be returned, some may be missing.
I have a code on selenium to test a form. But first i go to another page and then redirect to the my page. When i set cookies to new domain , i got error :
Exception in thread "main" org.openqa.selenium.InvalidCookieDomainException: You may only set cookies for the current domain
My Code :
//it is going to example.com and example redirect me to the "example.com" all cookie domains is "example.com"
driver.get("http://www.example.com?id=1");
Set<Cookie> cookies = driver.manage().getCookies();
Iterator<Cookie> itr = cookies.iterator();
while (itr.hasNext()){
Cookie c = itr.next();
System.out.println("Cookie Name: " + c.getName() + " --- " + "Cookie Domain: " + c.getDomain() + " --- " + "Cookie Value: " + c.getValue());
driver.manage().addCookie(c);
}
How can i manage that ? I have to get/set cookies for example.com
Like mentioned in previous answer this is expected behavior.
The only work around to date is to driver.get("domain.com/404") page. But this doesn't always work due to SSO often protects domain.com/*
I have made a new feature request on the spec: https://github.com/w3c/webdriver/issues/1238
to make it so the 404 work-around can always work.
The webdriver spec
https://w3c.github.io/webdriver/webdriver-spec.html#add-cookie forces
the current browser session to be on the domain where you are adding
the cookie to.
This makes tons of sense and I agree with it.
This unfortunately prevents 2 key use cases:
You want to re-use cookies from another webdriver session in a new
session to avoid repeating the work it took to get the cookies. Such
as having to repeat a login. Allow a webdriver pool to be shared
amongst unrelated threads where each thread might have their own
cookies. The only current work around is to attempt to force the
webdriver to go to a 404 error page with something like:
webdriver.get("http://the-cookie-domain.com/404adsfasdf"). This would
cause the page to go to domain and would allow you to add cookies with
addCookie. But this hardly ever works. Because the page is very often
protected by SSO, any attempt to go to http://the-cookie-domain.com/*
sends you to an SSO login page e.g. http://login.ssodomain.com and now
you have the same problem.
We should add a new method to the spec webdriver.goTo404Page(domain)
to allow this use-case. This method should simulate a 404 HTTP status
code response from domain in the browser.
Alternatively maybe be a new overload to addCookie could allow this,
for example: void addCookie(Cookie var1, String goTo404PageOfDomain);
By allowing users to go to a fake 404 page of any given domain, this
guarantees the 404-page workaround works for any page and these 2 use
cases are now possible.
For firefox, you can modify Marionette slightly to just remove this check.
diff --git a/testing/marionette/cookie.js b/testing/marionette/cookie.js
--- a/testing/marionette/cookie.js
+++ b/testing/marionette/cookie.js
## -144,14 +144,14 ## cookie.add = function(newCookie, {restri
newCookie.domain = "." + newCookie.domain;
}
- if (restrictToHost) {
- if (!restrictToHost.endsWith(newCookie.domain) &&
- ("." + restrictToHost) !== newCookie.domain &&
- restrictToHost !== newCookie.domain) {
- throw new InvalidCookieDomainError(`Cookies may only be set ` +
- `for the current domain (${restrictToHost})`);
- }
- }
+// if (restrictToHost) {
+// if (!restrictToHost.endsWith(newCookie.domain) &&
+// ("." + restrictToHost) !== newCookie.domain &&
+// restrictToHost !== newCookie.domain) {
+// throw new InvalidCookieDomainError(`Cookies may only be set ` +
+// `for the current domain (${restrictToHost})`);
+// }
+// }
// remove port from domain, if present.
// unfortunately this catches IPv6 addresses by mistake
diff --git a/testing/marionette/driver.js b/testing/marionette/driver.js
--- a/testing/marionette/driver.js
+++ b/testing/marionette/driver.js
## -2638,9 +2638,9 ## GeckoDriver.prototype.addCookie = functi
let {protocol, hostname} = this.currentURL;
const networkSchemes = ["ftp:", "http:", "https:"];
- if (!networkSchemes.includes(protocol)) {
- throw new InvalidCookieDomainError("Document is cookie-averse");
- }
+// if (!networkSchemes.includes(protocol)) {
+// throw new InvalidCookieDomainError("Document is cookie-averse");
+// }
let newCookie = cookie.fromJSON(cmd.parameters.cookie);
diff --git a/testing/marionette/test_cookie.js b/testing/marionette/test_cookie.js
--- a/testing/marionette/test_cookie.js
+++ b/testing/marionette/test_cookie.js
## -190,10 +190,10 ## add_test(function test_add() {
});
equal(2, cookie.manager.cookies.length);
- Assert.throws(() => {
- let biscuit = {name: "name3", value: "value3", domain: "domain3"};
- cookie.add(biscuit, {restrictToHost: "other domain"});
- }, /Cookies may only be set for the current domain/);
+// Assert.throws(() => {
+// let biscuit = {name: "name3", value: "value3", domain: "domain3"};
+// cookie.add(biscuit, {restrictToHost: "other domain"});
+// }, /Cookies may only be set for the current domain/);
cookie.add({
name: "name4",
Why not let the browser be redirected to "example.com" before adding the cookies. Once on that domain, add the cookie values you've taken from "example.com" and the refresh the page?
As per the answer by the team on this issue on the project tracker,
The cookies methods only act on cookies that would be visible as this
is the only thing that can be made to work consistently across all
browsers. The behaviour that you see is the expected behaviour.
Environment
Eclipse Juno Service Release 1
GWT 2.5
Google Chrome with the GWT developer plugin
Running GWT on the Jetty server using 'run application' as Google web application
I am trying to set 2 cookies using gwt using the following code:
if(result.getStatus() == ServerResponse.SUCCESS) {
System.out.println("I will now set cookies: " + result.getMessage() + " and " + Integer.toString(result.getValue().getId()));
Cookies.setCookie("opsession", result.getMessage(), new Date(System.currentTimeMillis() + ClientUser.SESSION_EXPIRY_TIME_IN_MINUTES));
Cookies.setCookie("opuser", Integer.toString(result.getValue().getId()), new Date(System.currentTimeMillis() + ClientUser.SESSION_EXPIRY_TIME_IN_MINUTES));
System.out.println("Cookie set: session: " + Cookies.getCookie("opsession"));
main.checkLoginAndRedirect();
System.out.println("Redirected.");
} else if(result.getStatus() == ServerResponse.FAILURE){
new MessageBox(result.getShortTitle(), result.getMessage()).show();
}
It doesn't seem to work. The println's are there for debugging, and here is the output:
I will now set cookies: 1er1qmaly9ker and 1
Cookie set: session: null
nullnull
Redirected.
ClientUser.SESSION_EXPIRY_TIME_IN_MINUTES is (was an int) a long that returns 20.
Update
Using
if(Cookies.getCookie("opsession") == null) {
System.out.println("opsession: cookie not found at all.");
}
I've confirmed that the cookie is not placed at all, and does not have a 'null' String value.
I've also changed
ClientUser.SESSION_EXPIRY_TIME_IN_MINUTES into a long.
Update
Fiddler confirms that cookie data has been sent:
Response sent 30 bytes of Cookie data: Set-Cookie: JSESSIONID=4kr11hs48gvq;Path=/
But only if I use the longer version of setCookie:
Cookies.setCookie("opuser", Integer.toString(result.getValue().getId()), new Date(System.currentTimeMillis() + ClientUser.SESSION_EXPIRY_TIME_IN_MINUTES), null, "/", false);
If I use the String, String, long variant, fiddler notices no cookie data.
Should be
new Date(System.currentTimeMillis()
+ (ClientUser.SESSION_EXPIRY_TIME_IN_MINUTES * 60000)))
to convert the expiry time to milliseconds.