I am developing a website with Java for the backend and Angular for frontend. There is a situation when some external websites may send data to my website using POST form. For instance,
▼ General
Request URL: https://myangularwebsite/
Request Method: POST
...
▼ Request Headers
Content-Type: application/x-www-form-urlencoded
Host: myangularwebsite
Origin: https://externalwebsite
Referer: https://externalwebsite/send.form?id=0
...
▼ Form data
ID: 0000000
TIME: 2017.06.04 11:53:58
SIGNATURE: ...geirgmGKFGJWR...
...
Now, I need to capture the form in Angular somehow, send/redirect it to the backend to validate the signature and return the answer back to Angular to proceed working with this website.
I tried posting to my website to test how it might work using Postman, but get Cannot POST /.
I know how to work with GET and URL query parameters in Angular but I think I need to process a POST request based on headers I see with Chrome DevTools 'Network' section when coming from externalwebsite to myangularwebsite.
Should I dedicate a route in the backend and expose it, for example, .../api/external in my backend and tell these websites to use this link instead of directly posting to my Angular website's homepage?
I have already read another question ( How to read form post data in Angular 2 typescript? ) which is somewhat similar but I do not think using PHP is the right way for me as the website I am developing already has an older version written in PHP.
The answer at the link you provided is correct: you cannot do it in just Javascript, you have to use some server-side code. They mention PHP as an example, but any server-side component will do, and as you have Java at your backend, let it be Java.
So, when an HTTP request comes from an external site, you have to use a server-side component to handle it. But there are some options.
If this request is made using your user browser (so it is something like a redirect, but using a POST method), then you can do the following: catch that request at your backend, output some javascript with some data to the user's browser and process that data in your Angular code. Or this could be a redirection to your main Angular entry point, it is up to you.
If this request is made by some other means (for example, this is a server-to-server request made with with curl like a notification from a Credit Card processing), with no browser involved, then you don't need to have any Javascript (Angular or whatever it could be) as they are needed for browser only. In this case you just handle the request at your server-side.
In both cases, it seems plausible to dedicate some special endpoint for handling (or landing) such externally-originated requests.
Related
I am building a web application using Spring framework that requires users to make a payment. When the user posts a form, it redirects to Hp's payment website and processes the payments there before returning to my application. This method however leaves my applications vulnerable to security threats and form manipulations.
I now want to post the form to my server, validate users inputs and if necessary post data to hp's web server. I have already written a java code for posting a form from my code and getting the response back into a file from hp's site but am unable to figure out how to redirect the user to the hp website using the java form post. Can someone please help? I am new to Spring so am open to suggestions that would help me accomplish this task either using this method or another way to do so.
Thanks
Obviously you need to perform the redirect on the server side, not on the client side. Redirection is basically returning HTTP 302 with Location header pointing to new location. When browser receives such response it opens the URL in question rather than rendering the response like it is with 200.
If you can receive and validate your form all you have to do is send the redirect back to the browser. I don't know which web framework do you use. In servlets you simply say:
response.sendRedirect("http://www.example.com/payment/...");
In spring-mvc return the following string from your controller as opposed to a view name:
return "redirect:http://www.example.com/payment/...";
Is there any web language that allows the client itself to create HTTP posts to external sites.
I know that JavaScript does this with XMLHttpRequest, but it does not allow cross-domain posting, unless the recipient domain wants to allow the sending domain.
I want to post data to an external site (that I don't control) and have the request be authenticated with what the client's browser already has (cookies, etc).
Is this possible? I tried cURL but it seems to make a server HTTP post, not a client HTTP post.
Edit:
A bit more insight of what I am trying to do:
I am trying to POST JSON to the website using the user's session (I said cookies but I believe they are PHP sessions, which I guess I still consider cookies).
The website does NOT check the referral (poor security #1)
I can execute javascript and html on the webpage using my personal homepage (poor security #2)
The JSON code will still work even if the content-type is form (poor security #3)
There is no security checking at all, just PHP session checking.
The form idea is wonderful and it works. The probably again is that its JSON. So having sent postdata as foo={"test":"123", "test2":"456"} the whole foo= part messes it up. Plus forms seem to turn JSON into form encoding, so its sending:
foo=%7B%22
test%22%3A+%22
123%22%2C+%22
test2%22%3A+%22
456%22%7D
when i need it to send;
{"test":"123", "test2":"456"}
So with everything known, is there a better chance of sending JSON or not?
I don't think so: You won't get hold of the user's auth cookies on the third party site from server side (because of the Single Origin Policy) and you can't make Ajax requests to the third party site.
The best you can do is probably create a <form> (maybe in an <iframe>), point it to the third party site, populate it with data, and have the user submit it (or auto-submit it). You will not be able to get hold of the request results programmatically (again because of the Single Origin Policy), but maybe it'll do - you can still show the request results to the user.
I think for obvious reasons this is not allowed. If this was allowed what would stop a malicious person from posting form data from a person's browser to any number of sites in some hidden iframe or popup window.
If this is a design of your application you need to rethink what you are trying to accomplish.
EDIT: As #Pekka was pointing out I know you can submit a form to a remote site using typical form submits. I was referring to using some client side ajax solution. Sorry for the confusion.
You should follow the way OpenID and other single-sign-on system works. How openID works is your website POSTs some token to openID service and in return gets authentication result. Refer How Does it Work? section here
Yes, you can use a special flash library that supports cross-domain calls: YUI connection manager
Added: not sure about the cookie authentication issue though...
The client cannot post to an external site directly; it's a breach of basic cross-domain security models. The exception is accessing javascript with JSONP. What you describe would require access to a user's cookies for another website, which is impossible as the browser only allows cookie access within the same domain/path.
You would need to use a server-side proxy to make cross-domain requests, but you still cannot access external cookies: http://jquery-howto.blogspot.com/2009/04/cross-domain-ajax-querying-with-jquery.html
I have small ajax problem related to cross domain as i see it.
On localmachine i created html example with some ajax:
in registration text field user types 'username',
on every keystroke ajax sends it to
local Tomcat, where servlet checks if that username is already used
and sends 'taken' reponse back.
No problem on localhost at all.
As soon as i type used 'username' servlet sends 'taken' response
and browser displays it.
But, when i put test html page with ajax
on remote machine (some free hosting on remote network)
that sends validation request on my localhost Tomcat,
connection is made,
in Tomcat console i see request comming,
and in firebug in Mozzila this is Console ouput:
GET http://89.216.182.25:8080/Dinamicki1/UsernameServlet?username=zik 200 OK
...but in response tab
there is not servlet response 'taken'
and message in firebug is in red color
So servers communicate well, no firewall problems, response is 200 OK
But response body is empty.
Any ideas what this red messages in firebugs are?
Thank you very much in advance.
And if anyone can recommend a some serious ajax tutorial for java
it will be highly appreciated :)
You need to use a domain-relative URL in your Ajax request:
/Dinamicki1/UsernameServlet?username=zik
Or a context-relative URL (assuming that the page is served from /Dinamicki1):
UsernameServlet?username=zik
With regard to "Ajax tutorial for Java", start here: How to use Servlets and Ajax?
You cannot use AJAX to read replies from other domains.
Your HTML must be on the same server (and same domain, port, and protocol) as the AJAX servlet.
The 200 status reported in Firebug does not indicate the validity of the cross-domain ajax call, be it successful or not.
You might want to try using a proxy method to perform the call.
E.g. JavaScript: Use a Web Proxy for Cross-Domain XMLHttpRequest Calls
I figured out how to solve it from this site:
"To allow directory browsing via Apache Tomcat change the parameter "listings" in the file conf/web.xml from false to true."
Call your page not as C:/Documents and Settings/.../page.html but as localhost:8080/your_servlet_name (page is better named index.html).
This way, you will be able to make AJAX requests to localhost:8080/your_servlet_name/something_else.
A solution that worked for me was that I had to add "www" to the url! I was using URL Rewrite, so every URL that I had (image, js, get, load, post), I needed to use full url, but it was missing "www"!
For me, It was web api(c# .NET) request and cors was not enabled.
Added header for cors on controller and it solved the problem.
[EnableCors(origins: "*", headers: "*", methods: "*")]
I get the following error from following piece of code. I am trying to login to Google sites service through GAE apps.
"The page you requested is invalid. "
String authenticationUrl = userService.isUserLoggedIn()
? userService.createLogoutURL(MainServlet.MAIN_URL)
: userService.createLoginURL(MainServlet.MAIN_URL+"?close=1");
googleData.setAuthenticationUrl(authenticationUrl);
The complete url for login
https://www.google.com/a/example.com/ServiceLogin?service=ah&passive=true&continue=http://myapp.appspot.com/_ah/login?continue=http://myapp.appspot.com/main%3Fclose%3D1<mpl=ga&ahname=Myapp+Google+Sites&sig=7cbc9f7c9e6ca443ed49f7ce9465e775
I think that you may have misunderstood the use and purpose of createLoginURL. This method is intended to provide a URL that allows someone to log in to your application and your application alone. It does not provide a means to log in to other Google services such as Sites.
It is possible to have your application log on to and access Sites or any other secured web application, but Google AppEngine does not provide a canned means of doing so. You will need to write the code to do it yourself.
Generally, what will happen is that you will request a URL and the response will have an HTTP status code of 302 with the URL of the login page located in the Location header field. You would then send a request to that page which should come back with a 200 response and somewhere inside the body of the response would be a username and password field that you would need to provide and POST back. If the credentials were valid, the server might then return an authentication cookie which you would pass on each subsequent request.
If you are versed at all in Python, you can see an example of how this works in some code from my AppEngine MVC framework project. Look at this file:
http://code.google.com/p/gae-mvc-engine/source/browse/trunk/MVCTests.py and check out the ActiontestCase.run_action method. It handles making a request to an AppEngine application that requires authentication. It is not yet terribly-well commented -- and for that I aplogize -- but I hope that it will provide a useful example. If, indeed, I have understood the nature of your problem correctly.
This problem relates to the Restlet framework and Java
When a client wants to discover the resources available on a server - they must send an HTTP request with OPTIONS as the request type. This is fine I guess for non human readable clients - i.e. in code rather than a browser.
The problem I see here is - browsers (human readable) using GET, will NOT be able to quickly discover the resources available to them and find out some extra help documentation etc - because they do not use OPTIONS as a request type.
Is there a way to make a browser send an OPTIONS/GET request so the server can fire back formatted XML to the client (as this is what happens in Restlet - i.e. the server response is to send all information back as XML), and display this in the browser?
Or have I got my thinking all wrong - i.e. the point of OPTIONS is that is meant to be used inside a client's code and not meant to be read via a browser.
Use the TunnelService (which by default is already enabled) and simply add the method=OPTIONS query parameter to your URL.
(The Restlet FAQ Q19 is a similar question.)
I think OPTIONS is not designed to be 'user-visible'.
How would you dispatch an OPTIONS request from the browser ? (note that the form element only allows GET and POST).
You could send it using XmlHttpRequest and then get back XML in your Javascript callback and render it appropriately. But I'm not convinced this is something that your user should really know about!