How to make jboss accept %2F encoded slash in URL path - java

URL:http://localhost:8080/admin/users/8VHlQMoMAeGAfwADT%2FtM2Q%3D%3D
When I try to hit the above URL using Advanced REST Client, I am getting 400: Bad Request.
I need special characters to be passed in the URL path via URL encoding only, but %2F is not being accepted. How do I enable JBoss to accept an encoded slash in the URL? Kindly help.

First of all, you have to know that JBoss by default does not allow escaped slashes in paths, for security reasons.
However, you can set the following system property to true:
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH

Related

Request returning 400 bad request in Tomcat 8

I have a Java Web application deployed in tomcat.
I receive a 400 Bad Request from Tomcat 8 if my URL is like this:
https://<serverurl>?cmisSelector=object&objectId=TyNGT0wjJSMwMDAjMDAjIyMj&filter=cmis:createdBy,a:b:ab,a:b:abc&renditionFilter=cmis:thumbnail,application/pdf,image/bmp,image/gif,image/jpeg,image/png
Which is encoded as
https%3A%2F%2F%3Cserverurl%3E%3FcmisSelector%3Dobject%26objectId%3DTyNGT0wjJSMwMDAjMDAjIyMj%26filter%3Dcmis%3AcreatedBy%2Ca%3Ab%3Aab%2Ca%3Ab%3Aabc%26renditionFilter%3Dcmis%3Athumbnail%2Capplication%2Fpdf%2Cimage%2Fbmp%2Cimage%2Fgif%2Cimage%2Fjpeg%2Cimage%2Fpng
But if I remove the a:b:ab,a:b:abc and renditionFilter=cmis:thumbnail,application/pdf,image/bmp,image/gif,image/jpeg,image/png from the URL, then it works; this URL is formed like below:
https://<serverurl>?cmisSelector=object&objectId=TyNGT0wjJSMwMDAjMDAjIyMj&filter=cmis:createdBy
It seems to be some URL encoding issue, but I am not able to find out the exact issue.
By default Tomcat returns an HTTP Bad Request (400) if the URL contains an encoded forward slash / (%2F) or an encoded backslash \ (%5C). This is done as a security measure.
You can disable that feature and allow those characters by setting the following system properties (for instance in catalina.properties or in CATALINA_OPTS):
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
# You may not need this one, as you only have forward slashes
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

How do I set the charset portion of the Content-Type HTTP Header on an IBM HTTPD Server?

I have an application which is a set of Java Web Services and some static content (HTML, XML, JavaScript, etc.). I know that JavaScript has a limited character encoding that is possible, but HTML and XML can use various character encodings. I happen to know that all of these files are UTF-8 encoded. The WebSphere application server that I am using properly sets the Content-Type to 'text/html; charset=utf-8' for the HTML, but not for JavaScript or XML. They get the Content-Type header set to 'application/javascript' and 'text/xml' respectively. My security folks are telling me that not specifying the charset for the XML files is a vulnerability. Remember these are static files.
On an IBM HTTPD web server (in front of the WebSphere application server) is there a directive that I can use to add the character encoding to the content type of 'text' types? On WebSphere is there a directive I can use to set the default character encoding for text types? I assume that after I "fix" this for the XML files that I will then be asked to fix it for CSS files, JavaScript files, etc. I would rather fix it once and be done.
If this question has been asked before, please provide the URL. I did find this question, but it is not the same. I am looking into the feasibility of this answer, but there are many folders and I would rather not have to remember to add a .htaccess file with this directive to each one.
You can just append AddDefaultCharset utf-8 to httpd.conf and everything will go out with that charset appended to it, even content generated by the application server. .htaccess is not necessary and not useful for appserver content.
If you find you need to blacklist context roots, extensions, or anything else, use <LocationMatch> with AddDefaultCharset off.
Unfortunately Header edit Content-Type... will not work in IBM HTTP Server prior to V9. In V9 this allows you to easily cherry-pick the current Content-Type:
Header always edit Content-Type ^(text/html)$ "$1 ; charset=utf8"
Header always edit Content-Type ^(application/javascript)$ "$1 ; charset=utf8"
Just as covener described:
Add the following lines into the conf/httpd.conf file:
AddDefaultCharset utf-8
AddCharset utf-8 .html .js .css
<Location />
Header always edit Content-Type ^(text/html)$ "$1; charset=utf8"
Header always edit Content-Type ^(application/javascript)$ "$1; charset=utf8"
RewriteRule ^(.*)$ $1 [R=200,L]
</Location>
and it should work.

url path parameter with % sign

I am using org.glassfish.jersey.server.ApplicationHandler and need to capture the URL path.
URL: video/Id19%2Fabc%3D/title?sub=CDA
I have tried the following to capture it, but this doesn't capture the % sign.
@Path("/video/{Id:.*}/title/")
Is this what you're looking for?
https://regex101.com/r/qYs7gQ/3
Regex: video\/Id(?<ID>.*)\/title
I found a way to handle the URL-encoded request. It is handled at the application server level, and in my case that is Apache Tomcat. So all I need to do is set
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true in the catalina.properties file.
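Both this question and the first one on this page run into the same thing: an identifier in standard base64 ("8VHlQMoMAeGAfwADT/tM2Q==", "Id19/abc=") contains '/' and '=', so it can only sit in a path segment as %2F and %3D, which the container rejects by default. The added example below (not code from any of the posts, from Jersey or from Tomcat) shows the alternative that avoids relaxing ALLOW_ENCODED_SLASH at all: emit identifiers in the URL-safe base64 alphabet of RFC 4648 section 5 without padding, which contains only RFC 3986 unreserved characters. The 16-byte sample value is constructed from the first question's ID; the class and method names are mine.

```java
import java.util.Arrays;
import java.util.Base64;

// Added example: URL-safe identifiers so that no %2F / %3D ever needs to
// appear in a path segment. Only java.util.Base64 (Java 8+) is used.
public final class UrlSafeIds {

    // RFC 3986 "unreserved": ALPHA / DIGIT / "-" / "." / "_" / "~".
    // These are the characters that never need percent-encoding in a path.
    static boolean isUnreserved(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
            || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
    }

    /** True if the string can be placed in a path segment without any percent-encoding. */
    public static boolean isPathSegmentSafe(String s) {
        for (int i = 0; i < s.length(); i++) {
            if (!isUnreserved(s.charAt(i))) return false;
        }
        return true;
    }

    /** Standard base64, as most ID/crypto code produces it: may contain '/', '+' and '='. */
    public static String toStandardId(byte[] raw) {
        return Base64.getEncoder().encodeToString(raw);
    }

    /** URL-safe base64 without padding: '-' and '_' replace '+' and '/', no trailing '='. */
    public static String toUrlSafeId(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Inverse of toUrlSafeId. The JDK decoder accepts input with the padding omitted. */
    public static byte[] fromUrlSafeId(String id) {
        return Base64.getUrlDecoder().decode(id);
    }

    /** Convert an ID a client already holds in standard base64 form to the URL-safe form. */
    public static String standardToUrlSafe(String standardId) {
        return toUrlSafeId(Base64.getDecoder().decode(standardId));
    }

    public static void main(String[] args) {
        // Constructed sample: the bytes behind the ID in the first question on this page.
        byte[] raw = Base64.getDecoder().decode("8VHlQMoMAeGAfwADT/tM2Q==");

        String standard = toStandardId(raw);
        String urlSafe = toUrlSafeId(raw);

        System.out.println("standard: " + standard + "  safe in path = " + isPathSegmentSafe(standard));
        System.out.println("url-safe: " + urlSafe + "  safe in path = " + isPathSegmentSafe(urlSafe));
        System.out.println("round trip ok: " + Arrays.equals(raw, fromUrlSafeId(urlSafe)));
        System.out.println("converted: " + standardToUrlSafe("8VHlQMoMAeGAfwADT/tM2Q=="));
    }
}
```

With identifiers in this form a plain @Path("/video/{id}/title") template matches them as one segment, and the container's default handling of encoded slashes can stay as it is.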

How to change Target URL

I have developed an application which contacts a Sun ONE Web Server. The web server has Lotus Domino and a SiteMinder plugin.
Below is the URL for the application:
http://HostName.example.com
After hitting the URL in the browser, the request is redirected to the web server and a login page appears with the URL below.
http://HostName.example.com:9898/SiteMinderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-1716e557-15f3-100f-b9a4-835cc8200cb3&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$sHjbzl4f9R%2bcSa0%2fEgnu6oUQQPMQnUgkU6Zvx5zWZpQ%3d&TARGET=$SM$http%3a%2f%2fshivalik%2ered%2eiplanet%2ecom%3a9898%2fvalidation%2findex%2ehtml
After logging into the application, the request is redirected using the TARGET parameter (the URL is decoded in the application). Now the login does not work if I block HTTP requests. As the TARGET parameter is an HTTP request, I am unable to log into the application.
Is there any way I can change the TARGET parameter to HTTPS? Can I know in which file I can change it in the web server? The Sun ONE Web Server runs on Solaris. I have tried hard to find the solution, as I think the URL is appended with query strings like SMAGENTNAME, SMAUTHREASON and TARGET in the servlet of the Domino.
The TARGET parameter is populated with the URL originally presented by the user - i.e. in your example http://HostName.example.com will result in the TARGET query string parameter containing the same URL plus the other parameters generated by the SiteMinder agent.
Possible solutions in your case could be to hardcode the TARGET by putting something like the following on the top of login.fcc:
@TARGET=https://hostname.example.com/
That would cause the FCC to ignore the query string parameter that is POSTed and hardcode it instead.
Alternatively, if you need to preserve the path component of the URL (e.g. http://hostname.example.com/path/to/file.html) you could add some JavaScript to the FCC page. The standard implementation populates TARGET into an element, so you could use JavaScript to parse the value and replace http:// with https:// if required. Make sure that your Agent Configuration has single and double quotes in BadFormChars (BadFormChars=%22,%27) to prevent XSS attacks.
There is also an Agent Config parameter HttpsPort that you can use to "trick" SiteMinder into thinking you're serving HTTPS traffic out of port 80 but you will have to test for any unintended side effects.
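The scheme rewrite the answer describes is a redirect-target rewrite, so the value should be validated as untrusted input while it is being changed, not just string-replaced. The added example below (mine, not from the post, from SiteMinder or from the FCC) shows that logic as a standalone Java helper: it strips the "$SM$" prefix SiteMinder adds, accepts only absolute http/https URLs whose host is on an allow list, and rebuilds the value as https without any explicit port. It assumes the TARGET value has already been URL-decoded, as the question says it is in the application; the allow-list host, class and method names are constructed for the example, and the same checks would apply if done in JavaScript on the FCC page instead.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example: upgrade a SiteMinder TARGET to https while treating it as an
// untrusted redirect destination. Returns null for anything that must not be used.
public final class TargetUpgrader {

    // Hypothetical allow list; a deployment would list the hosts it actually serves.
    private static final Set<String> ALLOWED_HOSTS = Set.of("hostname.example.com");

    /** Returns "https://host/path?query" for an acceptable TARGET, otherwise null. */
    public static String upgradeTarget(String target) {
        if (target == null || target.isEmpty()) return null;

        // SiteMinder prefixes the decoded value with "$SM$"; drop it before parsing.
        String value = target.startsWith("$SM$") ? target.substring(4) : target;

        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return null;                                  // not a parseable URL
        }

        // Only absolute http/https URLs are rewritten; other schemes and
        // relative or scheme-less values are rejected outright.
        String scheme = uri.getScheme();
        if (scheme == null) return null;
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return null;

        // The host must be one we serve, or the login would become an open redirect.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;

        // Rebuild from the raw (still percent-encoded) parts so nothing is
        // decoded or double-encoded; user info, port and fragment are dropped.
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) path = "/";
        String query = uri.getRawQuery();
        return "https://" + host.toLowerCase(Locale.ROOT) + path + (query == null ? "" : "?" + query);
    }

    public static void main(String[] args) {
        String[] samples = {                                                    // constructed inputs
            "$SM$http://hostname.example.com/path/to/file.html?x=1",
            "http://hostname.example.com:9898/validation/index.html",
            "https://hostname.example.com/already/https",
            "http://other.example.net/",                                        // host not allowed
            "ftp://hostname.example.com/file",                                  // scheme not allowed
            "/relative/path"                                                    // no scheme or host
        };
        for (String s : samples) {
            System.out.println(s + " -> " + upgradeTarget(s));
        }
    }
}
```

Dropping the port is what makes the "trick SiteMinder with HttpsPort" question moot for the rewritten value: the agent's original http://host:9898 target becomes https://host on the default HTTPS port, which is where the question wants the post-login request to land.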

Unescaping / decoding an email address set in a cookie

I've stored an email address in a cookie, and I'm sending it to a JSP file on Google App Engine to be verified. The @ is coming through as %40. I need to get it back to an @, and convert any other special chars that might have been encoded. Are there classes available through App Engine that deal with this conversion?
Look at URLDecoder and URLEncoder:
http://download.oracle.com/javase/6/docs/api/java/net/URLDecoder.html
Looking at the JRE whitelist they are both fine to use.
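As an added example (mine, not from the post or from App Engine) of using the URLDecoder and URLEncoder classes the answer points to, the block below stores an email address in a cookie value and reads it back, with the one caveat that matters for email addresses: URLDecoder follows form-encoding rules and turns a literal '+' into a space, so a local part such as "first+tag" survives only if the value was written with URLEncoder (which emits %2B), not by something that escaped just the '@'. The decoder therefore rejects anything that no longer has the shape of an address. It assumes Java 10+ for the Charset overloads; the class, method names and sample address are constructed.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example: round-tripping an email address through a cookie value with
// java.net.URLEncoder / URLDecoder, and detecting a value that lost its '+'.
public final class CookieEmail {

    // Deliberately loose shape check: exactly one '@', no whitespace, text on each side.
    private static final Pattern EMAIL_SHAPE = Pattern.compile("^[^\\s@]+@[^\\s@]+$");

    /** Value to store in the cookie: every reserved character percent-encoded ('@' -> %40, '+' -> %2B). */
    public static String encodeForCookie(String email) {
        return URLEncoder.encode(email, StandardCharsets.UTF_8);
    }

    /**
     * Decodes the cookie value. Returns null instead of an address that was
     * malformed or lost structure in transit (e.g. a raw '+' decoded as a space).
     */
    public static String decodeFromCookie(String cookieValue) {
        if (cookieValue == null) return null;
        String decoded;
        try {
            decoded = URLDecoder.decode(cookieValue, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;                       // malformed escape such as a trailing "%4"
        }
        return EMAIL_SHAPE.matcher(decoded).matches() ? decoded : null;
    }

    public static void main(String[] args) {
        String email = "first+tag@example.com";            // constructed sample address
        String stored = encodeForCookie(email);
        System.out.println("stored : " + stored);
        System.out.println("decoded: " + decodeFromCookie(stored));

        // A value produced by an encoder that escaped only '@' keeps the raw '+';
        // URLDecoder reads that '+' as a space and the shape check rejects the result.
        System.out.println("naive  : " + decodeFromCookie("first+tag%40example.com"));

        // A truncated escape sequence is rejected rather than thrown to the caller.
        System.out.println("broken : " + decodeFromCookie("user%4"));
    }
}
```

If the cookie is written by browser-side code rather than by URLEncoder, use encodeURIComponent there, which also emits %2B for '+', so the two sides agree.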
