I configure my error page in web.xml, for example: <error-page><error-code>404</error-code><location>/error.jsp</location></error-page>.
If I put a URL in the browser that does not exist, such as http://localhost:8080/mywebsite/a, it will display the contents of error.jsp. But the URL in the browser is not http://localhost:8080/mywebsite/error.jsp, it is still http://localhost:8080/mywebsite/a. Why? And what should I do to make the URL be error.jsp?
I ask this because I scanned this URL using IBM AppScan, and it says the response status is 200 OK.
There is no point in rewriting the URL to show the user that he/she has hit the error page. In fact it may expose the structure of your application, which may be harmful if you are not too careful.
http://yourhost/something/invalid/url is not much help to any malicious user.
But
http://yourhost/pages/errorPages/404Page.jsp
exposes a lot of critical information to the user about the structure of your web-application.
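As an added example (this editor's, not code from the question or the answer above), here is the error-page location implemented as a servlet instead of a JSP. The container reaches it by an internal forward, so the address bar keeps showing /mywebsite/a; the servlet reads the standard error attributes the container sets on that forward, keeps the original 404 on the wire instead of answering 200, and puts neither the requested path nor any internal file name into the page. The web.xml fragment and class name are assumptions; the only requirement is a javax Servlet 2.5+ container.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * web.xml (replacing the /error.jsp location from the question):
 *
 *   <error-page>
 *     <error-code>404</error-code>
 *     <location>/error</location>
 *   </error-page>
 *   <servlet>
 *     <servlet-name>error</servlet-name>
 *     <servlet-class>ErrorServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>error</servlet-name>
 *     <url-pattern>/error</url-pattern>
 *   </servlet-mapping>
 *
 * The container hands the failed request to this servlet with an internal
 * forward: one round trip, the browser still shows /mywebsite/a, and nothing
 * in the response reveals where error pages live inside the application.
 */
public class ErrorServlet extends HttpServlet {

    // The forward carries whatever method the original request used
    // (GET, POST, HEAD...), so handle all of them in service().
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Attributes the container sets on an error forward (Servlet spec,
        // "Error Handling"). They are absent if /error is requested directly.
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        String requestedUri = (String) req.getAttribute("javax.servlet.error.request_uri");
        Throwable cause = (Throwable) req.getAttribute("javax.servlet.error.exception");

        if (status == null) {
            // Direct hit on /error: do not let it answer 200 as if it were content.
            status = HttpServletResponse.SC_NOT_FOUND;
        }

        // Keep the real status code. A scanner, a browser and a search engine
        // must all see 404 here, not 200 with an apologetic body.
        resp.setStatus(status);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");

        // Detail goes to the server log only; the client gets a generic page.
        log("error " + status + " for " + requestedUri
                + (cause != null ? " cause=" + cause : ""));

        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Error " + status + "</title></head><body>");
        out.println("<h1>Error " + status + "</h1>");
        out.println("<p>The page you requested is not available.</p>");
        // Deliberately not echoing requestedUri (attacker-controlled, XSS if
        // written unescaped) or the stack trace (internal structure).
        out.println("</body></html>");
    }
}
```

Check what the client really gets with curl -i http://localhost:8080/mywebsite/a: the status line should read HTTP/1.1 404 followed by the generic body. With a plain forward the container keeps the 404 it started with, so if a scanner still reports 200, look for something in the error page itself, or in a filter in front of it, calling response.setStatus(200) or response.reset(), or for a sendRedirect to the error page, which produces a fresh request that answers 200 unless the error page sets the status itself.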
I am trying to update an app that I wrote for Android that will automatically log a user into a captive portal at my university. The app worked fine last year with the portal URL hard-coded in; however, this year that won't work because they changed the server URL. I know what the URL is, so I simply changed it in my program, which sort of works.
There are two main problems, for me, with this approach.
1. Hard-coding is a pain in the ass to do every year. I also want to be able to make it future-proof, so that hard-coding the URL won't be necessary.
2. For some unexplainable reason there are actually buildings on campus that will direct to the OLD authentication server; it truly boggles my mind why it would do that.
I would like to be able to make an HTTP request and get the URL of the captive portal that is redirected to. How is that done?
Captive portals generally will intercept users' HTTP requests and issue a "fake" redirect to the portal's authentication page. Or they can simply replace the actual response with the login page.
If yours is a redirect-to-login, then simply do something like trying to load http://google.com, which can reasonably be expected to be truly available for at least the next few years. If the response comes in as a redirect to some totally different site, the redirect URL is highly likely to be the portal's login page.
If it's a replace-the-response-with-login, then you should try to contact a known page with some known content, and see what you get back. If the response you got doesn't match what you should have gotten, then you've gotten the login page and can try tearing apart the response and finding the login form via DOM operations.
Captive portals use 2 methods.
1. HTTP redirect, as described above, so the gateway takes you to another address.
2. ICMP: sending a "better route" message.
Still, from my experience, in cases where a non-simple redirect happens the approach of expecting the redirect won't work.
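Both answers above describe the same probe: request a page whose content you know, then look either for a redirect off-host or for a body that is not the one expected. As an added example (this editor's code, not the answerers' and not the asker's app), here is that probe with plain java.net classes, which run unchanged on Android. The probe URL, the expected fragment and the timeout are assumptions; the form-action regex is a deliberately naive stand-in for the "DOM operations" step.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Probes a known plain-HTTP URL and decides whether a captive portal is in
 * the way, covering both behaviours: a redirect to the portal, or the portal's
 * login page substituted for the real body.
 */
public final class CaptivePortalProbe {

    /** What one probe concluded. */
    public static final class Result {
        public final boolean portalDetected;
        public final String portalUrl;   // best guess, may be null
        public final String how;         // "redirect", "replaced" or "none"
        Result(boolean d, String u, String h) { portalDetected = d; portalUrl = u; how = h; }
        @Override public String toString() { return how + " -> " + portalUrl; }
    }

    // Probe page with a fixed, known body (assumed values). Plain HTTP on
    // purpose: a portal cannot rewrite an HTTPS response without a
    // certificate error, so an HTTPS probe would only ever fail.
    static final String PROBE_URL = "http://example.com/";
    static final String EXPECTED_FRAGMENT = "<title>Example Domain</title>";
    static final int TIMEOUT_MS = 5000;

    // Naive: the action of the first <form> in the page. Enough to locate
    // the login form; use a real HTML parser for anything more.
    private static final Pattern FORM_ACTION = Pattern.compile(
            "<form[^>]*\\baction\\s*=\\s*[\"']([^\"']+)[\"']", Pattern.CASE_INSENSITIVE);

    public static Result probe() throws Exception {
        URL url = new URL(PROBE_URL);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false);   // we want to SEE the redirect
        conn.setUseCaches(false);
        conn.setConnectTimeout(TIMEOUT_MS);
        conn.setReadTimeout(TIMEOUT_MS);
        conn.setRequestProperty("User-Agent", "CaptivePortalProbe/1");
        try {
            int code = conn.getResponseCode();
            if (code >= 300 && code < 400) {
                String location = conn.getHeaderField("Location");
                if (location == null) return new Result(true, null, "redirect");
                // Location may be relative; resolve it against the probe URL.
                URL target = new URL(url, location);
                // A redirect that stays on the probe host (http -> https,
                // trailing slash) is the site's own doing, not a portal.
                boolean sameHost = target.getHost().equalsIgnoreCase(url.getHost());
                return sameHost ? new Result(false, null, "none")
                                : new Result(true, target.toString(), "redirect");
            }
            String body = readBody(conn);
            if (code == 200 && body.contains(EXPECTED_FRAGMENT)) {
                return new Result(false, null, "none");
            }
            // Wrong body: something answered in place of the real server.
            return new Result(true, findLoginForm(body, url), "replaced");
        } finally {
            conn.disconnect();
        }
    }

    /** Absolute URL of the first form's action in a substituted page, or null. */
    static String findLoginForm(String html, URL base) throws Exception {
        Matcher m = FORM_ACTION.matcher(html);
        if (!m.find()) return null;
        return new URL(base, m.group(1)).toString();
    }

    private static String readBody(HttpURLConnection conn) throws Exception {
        InputStream in = conn.getResponseCode() >= 400
                ? conn.getErrorStream() : conn.getInputStream();
        if (in == null) return "";
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) > 0) buf.write(chunk, 0, n);
        in.close();
        return buf.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception {
        System.out.println(probe());
    }
}
```

On Android, run probe() off the main thread or it throws NetworkOnMainThreadException. More importantly, the probe tells you where the portal is, not whose portal it is: any access point on the way, including a rogue one, can answer exactly like the university gateway. Before posting credentials, compare the host of the returned URL against an allow-list of the portal hosts you trust; that list is also the natural place to put both the new server and the old one the asker still sees in some buildings, instead of sending the password to whatever answered.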
I have a web app which uses Spring Security basic authentication.
So now if I hit the URL, the server sends a 401 and my browser shows the username/password popup.
Everything is fine.
But now I want a user to be able to log in and change the access to anonymous, i.e.
if a user now hits the URL he/she will directly be able to see the content without a 401 or a redirect.
How do I do that, since the XML is hardcoded?
Not sure if I got it right, but what you want can be done by separating your "dynamic part" into some URL subtree (e.g. "/dynamic/**") and permitting everyone to access this part with a single filter rule.
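An added example of the split the answer proposes (this editor's configuration, not the answerer's), written with Spring Security's Java configuration rather than the XML the asker has. It assumes a Spring Security version in which WebSecurityConfigurerAdapter is available (4.x or 5.x) and that everything meant to be public really lives under /dynamic/**.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated top-down and the first match wins, so
                // the public subtree must be listed before the catch-all.
                .antMatchers("/dynamic/**").permitAll()
                // Everything else still gets the 401 + Basic challenge.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

Verify the split instead of assuming it: curl -i http://localhost:8080/dynamic/x should answer without a WWW-Authenticate header, and curl -i http://localhost:8080/anything-else should answer 401 with one. Keep anyRequest() last; written above the antMatchers line it either shadows the permitAll rule or, in newer versions, is rejected at startup. And be strict about what goes under /dynamic/**: a permitAll pattern is only as safe as the content that sits beneath it.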
How can I prevent a user from accessing my app at myproject.appspot.com and force them to access it at myproject.com? I already have myproject.com working, but I don't want users to be able to access the myproject.appspot.com domain. I'm using Java Servlet/ServletFilter with 301 redirection.
Please guide me.
Check the HTTP referrer header and act accordingly.
If it's on the right domain, serve normally; if not, redirect.
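An added example (this editor's, not the answerer's code): a servlet filter that sends the 301 the asker mentions. It keys on the host the request was actually addressed to, request.getServerName(), which the container derives from the Host header, because that is what the client typed and what routing used; the Referer header is optional, describes the previous page rather than this request, and is trivially forged by a client, so it cannot tell you which domain the app was reached on. Assumptions: the canonical origin is https://www.myproject.com, the app runs on a javax Servlet container (App Engine's Java runtime qualifies), and platform traffic arrives under /_ah/.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects anything that arrived on a non-canonical host (myproject.appspot.com,
 * a bare IP, a stale alias) to the same path and query on the canonical host.
 *
 * web.xml:
 *   <filter>
 *     <filter-name>canonicalHost</filter-name>
 *     <filter-class>CanonicalHostFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>canonicalHost</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class CanonicalHostFilter implements Filter {

    // Assumed canonical origin; read it from a filter init-param in real code.
    static final String CANONICAL_HOST = "www.myproject.com";
    static final String CANONICAL_ORIGIN = "https://" + CANONICAL_HOST;

    // Paths the platform itself calls (warmup, login, ...). App Engine
    // addresses cron and task-queue requests to the appspot.com host and
    // treats anything but a 2xx as a failure, so add your cron and task
    // handler paths to this list as well.
    static final String[] EXEMPT_PREFIXES = { "/_ah/" };

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String host = request.getServerName();  // from the Host header
        String path = request.getRequestURI();  // includes the context path

        if (host.equalsIgnoreCase(CANONICAL_HOST) || isExempt(path)) {
            chain.doFilter(req, res);
            return;
        }

        // 301: the host change is permanent, browsers cache it and search
        // engines move their index. A 301 may turn POST into GET; use 308
        // if the app has forms that might be posted to the old host.
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        response.setHeader("Location", buildCanonicalUrl(path, request.getQueryString()));
        response.setHeader("Cache-Control", "max-age=3600");
    }

    static boolean isExempt(String path) {
        for (String p : EXEMPT_PREFIXES) if (path.startsWith(p)) return true;
        return false;
    }

    /** Same path and query (still percent-encoded as received) on the canonical origin. */
    static String buildCanonicalUrl(String path, String query) {
        StringBuilder sb = new StringBuilder(CANONICAL_ORIGIN).append(path);
        if (query != null && !query.isEmpty()) sb.append('?').append(query);
        return sb.toString();
    }
}
```

Test it from outside with curl -i http://myproject.appspot.com/some/page?x=1 and confirm a 301 whose Location is https://www.myproject.com/some/page?x=1, then confirm that the same request against www.myproject.com passes straight through. Because a 301 is cached, get the canonical origin right before deploying; browsers will keep following a wrong one long after you fix the code.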
I am working on a project where I have running servlets packaged in a war that listen for requests and populate a foreign div on a separate page. An initial request is made to servlet (a) and if there is data to display, it renders that HTML. If there is NO data, it passes a query string to another servlet to handle the request and then renders a page with options to choose.
I am running Tomcat 6 with Windows Server 2008.
But I run into two problems:
1. When I use redirect, I get no response from the servlet being redirected to. I have some javascript alerts up that are never called by the (b) servlet. I AM using relative paths and confirm the link is correct in logs. When I copy that link in step 1 in a new window, I see the results. Just not when it's embedded in another page that makes the request. Why would that be? Is it possibly a limitation from the host page and not being able to render the response?
2. When I use a forward, I see the servlet response, but then a new window opens, thus taking the person away from the original page. This would be great if the results render in the same page.
What's the best practice to assure that I can "redirect" from an initial servlet call to another servlet using the response object from that first servlet?
A redirect returns an HTTP 302 response with the new URL in the Location header, which the client needs to deal with. Basically, your JS code must check whether the response status code is 302, then extract the Location header and re-send a new request to it. Repeat this until the response status code is 200.
That it works when pasting the URL in the browser's address bar is because the browser already knows how to deal with 3nn responses properly. If you open up the network traffic tracker in the browser's web developer toolset, then you'll see that a second GET request is fired on the new URL.
Another way, if the servlets run in the same container, is to just use RequestDispatcher#forward() instead of HttpServletResponse#sendRedirect().
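Both hand-offs the answer mentions, as an added example that is this editor's code rather than the asker's servlets: servlet (a) renders data when it has some and otherwise passes the query to servlet (b). The two branches show the one rule that differs between them and that most often produces a "redirect that never answers": the path given to getRequestDispatcher() is relative to the web application, while the path given to sendRedirect() is relative to the server root and must carry the context path. The /options mapping, the id parameter and the lookup() stub are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Servlet (a): renders data if present, otherwise hands off to (b) at /options. */
public class ServletA extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id");
        if (id == null) id = "";
        String data = lookup(id);

        if (data != null) {
            resp.setContentType("text/html;charset=UTF-8");
            resp.getWriter().println("<div>" + escape(data) + "</div>");
            return;
        }

        String query = "id=" + URLEncoder.encode(id, "UTF-8");
        if (!"redirect".equals(req.getParameter("mode"))) {
            // forward: same container, same request, ONE HTTP round trip.
            // Attributes set here are visible to (b); the client never sees
            // (b)'s URL. The path is relative to the web application, so
            // "/options" means /mywebsite/options.
            req.setAttribute("reason", "no-data");
            RequestDispatcher rd = req.getRequestDispatcher("/options?" + query);
            rd.forward(req, resp);
        } else {
            // sendRedirect: 302 + Location, the client makes a NEW request.
            // Nothing set on req survives, and the path is relative to the
            // server root: without getContextPath() the client is sent to
            // /options, which does not exist, and (b) never runs.
            String target = req.getContextPath() + "/options?" + query;
            resp.sendRedirect(resp.encodeRedirectURL(target));
        }
    }

    /** Assumed data source: null means "nothing to show for this id". */
    private String lookup(String id) {
        return id.isEmpty() ? null : "record " + id;
    }

    /** Minimal HTML escaping so looked-up text cannot inject markup. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}

/** Servlet (b), mapped at /options: reachable by either hand-off. */
class ServletB extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id");                 // present in both cases
        Object reason = req.getAttribute("reason");         // only after a forward
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().println("<div>choose an option for "
                + ServletA.escape(id == null ? "" : id)
                + (reason != null ? " (" + reason + ")" : "") + "</div>");
    }
}
```

If the host page loads (a) with XMLHttpRequest, the browser follows the 302 on its own and the script only ever sees the final response, so a handler that "never fires" after a redirect usually means the second request failed, typically a Location missing the context path that answers 404; the browser's network panel shows both requests and settles it in seconds. The forward branch has no second request at all, which is also why it cannot open a new window by itself: if one opens, look at the page's own JavaScript or the form's target attribute rather than the servlet.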
I get the following error from the following piece of code. I am trying to log in to the Google Sites service through a GAE app.
"The page you requested is invalid."
String authenticationUrl = userService.isUserLoggedIn()
? userService.createLogoutURL(MainServlet.MAIN_URL)
: userService.createLoginURL(MainServlet.MAIN_URL+"?close=1");
googleData.setAuthenticationUrl(authenticationUrl);
The complete URL for login:
https://www.google.com/a/example.com/ServiceLogin?service=ah&passive=true&continue=http://myapp.appspot.com/_ah/login?continue=http://myapp.appspot.com/main%3Fclose%3D1&ltmpl=ga&ahname=Myapp+Google+Sites&sig=7cbc9f7c9e6ca443ed49f7ce9465e775
I think that you may have misunderstood the use and purpose of createLoginURL. This method is intended to provide a URL that allows someone to log in to your application and your application alone. It does not provide a means to log in to other Google services such as Sites.
It is possible to have your application log on to and access Sites or any other secured web application, but Google AppEngine does not provide a canned means of doing so. You will need to write the code to do it yourself.
Generally, what will happen is that you will request a URL and the response will have an HTTP status code of 302 with the URL of the login page located in the Location header field. You would then send a request to that page which should come back with a 200 response and somewhere inside the body of the response would be a username and password field that you would need to provide and POST back. If the credentials were valid, the server might then return an authentication cookie which you would pass on each subsequent request.
If you are versed at all in Python, you can see an example of how this works in some code from my AppEngine MVC framework project. Look at this file:
http://code.google.com/p/gae-mvc-engine/source/browse/trunk/MVCTests.py and check out the ActiontestCase.run_action method. It handles making a request to an AppEngine application that requires authentication. It is not yet terribly well commented, and for that I apologize, but I hope that it will provide a useful example, if indeed I have understood the nature of your problem correctly.