I'm following this blog post. But I'm getting a 403 error in AEM 6.1.
I do not want to change in 'Apache Sling Referrer Filter'.
I think this error is coming because of CSRF token which I can get by calling /libs/granite/csrf/token.json
But how can I add this CSRF token in this form header? Or is there any other way to make it work?
you can add the csrf token with the standalone tag
<cq:includeClientLib categories="granite.csrf.standalone" />
you can add this on every page you use a form, or maybe you have a masterpage which inherits to every page
the csrf token is a hidden field, added before the form is sent. it looks like
<input type="hidden" name=":cq_csrf_token" value="4a6sd4f6as4df6as.a5s4df6a4sdf674asd96f">
As your page is outside AEM, one way to handle this globally would be to include the granite csrf JS in your application and modify it to point to your AEM token.json url. This script takes care of form posts, AJAX calls at a global level.
Secondly, this script does some checks related to server URL hosts and context paths. So you will have to disable those as well. It's a fairly simple JS to modify.
I know this is not an ethical approach but using AEM in this manner is also not a normal usecase :)
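The flow both answers describe, fetching a token from token.json and carrying it with the form post, as an added example that is not code from the question, the answers, or AEM itself. It assumes the endpoint named in the question (/libs/granite/csrf/token.json) returns {"token": "..."}, that AEM accepts the token as the ":cq_csrf_token" hidden field named above or as a "CSRF-Token" request header, and that the host name is a placeholder; the function names are ours.

```javascript
// Added example, not from the original post or from AEM.
// Placeholder host: replace with the real AEM author/publish instance.
const AEM_TOKEN_URL = 'https://aem.example.invalid/libs/granite/csrf/token.json';

// Parse the token.json payload and reject anything that does not look like a token.
function parseTokenResponse(json) {
  const data = typeof json === 'string' ? JSON.parse(json) : json;
  if (!data || typeof data.token !== 'string' || data.token.length === 0) {
    throw new Error('token.json did not contain a token');
  }
  return data.token;
}

// Build an application/x-www-form-urlencoded body with the hidden field appended,
// exactly as if <input type="hidden" name=":cq_csrf_token"> were in the form.
function buildFormBody(fields, token) {
  const params = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) params.append(name, value);
  params.append(':cq_csrf_token', token);
  return params.toString();
}

// fetch() options for a POST that carries the token as both field and header.
function buildPostOptions(fields, token) {
  return {
    method: 'POST',
    credentials: 'include', // the token is bound to the caller's login cookie
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'CSRF-Token': token,
    },
    body: buildFormBody(fields, token),
  };
}

// Fetch a fresh token, then submit. fetchImpl is injectable so the whole flow
// can be exercised offline with a stub instead of a live AEM instance.
async function submitWithCsrfToken(actionUrl, fields, fetchImpl = globalThis.fetch) {
  const tokenRes = await fetchImpl(AEM_TOKEN_URL, { credentials: 'include' });
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const token = parseTokenResponse(await tokenRes.text());
  return fetchImpl(actionUrl, buildPostOptions(fields, token));
}
```

Because the token endpoint is read with the session cookie, the external page must be served from an origin that AEM's CORS configuration allows, and the token should be requested per submission rather than cached for the life of the page.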
I'm using TYPO3 9.5 and building a search Extension with extbase and have some problems with the cHash.
I build my search form in fluid with f:form and use GET as method. There are no problems if I use POST.
My search action is configured as non-cachable action. I also tried to set the TypoScript config requireCHashArgumentForActionArguments = 0 for my extension.
But every time I try to search, I get a 404. Even when I let the form viewhelper generate a cHash. The only workaround that works is to disable pageNotFoundOnCHashError in the LocalConfiguration. But that feels wrong to me.
The action works also if I create a Link with fixed search words.
So some questions came up for me.
Why is a cHash for a non-cachable action needed?
How can the cHash work on a form at all? It's the concept of a form that the user can modify the values, and as far as I understand it is the concept of the chash to prevent this.
Here is also some example code
<f:form
    id="search-form"
    class="press-search-widget"
    additionalAttributes="{'role': 'search'}"
    method="get"
    action="search"
    extensionName="MySearch"
    pluginName="Mysearch"
    controller="Search"
    section="search-form">
    <f:form.textfield
        id="pressfilter-search"
        class="form-control"
        type="text"
        name="searchTerms[searchTerm]"
        value="{parameters.searchTerm}"
        placeholder=""
    />
</f:form>
Why is a cHash for a non-cachable action needed?
cHash is evaluated before it is known which TypoScript should be fetched, so it is also not known which (un-)cached plugins should be loaded or if they require cHash evaluation (or have it disabled).
How can the cHash work on a form at all? It's the concept of a form that the user can modify the values, and as far as I understand it is the concept of the chash to prevent this.
I don't know the reason you are using a form submission with HTTP GET. However all GET parameters are taken into account except for the ones excluded (see response above already).
I strongly recommend switching to HTTP POST - mainly because the HTTP standard requires POST parameters to not be cached (also not in the browser!), otherwise Visitor A could submit something with the form and Visitor B sees the result from Visitor A. POST is for data submission, GET is actually defined as a "read-only" mode in HTTP.
Two options for TYPO3 are:
switch to POST if there is no 100% necessity for GET in your use case
use the cHashExcludedParameters option in TYPO3 to disable all user-input values from the form.
cHash is a security feature. It protects against manipulation of parameters. And it serves as an additional layer of security: it also prevents cache bloat attacks.
Where a bot can generate links with new parameters and TYPO3 then caches the result of every such page and quickly grows the cache tables in the database.
It is however possible to exclude certain parameters from this calculation using the install tool: [FE][cHashExcludedParameters] setting.
The excluded parameters then also do not affect the caching (pages are cached as if the parameters are not present), but as you have a non-cacheable action your result has to be generated on the fly anyway.
Why is a cHash for a non-cachable action needed?
I don't really know. Maybe they just forgot it or no one really uses GET forms.
How can the cHash work on a form at all? It's the concept of a form that the user can modify the values, and as far as I understand it is the concept of the chash to prevent this.
The URL parameters are included in the chash. So sending via POST shouldn't take use of the chash except for the action/controller parameters.
You have to build the form by yourself and validate it manually or use Javascript. Indexed_search uses POST, changes the page/pointer in the hidden form fields and submits the form again for the pagination.
I'm seeing many frameworks recently that have decided to "fake" PUT and DELETE requests in form submissions (not ajax). Like Ruby on Rails. They seem to be waiting for browsers to catch up. Are they waiting in vain?
Is this even slated to be implemented anywhere?
Browsers do support PUT and DELETE, but it's HTML that doesn't.
For example, a browser will initiate a PUT request via Javascript (AJAX), but not via HTML <form> submission.
This is because HTML 4.01 and the final W3C HTML 5.0 spec both say that the only HTTP methods that their form elements should allow are GET and POST.
There was much discussion about this during the development of HTML 5, and at one point they got added to HTML 5, only to be removed again. The reason the additional methods were removed from the HTML 5 spec is because HTML 4-level browsers could never support them (not being part of HTML at the time they were made); and there is no way to allow them to do so without a JavaScript shim; thus, you may as well use AJAX.
Web pages trying to use forms with method="PUT" or method="DELETE" would fall back to the default method, GET for all current browsers. This breaks the web applications' attempts to use appropriate methods in HTML forms for the intended action, and ends up giving a worse result — GET being used to delete things! (hello crawler. oh, whoops! there goes my database)
Changing the default method for HTML <form> elements to POST would help (IMO the default should have always been POST, ever since Mosaic* debuted forms in 1993), but to change the default would take at least a decade to percolate through the installed base. So in two words: ‘because legacy’. :-(
To support current browsers, authors will have to fake it with an override. I recommend authors use the widely known _method argument by including <input type=hidden name=_method value=DELETE> in their HTML; switch the form method to POST (since the request is unsafe); then add recognition of _method on the server side, which should then do whatever's necessary to mutate the request and forward it on as if it were a real DELETE request.
Note also that, since web browsers are the ultimate HATEOAS client, they need to have a new state to be transferred to them for DELETE requests; existing APIs often return 204 No Content for such requests. You should instead send back a hypermedia response with links so that the user can progress their browser state.
Also see the answers to these similar/identical questions:
Why are there are no PUT and DELETE methods on HTML forms?
Are the PUT, DELETE, HEAD, etc methods available in most web browsers?
Using PUT method in HTML form
Do Browsers support PUT requests with multipart/form data
* Mosaic, created by Marc Andreessen, also introduced the compound mistake of the <img src=…> tag — it should have been <image source=…>fallback</image>.
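The server-side half of the _method override recommended in the answer, as an added example that is not code from the answer or from any framework such as Rails. It assumes the web framework hands the handler the transport method and the parsed form fields; the function names and the /articles paths are ours. It also shows why the override must only be honoured on POST: a GET carrying _method=DELETE has to stay a GET, otherwise the crawler scenario from the answer returns through the back door.

```javascript
// Added example, not from the original answer or any framework.
const OVERRIDABLE = new Set(['PUT', 'PATCH', 'DELETE']);

// Returns the effective HTTP method. An override is honoured only when the
// transport method is POST (unsafe, so browsers and crawlers never send it
// spontaneously) and the requested target is one of the allowed methods.
function resolveMethod(transportMethod, fields) {
  const method = String(transportMethod).toUpperCase();
  const requested = typeof fields._method === 'string' ? fields._method.toUpperCase() : null;
  if (!requested) return method;
  if (method !== 'POST') {
    // GET ?_method=DELETE stays a GET: a link-following crawler must never delete.
    return method;
  }
  return OVERRIDABLE.has(requested) ? requested : method;
}

// Strip the override field so downstream handlers see only real form data.
function stripOverride(fields) {
  const { _method, ...rest } = fields;
  return rest;
}

// Minimal dispatcher. After a DELETE it answers with a 303 redirect to a page
// the browser can show, instead of 204 No Content (the HATEOAS point above).
function dispatch(transportMethod, path, fields) {
  const method = resolveMethod(transportMethod, fields);
  const data = stripOverride(fields);
  if (method === 'DELETE') {
    return { status: 303, headers: { Location: '/articles' }, body: '' };
  }
  if (method === 'GET') {
    return { status: 200, headers: {}, body: `listing ${path}` };
  }
  if (method === 'POST') {
    return { status: 201, headers: { Location: `${path}/new` }, body: JSON.stringify(data) };
  }
  return { status: 405, headers: { Allow: 'GET, POST, DELETE' }, body: 'unsupported' };
}
```

The override field should be read from the request body only, never from the query string, for the same reason: anything that can be put in a link can be put in front of a crawler.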
Here is one of the use-case as to what I want to do:
A User clicks on a blog-link or directly pastes the blog-link in the URL
The blog portlet is on the private-page of a Community (Site).
Since the user is not a member of the Community (Site) he would be taken to the error page.
He is shown, either a 404 page or a No-access error page.
My requirement starts: Now instead of showing the above pages or a customized version of the above pages.
I want to Intercept the request for 404 or other such requests.
And redirect to a portal page (not a static error page) based on some parameters of the User and the initial request parameters.
In this case I would want the user to be redirect to any public page of the same Community (Site) and ask him to Join or request membership for that Community (Site).
So in short I would want a way to intercept the request which generates the error and then redirect to where ever I want.
Is this available in liferay? If not can I get some idea as to how can I achieve this?
Environment: Liferay 6.1 GA2
Thanks for your valuable time.
Add a JSP page to manage 404 errors as described here in that Liferay's forum post.
In that JSP you can put your custom logic based on whatever param (the user, the community, etc..) that you can access from inside the JSP using, for example, the themeDisplay object.
An alternative way (and the way I have redirect 404 errors to a specific page in the community) is to override the 404.jsp with a Hook. Then add your custom logic to the overridden JSP.
I'm assuming something similar could be done for no-access.
Can we invoke an ATG FormHandler through AJAX? Do I have a hope?
Generally: Yes :-)
But the possibilities may be limited or require some weird hacks to get them running, so it may depend on what exactly you want to do.
There are several different approaches:
You cannot directly send requests to a form handler, like you could do it with a servlet or a controller in frameworks like Struts or Spring MVC, but instead you always have to have a form in the JSP page (created using the DSP taglib), and then submit that form. This means that you cannot trigger a form handler without having an according form for it in your JSP page. But if you have that form in your page, you can submit it via an AJAX request. Your AJAX request will then trigger the form handler and get the result back, in the same way as a normal form submission would. This approach is possible and generally works. If you don't want to have a form for your AJAX request visible in the page, you could hide it e.g. using CSS.
Another approach would be using ATG'S REST Web Services module, which allows you to expose any component as a RESTful web service. This also allows you to invoke form handlers without the need to have a form for them or first render a JSP page. The document titled "ATG Web Services and Integration Framework Guide" (from Oracle's ATG documentation) has a whole chapter on how to invoke a form handler as a REST Web Service.
Or you could write a small custom servlet that receives your AJAX request and then uses the received data to invoke the form handler, just like it would lookup and invoke any other Nucleus component...
yes, invoke the handle method in the page you are making the ajax request to.
I have done this using APIs.
You need to use APIs to populate the form data required and then call the handle method from the API. You can use ATG's REST APIs or Spring if you want.
Just make a simple JSP, no need for complex code to call the handle method: create a JSP and just add the dsp:setvalue tag, and the bean attribute should point to your handle method. Now call this JSP through simple AJAX.
<dsp:setvalue bean="TestFormahandler.submit" value="" />
This will invoke the handleSubmit of the formhandler.
and there is always a hope friend :)
I have a jsp form which takes in user details. On submit button it goes to a jsp page where the details are entered into the database. But before that I would like to check if the username is available as soon as the user clicks the check availability button. How can this be done?
2 ways:
Just redisplay the same page after submitting the form wherein you conditionally display the validation message. This is rather trivial and already covered in the Hello World example in our Servlets wiki page.
Use Ajax to send an asynchronous HTTP request and manipulate the HTML DOM based on the response of the request. This requires a bit more in depth understanding of how websites really work and what JavaScript is. You can find some concrete examples in How to use Servlets and Ajax?
Use AJAX (Asynchronous JavaScript and XML). It's the best web 2.0 technology. You can manipulate the DOM based on the answer from the server.
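The browser side of the second option, an asynchronous availability check that updates the page from the server's answer, as an added example that is not code from the question or either answer. It assumes a servlet mapped at /checkUsername (a hypothetical path) that answers {"available": true|false} as JSON, and the element ids, username policy and function names are ours.

```javascript
// Added example, not from the original question or answers.
const CHECK_ENDPOINT = '/checkUsername';          // hypothetical servlet mapping
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;       // constructed policy for the example

// Validate locally first so obviously bad names never reach the database.
function validateUsername(name) {
  if (typeof name !== 'string' || !USERNAME_RE.test(name)) {
    return 'Use 3-20 letters, digits or underscores';
  }
  return null;
}

// Encode the name into the query string; never concatenate raw user input.
function buildCheckUrl(name) {
  return `${CHECK_ENDPOINT}?username=${encodeURIComponent(name)}`;
}

// The server's answer is authoritative; anything malformed is an error, not "free".
function parseAvailability(json) {
  const data = typeof json === 'string' ? JSON.parse(json) : json;
  if (!data || typeof data.available !== 'boolean') {
    throw new Error('unexpected response from availability check');
  }
  return data.available;
}

let latestRequest = 0; // sequence number so a slow reply cannot overwrite a newer one

// fetchImpl is injectable so the flow can be exercised without a servlet container.
async function checkAvailability(name, fetchImpl = globalThis.fetch) {
  const problem = validateUsername(name);
  if (problem) return { ok: false, message: problem };
  const seq = ++latestRequest;
  const res = await fetchImpl(buildCheckUrl(name), { headers: { Accept: 'application/json' } });
  if (!res.ok) return { ok: false, message: `check failed (${res.status})` };
  const available = parseAvailability(await res.text());
  if (seq !== latestRequest) return { ok: false, message: 'superseded' };
  return {
    ok: true,
    available,
    message: available ? 'Username is available' : 'Username is taken',
  };
}

// Page wiring; only runs where a DOM exists.
if (typeof document !== 'undefined') {
  const btn = document.getElementById('check-btn');
  if (btn) {
    btn.addEventListener('click', async () => {
      const name = document.getElementById('username').value;
      const result = await checkAvailability(name);
      document.getElementById('username-msg').textContent = result.message;
    });
  }
}
```

The Ajax answer is a courtesy, not a reservation: two users can both be told a name is free, so the JSP that performs the INSERT must still enforce the uniqueness constraint and report the conflict instead of trusting the earlier check.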