FORM scope always empty? URL scope is fine? - forms

I'm running a legacy CF Fusebox 5.5 app within Railo 4.0.2.002 Express with Jetty 8 on Mac OS X 10.8 with Java 1.7.
I'm also using jetty urlrewrite http://tuckey.org/urlrewrite/ (if that's relevant)
Why is the FORM scope always blank upon form submissions? But if I use the URL scope it works fine.
The app has worked fine in all other versions of CF and should also work fine here.
UPDATE 1:
Also, when I do onRequestStart within Application.cfc and I dump the FORM scope it's empty there too.
Anyone have trouble with this? I don't think it's necessarily "fusebox" so I'm wondering if it's a Railo 4 compatibility issue?
UPDATE 2:
When the form posts to /admin/index.cfm?event=Main.Login
the form scope works fine. But when it posts to /admin/event/Main.Login the form scope is gone.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite
    PUBLIC "-//tuckey.org//DTD UrlRewrite 3.0//EN"
    "http://tuckey.org/res/dtds/urlrewrite3.0.dtd">
<urlrewrite>
    <rule>
        <from>^/admin/event/(.*)</from>
        <to last="false">/admin/index.cfm?event=$1</to>
    </rule>
    <rule>
        <from>^/lms/event/(.*)</from>
        <to last="false">/lms/index.cfm?event=$1</to>
    </rule>
</urlrewrite>
UPDATE 3:
It should also be noted that Charles (proxy) is properly detecting that the 'POST' request contains the Email / Password and other form elements, properly sent to the server.
The Jetty server is simply not seeing them or not properly forwarding them on to the Railo engine or something?
UPDATE 4:
Here is the tuckey configuration that they tell you to place in your web.xml. I actually placed this in the webdefault.xml in etc/ directory of Railo Express which I guess could just be Jetty files.
<filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

I had a number of issues with Tuckey and ended up using Apache and mod_rewrite for features that Tuckey just didn't support. That being said, Railo + Tomcat/Jetty is not ColdFusion with JRun, and the configuration was challenging to ensure that mod_rewrite had all the request information and even had the request at all. Even Adobe had to patch CF10 after release because they were missing original functionality from CF9-+JRUN connectors.
However, for your solution, you need to reach up and out. See the thread here.
https://groups.google.com/forum/#!msg/railo/uw-U9hCFu5k/bEmr_I2Kl8sJ
Other people have the same problem, and have worked around it by placing this in onRequestStart:
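<cfscript>
// Workaround: rebuild the FORM scope from the servlet request when a POST arrives with it empty.
if (getHTTPRequestData().method eq "POST") {
    if (NOT structKeyExists(form, "fieldnames")) {
        // getParameterMap() holds query-string and body parameters together.
        var paramMap = getPageContext().getRequest().getParameterMap();
        var paramMapKeys = structKeyList(paramMap);
        form.fieldnames = paramMapKeys;
        for (x = 1; x lte listLen(paramMapKeys); x++) {
            param = listGetAt(paramMapKeys, x);
            // Each map value is an array of strings; keep the first value.
            form[param] = paramMap[param][1];
        }
    }
}
</cfscript>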
It's not clear if this is a bug in Jetty, Railo, or Tuckey.

Related

ca siteminder saml sso proxyrule namespace case can not forward

Everyone,
our Policy Server is 12.8 and runs on Red Hat,
and our SAML SSO is OK.
We access the application via RelayState,
and we want to access more applications.
We want to access: https://fed.test.com.cn/test, https://fed.test.com.cn/prd.
We want to check: when it is test, forward to one place, and when it is prd, forward to another place.
Our proxy rule is here:
<?xml version="1.0"?>
<?cocoon-process type="xslt"?>
<!DOCTYPE nete:proxyrules SYSTEM "file:////app/siteminder/agent/agentfed/secure-proxy/proxy-engine/conf/dtd/proxyrules.dtd">
<!-- Proxy Rules -->
<!-- replace www.example.com with your namespace -->
<nete:proxyrules xmlns:nete="https://fed.test.com.cn/" debug="yes">
    <nete:cond criteria="beginswith" type="uri">
        <!-- replace /dir1 with an appropriate URI -->
        <nete:case value="/test">
            <!-- replace http://server1.example.com with the appropriate destination server -->
            <nete:forward>https://10.164.29.65$0</nete:forward>
        </nete:case>
    </nete:cond>
</nete:proxyrules>
But when we passed https://fed.test.com/affwebservices/public/saml2assertionconsumer,
we found that it was not forwarded to the destination server.
So where is it wrong? We did not find errors in the logs.
Can anyone help us?
We are in a hurry.
Proxy rules don't apply to /affwebservices, that's a different "app" on SPS itself.

Apache Shiro takes me back to login page after authentication

I am replacing Siteminder with Apache Shiro in my web application. I noticed that Shiro logs me in successfully and takes me to the home page. When I click on any other link on the home page, I am taken back to the login page. I log in again and I am forwarded to the page I was looking to go to. How can I fix this?
Here is my shiro.ini
[main]
authc.loginUrl = /login.jsp
ssl.enabled=false
[users]
user=admin
[urls]
/css/** = anon
/images/** = anon
/js/** = anon
/login.jsp = authc
/logout = logout
/** = authc
A section from my web.xml
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
Printing out currentUser.isAuthenticated() in my User Class displays 'true'.
Is there any other info I can provide?
I believe the problem is related to the fact that in the shiro.ini file you are not enforcing SSL:
ssl.enabled=false
However, in the weblogic.xml file you are enforcing SSL for cookies:
<session-param>
    <param-name>CookieSecure</param-name>
    <param-value>true</param-value>
</session-param>
So, my recommendation would be to change shiro.ini to:
ssl.enabled=true
And leave the original weblogic.xml file in place.
That way you will only accept users who authenticated over SSL (which is a good practice).
Please let me know the results.
Thanks
Fabio #fcerullo
Your configuration looks almost exactly like the Shiro sample web app (in fact, yours is even better by using authc.loginUrl instead of the deprecated global 'shiro.loginUrl' that the sample app uses). The sample app does not exhibit the behavior you're seeing.
This leads me to believe that something else (another filter?) is causing problems for you. Do you have a little sample app that you can make available (maybe on Github) that demonstrates the problem? I'd be happy to take a look if this can be recreated.
I figured out what was going on. My application was deployed on WebLogic and I had the following section inside weblogic.xml which was causing the issue. Removing it fixed it. Any idea why this caused it?
<session-param>
    <param-name>CookieSecure</param-name>
    <param-value>true</param-value>
</session-param>
I have experienced the same behaviour, but I am using Wildfly 10.0.0 and Apache Shiro v 1.3.2.
I found the solution here in this JBoss Forum article.
Setting the cookie name from JSESSIONID to something else fixes the issue.
The solution provided here was to add the following in shiro.ini
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = shiro.session.id
sessionManager.sessionIdCookie = $cookie
This worked for me.

Sitecore 6.5 urls across multiple sites/domains (not resolving sites?)

I'm using a Sitecore install with multiple sites. When linking from example1.com (/sitecore/content/example1) to an item under example2.com (/sitecore/content/example2/about)
Sitecore is not generating the link correctly for any cross-domain links. It is generating:
http://www.example1.com/example2/about.aspx
This is what is expected:
http://www.example2.com/about.aspx
The same thing happens from example2.com when linking to example1.com or any item under that site.
Both sites are defined in the web.config.
The rootNodes are both "/sitecore/content"
The start items are "/example1" and "/example2" respectively.
Rendering.SiteResolving is set to true
Rendering.SiteResolvingMatchCurrentSite is set to false
I'm using sc:link to generate the links.
Sitecore.Links.LinkProvider's alwaysIncludeServerUrl is set to true
If you are using hostName with wild cards (eg. "www.example1.com|example1.com"), you need to set targetHostName="www.example1.com" on your entry.
Even if you only have one domain, set targetHostName, as there is one thing/function that only looks at targetHostName. E.g. GetItemUrl() doesn't work as planned without a targetHostName, and in 6.5.0 ver. 120706 it doesn't account for stuff set in the web.config. This is a bug and one they hopefully have fixed in a future version. If you experience the problem, look here for a solution:
http://sitecorepm.wordpress.com/2010/08/04/using-cross-site-links-dynamic-links/
Have you set the hostName value of the <site> entry in web.config?
<site name="example1" hostName="www.example1.com" ... />
<site name="example2" hostName="www.example2.com" ... />
There's a very good blog post on this here: http://blog.paulgeorge.co.uk/2011/05/01/sitecore-linkmanager-inside-out-muti-site-and-sub-site-setups/ It looks like you've covered everything else required to make this work.

httpOnly cookie

I had done a web scan for an application (built in Struts and Hibernate framework) deployed in JBoss 5, which reported "Set-cookie does not use HTTPOnly keyword. The web application does not utilize HTTPOnly cookies". What does it mean? I looked for some posts and just added one line in my jboss/deploy/jbossweb.sar/context.xml as
<SessionCookie secure="true" useHttpOnly="true" >
After setting that, I am getting error while running the application. Is there any configuration that I am missing?
try this:
<SessionCookie secure="true" httpOnly="true" />
What does it mean
The HttpOnly flag in an HTTP response header indicates to the browser that client-side access to the JSESSION_ID or other session-cookie type identifier should not be permitted. What this is intended to prevent is malicious access to the session token via client-side scripts in an XSS (or other attack involving session hijacking from the client side). Currently almost all major browsers support this flag (see this list for supporting browsers), but it's simply ignored in browsers that don't support it. See more info on this at the OWASP site.
Setting it up is similar for tomcat and forks of it, including Jboss, by including the following in your context file:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
or
<SessionCookie secure="true" httpOnly="true" />
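A check for the two cookie flags discussed in the threads above, as an added example that is not part of any original post: it flags a session cookie without HttpOnly (the scanner finding) and a Secure session cookie issued on a plain-HTTP page, which the browser will not send back on the next request. The cookie names come from this page; the URLs and header values are constructed, and the function names are hypothetical.

```python
# Added example: audit session cookies in Set-Cookie headers (sample data is constructed).
SESSION_COOKIES = {"jsessionid", "shiro.session.id"}  # cookie names mentioned on this page


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs); attribute names are lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def browser_returns_cookie(attrs, request_url):
    """A cookie marked Secure is only sent back on https:// requests."""
    return "secure" not in attrs or request_url.lower().startswith("https://")


def audit(page_url, set_cookie_headers):
    """Return sorted (cookie, finding) pairs for the session cookies in one response."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIES:
            continue  # only session identifiers are in scope here
        if "httponly" not in attrs:
            findings.append((name, "no-httponly"))  # readable by page scripts
        if not browser_returns_cookie(attrs, page_url):
            # Not sent back over HTTP, so every request starts a new session.
            findings.append((name, "secure-over-http"))
        elif "secure" not in attrs and page_url.lower().startswith("https://"):
            findings.append((name, "no-secure"))
    return sorted(findings)


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "http://app.example/home": ["JSESSIONID=abc123; Path=/; Secure"],
    "https://app.example/home": ["JSESSIONID=abc123; Path=/; Secure; HttpOnly",
                                 "theme=dark; Path=/"],
    "https://app.example/old": ["shiro.session.id=f00; Path=/"],
}

if __name__ == "__main__":
    for url, headers in SAMPLES.items():
        print(url, audit(url, headers))
```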

servlet filter for url rewriting makes gwt page getting 404

I have a GWT application /application.html
For easy access (and SEO) I would like to do URL rewriting, such as mapping /station/fr/foo
I'm trying with a servlet filter declared like this
url-pattern : /station/*
and in this filter, I split parts of the url to build parameters for the target url:
and I do :
request.getRequestDispatcher( targetUrl ).forward( request, response);
But it seems to try accessing /station/Application.html and then 404
[ =========== edited from here =========== ]
Well, now, since this question, I understood a few things: the HTML page is reached, but tries to load its resources (css, js, img) in /station/
This behaviour is done by the browser (!)
If I add <base href="http://servername/"> it works, but I can't get dev mode working anymore...
Is there a way to transparently modify the response on the fly to change paths in the HTML source?
You are looking to fix the app path so that it is the same in both hosted Jetty mode and Tomcat/deployment mode. Try https://groups.google.com/d/topic/google-web-toolkit/a8OsRmMSaMg/discussion
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN"
    "http://jetty.mortbay.org/configure.dtd">
<Configure class="org.mortbay.jetty.webapp.WebAppContext">
    <Set name="contextPath">/yourapp</Set>
</Configure>