I have created one jsp form which contains the username textfield. On the click of submit button it pass on to servlet and read parameter and display on the screen.
I want to generate a querystring of username with the url.
Can anyone tell me how can i do that??
The following example will add the username field in the querystring of the request URL.
<form action="servletURL">
<input type="text" name="username" />
<input type="submit" />
</form>
Note that there's no method. It defaults to GET already, which means that all form data is passed by URL.
If you still don't see the querystring in the request URL, then it means that your servlet is performing a redirect after submit.
response.sendRedirect("result.jsp");
The enduser will then see the redirected URL in browser address bar instead. If you don't include the querystring in the redirect URL, then the enduser will indeed not see it at all.
You should either be doing a forward() instead,
request.getRequestDispatcher("/WEB-INF/result.jsp").forward(request, response);
or append the query string yourself:
response.sendRedirect("result.jsp?" + request.getQueryString());
Related
I'm adding in CSRF token validation and I'm running into a problem where I have two forms on a page and one of them will submit successfully and the other will not. I'm not doing AJAX requests, I'm simply using hidden input fields. If I submit the form when it is the only one on the page, it submits without issue. If I submit it on a page with more than one form, it fails.
Below is the template code for my two forms
{{if .IsAuthenticated}}
<form action='/admin/logout' method='POST'>
<button>Logout</button>
{{.CsrfField}}
</form>
{{end}}
<form action='/admin/stuff/create' method='POST'>
{{with .Form}}
<div>
<label>Title:</label>
<input type='text' name='title' value='{{.Get "title"}}'>
</div>
<div>
<input type='submit' value='Publish stuff'>
</div>
{{end}}
{{.CsrfField}}
</form>
And this is what the generated HTML looks like. Both appear to be valid.
When I click the "Logout" button though, I get the Forbidden - CSRF token invalid error, but clicking the create input value in the second form always works.
The logout button is correctly validated when I attempt to use it on the home page which is "/admin/" but it does not work on any of the other pages "/admin/snippet/:id" or "/admin/snippet/create". The Logout button is part of a base template, so it appears on every page, so there shouldn't be anything different in how it appears on any page.
I've read other SO posts about multiple forms & CSRF tokens on a page and I understand there should be no issue with multiple forms with the same information as long as you have each one in it's own form, it should be fine. So I am not sure where I am going wrong.
I found the issue. Currently the way that gorilla/csrf works, it does not like creating the masked token from one path and then sending that token off to another path. So in my situation, going from /admin/snippet/create to /admin/logout threw an error because it was expecting the path for the token to be /admin/snippet/<something> and so it threw an error.
This issue has been addressed in this PR: https://github.com/gorilla/csrf/pull/147 and essentially the solution is to set the default path yourself to something which all of your routes will contain, so in my case that was /admin
This is what my CSRF declaration looks like now in main.go
var csrfMiddleWare = csrf.Protect(
[]byte("<put your 32 character key here>"),
csrf.Path("/admin"),
csrf.Secure(false),
)
A note, if you had this issue and then apply this fix and it doesn't resolve the problem, trying testing in a separate browser as there may be some caching issues.
How to hide the values in the URL? In routes:
GET /admin/:userId com.example.sample.getUser(userId: Int)
When getUser action is requested, URL returns in the format as shown below:
http://localhost:9000/admin/0
I don't want to view the userId in the URL.
This is common GET vs POST difference. In GET request params are sent within the URL, in POST are not.
If you need to avoid params in the URL just use a HTML form with hidden field instead of a tag to send the requests and in your controller fetch the POST arguments, dummy HTML sample:
<form action="/admin/" method="POST">
<input type="hidden" name="userId" value="#userId" >
<input type="submit" value="#userName" >
</form>
It will give you submit button with name of the user as a label, you can use CSS to give it feel and look of common link.
Note that's invalid REST pattern, as POST shouldn't be used to showing data, you don't mention what is the purpose of this, so maybe you should rethink your needs.
Maybe you can also just make usage of parameters with default or fixed values:
check the docs for more options
As suggested on stackoverflow, I make sure to log in to https://developer.paypal.com, to set cookies for sandbox development before attempting my SetExpressCheckout flows.
I get a successful response from my SetExpressCheckout call, with a reply such as:
TOKEN=EC%2d2D3179619P0352202&TIMESTAMP=2014%2d08%2d08T01%3a58%3a29Z&CORRELATIONID=ca8756c977f0&ACK=Success&VERSION=116&BUILD=12301660
My problem comes when trying to redirect to PayPal with the _express-checkout command:
I extract the TOKEN value, and pass that in an HTTP form, with GET and POST variations shown below. I'm using Perl, but the forms are just plain HTML, and the forms below are taken directly from viewing the page source that is generated by my Perl CGI script.
form using GET:
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="GET">
<input type="hidden" name="cmd" value="_express-checkout">
<input type="hidden" name="token" value="EC%2d1BH04005UH441943R">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynow_SM.gif" border="0" alt="PayPal - The safer, easier way to pay online!">
</form>
form URL: https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC%252d1BH04005UH441943R&x=61&y=11
lands on: https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_flow&SESSION=S4XbHMPLePuv_A93vhHvqIo4GEYOpsQCYkn6iiIE6AeRfMEkXHzSPWYeH3G&dispatch=50a222a57771920b6a3d7b606239e4d529b525e0b7e69bf0224adecfb0124e9b61f737ba21b08198a0586321b47f5ae7b54ee269d9200b8b
( PayPal page with "This transaction is invalid. Please return to the recipient's website to complete your transaction using their regular checkout flow." )
form using POST:
<form action=https://www.sandbox.paypal.com/cgi-bin/webscr METHOD='POST'>
<input type=hidden name='cmd' value='_express-checkout'>
<input type=hidden name='token' value=EC%2d9MK58577ER8913409>
<input type=image src=https://www.paypalobjects.com/en_US/i/btn/btn_buynow_SM.gif border=0 alt='PayPal - The safer, easier way to pay online!'>
</form>
form URL: https://www.sandbox.paypal.com/cgi-bin/webscr
lands on: https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_flow&SESSION=MQjOoKQ1FNeHGrVOsukD0Ln8K8LvfvfrejsDm9XZq3JeLThBanMZ2vC1Wtm&dispatch=50a222a57771920b6a3d7b606239e4d529b525e0b7e69bf0224adecfb0124e9b61f737ba21b08198a0586321b47f5ae7b54ee269d9200b8b
( PayPal page with "This transaction is invalid. Please return to the recipient's website to complete your transaction using their regular checkout flow." )
Curiously, if I manually enter the URL that would have been the 'action=' URL of my form using method=GET, it all works:
Manual cut-n-paste of form URL: https://www.sandbox.paypal.com/cgi-bin/webscr&cmd=_express-checkout&token=EC%2d00D71751FM635411H (with or w/o appending &x=nn&y=nn)
lands on: https://www.sandbox.paypal.com/cgi-bin/webscr&cmd=_express-checkout&token=EC%2d00D71751FM635411H
( Sandbox test store, showing order summary and buyer PayPal account login prompts, as expected )
It seems to me there is some issue with PayPal's session caching, since my form URLs get transformed to ones with parms "_cmd=flow&SESSION={long session ID}, but I clear (Safari) browser cookies before logging in to developer.paypal.com.
I get similar behavior on a different computer, using Firefox and IE browsers.
PayPal won't accept your token because you send it back as percent-encoded twice.
The SetExpressCheckout response is a string that contains a series of parameter names and values. This string is percent-encoded, meaning that you need to decode it to extract the actual values.
Most importantly, you are interested in the TOKEN=EC%2d2D3179619P0352202 part, where the %2d represents the character -.
When you re-inject the string directly to a form input as shown in your question, the %2d represents nothing but the sequence of characters % 2 d. Moreover, when sent to PayPal as a GET request, the sequence will be percent-encoded itself, with the percent sign encoded to %25, resulting in the sequence % 2 5 2 d that you observed. So the token gets lost in translation.
What you need to input is the decoded version of the token:
<input type="hidden" name="token" value="EC-1BH04005UH441943R">
In Perl, the decoding can be achieved using, for example, CPAN's URI::Escape module.
I feel like I've entered the Twilight Zone. I have a Grails form that redirects to a URL, but gives a 404. If I go directly to that exact URL, everything works fine (that is, the URL mappings are correct).
This is an example generated form tag:
<form action="/alm/contactRefresh/itemRefreshProcess/7070" method="post">
On submit, it redirects to:
http://localhost:8080/alm/contactRefresh/itemRefreshProcess/7070
But gives this error:
HTTP ERROR 404
Problem accessing /alm/contactRefresh/itemRefreshProcess/7070. Reason:
NOT_FOUND
Powered by Jetty://
But then if I just go directly to that same URL (by focusing the browser Location bar and pressing enter), the page renders just fine, though the form params are lost because it's just a GET now. I've also tried changing the form method to GET, and that doesn't work either (throws a 404).
I've done similar forms a zillion times before with no problems. I'm sure this is some stupid user error, but I seriously can't figure out what's wrong.
Thanks for any ideas!
So, I finally started ripping parts out of the form and found out that for some reason you can’t name a Grails checkbox starting with the word "action". It must be something related to the default params["action"] entry. Though my checkbox names were a concatenation of "action_" + an id.
Anyway, there was some kind pre-processing of the checkbox form params that was blowing up before making it to the controller, and somehow that translated to a 404 instead of an actual Exception.
Originally I had this:
<g:checkBox name="action_${serviceRefreshAction.id}" value="${true}" />
Which renders this:
<input type="hidden" name="_action_7196" /><input type="checkbox" name="action_7196" checked="checked" id="action_7196" />
I changed "action" to "myAction", like this:
<g:checkBox name="myAction_${serviceRefreshAction.id}" value="${true}" />
Which renders this:
<input type="hidden" name="_myAction_7206" /><input type="checkbox" name="myAction_7206" checked="checked" id="myAction_7206" />
And now everything works fine.
Five hours of my life down the drain.
But I guess I have to forgive Grails, for the all time it saves me on a daily basis normally. :o)
I'm having a simple HTML form on my page that looks like this:
<form action="/" method="post" enctype="multipart/form-data">
<input type="file" name="file" />
<input type="input" name="pin" />
<input type="submit" value="Upload" />
</form>
Now what I am trying to accomplish (with Sinatra) is to check if the PIN entered into the form field is correct:
post "/" do
if params[:pin] == "1234"
start_upload()
else
print_error_message()
end
end
Of course, I want the PIN to be checked before the file starts uploading. But that's my problem. Immediately after clicking the "Upload" button, the file upload starts until it is finished. Then the script checks to see if the PIN is valid.
Is there a way to do stuff before the file upload starts? And if not, what other ways of doing this are there?
Unless you use some Ajax and split up your request this won't work. You could have two forms, one that holds the pin and that authorizes the user. Once you enter a correct pin you send an asyn request to the server which will then reply with a positive or a negative answer. Depending on the response some javascript will then enable your file upload button so you can start uploading the file. What you should also do is setting a session for the user so that only an authorized user (via the pin) is allowed to send a form. If you check the Sinatra Readme you can find some information on how to do that.
That would be my solution.