encrypted parameter problem

encrypted parameter problem

Chris Cheshire
I have a login interceptor that redirects to a login page where necessary with a "next" parameter set to the URL that was just accessed, like so:


        if (user == null && LOGIN_NEEDED.contains(clazz)) {
            resolution = new RedirectResolution(Login.class);
            if (context.getRequest().getMethod().equalsIgnoreCase("GET")) {
                ((RedirectResolution)resolution).addParameter("next", action.buildReturnUrl());
            }
        }

        return resolution;

buildReturnUrl is defined in my base action class as:

    public String buildReturnUrl() {
        try {
            HttpServletRequest req = getContext().getRequest();
            ActionResolver resolver = StripesFilter.getConfiguration().getActionResolver();

            // Resolve the bean for the current URI so its clean-URL binding can be reused
            ActionBean bean = resolver.getActionBean(this.context, req.getRequestURI());
            String urlBinding = resolver.getUrlBinding(bean.getClass());

            // Rebuild the URL from the binding plus the request's current parameters
            UrlBuilder builder = new UrlBuilder(req.getLocale(), urlBinding, true);
            builder.addParameters(req.getParameterMap());

            return builder.toString();
        }
        catch (StripesServletException ex) {
            throw new RuntimeException("failed to build url", ex);
        }
    }

(I resorted to this as opposed to the method shown in the Stripes book because it does not handle clean URLs properly. If you have a binding such as "/some/path/{id}", you end up with "/some/path/foo?id=foo".)

However, UrlBuilder is encrypting the parameters as it builds, so what is already encrypted turns into a broken value. Since all the methods to modify the request map in StripesRequestWrapper throw UnsupportedOperationExceptions, I can't decrypt the encrypted parameters (known parameter names) and then replace them so they get re-encrypted properly by the UrlBuilder.

How can I modify the request parameters to fix the double encoding issue?

Thanks

Chris


_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users
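
The double-encryption failure described in this post, reproduced as an added example (not code from the thread or from Stripes): `encrypt`/`decrypt` are a hypothetical AES-GCM stand-in for the framework's parameter encryption, and the `id` parameter and its value are constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class DoubleEncryptDemo {
    // Hypothetical stand-in for the framework's parameter crypto; not Stripes' CryptoUtil.
    static final SecureRandom RNG = new SecureRandom();
    static final SecretKey KEY = new SecretKeySpec(randomBytes(16), "AES");

    static byte[] randomBytes(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    static String encrypt(String plain) throws Exception {
        byte[] iv = randomBytes(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    static String decrypt(String token) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: "id" arrived already encrypted, and the map is read-only.
        Map<String, String[]> request = Map.of("id", new String[] { encrypt("42") });

        // Naive rebuild: the builder encrypts whatever it is handed, here ciphertext.
        String naive = encrypt(request.get("id")[0]);
        System.out.println("naive round-trips to 42: " + "42".equals(decrypt(naive)));

        // Fix: copy the map, decrypt the known encrypted parameter, then encrypt once.
        Map<String, String[]> copy = new HashMap<>(request);
        copy.put("id", new String[] { decrypt(copy.get("id")[0]) });
        String fixed = encrypt(copy.get("id")[0]);
        System.out.println("fixed round-trips to 42: " + "42".equals(decrypt(fixed)));
    }
}
```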

Re: encrypted parameter problem

Chris Cheshire
In case anyone else runs into this issue, my solution was to rebuild a duplicate parameter map and decrypt any parameter that was encrypted. I dug through the Stripes source to find out how the validations were handled and came up with:

            UrlBuilder builder = new UrlBuilder(req.getLocale(), urlBinding, true);
            // create a duplicate map of the parameters
            HashMap<String, String[]> newMap = new HashMap<>(req.getParameterMap());
            // locate validations for this action
            Map<String, ValidationMetadata> validations =
                    configuration.getValidationMetadataProvider().getValidationMetadata(getClass());
            if (validations != null) {
                // If a field is encrypted, decrypt it and replace its values in the new parameter map
                for (String property : validations.keySet()) {
                    if (validations.get(property).encrypted()) {
                        String[] encValues = newMap.get(property);
                        if (encValues == null) {
                            // parameter not present in this request; nothing to decrypt
                            continue;
                        }
                        List<String> newValues = new ArrayList<>();
                        for (String encValue : encValues) {
                            newValues.add(CryptoUtil.decrypt(encValue));
                        }
                        newMap.put(property, newValues.toArray(new String[newValues.size()]));
                    }
                }
            }
            builder.addParameters(newMap);



On Tue, Sep 17, 2013 at 11:49 AM, Chris Cheshire <[hidden email]> wrote:

Re: encrypted parameter problem

Nikolaos Giannopoulos
You can encrypt or decrypt as you like as far as I recall:


On Oct 3, 2013, at 1:16 PM, Chris Cheshire <[hidden email]> wrote:
