
hdiv's Introduction

Hdiv: Application Self-Protection

Hdiv is a leading provider of open source software for real-time, self-protected applications. Hdiv solutions are built into applications during development to deliver the strongest available runtime application self-protection (RASP) against OWASP Top 10 threats. Since 2008, Hdiv has pioneered self-protection cyber security software, and today its solutions are used by leading commercial software providers and global enterprises in banking, government, retail, technology, and aerospace.

Official Site: https://hdivsecurity.com

Online documentation: https://hdivsecurity.com/docs/

Community Technical documentation: https://hdivsecurity.com/docs/installation/library-setup/

April 20th, 2018 - Hdiv v3.4.0 released!

How does Hdiv help?

Hdiv repels 90% of application security risks included in the OWASP Top 10 (a broad consensus of the most critical web application security flaws), such as SQL injection, cross-site scripting, cross-site request forgery, data tampering, and brute force attacks. Hdiv offers higher effectiveness than any of the solutions currently available to fight web application security risks.

  • Want to ensure strong security without having to know and understand all current security threats.

  • Want strong security without compromising application performance or the user experience.

  • Want to build security into applications while in development, instead of having to go back and patch and tweak applications later.

Editions

Hdiv Community

Is an open-source web application security framework that includes read-only data protection and editable data risk mitigation. It is appropriate for customers who have less stringent security requirements but want protection from cyber threats.

Hdiv Enterprise

Is a commercial all-in-one solution integrating the best of AST (Application Security Testing), RASP (Runtime Application Self-Protection), and WAF (Web Application Firewall) approaches with enterprise-class security, exclusive functionality, scalability, and enterprise-level support services. For more information, contact us at [email protected]

Installation

Spring MVC

https://www.youtube.com/watch?v=6-BNTh8AqQY

Steps

Thanks to the new extension point included in Spring 3.1, Hdiv installation and configuration for Spring MVC is cleaner and easier than previously.

  1. Add Hdiv Jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-config</artifactId>
         <version>3.3.0</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-spring-mvc</artifactId>
         <version>3.3.0</version>
     </dependency>
    
  2. Add Hdiv listener and filter within web.xml file.

     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <!-- Spring MVC Servlet name-->
         <servlet-name>SampleMvc</servlet-name>
     </filter-mapping>
    
  3. Multipart configuration. Replace Spring MVC's MultipartResolver with the one from Hdiv. If commons-fileupload library is used for multipart processing:

     <bean id="multipartResolver" class="org.hdiv.web.multipart.HdivCommonsMultipartResolver">
         <property name="maxUploadSize" value="100000" />
     </bean>
    

    If Servlet 3 standard multipart processing is used:

     <bean id="multipartResolver" class="org.hdiv.web.multipart.HdivStandardServletMultipartResolver"></bean>
    
  4. Editable data validation. To add Hdiv's editable validation errors to Spring MVC's binding and validation errors, configure hdivEditableValidator as the application-wide validator.

     <mvc:annotation-driven validator="hdivEditableValidator"/>
    

If you are using a Spring MVC version prior to 3.1, it is necessary to introduce an additional step, replacing Spring MVC tlds with Hdiv tlds according to the specific version. The next example shows the code for Spring MVC 3.0.4:

    <jsp-config>
        <taglib>
            <taglib-uri>http://www.springframework.org/tags/form</taglib-uri>
            <taglib-location>/WEB-INF/tlds/hdiv-spring-form-3_0_4.tld</taglib-location>
        </taglib>
        <taglib>
            <taglib-uri>http://www.springframework.org/tags</taglib-uri>
            <taglib-location>/WEB-INF/tlds/hdiv-spring.tld</taglib-location>
        </taglib>
    </jsp-config>

Spring MVC and Thymeleaf

Thanks to the implementation of RequestDataValueProcessor interface in Thymeleaf, Hdiv support is straightforward.

  1. Follow configuration steps for Spring MVC installation.

  2. Add Hdiv jar for Thymeleaf

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-thymeleaf</artifactId>
         <version>3.3.0</version>
     </dependency>
    

Grails

Thanks to the Grails plugin architecture and the Hdiv plugin for Grails, installation consists of adding the Hdiv plugin to the BuildConfig.groovy configuration file:

compile ':hdiv:1.0-RC2'

JSTL

  1. Add Hdiv jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-config</artifactId>
         <version>3.3.0</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-jstl-taglibs-1.2</artifactId>
         <version>3.3.0</version>
     </dependency>
    
  2. Add Hdiv Listener and Filter within web.xml file

     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <!-- Spring MVC Servlet name-->
         <servlet-name>SampleMvc</servlet-name>
     </filter-mapping>
    
     <!-- Replace JSTL tld with Hdiv tld-->
     <jsp-config>
         <taglib>
             <taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
             <taglib-location>/WEB-INF/tlds/hdiv-c.tld</taglib-location>
         </taglib>
     </jsp-config>
    

Struts 1

  1. Add Hdiv jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-config</artifactId>
         <version>3.3.0</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-struts-1</artifactId>
         <version>3.3.0</version>
     </dependency>
    
  2. Add Hdiv listener and Filter within web.xml file.

     <!-- Hdiv Initialization listener -->
     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <url-pattern>*.do</url-pattern>
     </filter-mapping>
    
     <!-- Replace Struts 1 tld with Hdiv tlds -->
     <jsp-config>
         <taglib>
             <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
             <taglib-location>/WEB-INF/hdiv-html.tld</taglib-location>
         </taglib>
         <taglib>
             <taglib-uri>/WEB-INF/struts-nested.tld</taglib-uri>
             <taglib-location>/WEB-INF/hdiv-nested.tld</taglib-location>
         </taglib>
         <taglib>
             <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
             <taglib-location>/WEB-INF/hdiv-logic.tld</taglib-location>
         </taglib>
     </jsp-config>
    

Struts 2

The latest Struts 2 version supported by Hdiv is Struts 2.0.11. Higher versions are supported by Hdiv Enterprise Edition.

  1. Add Hdiv jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-core</artifactId>
         <version>2.0.4</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-struts-2.0.11</artifactId>
         <version>2.0.4</version>
     </dependency>
    
  2. Add Hdiv Listener and Filter within web.xml file.

     <!-- Hdiv Initialization listener -->
     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
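     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
    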
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <url-pattern>*.action</url-pattern>
     </filter-mapping>
    
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <url-pattern>*.jsp</url-pattern>
     </filter-mapping>		
    
     <!-- Replace Struts 2 tld with Hdiv tlds -->
    
     <jsp-config>
         <taglib>
             <taglib-uri>/struts-tags</taglib-uri>
             <taglib-location>/WEB-INF/hdiv-tags.tld</taglib-location>
         </taglib> 	
     </jsp-config>
    

JSF

  1. Add Hdiv jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-config</artifactId>
         <version>3.3.0</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-jsf</artifactId>
         <version>3.3.0</version>
     </dependency>
    
  2. Add Hdiv listener, Hdiv Filter and define your custom faces-config (with Hdiv configuration, see the next point) within web.xml file.

     <!-- Define the hdiv-faces-config -->
     <context-param>
          <param-name>javax.faces.CONFIG_FILES</param-name>
          <param-value>/WEB-INF/hdiv-faces2-config.xml</param-value>
     </context-param>
    
     <!-- Hdiv Initialization listener -->
     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <servlet-name>Faces Servlet</servlet-name>
     </filter-mapping>
    
  3. This is the content of /WEB-INF/hdiv-faces2-config.xml file:

     <?xml version="1.0" encoding="UTF-8"?>
     <faces-config xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
         version="2.0">
    
         <component>
             <component-type>javax.faces.HtmlOutcomeTargetLink</component-type>
             <component-class>org.hdiv.components.HtmlOutcomeTargetLinkExtension</component-class>
         </component>
         <component>
             <component-type>javax.faces.HtmlOutcomeTargetButton</component-type>
             <component-class>org.hdiv.components.HtmlOutcomeTargetButtonExtension</component-class>
         </component>
         <component>
             <component-type>javax.faces.Parameter</component-type>
             <component-class>org.hdiv.components.UIParameterExtension</component-class>
         </component>
         <component>
             <component-type>javax.faces.HtmlInputHidden</component-type>
             <component-class>org.hdiv.components.HtmlInputHiddenExtension</component-class>
         </component>
         <component>
             <component-type>javax.faces.HtmlOutputLink</component-type>
             <component-class>org.hdiv.components.HtmlOutputLinkExtension</component-class>
         </component>
    
         <lifecycle>
             <phase-listener>org.hdiv.phaseListeners.ComponentMessagesPhaseListener</phase-listener>
             <phase-listener>org.hdiv.phaseListeners.ConfigPhaseListener</phase-listener>
             <phase-listener>org.hdiv.phaseListeners.ValidatorPhaseListener</phase-listener>
         </lifecycle>
    
         <factory>
             <external-context-factory>org.hdiv.context.ExternalContextFactoryWrapper</external-context-factory>
         </factory>
    
     </faces-config>
    

Configuration

Hdiv configuration is based on Spring configuration. Hdiv has a custom schema to reduce the configuration tasks. First of all we need a Spring configuration file to add Hdiv configuration.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:hdiv="http://www.hdiv.org/schema/hdiv"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">

    <!-- Hdiv configuration elements go here -->

</beans>

From Hdiv version 2.1.7, it is possible to configure Hdiv in Java instead of XML.

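import org.hdiv.config.annotation.EnableHdivWebSecurity;
import org.hdiv.config.annotation.builders.SecurityConfigBuilder;
import org.hdiv.config.annotation.configuration.HdivWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;

@Configuration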
@EnableHdivWebSecurity
public class HdivSecurityConfig extends HdivWebSecurityConfigurerAdapter {

    @Override
    public void configure(SecurityConfigBuilder builder) {

        // Configuration options
    }
}

All the configuration options are described in the technical documentation.
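
A complete version of the Spring configuration file described above, as an added example that is not taken from the Hdiv documentation. It uses the hdiv:config, hdiv:startPages, hdiv:validation and hdiv:editableValidations elements of the Hdiv schema; the paths, extension list and accepted pattern are constructed sample values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:hdiv="http://www.hdiv.org/schema/hdiv"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">

    <!-- errorPage: where a request is sent when validation fails (sample path).
         excludedExtensions: static resources left out of Hdiv processing (sample list). -->
    <hdiv:config excludedExtensions="css,png,gif,jpeg,jpg,js" errorPage="/errorPage.jsp">
        <!-- Entry points that are accepted without an Hdiv state.
             Every URL listed here bypasses the integrity check, so keep the list short. -->
        <hdiv:startPages>/,/index.htm</hdiv:startPages>
    </hdiv:config>

    <!-- Allow-list rule for editable (user-typed) data.
         The pattern is a constructed sample: anchored at both ends, letters, digits and a few symbols. -->
    <hdiv:validation id="safeText">
        <hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9@.\-_]*$]]></hdiv:acceptedPattern>
    </hdiv:validation>

    <!-- Bind the rule to URLs by regular expression; "/.*" applies it to every request.
         Narrow the expression when only part of the application should use this rule. -->
    <hdiv:editableValidations>
        <hdiv:validationRule url="/.*">safeText</hdiv:validationRule>
    </hdiv:editableValidations>

</beans>
```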

How to build your own Hdiv jar

Clone this repository and build jar files (you'll need Git and Maven installed):

git clone https://github.com/hdiv/hdiv.git
cd hdiv
mvn install

The jars will be created in a folder named target and installed in the local Maven repository.

Do you need help?

If you have questions or problems, please open an issue on this repository (hdiv/hdiv) or contact us at [email protected]

License

Hdiv is released under version 2.0 of the Apache License.

Profiler

JProfiler is kindly supporting Hdiv open source project with its full-featured Java Profiler. Take a look at JProfiler's leading software products: Java Profiler

hdiv's People

Contributors

adamjhamer, anderruiz, gillarramendi, gorkavicente, itelleria, juaristi, manuel-alvarez-alvarez, robertovelasco, uurien


hdiv's Issues

HDIV always redirects to errorpage

I am trying to implement HDIV to a spring 3.1 application.

I have added the dependencies in pom file and listener, filter in web.xml file.

I have done the configuration as shown and when I access the application then welcome page is loading but after that if I access any link from the screen then it is redirected to errorpage.

What might be the problem?

web.xml:

<listener>
    <listener-class>org.hdiv.listener.InitListener</listener-class>
</listener>
<filter>
    <filter-name>ValidatorFilter</filter-name>
    <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ValidatorFilter</filter-name>
    <servlet-name>mvc-dispatcher</servlet-name>
</filter-mapping>
<jsp-config>
    <taglib>
        <taglib-uri>http://www.springframework.org/tags/form</taglib-uri>
        <taglib-location>/WEB-INF/lib/spring-form.tld</taglib-location>
    </taglib>
    <taglib>
        <taglib-uri>http://www.springframework.org/tags</taglib-uri>
        <taglib-location>/WEB-INF/lib/spring.tld</taglib-location>
    </taglib>
    <taglib>
        <taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
        <taglib-location>/WEB-INF/lib/hdiv-c.tld</taglib-location>
    </taglib>
</jsp-config>

pom.xml:

<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-core</artifactId>
    <version>${org.hdiv-version}</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-config</artifactId>
    <version>${org.hdiv-version}</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-spring-mvc</artifactId>
    <version>${org.hdiv-version}</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-jstl-taglibs-1.2</artifactId>
    <version>${org.hdiv-version}</version>
</dependency>

configuration:

<hdiv:config excludedExtensions="css,png,gif,jpeg,jpg,js" errorPage="/errorPage.jsp">
    <hdiv:startPages>/,/index.htm</hdiv:startPages>
</hdiv:config>

<hdiv:validation id="safeText">
    <hdiv:acceptedPattern></hdiv:acceptedPattern>
</hdiv:validation>

<hdiv:editableValidations>
    <hdiv:validationRule url="/.*">safeText</hdiv:validationRule>
</hdiv:editableValidations>

Broken Maven-Artifact for jstl in hdiv-jstl-taglibs-1.2/2.1.4

Hey there,

the maven-artifact for the jstl-Implementation in your jstl-taglibs-Project points to a broken build. The build is (even though the version states 1.2) a 1.1 definition, you can check this for yourself by looking into the c.tld inside the META-INF-Folder.
Refer to this Maven-Ticket for further info: https://issues.sonatype.org/browse/MVNCENTRAL-71

Consider using the glassfish-Implementation for replacement: http://download.java.net/maven/glassfish/org/glassfish/web/jstl-impl/1.2/jstl-impl-1.2.jar

Cheers,
Michael

"avoidValidationInUrlsWithoutParams"-Setting not mentioned in documentation

Hi,

here's a simple one. When browsing the sources and schema-declarations, I figured that there's a parameter called "avoidValidationInUrlsWithoutParams", which - in my case - saved me tons of hours in my expected requirements for porting an existing web-application.

So for future developers/admins, please document this parameter, it's worth a lot!

Cheers,
MezzoMicks

hdiv struts2 exception on startup of web app

I have configured & integrated hdiv on my struts2 web-app by referring to the doc. But, when I start my tomcat I get exceptions, and am not able to figure out what the issue is.

11/11 21:18:03 INFO iders.XmlConfigurationProvider - Parsing configuration file [struts-plugin.xml]
11/11 21:18:03 ERROR .struts2.dispatcher.Dispatcher - Dispatcher initialization failed
Unable to load configuration. - bean - jar:file:/D:/tomcat/apache-tomcat-6.0.35/webapps/publisher/WEB-INF/lib/hdiv-struts-2.0.11-2.0.4.jar!/struts-plugin.xml:9:136
at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:58)
at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:374)
at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:418)
at org.apache.struts2.dispatcher.FilterDispatcher.init(FilterDispatcher.java:190)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:295)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:422)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:115)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4072)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4726)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:943)
at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:778)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:504)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1317)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1065)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
at org.apache.catalina.core.StandardService.start(StandardService.java:525)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: Unable to load bean: type:org.apache.struts2.dispatcher.mapper.ActionMapper class:org.hdiv.dispatcher.mapper.HDIVActionMapper - bean - jar:file:/D:/tomcat/apache-tomcat-6.0.35/webapps/publisher/WEB-INF/lib/hdiv-struts-2.0.11-2.0.4.jar!/struts-plugin.xml:9:136
at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.register(XmlConfigurationProvider.java:221)
at org.apache.struts2.config.StrutsXmlConfigurationProvider.register(StrutsXmlConfigurationProvider.java:101)
at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:169)
at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:55)
... 30 more
Caused by: Bean type interface org.apache.struts2.dispatcher.mapper.ActionMapper with the name struts has already been loaded by [unknown location] - bean - jar:file:/D:/tomcat/apache-tomcat-6.0.35/webapps/publisher/WEB-INF/lib/hdiv-struts-2.0.11-2.0.4.jar!/struts-plugin.xml:9:136
at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.register(XmlConfigurationProvider.java:205)
... 33 more
Nov 11, 2012 9:18:03 PM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter struts2
Unable to load configuration. - bean - jar:file:/D:/tomcat/apache-tomcat-6.0.35/webapps/publisher/WEB-INF/lib/hdiv-struts-2.0.11-2.0.4.jar!/struts-plugin.xml:9:136
at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:431)
at org.apache.struts2.dispatcher.FilterDispatcher.init(FilterDispatcher.java:190)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:295)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:422)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:115)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4072)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4726)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:943)
at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:778)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:504)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1317)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1065)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
at org.apache.catalina.core.StandardService.start(StandardService.java:525)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: Unable to load configuration. - bean - jar:file:/D:/tomcat/apache-tomcat-6.0.35/webapps/publisher/WEB-INF/lib/hdiv-struts-2.0.11-2.0.4.jar!/struts-plugin.xml:9:136
at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:58)
at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:374)
at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:418)
... 28 more
Caused by: Unable to load bean: type:org.apache.struts2.dispatcher.mapper.ActionMapper class:org.hdiv.dispatcher.mapper.HDIVActionMapper - bean - jar:file:/D:/tomcat/apache-tomcat-6.0.35/webapps/publisher/WEB-INF/lib/hdiv-struts-2.0.11-2.0.4.jar!/struts-plugin.xml:9:136
at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.register(XmlConfigurationProvider.java:221)
at org.apache.struts2.config.StrutsXmlConfigurationProvider.register(StrutsXmlConfigurationProvider.java:101)
at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:169)
at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:55)
... 30 more
Caused by: Bean type interface org.apache.struts2.dispatcher.mapper.ActionMapper with the name struts has already been loaded by [unknown location] - bean - jar:file:/D:/tomcat/apache-tomcat-6.0.35/webapps/publisher/WEB-INF/lib/hdiv-struts-2.0.11-2.0.4.jar!/struts-plugin.xml:9:136
at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.register(XmlConfigurationProvider.java:205)
... 33 more

HDIV is supported in HTML

Hi
I am using HTML+Thymeleaf as front end. Can HDIV be used with HTML? If yes, can you guide me through the procedure?

Thank you

randomname hinders AJAX-based State-Modification

Hi there,

when using AJAX-Request to modify the State of a I have to use a workaround.
Instead of declaring my request-URL this way (as stated in the showcase -> partialform.jsp)

<c:url value="/form1/colors" var="urlColors">
    <c:param name="_MODIFY_HDIV_STATE_" value="${hdivFormStateId}" />
</c:url>

I do this.

<c:url value="/form1/colors" var="urlColors">
    <c:param name="${modifyHDIVStateParameter}" value="${hdivFormStateId}" />
</c:url>

I guess, this is actually how it was intended, but for clarity's sake you should change the example (line 104 in partialform.jsp) and documentation, which point to this.

BUT you could also modify your URL-Processor so that it automatically replaces parameters with the name "_MODIFY_HDIV_STATE_" with the required random name (if needed).

Cheers,
MezzoMicks

Customize dv rules in defaultEditableValidations.xml

Hello,

What is the best way, if any, to customize data validation rules in defaultEditableValidations.xml? Rather than using the default file provided in hdiv-config.jar file, I would like to specify my own default rules for HDIV and configure it with Spring. I can certainly unjar hdiv-config, make the changes to defaultEditableValidations.xml, and re-jar but that's a bit ugly.

Thanks for your help.

Does HDIV support plain HTML tags like <input>, <select>, etc.?

In one of my applications we have used a lot of plain HTML tags along with Struts tags, i.e. in some pages we use only HTML input tags and in some other pages only Struts tags. Does HDIV support pages like this? Can you give some examples of how plain HTML tags are supported?

Protecting an URL using the POST method, but not when GET is used.

We have the following URL-pattern in a RESTful context:

/myContextRoot/someItem/1

This URL needs to be protected when we use the POST method, but NOT when we use the GET method on this URL.
Is there a way to configure HDIV to enforce this?

EXAMPLE

When we adopt the following in our .jsp:

<form:form method="POST" action="/myContextRoot/someItem/1" ...>
    <form:input ... />
    <input type ="submit" .../>
</form:form>

This will correctly result in:

<form method="POST" action="/myContextRoot/someItem/1" ...>
    <input ... />
    <input type ="submit" .../>
    <input type="hidden" name="_HDIV_STATE_" value="..."></input>   
</form>

So far so good, however if we use a GET method on the same URL it will, e.g., result in:

<a href="/myContextRoot/someItem/1?_HDIV_STATE_=...">...</a>

But what we want is that the following link is perfectly legal according to HDIV:

<a href="/myContextRoot/someItem/1">...</a>

Problem while loads a JSF page

Greetings

We have a JSF application running with HDIV 2.1.4 which has a problem when a page is loaded. In the HDIV log we have this:

"HDIV_PARAMETER_NOT_EXISTS;/webtest/home/home.xhtml;HDIV_STATE;null;0:0:0:0:0:0:0:1;0:0:0:0:0:0:0:1;user"

I don’t know if this is relevant but a lot of this also comes:

"The page [n] has no states, is not stored in session"

The exception goes as a null object and we got NullPointerException in the backing bean. Thanks in advance!

AJAX-Request only works with "memory"-strategy

Hey again,

I fiddled around with different strategies while using AJAX-Requests. And I came to the conclusion, that it only seems to work with the memory-strategy.

I get the following log output:

ERROR: org.hdiv.filter.ValidatorFilter - Exception in request validation:
ERROR: org.hdiv.filter.ValidatorFilter - Message: INVALID_PAGE_ID
ERROR: org.hdiv.filter.ValidatorFilter - StackTrace:    at org.hdiv.session.SessionHDIV.getState(SessionHDIV.java:220)
    at org.hdiv.state.StateUtil.getStateFromSession(StateUtil.java:169)
    at org.hdiv.state.StateUtil.restoreState(StateUtil.java:106)
    at org.hdiv.dataComposer.DataComposerFactory.initDataComposer(DataComposerFactory.java:134)
    at org.hdiv.dataComposer.DataComposerFactory.newInstance(DataComposerFactory.java:114)
    at org.hdiv.filter.ValidatorHelperRequest.startPage(ValidatorHelperRequest.java:990)
    at org.hdiv.filter.ValidatorFilter.processRequest(ValidatorFilter.java:256)
    at org.hdiv.filter.ValidatorFilter.doFilterInternal(ValidatorFilter.java:191)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)

ERROR: org.hdiv.filter.ValidatorFilter - Cause: null
ERROR: org.hdiv.filter.ValidatorFilter - Exception: org.hdiv.exception.HDIVException: INVALID_PAGE_ID

You can reproduce it with the partialforms-example in the showcase, while switching the strategy to "hash" in the hdiv-config.xml.

From my understanding of the source I would recommend one of the following approaches:

  1. When modifying a state in either hash or cipher mode, give the possibility to the developer to manually append the new state-hash/-cipher to the JSON payload, so one can manually inject the new value into the dom when parsing the request.
  2. Alternatively allow the StateCache to be in mixed-mode, so every parameter/value that was not in the original hash will be compared to an appended memory-state.
  3. Leave it as it is (for the time being) and mention it in the documentation.

Cheers,
MezzoMicks

Problem accessing MultipartFiles

I've integrated HDIV in my project and everything seems to work well except for Multipart files.

I tried using both the HDIV multipart resolver


and the ordinary spring common resolver (like in your example)

The controller param is @RequestParam(value="fotoFile", required=false) MultipartFile fotoFile,
but the parameter is always null. But if I "navigate" all the request wrappers to the original request, I can find the multipart.

If I debug, I can see a right call to the MultipartResolver.

What do you suggest to do?
Thanks in advance,
Massimo

HDIV_PARAMETER_NOT_EXISTS on one URL, but not another. Same URL pattern.

Hi

I am getting HDIV_PARAMETER_NOT_EXISTS on URLs:

"http://localhost:7001/lv/articles/articleDetail/title/Rehabilitation%20exercise%20for%20certain%20chronic%20disease%20conditions"

"http://localhost:7001/lv/articles/articleDetail/title/How%20hard%20to%20exercise%20-%20Easy%20ways%20to%20measure%20exercise%20intensity"
Console output for this URL => ("HDIV_PARAMETER_NOT_EXISTS;/lv/articles/articleDetail/title/How hard to exercise - Easy ways to measure exercise intensity;HDIV_STATE;null;0:0:0:0:0:0:0:1;0:0:0:0:0:0:0:1;user")

and no errors on:

"http://localhost:7001/lv/articles/articleDetail/title/How%20gaining%20muscle%20can%20be%20beneficial"
"http://localhost:7001/lv/articles/articleDetail/title/An%20introduction%20to%20core%20strength"

In hdiv:startPages I have "/articles/articleDetail/title/.*" in a spring context.

This is for plain HTTP GET requests. The URLs are very similar, only differing in length from what I can see.

Please ask if I need to provide anything else and thanks in advance.

HDIV with jQuery ajax in Spring MVC

Hi,

I have a Spring MVC application in which I am using jQuery to do some Ajax calls, but I am getting INVALID_PARAMETER for my parameters. I tried c:url to create the Ajax URL. Is there any way to achieve this?

Regards,
Karthikeyan V

JSF HDIV Libraries

Hi

Where can I get the latest HDIV for JSF libs?

Regards,
Karthikeyan V.

HDIV support for Spring Portlets

Is Spring Portlets supported for HDIV integration? If yes, are there any examples and documentation? If no, is there any road map to build support?

Thanks

maximum client-payload-size is hardwired to 4kb

Hey there,

I know, this might not be a 'real' bug, but I want to push this into consideration for near future development:
Currently the maximum cache size is hardwired to 4000 bytes. [ConfigBeanDefinition.createDataComposerFactory():306 in current Version 69e41f2]

It would be helpful if this was configurable.

Cheers,
MezzoMicks

Use HDIV with JSP Web Application?

Hi,

I want to know if HDIV can be applied to a JSP-based application which does not even use a servlet as a controller.

Is HDIV only for applications based on standard frameworks like Struts and Spring?

HDIVException: IDataComposer has not been initialized in request

Hi guys,

I'm integrating your original and very useful framework in my project. I'm using JSTL 1.2, Spring MVC 3.1 and Spring Security.

I have this error

org.hdiv.exception.HDIVException: IDataComposer has not been initialized in request
at org.hdiv.util.HDIVUtil.getDataComposer(HDIVUtil.java:91)
at org.hdiv.urlProcessor.LinkUrlProcessor.processUrl(LinkUrlProcessor.java:48)
at org.hdiv.taglibs.standard.tag.common.core.UrlSupportHDIV.doEndTag(UrlSupportHDIV.java:105)
....

I have used the hdiv configurations I found in "spring-mvc-showcase". Can you suggest how to solve it?

Thanks
Stefano

J2EE clustering

Does HDIV work in an Application Server cluster (a real J2EE cluster, no sticky sessions)?

Are all things that matter in the HTTP session? Or is there state info needed to work in Spring singletons or in other non-clusterizable objects?

Thanks in advance
Stefano

Non editable field in Multipart form.

Hi.

I have a file upload page; the form has a form:checkbox. If confidentiality is enabled I'm getting the following error. This is happening for all non-editable fields.

Message: validation error: validation error: El objeto request no es de tipo RequestWrapper.

Thanks and Regards.
Karthikeyan Vaithilingam

Ignore jsessionid as part of url

Hi,

I'd like HDIV to ignore the ";jsessionid=..." part of the URL when it searches for the match in the validator filter. Is there a way?
For example:

  1. I have this URL in the hdiv cache: /edit.html?id=12
  2. Afterwards the same browser sends a request with the URL /edit.html;jsessionid=...?id=12

HDIV complains
INVALID_ACTION;/webapp/edit.html;jsessionid=F2A5109A28E05FED57214345D7D7F4EC;null;null;127.0.0.1;127.0.0.1;user "

I'd like the HDIV filter to consider "/edit.html;jsessionid=F2A5109...?id=12" the same as "/edit.html?id=12". Is there a way?

Thanks in advance
Stefano

Incomplete trailing escape (%) pattern in HDIV 2.1.6

We have a Spring MVC webapp integrated with HDIV. With the latest version 2.1.6 integration, we started getting the error below for form fields which accept a % value.

We have one form field which accepts % as an accepted character, and when the form is submitted it gets processed, but when the controller returns to the JSP, the error below is thrown as the field value has %. We have the CharacterEncodingFilter filter set in web.xml and the JSP has UTF-8 encoding, but that didn't address the issue.

This was a non-issue in previous versions, but the change below in HDIV's DataComposerMemory.java on 02/14/2014 is causing the error.

b3ec18e#diff-6becde333bc45d372e099b7c74f55f23

private String getDecodedValue(String value, String charEncoding) {

    String decodedValue = null;
    try {
        decodedValue = URLDecoder.decode(value, charEncoding);
  •  } catch (Exception e) {
    
  •  } catch (UnsupportedEncodingException e) {
        decodedValue = value;
    }
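
Review bot: the narrowed catch around URLDecoder.decode(value, charEncoding) no longer covers malformed input. decode() throws IllegalArgumentException, an unchecked exception, when the value holds an incomplete % escape, which is the "Incomplete trailing escape (%) pattern" in the trace that follows, so a field value ending in % now escapes getDecodedValue instead of reaching the decodedValue = value fallback. Suggest catching IllegalArgumentException alongside UnsupportedEncodingException and keeping the raw value in that branch, and adding a test with a form field value that contains a bare %.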
    

Error:

SEVERE: Servlet.service() for servlet [toaNextGen] in context with path [/appPath] threw exception [Request processing failed; nested exception is org.apache.tiles.impl.CannotRenderException: ServletException including path '/WEB-INF/content/jsp/registration.jsp'.] with root cause
java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern
at java.net.URLDecoder.decode(URLDecoder.java:187)
at org.hdiv.dataComposer.DataComposerMemory.getDecodedValue(DataComposerMemory.java:461)
at org.hdiv.dataComposer.DataComposerMemory.composeParameter(DataComposerMemory.java:366)
at org.hdiv.dataComposer.DataComposerMemory.compose(DataComposerMemory.java:276)
at org.hdiv.dataComposer.DataComposerMemory.composeFormField(DataComposerMemory.java:238)
at org.hdiv.web.servlet.support.HdivRequestDataValueProcessor.processFormFieldValue(HdivRequestDataValueProcessor.java:144)
at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.processFieldValue(AbstractDataBoundFormElementTag.java:243)
at org.springframework.web.servlet.tags.form.InputTag.writeValue(InputTag.java:171)
at org.springframework.web.servlet.tags.form.InputTag.writeTagContent(InputTag.java:146)
at org.springframework.web.servlet.tags.form.AbstractFormTag.doStartTagInternal(AbstractFormTag.java:103)
at org.springframework.web.servlet.tags.RequestContextAwareTag.doStartTag(RequestContextAwareTag.java:80)

Appreciate any help or workaround.

Thank you,
Krishnaraj

Issue with textarea and values which contains script or eval.

Hi,

In textarea if the value contains script or eval (e.g. description or evaluation) Invalid content for field is thrown. I think this is because of scriptXSS and evalXSS validation. I tested this in hdiv-jsf-example by changing the first name field to textarea in /view/newAccount.faces.

2013-03-27 11:24:15,080 INFO  org.hdiv.logs.Logger  - INVALID_EDITABLE_VALUE;/hdiv-jsf-example/view/newAccount.faces;formNewAccount:firstName;evaluation description;127.0.0.1;127.0.0.1;anonymous

Thanks,
Karthikeyan Vaithilingam

"UTF-8" Encoding problem

Hi,

We encounter a problem that we have observed recently, with “UTF-8” encoding. This problem is obviously related to the integration of HDIV Framework to our “Spring MVC / Spring Security” application.

Concerning the management of “UTF-8” encoding, we proceeded as follows:

1- We have activated the Spring Character encoding filter "org.springframework.web.filter.CharacterEncodingFilter" and we have positioned it as the first filter in our deployment descriptor "web.xml" like this:

<!-- Spring Security Char Encoding Filter-->
<filter>
    <filter-name>characterEncodingFilter</filter-name>
    <filter-class>
        org.springframework.web.filter.CharacterEncodingFilter
    </filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>forceEncoding</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- Spring Security Filter-->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<!-- the Filter’s mappings -->
<filter-mapping>
    <filter-name>characterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

2- Then we set up Tomcat to handle "UTF-8" encoding, by changing the file "server.xml" like this:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8" useBodyEncodingForURI="true"/>
…..
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
URIEncoding="UTF-8" useBodyEncodingForURI="true"/>

Without the integration of HDIV Framework, i.e.: only with Spring MVC and Spring Security (+ tomcat setup / and Spring character encoding filter) we have no problem with "UTF-8" encoding.

With the activation of HDIV Framework (Filter + RequestDataValueProcessor, JSTL-HdIV Taglib, etc.) the problem occurs.

Our Spring configuration files:
• HDIV (hdiv-config.xml : https://gist.github.com/4672835),
• Spring Security(security-config.xml : https://gist.github.com/4672833),
• Spring MVC(presentation-config.xml : https://gist.github.com/4672840),
• And our deployment descriptor (web.xml :https://gist.github.com/4672821).

You will also find screenshots of a use case (domain entity update) that allow the encoding problem to be reproduced.

Thanks in advance for your help!

Regards,

Youssef

hdiv_bug_utf8_detail_screen
hdiv_bug_utf8_edit_screen
hdiv_bug_utf8_edit_screen_error

ResponseWrapper.addCookie

Hi

We are deploying to 2 J2EE applications and to mimic SSO, we add 2 cookies to the request.
When running the apps with HDIV the cookie's values are set to "0" and we get INVALID_COOKIE error.
I've tried to add the cookies using :
ResponseWrapper hdivResponseWrapper = new ResponseWrapper(response);
hdivResponseWrapper.addCookie(cookie1);
hdivResponseWrapper.addCookie(cookie2);
but their values are still "0"

Any ideas?
Regards,
-Z

Issue in Integrating HDIV to my Spring-MVC application

Hi,
I am trying to integrate HDIV into my application and have referred to the hdiv-reference document.

I am getting the following exception:

Mar 11, 2013 7:32:09 PM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter ValidatorFilter
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'application' is defined
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:504)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1041)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:273)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:189)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1004)
at org.hdiv.util.HDIVUtil.getApplication(HDIVUtil.java:231)
at org.hdiv.filter.ValidatorFilter.initFilterBean(ValidatorFilter.java:73)
at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:179)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:275)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:397)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:108)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3696)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4343)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Mar 11, 2013 7:32:09 PM org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart

This error is thrown at startup of my server...
I have added

  • HDIV: core library (hdiv-core-2.0.4.jar) and tags library (hdiv-spring-mvc-2.5-2.0.3.jar).
  • Spring: spring-2.0.1.jar or higher
  • Commons codec: commons-codec-1.3.jar
  • Commons fileupload: commons-fileupload-1.1.1.jar
  • Commons io: commons-io-1.1.jar

Is there any error in the mapping?
Any help would be highly appreciated!

HDIV Validator and JSR 303 Validation

Our use case:
We try to integrate HDIV Framework to our Spring MVC 3.1 application in order to protect it against XSS and XSRF attacks.
We also annotate our Form beans/DTOs with JSR 303 annotations in order to make some business validation rules.
To achieve this, on the one hand, we activate the HDIV validator via the annotation-driven xml configuration like this:

    <annotation-driven validator="editableValidator"/>
    <beans:bean id="editableValidator" class="org.hdiv.web.validator.EditableParameterValidator"/>

On the other hand, we use the Spring MVC/JSR 303 integration, to get errors (both XSS & JSR 303 ) under the controller method using @Valid annotation.
Example:

    @RequestMapping(value = { "/attacks/SQLInjection/processSQLStringInjection",
            "/secure/SQLInjection/processSQLStringInjection" }, method = RequestMethod.POST)
    public String processSQLStringInjection(@Valid Account account, Errors errors, Model model) {
        if (errors.hasErrors()) {
            return "/attacks/SQLInjection/SQLStringInjection";
        }

        // ..etc
    }

1/ with this configuration, no JSR 303 validation error is launched in any case.
2/ with an update on “SampleMvc-servlet.xml“ like this :

      <mvc:annotation-driven  />

JSR 303 validation works as expected.
How can we combine both JSR 303 and HDIV validation ?

Regards,
Youssef

memory pattern clarity

The StateUtil.java currently has:
private static final String MEMORY_PATTERN = "([0-9]+-){2}[A-Za-z0-9]+";

For consistency with the other code it should read:
private static final String MEMORY_PATTERN = "([0-9]+"+AbstractDataComposer.DASH+"){2}[A-Za-z0-9]+";

The matching of [A-Za-z0-9] assumes that the pluggable uidGenerator will return that format but there is no contract for that. The comment in AbstractDataComposer.initPage suggests to take the return value and ensure/convert it to a hex value, but a more OO approach to StateUtil would be better.

Integrating HDIV with improper SPRING framework

Hi,
We are thinking of implementing HDIV in our products, but the problem is that all our products do not use a proper Spring MVC architecture or any other of the architectures you mention. Mostly the flow is through the controllers (in some products Spring is used but not MVC). Can HDIV be used in such conditions? If so, is any modification of existing code required (like JSPs; how much modification will be required)? Is there any example code for such a scenario? Is there any provision for implementing only some features of HDIV in such a scenario?

Avoiding URL Confidentiality

Hi,

I don't know if it's the right place to ask for some help, but if not, sorry for that.

I'm facing a little problem with parameters confidentiality.
I know it's possible to turn off confidentiality in hdiv:config, but is it possible to turn off confidentiality for a specific url? Something like paramsWithoutValidation?

In my case I have a link like this: http://localhost:8080/myapp/authentifier/AuthnRequest?urlOK=redirectUrl&_HDIV_STATE_=D4F1E1D13EE5040A1A51AFBA and urlOK is replaced with urlOK=0.

The problem is that this URL is intercepted by a filter placed before HDIV filter, so the confidentiality mapping is not done and I have an error redirecting to url OK

Thanks in advance.

Problems when using HDIV with Spring-mvc and RESTful urls.

I am trying to integrate HDIV in an existing RESTful application. I would like all the GET requests to be start pages, and POST, PUT and DELETE requests to be HDIV protected pages.

I am using HDIV 1.2.4-SNAPSHOT and I am using this configuration:

<hdiv:config 
    strategy="hash"
    excludedExtensions="css,png,gif,jpeg,jpg,js"
    confidentiality="true"
    errorPage="/error.jsp">

    <hdiv:startPages method="get">.*</hdiv:startPages>

    <hdiv:paramsWithoutValidation>
        <hdiv:mapping url=".*" parameters="_method"/>
    </hdiv:paramsWithoutValidation>
</hdiv:config>

The problem is that when processing fields HDIV only takes into account the action of the form, ignoring the method. This leads to several problems, e.g. confidentiality is not applied to readonly fields but is checked in the filter, resulting in validation errors.

Support for login page when integration with Spring Security

I have integrated spring-security into my application. HDIV integration is done on top of it.

When the session expires, if HDIV is not integrated, upon accessing any URL, the redirection happens to the login page. But when HDIV is integrated with the application, the redirection happens to the error page configured in hdiv-config.xml.

I think the redirection to the error page should happen only when the URL is tampered with; when the session expires it should be redirected to the login page.

NoSuchFieldException is thrown for hdiv-config.xml

Hi,

I'm using struts-1.2.9 in my application. Based on the hdiv-reference.pdf, I configured HDIV in my application. But when I deployed my application, I'm getting few NoSuchFieldException instances like the one below:

I'm getting the below error for memory, cache, key, and HDIV_STATE

2012-11-27 11:28:34,144 DEBUG [org.springframework.beans.TypeConverterDelegate] Field [HDIV_STATE] isn't an enum value
java.lang.NoSuchFieldException: HDIV_STATE
at java.lang.Class.getField(Class.java:1507)
at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:200)
at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:95)
at org.springframework.beans.BeanWrapperImpl.convertIfNecessary(BeanWrapperImpl.java:358)
at org.springframework.beans.factory.support.AbstractBeanFactory.doTypeConversionIfNecessary(AbstractBeanFactory.java:831)
at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:367)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:126)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:684)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:622)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:381)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:245)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:140)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:242)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:156)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:273)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:346)
at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.refresh(AbstractRefreshableWebApplicationContext.java:156)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:246)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:184)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3827)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4343)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:823)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:150)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at org.apache.catalina.core.StandardContext.init(StandardContext.java:5441)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:150)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeployInternal(TomcatDeployer.java:336)
at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeploy(TomcatDeployer.java:83)
at org.jboss.web.AbstractWebDeployer.start(AbstractWebDeployer.java:370)
at org.jboss.web.WebModule.startModule(WebModule.java:62)
at org.jboss.web.WebModule.startService(WebModule.java:40)
at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:891)
at $Proxy0.start(Unknown Source)
at org.jboss.system.ServiceController.start(ServiceController.java:416)
at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy24.start(Unknown Source)
at org.jboss.web.AbstractWebContainer.start(AbstractWebContainer.java:362)
at org.jboss.deployment.MainDeployer.start(MainDeployer.java:935)
at org.jboss.deployment.MainDeployer.start(MainDeployer.java:927)
at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:746)
at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:709)
at sun.reflect.GeneratedMethodAccessor29.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:119)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:131)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
at $Proxy8.deploy(Unknown Source)
at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:305)
at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:463)
at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:204)
at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.loop(AbstractDeploymentScanner.java:215)
at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.run(AbstractDeploymentScanner.java:194)

One of the default validation rules can cause stackoverflow error

In file
hdiv-config/src/main/resources/org/hdiv/config/validations/defaultEditableValidations.xml

There is a rule


This can cause stackoverflow error on certain input text.

Here is a short test

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.junit.Test;

public class SqlInjectionPatternTest {

    // Reproduces the report: matches() with this pattern can throw
    // StackOverflowError on this input.
    @Test
    public void test() {
        String text =
                "The purpose of this communication is " +
                "to publically announce the Department's intention in this regard and to provide " +
                "the appropriate contact information for any inquiries or for those wishing to " +
                "submit comments or any new scientific information relevant to the safety of this " +
                "additive. Health Canada's Food Directorate is committed to reviewing any new " +
                "scientific information on the safety in use of any food additive, including " +
                "urease. Anyone wishing to submit new scientific information on the use of this " +
                "additive or to submit any inquiries may do so in writing, by regular mail or " +
                "electronically. If you wish to contact the Food Directorate electronically, " +
                "please use the words \"Urease Notification\" in the subject line of your e-mail. " +
                "Health Canada is able to consider information received by May 24 2013, " +
                "75 days from the date of this posting.";
        String sqlInjectionPattern = "(\\s|\\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))+(\\s|\\S)*";
        Pattern p = Pattern.compile(sqlInjectionPattern);
        Matcher m = p.matcher(text);
        System.out.println(m.matches());
    }
}
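
Added example (not part of the original issue and not Hdiv code): the pattern from the test above, run over constructed inputs next to a rewritten check that gives the same yes/no answer without the (\s|\S)* wrappers. The class, method and enum names and all input values are assumptions made for this illustration.

```java
import java.util.regex.Pattern;

// Added illustration, not Hdiv code. The pattern text is taken from the issue's test;
// the class, method and enum names and all inputs are constructed for this example.
public class EditableRuleStackDepth {

    // The alternation of characters/escapes the rule looks for, as quoted in the issue.
    static final String TOKENS =
            "((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))";

    // Shape used by the rule: the whole value must match, with (\s|\S)* on both sides.
    // java.util.regex evaluates a starred group that contains an alternation
    // recursively, so stack depth grows with the length of the value.
    static final Pattern ORIGINAL = Pattern.compile("(\\s|\\S)*" + TOKENS + "+(\\s|\\S)*");

    // Same yes/no answer without the wrappers: matches() on ORIGINAL succeeds
    // exactly when at least one token occurs somewhere in the value.
    static final Pattern REWRITTEN = Pattern.compile(TOKENS);

    enum Outcome { MATCH, NO_MATCH, STACK_OVERFLOW }

    static Outcome checkOriginal(String value) {
        try {
            return ORIGINAL.matcher(value).matches() ? Outcome.MATCH : Outcome.NO_MATCH;
        } catch (StackOverflowError e) {
            // The validator never reaches a verdict for this value.
            return Outcome.STACK_OVERFLOW;
        }
    }

    static Outcome checkRewritten(String value) {
        // find() scans for the first token and stops; no per-character recursion.
        return REWRITTEN.matcher(value).find() ? Outcome.MATCH : Outcome.NO_MATCH;
    }

    // Builds a value of roughly the requested length out of letters and spaces only.
    static String filler(int approxLength) {
        StringBuilder sb = new StringBuilder(approxLength + 32);
        while (sb.length() < approxLength) {
            sb.append("lorem ipsum dolor ");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String[] labels = {
            "short, no token", "short, apostrophe", "short, single dash",
            "short, double dash", "200k chars, no token", "200k chars, '=' at end"
        };
        String[] values = {
            "plain text without listed characters",
            "Health Canada's Food Directorate",
            "well-known",
            "a -- b",
            filler(200_000),
            filler(200_000) + "x=1"
        };
        for (int i = 0; i < values.length; i++) {
            System.out.printf("%-24s original=%-14s rewritten=%s%n",
                    labels[i], checkOriginal(values[i]), checkRewritten(values[i]));
        }
    }
}
```

With a default-sized thread stack, the two long values are where checkOriginal is expected to report STACK_OVERFLOW; checkRewritten returns the same verdict as a successful checkOriginal on every input.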

Multipart issue in hdiv 2.1.5

While testing hdiv 2.1.5 with spring mvc, we have encountered an issue with the handling of multipart files.

We believe the bug is in org.hdiv.filter.RequestWrapper.getParameterNames(), line 178.

The current code,

 list.add(multipartParams);

Adds the array to the list, not the contents. What was probably meant is

 list.addAll(multipartParams);

Editable attribute validation - errors logged but request is allowed through.

Hi,

I have a Spring 3.1 MVC application configured with HDIV. I have written a simple form with one input field. The problem is that it doesn't show an error page for invalid input. I have configured an editable validation to prevent special characters from being submitted but it doesn't seem to be doing anything.

It logs the fact that the field contains invalid characters but the request still gets to the controller and it doesn't show me the error page.

The error page is shown for cases where an invalid HDIV_STATE is given and where parameters are missing as expected.

Here is the hdiv-config-xml

<description></description>

<hdiv:config errorPage="/error.jsp"
             maxPagesPerSession="200"
             debugMode="false"
             avoidCookiesConfidentiality="false"
             confidentiality="true"
             strategy="memory"
             avoidValidationInUrlsWithoutParams="false"
        >

    <hdiv:startPages>/index.jsp,/common/.*,/resources/.*,/login</hdiv:startPages>
    <hdiv:paramsWithoutValidation>            
        <!-- excluded -->
    </hdiv:paramsWithoutValidation>
</hdiv:config>

<hdiv:validation id="safeText">
    <hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9@.\-_]*$]]></hdiv:acceptedPattern>
</hdiv:validation>

<hdiv:editableValidations>
    <hdiv:validationRule url=".*">safeText</hdiv:validationRule>
</hdiv:editableValidations>

Here is the form:

<c:url var="testalturl" value="/testalt"/>
<form:form id="testaltfrom" modelAttribute="testFormVo" action="${testalturl}" method="POST" >
<form:input path="sometext" id="sometextbit"/>
<input type="submit"/>
</form:form>

Spring bootstrap problem when upgrading from Hdiv 2.1.2 to 2.1.4

Hi Guys,

Wanting to upgrade HDIV from 2.1.2 to 2.1.4 in order to take advantage of patches, and in particular these two (#21, #11), I encountered the following problem:

In my Spring servlet file, I defined the request data value processor in this way:

    HDIV implementation of RequestDataValueProcessor
<beans:bean id="requestDataValueProcessor"
    class="org.hdiv.web.servlet.support.HdivRequestDataValueProcessor">
    <beans:property name="linkUrlProcessor" ref="linkUrlProcessor" />
    <beans:property name="formUrlProcessor" ref="formUrlProcessor" />
</beans:bean>

<!-- URL PROCESSOR -->
<beans:bean id="linkUrlProcessor" class="org.hdiv.urlProcessor.LinkUrlProcessor">
    <beans:property name="config" ref="config" />
</beans:bean>

<beans:bean id="formUrlProcessor" class="org.hdiv.urlProcessor.FormUrlProcessor">
    <beans:property name="config" ref="config" />
</beans:bean>

With HDIV version 2.1.2 the instantiation of the Spring BeanFactory goes well. When I upgrade to 2.1.4 I get this error:
  org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'linkUrlProcessor' defined in ServletContext resource [/ WEB-INF/spring/presentation-config.xml]: Can not resolve reference to bean 'config' while setting bean property 'config 'org.springframework.beans.factory.NoSuchBeanDefinitionException nested exception is: No bean named' config 'is defined
 
When I go back to version 2.1.2 everything works again!

Do you have an idea of the problem, or of what I have perhaps forgotten to do?

For more details, our Spring configuration files:

• HDIV (hdiv-config.xml: https://gist.github.com/4672835),
• Spring Security (security-config.xml: https://gist.github.com/4672833),
• Spring MVC (presentation-config.xml: https://gist.github.com/4672840),
• And our deployment descriptor (web.xml: https://gist.github.com/4672821).

Thanks in advance for your help!

Best wishes,
Youssef

Integrating HDIV with Struts 1.3.10 WebApp

Hi all,

I tried to follow the installation guide from reference-hdiv.pdf to set up my Struts web app to use HDIV. But here is what I got from the Tomcat log.

SEVERE: Exception sending context initialized event to listener instance of class org.hdiv.listener.InitListener
org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.hdiv.application.IApplication] is defined: expected single bean but found 0:
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:257)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1012)
at org.hdiv.listener.InitListener.initServletContext(InitListener.java:148)
at org.hdiv.listener.InitListener.contextInitialized(InitListener.java:80)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4779)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5273)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:895)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:871)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:962)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1603)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

I'm using:

  • springs-aop-3.0.0.RELEASE.jar,springs-asm-3.0.0.RELEASE.jar, springs-aspects-3.0.0.RELEASE.jar, springs-beans-3.0.0.RELEASE.jar, springs-context-3.0.0.RELEASE.jar, springs-core-3.0.0.RELEASE.jar, springs-expression-3.0.0.RELEASE.jar, springs-jdbc-3.0.0.RELEASE.jar,springs-test-3.0.0.RELEASE.jar,springs-tx-3.0.0.RELEASE.jar,springs-web-3.0.0.RELEASE.jar
  • hdiv-config-2.1.5.jar, hdiv-core-2.1.5.jar, hdiv-struts-1-2.1.5.jar, hdiv-jstl-taglibs-1.2-2.1.5.jar

Here is my configuration for web.xml:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext.xml,/WEB-INF/hdiv-config.xml
    </param-value>
</context-param>

<filter>
    <filter-name>ValidatorFilter</filter-name>
    <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ValidatorFilter</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>ValidatorFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<listener>
    <listener-class>
        org.hdiv.listener.InitListener
    </listener-class>
</listener>

<jsp-config> 
    <taglib>
        <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
        <taglib-location>/WEB-INF/hdiv-html.tld</taglib-location>
    </taglib>
    <taglib>
        <taglib-uri>/WEB-INF/struts-nested.tld</taglib-uri>
        <taglib-location>/WEB-INF/hdiv-nested.tld</taglib-location>
    </taglib>
    <taglib>
        <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
        <taglib-location>/WEB-INF/hdiv-logic.tld</taglib-location>
    </taglib>
</jsp-config> 

Please tell me what to do next. Thanks.

Spring 2.5 support?

Hi, I got hdiv 2.1.3 and built it, but I am unable to make it work:

First, there's neither a sample hdiv-config.xml nor an applicationContext.xml included with the source.

Second, even after I managed to run it, it gives me a HDIV-PARAMETER-NOT-PRESENT exception in the logs no matter what I do. It seems this version does not include any HDIV Spring view resolvers; is that the problem?

Does your code still support Spring 2.5 which I use? If yes, where can I get sample application from?

Exception While trying to redirect

Whenever there is a redirect, I get the exception given below. I recently did a 2.1.4 update. There were no errors in 2.1.4-SNAPSHOT. What can be the problem?

Thanks & Regards
Bala

[ERROR] http-bio-7780-exec-3 03:01:51 Exception in request validation:
[ERROR] http-bio-7780-exec-3 03:01:51 Exception in request validation:
[ERROR] http-bio-7780-exec-3 03:01:51 Message: Request has not been initialized in threadlocal
[ERROR] http-bio-7780-exec-3 03:01:51 Message: Request has not been initialized in threadlocal
[ERROR] http-bio-7780-exec-3 03:01:51 StackTrace: at org.hdiv.util.HDIVUtil.getHttpServletRequest(HDIVUtil.java:349)
at org.hdiv.util.HDIVUtil.getHttpSession(HDIVUtil.java:335)
at org.hdiv.session.SessionHDIV.getHttpSession(SessionHDIV.java:303)
at org.hdiv.session.SessionHDIV.addPage(SessionHDIV.java:129)
at org.hdiv.dataComposer.DataComposerMemory.endPage(DataComposerMemory.java:515)
at org.hdiv.filter.ValidatorHelperRequest.endPage(ValidatorHelperRequest.java:1008)
at org.hdiv.filter.ValidatorFilter.processRequest(ValidatorFilter.java:258)
at org.hdiv.filter.ValidatorFilter.doFilterInternal(ValidatorFilter.java:191)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:300)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)

[ERROR] http-bio-7780-exec-3 03:01:51
The exception Stacktrace is given below.

StackTrace: at org.hdiv.util.HDIVUtil.getHttpServletRequest(HDIVUtil.java:349)
at org.hdiv.util.HDIVUtil.getHttpSession(HDIVUtil.java:335)
at org.hdiv.session.SessionHDIV.getHttpSession(SessionHDIV.java:303)
at org.hdiv.session.SessionHDIV.addPage(SessionHDIV.java:129)
at org.hdiv.dataComposer.DataComposerMemory.endPage(DataComposerMemory.java:515)
at org.hdiv.filter.ValidatorHelperRequest.endPage(ValidatorHelperRequest.java:1008)
at org.hdiv.filter.ValidatorFilter.processRequest(ValidatorFilter.java:258)
at org.hdiv.filter.ValidatorFilter.doFilterInternal(ValidatorFilter.java:191)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:300)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)

[ERROR] http-bio-7780-exec-3 03:01:51 Cause: null
[ERROR] http-bio-7780-exec-3 03:01:51 Cause: null
[ERROR] http-bio-7780-exec-3 03:01:51 Exception: org.hdiv.exception.HDIVException: Request has not been initialized in threadlocal
[ERROR] http-bio-7780-exec-3 03:01:51 Exception: org.hdiv.exception.HDIVException: Request has not been initialized in threadlocal
Jul 30, 2013 3:01:51 PM org.apache.catalina.core.StandardWrapperValve invoke

ul 30, 2013 3:37:30 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [action] in context with path [/Sampe] threw exception
java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed
at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:483)
at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
at org.springframework.security.web.firewall.FirewalledResponse.sendRedirect(FirewalledResponse.java:25)
at org.hdiv.filter.ValidatorFilter.doFilterInternal(ValidatorFilter.java:220)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:300)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)

HDIV and Spring: nesting <spring:url> tag in Spring's form tag breaks

When creating a form like this:

<form:form method="POST" modelAttribute="bulkSelection">
    <input type="submit" name="test" value="testbutton"/>
    <form:checkbox path="pathvalue" value="${backingObject.path}"/>
</form:form>

everything works as expected, and a hidden field is appended to the form containing the CSRF token. However, when I use a <spring:url> tag inside the form, the hidden CSRF token is suddenly not appended to the form anymore:

<form:form method="POST" modelAttribute="bulkSelection">
    <input type="submit" name="test" value="testbutton"/>
    <form:checkbox path="pathvalue" value="${backingObject.path}"/>
    <a href="<spring:url value ='/some/link' />">
        <img src="${pageContext.request.contextPath}/pic.png"/>
    </a>
</form:form>

It seems that something is going wrong in the DataComposerMemory class: in the first situation, the getExtraHiddenFields method (see https://github.com/hdiv/hdiv/blob/master/hdiv-spring-mvc/src/main/java/org/hdiv/web/servlet/support/HdivRequestDataValueProcessor.java#L150) sees true when it calls DataComposer.isRequestStarted(), but in the second situation, with the nested <spring:url> tag, it returns false!

When the <spring:url> tag is moved outside of the form, everything works correctly again:

  • the form gets its hidden CSRF token
  • the link gets the HDIV state parameter appended

Therefore, it seems the nesting causes the issue.

CipherHTTP thread safety issues

When using strategy="cipher" and there are simultaneous requests by the same user (I have 2 ajax requests run when a page loads), there are a myriad of exceptions that occur at cipher.doFinal(data) in org.hdiv.cipher.CipherHTTP.decrypt. It turns out that javax.crypto.Cipher is not thread safe, so any of the operations such as Cipher.encrypt / Cipher.decrypt / Cipher.init will blow up with rather confusing exceptions related to insufficient padding, gzip stream corruption, etc.

Because init and encrypt/decrypt have to be synchronized together, I have worked around this in decode/encode64Cipher like this:

ICipherHTTP cipher = this.session.getDecryptCipher();
Key key = this.session.getEncryptCipherKey();
byte[] data;
// init and decrypt must run under the same lock on the shared cipher
synchronized (cipher) {
    cipher.initDecryptMode(key);
    data = cipher.decrypt(encodedData);
}

and session.getEncrypt/DecryptCipherKey no longer does initDecryptMode.

I'm more than willing to work on a pull request, but as there are many ways to go about fixing this I'll hold off to see if you want to take it on or give me some direction.
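The race described in this issue, reproduced outside Hdiv with plain javax.crypto as an added example (it is not code from the post or from the Hdiv project). The class and method names, the AES/CBC transformation and the sample payload are assumptions made for the demonstration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class CipherThreadSafetyDemo {
    // Assumption: AES/CBC is used for illustration; it is not taken from Hdiv's configuration.
    static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
    interface Decryptor { byte[] apply(byte[] ciphertext) throws Exception; }

    // init() followed by doFinal() on the given instance; racy if the instance is shared unlocked.
    static byte[] initAndDecrypt(Cipher c, SecretKey key, byte[] iv, byte[] ct) throws Exception {
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    // Same shape as the workaround in the post: init and doFinal under one lock.
    static byte[] decryptLocked(Cipher shared, SecretKey key, byte[] iv, byte[] ct) throws Exception {
        synchronized (shared) { return initAndDecrypt(shared, key, iv, ct); }
    }

    // Runs the decryptor from 8 threads; counts exceptions and wrong plaintexts.
    static int countFailures(Decryptor d, byte[] ct, byte[] expected) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger failures = new AtomicInteger();
        for (int t = 0; t < 8; t++) {
            pool.submit(() -> {
                for (int i = 0; i < 2000; i++) {
                    try {
                        if (!Arrays.equals(expected, d.apply(ct))) failures.incrementAndGet();
                    } catch (Exception e) { // e.g. BadPaddingException, IllegalStateException
                        failures.incrementAndGet();
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return failures.get();
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] k = new byte[16], iv = new byte[16];
        rnd.nextBytes(k); rnd.nextBytes(iv);
        SecretKey key = new SecretKeySpec(k, "AES");
        byte[] plain = new byte[4096]; // constructed sample payload
        Arrays.fill(plain, (byte) 'A');
        Cipher enc = Cipher.getInstance(TRANSFORMATION);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = enc.doFinal(plain);

        Cipher racy = Cipher.getInstance(TRANSFORMATION);
        Cipher locked = Cipher.getInstance(TRANSFORMATION);
        System.out.println("shared, unlocked: " + countFailures(c -> initAndDecrypt(racy, key, iv, c), ct, plain));
        System.out.println("shared, locked:   " + countFailures(c -> decryptLocked(locked, key, iv, c), ct, plain));
        System.out.println("fresh per call:   " + countFailures(
                c -> initAndDecrypt(Cipher.getInstance(TRANSFORMATION), key, iv, c), ct, plain));
    }
}
```

The unlocked count depends on thread interleaving and varies from run to run. The locked variant serialises init and doFinal on the shared instance, and the per-call variant shares no cipher state between threads.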

NullPointerException in org.hdiv.filter.ValidatorFilter

Just upgraded from 2.1.4 to 2.1.5. Getting this error on some requests during automated tests.

java.lang.NullPointerException
at org.hdiv.filter.ValidatorFilter.doFilterInternal(ValidatorFilter.java:128)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

HDIV should use WAC.getBean(Class requiredClass), not (String beanName)

The following is an example where HDIV is expecting to have sole rights to name a bean "config", where there will only be one bean of type HDIVConfig in the container, so getting the bean by type would be cleaner and more friendly to the app developers using HDIV.

    WebApplicationContext wac = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);

    this.config = (HDIVConfig) wac.getBean("config");
    this.dataComposerFactory = (DataComposerFactory) wac.getBean("dataComposerFactory");
    this.stateUtil = (StateUtil) wac.getBean("stateUtil");
    this.session = (ISession) wac.getBean("sessionHDIV");
