I have setup a console application that just runs a loop and emits a message using Signal R. The client that is listening is an angular application.
When I run locally, (Both the Console application and the Angular Site) it works fine. However, when I run my console application in my Vagrant VM (Ubuntu HOST), then I get an all too familiar error message such as the following:
GET http://localhost:12345/signalr/negotiate?clientProtocol=1.5&userId=12345&connectionData=%5B%7B%22
name%22%3A%22testem
itter%22%7D%5D&_=1446565284280 500 (Internal Server Error)
I have ran into issues similar to this before (maybe this exact one) so here are some initial details
The code I have looks like the following:
namespace test
{
public class Program
{
public static void Main(string[] args)
{
try
{
using (WebApp.Start<EmmitStartup>("http://*:12345"))
{
Console.Out.WriteLine("Emmit started on http://*:12345");
IEmitterFactory factory = new EmitterFactory();
while (true)
{
Thread.Sleep(5000);
ITestEmitter emitter = factory.Create((ctx) =>
{
return new TestEmitter(ctx);
});
emitter.SayHello();
emitter.Echo("Hello World:" + DateTime.Now);
}
}
}
catch (Exception e)
{
Console.Out.WriteLine(e.Message);
Console.Out.WriteLine(e.StackTrace);
Console.ReadLine();
}
}
}
public class TestEmitter:Emitter,ITestEmitter
{
public TestEmitter(IEmitterContext emitterContext) : base(emitterContext)
{
}
public TestEmitter(IEmitterContext emitterContext, EmitterModel model) : base(emitterContext, model)
{
}
public TestEmitter(IDictionary<string, object> model) : base(model)
{
}
public void SayHello()
{
EmitterContext.Clients.All.onSayHello();
}
public void Echo(string message)
{
EmitterContext.Clients.All.onEcho(message);
}
}
public interface ITestEmitter
{
void SayHello();
void Echo(string message);
}
public class EmmitStartup
{
public void Configuration(IAppBuilder app)
{
app.UseCors(CorsOptions.AllowAll);
app.Map("/signalr", map =>
{
map.UseCors(CorsOptions.AllowAll);
GlobalHost.HubPipeline.AddModule(new ErrorHandlingPipelineModule());
var config = new HubConfiguration()
{
EnableDetailedErrors = true,
EnableJavaScriptProxies = true,
EnableJSONP = true
};
map.RunSignalR(config);
});
}
}
}
There are no exception or error logs being thrown on the server.
I have enabled CORS in SignalR
I have tried to use both http://*:12345 and http://localhost:12345 and http://0.0.0.0:12345
The Emmit library is just syntactic sugar and makes direct pass through to SignalR (I have tried same exact with SignalR directly.
I have tried different combinations of enabling/disabling EnableJSONP
I know SignalR is working and accessible through the VM because I can hit http://localhost:12345/signalr/hubs and it shows proxy file.
I have setup port fowarding to the Vagrant VM for port 12345
I have disabled firewall on VM HOST (Ubuntu) with sudo ufw disable
The code for the client looks like the following:
var emmitProxy = null;
Emmit.createProxy({
emitter:'testEmitter',
path:'http://localhost:12345/signalr',
listeners:{
'onSayHello':function(){
$log.info('onSayHello triggered')
},
'onEcho':function(message){
$log.info(message);
}
},
onError:function(){
//an error occured
$log.error('testEmitter:onError');
},
onDisconnected:function(){
//proxy was disconnected
$log.debug('testEmitter:onDisconnected');
},
queryParams:{
userId:'12345' //optional
}
}).then(function(newProxy){
emmitProxy = newProxy;
});
UPDATE
I enabled logging and here is the output. Before another person recommends I enable CORS, I don't think that CORS is the issue, I think its just the cascading impact of something else that is having an issue.
UPDATE
I have ran this in multiple environments with the following results:
Ran in Docker container on Vagrant VM (Ubuntu) - ERROR OCCURS
Ran directly on Vagrant VM (Ubuntu) - ERROR OCCURS
Deployed in Docker Container to Tutum - ERROR OCCURS
Ran directly through Visual Studio on Windows - EVERYTHING WORKS
Ran directly on Mac oSX (on Mono obviously) - EVERYTHING WORKS
I have added the following IHubPipelineModule
public class ErrorHandlingPipelineModule:HubPipelineModule
{
public override Func<HubDescriptor, IRequest, bool> BuildAuthorizeConnect (Func<HubDescriptor, IRequest, bool> authorizeConnect)
{
try
{
Console.Out.WriteLine ("BuildAuthorizeConnect");
return base.BuildAuthorizeConnect (authorizeConnect);
}
catch (Exception exception)
{
Console.Out.WriteLine ("AuthorizeConnect Failure");
Console.Out.WriteLine(exception.Message);
}
return base.BuildAuthorizeConnect(authorizeConnect);
}
protected override void OnAfterDisconnect (IHub hub, bool stopCalled)
{
try
{
Console.Out.WriteLine ("OnAfterDisconnect");
base.OnAfterDisconnect (hub, stopCalled);
Console.Out.WriteLine ("After OnAfterDisconnect");
}
catch (Exception exception)
{
Console.Out.WriteLine ("AfterDisconnect Failure");
Console.Out.WriteLine(exception.Message);
}
}
protected override bool OnBeforeDisconnect (IHub hub, bool stopCalled)
{
try
{
Console.Out.WriteLine ("OnBeforeDisconnect");
return base.OnBeforeDisconnect (hub, stopCalled);
}
catch (Exception exception)
{
Console.Out.WriteLine ("BeforeDisconnect Failure");
Console.Out.WriteLine(exception.Message);
}
return base.OnBeforeDisconnect (hub, stopCalled);
}
public override Func<IHub, System.Threading.Tasks.Task> BuildConnect(Func<IHub, System.Threading.Tasks.Task> connect)
{
try
{
Console.Out.WriteLine("BuildConnect");
return base.BuildConnect(connect);
}
catch (Exception exception)
{
Console.Out.WriteLine(exception.Message);
}
return base.BuildConnect(connect);
}
protected override void OnAfterConnect(IHub hub)
{
try
{
Console.Out.WriteLine("OnAfterConnect");
base.OnAfterConnect(hub);
}
catch (Exception exception)
{
Console.Out.WriteLine ("OnAfterConnect Failure");
Console.Out.WriteLine(exception.Message);
}
}
protected override bool OnBeforeConnect(IHub hub)
{
try
{
Console.Out.WriteLine("OnBeforeConnect");
return base.OnBeforeConnect(hub);
}
catch (Exception exception)
{
Console.Out.WriteLine ("OnBeforeConnect Failure");
Console.Out.WriteLine(exception.Message);
}
return base.OnBeforeConnect (hub);
}
}
And when I check my logs, the only logs that are printed out are the following:
BuildConnect
BuildAuthorizeConnect
UPDATE
I am not sure if this will be relevant or how I may have missed it, but I checked the response from the 500 and have posted it to Here
It looks like it is showing it is related to Improperly protected user's key pairs in '/root/.config/.mono/keypairs'.
Also, I am not sure if this link contains sensitive information. If somebody can let me know if it does, I would appreciate it.
I did a minimal amount of research thus far and came across SignalR.Owin works under Windows but returns 500 for Mono on Linux
When I check the Network tab for the negotiate request, I get the following
** Headers**
Remote Address:127.0.0.1:12345
Request URL:http://localhost:12345/signalr/negotiate?clientProtocol=1.5&userId=12345&connectionData=%5B%7B%22name%22%3A%22testemitter%22%7D%5D&_=1446964166640
Request Method:GET
Status Code:500 Internal Server Error
HTTP/1.1 500 Internal Server Error
Access-Control-Allow-Origin: http://localhost:8100
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Content-Type: text/html
Server: Mono-HTTPAPI/1.0
Date: Sun, 08 Nov 2015 06:30:28 GMT
Connection: close
Transfer-Encoding: chunked
Accept:text/plain, */*; q=0.01
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Cookie:JSESSIONID.ae4b31f4=aqpz31hevinaauwftyijure; JSESSIONID.26c95422=1m32u58exuvjz5jrojszqziqh; JSESSIONID.3fd19426=iv9fawaej3nt14yzcruj45si5; JSESSIONID.8868ba42=1gh4w06alx8ehuuj1adr5w8y8; JSESSIONID.947cfb91=nyxfrp6u0pny1sl8gwlouprh4; screenResolution=1280x800
Host:localhost:12345
Origin:http://localhost:8100
Pragma:no-cache
Referer:http://localhost:8100/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Although your app contains app.UseCors(CorsOptions.AllowAll), the original error message is pretty clear that this is a CORS issue.
The Origin URL (http://localhost:8100) is different than the SignalR server URL (http://localhost:12345) With CORS, the scheme, domain, and port have to match; in this case, the port is different.
Here's what to do:
Ensure the URLs are actually correct and are what you expect. (Port 8100)
Capture the HTTP traffic on the client. You can do this using Fiddler or a similar tool. You can also just use the "network" tab of the chrome debugger.
Verify that the initial page load actually contains the CORS header. You should see Access-Control-Allow-Origin: in the response header. Based on how you've configured it, the value should be: *
...I believe the issue here is that you've enabled CORS on the SignalR server (Port 12345), but CORS needs to be enabled on your webserver. (Port 8100)
EDIT
The original question was edited. With the addition of the HTTP headers, the error message has changed from a CORS issue to a 500 error.
CryptographicException: Improperly protected user's key pairs in '/root/.config/.mono/keypairs'.
...
CryptographicException: Data protection failed.
System.Security.Cryptography.ProtectedData.Protect (System.Byte[] userData, System.Byte[] optionalEntropy, DataProtectionScope scope) [0x00000]
Microsoft.AspNet.SignalR.Infrastructure.DefaultProtectedData.Protect (System.String data, System.String purpose) [0x00000]
I did a minimal amount of research thus far and came across SignalR.Owin works under Windows but returns 500 for Mono on Linux
The GitHub Issue that you linked to exactly matches what you've described. Since it's marked closed, the obvious question is to see if what's described in the ticket also applies to you. From the ticket:
davidfowl commented on May 22, 2013 -
I just fixed the build in the dev branch yesterday. It requires mono 3.0.10 to run and works fine now.
So, verify two things:
The version of Mono installed on your server. The Ticket says Mono 3.0.10 is needed. What version do you have?
SignalR needs to include the changes. It's one or both of these. Ensure that whatever version of SignalR you're using includes these changes:
Change 1
Change 2
Lastly, if you need to, you do have the option of injecting your own version of SignalR.Core/Infrastructure/DefaultProtectedData.cs. You can simply set it in the OWIN pipeline. From the SignalR Source Code:
// Use the data protection provider from app builder and fallback to the
// Dpapi provider
IDataProtectionProvider provider = builder.GetDataProtectionProvider();
IProtectedData protectedData;
See the selected answer for insight into the problem and potential solution.
I solved the problem by making sure I had a version of Mono 3.0.10 or later. I am using Docker, so this was as easy as updating my FROM statement in my Dockerfile.
Related
My scenario is as follows. I have an Android Emulator which is hosting an EmbedIO web server through an App. When I try to access the URL to the web server from the host machine's (Mac) browser I receive ERR_EMPTY_RESPONSE error.
I have issued the following port forwarding commands through ADB:
adb forward tcp:8080 tcp:8080
In the browser I am navigating to: http://localhost:8080/api/ChangeBackGround
and the Android emulator web server is listening on: http://10.0.2.16:8080/api/ChangeBackGround
Here is the code that starts the web server in the Xamarin Forms App (runs on Android Emulator):
public static class WebServerFactory
{
public static WebServer CreateWebServer<T>(string url, string baseRoute)
where T : WebApiController, new()
{
var server = new WebServer(url)
.WithWebApi(baseRoute, api => api.WithController<T>());
// Listen for state changes.
server.StateChanged += (s, e) => Debug.WriteLine($"WebServer New State - {e.NewState}");
return server;
}
}
public class EventController : WebApiController
{
[Route(HttpVerbs.Get, "/ChangeBackGround")]
public void ChangeBackGround()
{
Device.BeginInvokeOnMainThread(() =>
{
App.Current.MainPage.BackgroundColor = Color.Green;
});
}
}
public partial class App : Application
{
public App()
{
InitializeComponent();
MainPage = new MainPage();
}
private WebServer _WebServer;
protected override void OnStart()
{
var localIPAddress = GetLocalIPAddress();
var url = $"http://{localIPAddress}:8080";
Task.Factory.StartNew(async () =>
{
_WebServer = WebServerFactory.CreateWebServer<EventController>(url, "/api");
await _WebServer.RunAsync();
});
((MainPage)MainPage).Url = url;
}
private string GetLocalIPAddress()
{
var IpAddress = Dns.GetHostAddresses(Dns.GetHostName()).FirstOrDefault();
if (IpAddress != null)
return IpAddress.ToString();
throw new Exception("Could not locate IP Address");
}
protected override void OnSleep()
{
}
protected override void OnResume()
{
}
}
The scenario currently works on the iOS simulator and an Android physical device. But I always get ERR_EMPTY_RESPONSE even when I've setup the port forwarding rules.
Any help would be much appreciated.
Please first make sure your android emulator could connect internet properly.
If the problem perisist, you can try the following methods:
Method 1:
1.start your Command prompt by runing as an admistrator;
2.Run the following commands in sequence:
netsh int ip reset c:\resetlog.txt
netsh winsock reset
ipconfig /flushdns
exit
Method 2: (If method 1 didn't work,try modthod 2)
Open your Control Panel -->NetWork and Internet-->Network and Sharing Center-->Change adapter settings-->right click Ethenet and click Properties-->select Internet Protocol 4-->click Properties -->using the following NDS server addresses
Fill in the following configuration:
Preferred NDS Server: 1.1.1.1
Alternate NDS Server: 1.0.0.1
Method 3: (If above methods didn't work,try modthod 3)
Open Settings in your PC-->Open NetWork and Internet-->click Nnetwork reset-->press Reset Now
Note:
For more details, you can enter keywords How to fix "ERR_EMPTY_RESPONSE" Error [2021] in your browser and then you will find relative tutorail.
You should have you service listening on either one of these IPs:
127.0.0.1: The emulated device loopback interface (preferred, I don't think you have reasons to use a different one)
10.0.2.15: The emulated device network/ethernet interface
See https://developer.android.com/studio/run/emulator-networking#networkaddresses
I've read a lot of conflicting information about this and it seems people are not 100% clear on what is possible and what is not. I am certain that you cannot host a gRPC server app in IIS due to the HTTP/2 limitations. The documentation is pretty clear. However, I want to use IIS as a reverse proxy, with the internal side communicating using gRPC. So the client would be in IIS, not the server. I assumed that since the communication at this point (i.e. the back end) was not funneled through IIS, there would be no issue with this. However, I keep seeing mixed answers.
I have created a dumb webapp that is hosted in IIS Express and can successfully post to my service running on Kestrel with gRPC.
Client code sample below. The SubmitButton is just a form post on the razor page.
public async void OnPostSubmitButton()
{
// The port number(5001) must match the port of the gRPC server.
using var channel = GrpcChannel.ForAddress("https://localhost:5001");
var client = new Greeter.GreeterClient(channel);
var reply = await client.SayHelloAsync(
new HelloRequest { Name = "GreeterClient" });
Console.WriteLine("Greeting: " + reply.Message);
Console.WriteLine("Press any key to exit...");
Console.ReadKey();
}
Server code is the boilerplate template for gRPC but looks like this:
namespace grpcGreeter
{
public class Program
{
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
}
// Additional configuration is required to successfully run gRPC on macOS.
// For instructions on how to configure Kestrel and gRPC clients on macOS, visit https://go.microsoft.com/fwlink/?linkid=2099682
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.UseStartup<Startup>();
});
}
}
namespace grpcGreeter
{
public class GreeterService : Greeter.GreeterBase
{
private readonly ILogger<GreeterService> _logger;
public GreeterService(ILogger<GreeterService> logger)
{
_logger = logger;
}
public override Task<HelloReply> SayHello(HelloRequest request, ServerCallContext context)
{
return Task.FromResult(new HelloReply
{
Message = "Hello " + request.Name
});
}
}
}
This works. But, because I keep seeing mixed information saying it that it won't, I am not certain that once I go to deploy the client code (i.e. the reverse proxy), if I will run into problems. I would like to use a host like Azure...but don't know if it's possible or not.
Any clarity on the subject would be greatly appreciated.
As far as I know, we could use asp.net core mvc or razor page application as the client to call the grpc server.
But gRPC client requires the service to have a trusted certificate when you hosted the application on remote server IIS.
If you don't have the permission to install the certificate, you should uses HttpClientHandler.ServerCertificateCustomValidationCallback to allow calls without a trusted certificate.
Notice: this will make the call not security.
Additional configuration is required to call insecure gRPC services with the .NET Core client. The gRPC client must set the System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport switch to true and use http in the server address.
Code as below:
AppContext.SetSwitch(
"System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport", true);
var httpClientHandler = new HttpClientHandler();
// Return `true` to allow certificates that are untrusted/invalid
httpClientHandler.ServerCertificateCustomValidationCallback =
HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
var httpClient = new HttpClient(httpClientHandler);
var channel = GrpcChannel.ForAddress("https://localhost:5001",
new GrpcChannelOptions { HttpClient = httpClient });
var client = new Greeter.GreeterClient(channel);
var response = await client.SayHelloAsync(new HelloRequest { Name = "World" });
I am trying to send a request from a Blazor(client-side) client to a server and i keep getting this error:
Access to fetch at '[route]' (redirected from '[other route]') from
origin '[origin route]' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource. If an opaque response serves your needs, set the request's
mode to 'no-cors' to fetch the resource with CORS disabled.
On the server i have already added the CORS extension in the pipeline to no avail:
Server Startup
public void ConfigureServices(IServiceCollection services) {
services.AddCors();
services.AddResponseCompression(options => {
options.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(new[]
{
MediaTypeNames.Application.Octet,
WasmMediaTypeNames.Application.Wasm,
});
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env) {
app.UseCors(x => x.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().AllowCredentials());
app.UseResponseCompression();
app.UseMvc();
app.UseBlazor<Client.Startup>();
}
Blazor Client request
public async Task<Catalog> GetCatalogAsync() {
try {
HttpRequestMessage message = new HttpRequestMessage {
RequestUri = new Uri(BASE_PATH + Routes.GET_CATALOG), //BASE_PATH= 172.XX.XX.XX:8600
Method = HttpMethod.Get
};
var resp = await this.client.SendAsync(message); // client is HttpClient
var resultString = await resp.Content.ReadAsStringAsync();
var result = JsonConvert.DeserializeObject<Catalog>(resultString);
return data;
} catch (Exception ex) {
throw;
}
}
Controller
[HttpGet]
[Route(Routes.GET_CATALOG)]
public async Task<Catalog> GetCatalogAsync() {
try {
var registry = await this.adminService.GetCatalogAsync();
return registry;
} catch (Exception ex) {
throw;
}
}
POCO
[Serializeable]
public struct Catalog{
}
What else can i do to be able to reach my server? Is it due to Blazor ?
As you can see i have already added the UseCors(...).
P.S
I have published my Blazor Server project together with the Client.They are in the same directory.This folder i placed it on a computer,and i am trying from my computer to open blazor : 172.168.18.22:8600/
Update
I have also tried adding headers to my HttpRequestMessage to no avail:
HttpRequestMessage message = new HttpRequestMessage {
RequestUri = new Uri(BASE_PATH + Routes.GET_CATALOG),
Method = HttpMethod.Get,
};
message.Headers.Add("Access-Control-Allow-Origin","*");
message.Headers.Add("Access-Control-Allow-Credentials", "true");
message.Headers.Add("Access-Control-Allow-Headers", "Access-Control-Allow-Origin,Content-Type");
#Bercovici Adrian, why do you add CORS support to your App ? Do you make cross origin requests ? If you don't, don't try to solve the issue by adding unnecessary configuration that may lead to more subtle bugs.
As usual, without seeing a repo of this app, can't help you any further.
Update:
What is this UseBlazor ?
You should upgrade your app to the latest version...
New Update:
Sorry, but I'm using the current preview version of Blazor
Startup class
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc().AddNewtonsoftJson();
services.AddResponseCompression(opts =>
{
opts.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(
new[] { "application/octet-stream" });
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseResponseCompression();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBlazorDebugging();
}
**// Instead of UseBlazor**
app.UseClientSideBlazorFiles<Client.Startup>();
app.UseStaticFiles();
app.UseRouting();
**// This configure your end points**
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
endpoints.MapFallbackToClientSideBlazor<Client.Startup>("index.html");
});
}
}
Note that I've removed the configuration of CORS as your client and server share the same domain. Please use the docs how to configure CORS appropriately.
Try this and see if it is working for you (I guess your issue is related to the configuration of the endpoints. Somehow, it seems to me that because you did not configure the endpoints, your request is redirected, and thus you get the message displayed by you above.)
Next to do is to check if your http request was appropriately cooked. But first checks the end points.
Somehow the problem was due to a very old client version that was cached on the browser.Never again will i forget to clear the browser cache after this problem.
Thank you all for your help and support !
Check that you do not send HTTP requests when running from HTTPS. For example if you send requests to http://172.168.18.22:8600 when your application was opened in https://172.168.18.22:8600 you may have an issue.
you need to specify your policy name in the middleware.
builder.Services.AddCors(policy =>{
policy.AddPolicy("Policy_Name", builder =>
builder.WithOrigins("https://*:5001/")
.SetIsOriginAllowedToAllowWildcardSubdomains()
.AllowAnyOrigin()
);});
// Configure the HTTP request pipeline.
app.UseCors("Policy_Name");
I've devloped a chat bot application using the Facebook Messenger platform.
I used Spring Boot with embedded Tomcat for the web platform.
The application should run on Amazon aws, open to the WWW, and to be used as a webhook for recieving callbacks from Messenger over https.
I need an advice how to secure the application, so it won't be hacked or flooded with requests that are not coming from Facebook.
I thought to make the application require secured (ssl) connection, but using the "security.require_ssl=true" in application.properties didn't do the work. Perhaps I don't know what is the meaning of this and how to configure it propertly.
Is there a best practice how to block requests which are not https requests? Or a way to block requests which are coming outside Messenger in the application level?
Thank you very much!
EDIT
In the meantime, I blocked requests from other IPs in application layer using the handler interceptor:
#Configuration
public class MyWebApplicationInitializer implements WebApplicationInitializer, WebMvcConfigurer{
#Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new HandlerInterceptor() {
#Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
if (! (request.getRemoteAddr().equals("173.252.88.66") || request.getRemoteAddr().equals("127.0.0.1")|| request.getRemoteAddr().equals("0:0:0:0:0:0:0:1"))){
logger.warn("Request is not coming from authorized remote address: " + request.getRemoteAddr()+". Rejecting");
response.getWriter().write("Unauthorized Address");
response.setStatus(401);
return false;
} else {
return true;
}
}
}
You should check the X-Hub-signature HTTP header available in the requests sent by Facebook to your webhook URL.
In your case, you may define a filter or interceptor for the verification of the signature. You can also do it in your controller as in the this example I found in RealTimeUpdateController.java from the spring social project.
private boolean verifySignature(String payload, String signature) throws Exception {
if (!signature.startsWith("sha1=")) {
return false;
}
String expected = signature.substring(5);
Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
SecretKeySpec signingKey = new SecretKeySpec(applicationSecret.getBytes(), HMAC_SHA1_ALGORITHM);
mac.init(signingKey);
byte[] rawHmac = mac.doFinal(payload.getBytes());
String actual = new String(Hex.encode(rawHmac));
return expected.equals(actual);
}
a lot to say so I am sure I will miss some points.
setting SSL is a first good thing but make sure you get a certificate. lets encrypt is a good thing if you dont want to pay for SSL certificate.
Just seeing aws provides an alternative to letsencrypt
Security Group You can see Security Group as something similar to a firewall so you can control which port is opened, external and internal flows.
Look at IAM which control who and how can get access to your AWS account
obvious : change your password. do not let default password for installation you could make on the instance
read some of https://aws.amazon.com/security/security-resources/ to get more information about what you can do
it won't be hacked or flooded with requests
sorry to say but most probably it will be - It does not need to be an advanced hacker to run scanner and scan IPs and check open ports / brute force login etc ...
Thanks to Guy Bouallet help I added the signature check.
I added it in my controller and not in the interceptor, to avoid the problem of How to read data twice in spring which seems a little complicated.
So here is it:
#RequestMapping(path = "/")
public void doHandleCallback(#RequestBody String body, #RequestHeader(value = "X-Hub-Signature") String signature) throws IOException {
if (!verifyRequestSignature(body.getBytes(), signature)){
logger.error ("Signature mismatch.");
throw new MismatchSignatureException(signature);
}
MessengerCallback callback = mapper.readValue(body, MessengerCallback.class);
logger.info("Incoming Callback: " + body );
for (EventData entry : callback.getEntry()) {
for (ReceivedMessagingObject message : entry.getMessaging()) {
if (message.isMessage() || message.isPostback()) {
doHandleMessage(message);
}
else if (message.isDelivery()){
doHandleDelivery(message);
}
}
}
}
private boolean verifyRequestSignature(byte[] payload, String signature) {
if (!signature.startsWith("sha1="))
return false;
String expected = signature.substring(5);
System.out.println("Expected signature: " + expected); //for debugging purposes
String hashResult = HmacUtils.hmacSha1Hex(APP_SECRET.getBytes(), payload);
System.out.println("Calculated signature: " + hashResult);
if (hashResult.equals(expected)) {
return true;
} else {
return false;
}
}
And this is the Exception handling class:
#ResponseStatus(value=HttpStatus.BAD_REQUEST, reason="Request Signature mismatch")
public class MismatchSignatureException extends RuntimeException {
private String signature;
public MismatchSignatureException(String signature) {
this.signature = signature;
}
#Override
public String getMessage() {
return "Signature mismatch: " + signature;
}
I have a GWT module and in it I navigate to a different URL via:
Window.Location.assign(url);
The navigated url is then handled by a servlet, up until this point if there was an error it was handle by the resp.sendError methode
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed.");
Which would then navigate to the browsers error page. However I wanted to know is there away I can not navigate to an error page? i.e. I would be able to check in my GWT code if there was an error and then do something? Like resend the request ect.
Thanks!
When you navigate away from your webapplication that's that. Instead of using Window.Location.assign you should make an HTTP request still from your webapplication, for example using RequestBuilder.
Example from the docs mentioned earlier:
import com.google.gwt.http.client.*;
...
String url = "http://www.myserver.com/getData?type=3";
RequestBuilder builder = new RequestBuilder(RequestBuilder.GET, URL.encode(url));
try {
Request request = builder.sendRequest(null, new RequestCallback() {
public void onError(Request request, Throwable exception) {
// Couldn't connect to server (could be timeout, SOP violation, etc.)
}
public void onResponseReceived(Request request, Response response) {
if (200 == response.getStatusCode()) {
// Process the response in response.getText()
} else {
// Handle the error. Can get the status text from response.getStatusText()
}
}
});
} catch (RequestException e) {
// Couldn't connect to server
}
Note that this will work only if your servlet and webapplication are on the same address (domain, port, protocol), because of Same Origin Policy. If that's not the case, there are still some options, like JSON with padding (which GWT supports via JsonpRequestBuilder).