login failure with symfony, still redirected - symfony

I am building a Symfony2 project using FOSUserBundle and have a serious security issue. When a user tries to connect, it correctly redirects to the home page when the credentials are correct, but most of the time without actually loading the user: still with the anonymous token, not logged in.
It sometimes logs me in successfully on the first try, but usually only after 2-4 attempts, sometimes more. It seems to fail 70 to 80% of the time.
There is no error message at all; everything seems to work just fine, except it doesn't. I cloned my project without FOSUser, using the login and security system from the cookbook in the documentation on the Symfony website, and it is still the same.
The application has been developed with Symfony 2.3, but upgrading to 2.6 and 2.7 doesn't solve the problem.
The security code is completely vanilla except that one twig file extends my template, and the behaviour is still the same without the extends.
The config files have been modified according to the FOSUserBundle doc.
I am obviously missing something, but no idea what.

After a couple of weeks it stopped doing weird stuff, which is good, but with no idea why, which is not so good.
As I have said, the config files are straight out of the official doc. If they were at fault, I think dozens would have had the same issue.
For the curious, it started doing weird stuff while I was playing with websockets and Ratchet. I don't know if it gives someone an idea as to why.

API setup missing something?

I am setting up a web API for the first time and I have another project for reference. It is a .NET Framework project that will have a React frontend. I am running it using Visual Studio and IIS Express.
I have no build errors when I start the API project. It has Swagger added so I can test database calls, so I know the API itself is working. But I am missing adding something, as I am looking to add more security to it.
I am trying to verify authentication and I want to use integrated Windows authentication. When I set a break point, the user in the HttpContext.Current is never set and is never authenticated, so I can't add any authorization filters.
I went back to just the basic empty api project that has the frontend web pages removed to see if I removed something and it shows the same issue. So I either removed it again or I am actually missing adding something.
I am not sure where to look for what is missing, so any pointers would be appreciated.
The left browser is what I am expecting and the right browser is what I am seeing.
I don't need the directory browse turned on, so seeing a 403.14 - Forbidden is fine. But I am clearly missing something to get to that point. Is there a better way to figure out which resource/dependency is causing this error?
I can also see that the working version's requested URL is what I am expecting, but the other is just a /.
Is there a way to resolve that, if this is the error?
I can add code snippets if needed, but I haven't yet as I am not sure where the issue is.
I ended up finding the answer using blank test web apis to see what I may have left in that wasn't needed. The project was set up using this option:
After removing the views, etc., to make it strictly an API project, I started removing references (and clearing the associated errors) and seeing what happened with the build after each change.
Under the App_Start folder there were some additional files that weren't present in the project I had for comparison, FilterConfig and RouteConfig, which were also called in the Global.asax.
I removed the calls in Global.asax for all three and I was able to see the expected HTTP error page.
I don't have enough reputation for a comment, but you got a 404 error, which, as you know, means there is nothing at that URL. So check the route config and Startup.cs. Edit: I am on the phone so I didn't see you had already solved it. Good :)

Airflow webserver redirects to nowhere

I'm trying to test a DAG I wrote in Astronomer/Airflow but I'm getting a really peculiar behavior that has me totally stuck.
Airflow's webserver comes up, and then after login as admin it redirects to http://localhost:8080/home which doesn’t appear to exist.
The specific error I get in the browser is ‘too many redirects’. I’m sure something is wrong in my configuration, but it’s not obvious (to me) what. Can you suggest steps for further diagnosis?
Thanks,
Keith
I thought I would share the resolution of this problem in case anyone else encounters it.
This problem came about while developing a DAG to test a part of our pipeline. The repo I was working with used a Dockerfile which was designed for automated testing and was not suitable for a DAG. Once I reverted to the stock Dockerfile the problem went away and I can now load localhost:8080/home just fine.
I have had similar issues when the username or the password is incorrect. I expect you are either entering the wrong login credentials or your configuration is checking some external authentication server that is not configured correctly.

2sxc: 404 Error after adding App module on the page. API is missing?

I have a problem when placing an App module (v 8.4.8) on a page. When I placed an App module on a page I got a pop-up saying "Had an error talking to the server (status 404). if you are an advanced user you can learn more about what went wrong - discover how on 2sxc.org/help?tag=debug".
This error happens on whatever action I try to do: trying to add an app, refreshing the page, etc.
I checked the communication to the server using Firebug and it seems that one of the APIs is missing:
~/desktopmodules/2sxc/api/view/Module/GetSelectableApps
Referer: ~/desktopmodules/tosic_sexycontent/dist/dnn/ui.html?sxcver=8.4.8.19191
Did I miss something? Should I do some configuration after the SexyContent module install (v 8.4.8)?
I just checked a video by Daniel Mettler where he showed how to install a module, and it seems the process is simple. Nothing to worry about.
Does anybody have any idea what might have gone wrong here?
The same actually happens when I install a Content module: errors about missing APIs:
~/desktopmodules/2sxc/api/view/Module/GetSelectableContentTypes
~/desktopmodules/2sxc/api/view/Module/GetSelectableTemplates
Thanks a lot for your time
My best guess is that it's an issue with the DNN domain/path configuration. So basically my guess is that
you have multiple domains, and if this is configured incorrectly, the paths in the JS calls won't fully match the original one
you have a sub-portal (with paths like /products/) or something, and this isn't configured correctly in DNN
languages in portal paths are causing similar issues.
So please compare EXACTLY the full base path and see if that's the issue.

Symfony2: $_POST variables are empty on deployment

I'm currently working on Symfony2 projects. Each time, the deployment process is a real pain in the back (even with the cookbook advice).
I have this strange feature that I can't explain. My POST variables are always empty in some bundles of Symfony2, no matter how I access them ($_POST['foo'] or request->get('foo')). This feature is online only. On my local server, it works perfectly well.
Example 1: CoreSphere console bundle
I'm using the CoreSphere console bundle to run command-line commands on my OVH remote server. But the bundle commands were never working (no matter what my installation was), i.e. my POST variables were always empty, causing each command to crash. I thought that maybe an error in some of my other installed bundles was causing the POST variables of the console bundle to be empty. So I installed it on an empty Symfony2 project (I even removed Acme, and of course I tested that everything was working on my local server before uploading the project). The console still didn't work. My only solution (a bad one though) was to hack the JavaScript console.js of the bundle and transform the POST request into a GET request. It then worked fine. At this stage I thought: "ok, maybe the problem comes from AJAX POST requests on OVH?"
Example 2: A home-made bundle for a project
I built a bundle for a project. In this project I don't use AJAX POST requests at all. And still, my POST variables are always empty (as a reminder: locally, everything works just smoothly). For this bundle I'm using FOSUserBundle with HWIOAuthBundle for authentication (if it has anything to do with that?).
Summary
I'm clueless about what is going on and I would like to have some sort of track to follow. Just as a reminder: I'm using an OVH shared server with the performance package. I can use git up there. But I can't really use console commands (even over SSH). So that's why I'm using the CoreSphere console bundle.
Thank you for your help.
I got a solution for my home-made bundle:
The problem was coming from my routing.yml file (in app/config). I was using fosjsrouting and it seems that the routing of fosjsrouting needs to be called at the very end of the routing.yml file (in app/config).
See below:
app/config/routing.yml, ... and at the very end (the bundle resource is referenced with the @ prefix Symfony uses for bundle paths; the # in the post looks like a transcription error):

fos_js_routing:
    resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml"

However, I still don't understand the problem with the CoreSphere bundle. This doesn't solve it.

ASP.NET security issues, maybe Umbraco related, but most likely just general security issue

I have an incredibly frustrating problem cleaning up my site at the moment. On the same hosting space I have Umbraco (ASP.NET) and Blab Lite (PHP Chatroom) installed. The former talks to SQL 2005, and the latter to MySQL 5.
On my Umbraco site I had a guestbook with an entry form. Upon postback it does an Akismet check and skips the creation/saving of the corresponding Umbraco document if it is verified by Akismet as spam.
However, recently I started getting entries created under my guestbook node which are verified as spam, and yet the document is still saved. I have even gone as far as hiding the form using "display:none" and yet these entries are still created! I have modified the DLL to include logging to Umbraco document event logs and somehow the creation of these still does not trigger any entries to the logs. I've even created an eventhandler for Document.BeforeSave event in a separate assembly and this event handler is not catching the saving of these entries.
I'm really stumped as to how the spammers can create these entries. Has anyone got any ideas how this can be done, and how I can secure my site to prevent this kind of attack?
Thanks,
Dany.
This seems like an old post but it's not marked as answered so I'll give it a go. I haven't used Umbraco in a while so I'm not sure if they've fixed this in the latest version, but the problem is with Umbraco itself. Document.BeforeSave() gets fired AFTER the node is created, that's why your spam filter is not working. Marking the form as not visible won't work because the bot will look at the source code and just pattern-match the form fields it finds. Have a look here for more details on the Umbraco problem:
http://forum.umbraco.org/yaf_postst9312_BeforePublish-and-BeforeSave-Event-Handlers.aspx
Like I said I haven't used Umbraco in ages, but hopefully it will help someone even if you've found a fix.
Paul
My guess is that there is a bug in your code to skip the creation/saving of the Umbraco document... although it is strange that the Document.BeforeSave event is not triggered. Are you sure that your event listeners are also working (i.e. do they register the saving of non-spam entries?)
By the way, setting "display:none" won't stop spammers as bots will generally ignore CSS anyway.
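Both answers make the same point: a bot never applies CSS, it reads the HTML source and pattern-matches whatever form fields it finds, so "display:none" changes nothing, whereas a control that is not rendered at all leaves nothing to harvest. The script below is an added illustration of that, not code from this thread or from Umbraco. The two HTML snippets are constructed samples; the /guestbook/post action and the field names are made up.

```python
from html.parser import HTMLParser

# Constructed sample: the guestbook form is "hidden" with CSS only.
# A bot does not apply CSS, so this form looks exactly like a visible one.
HIDDEN_WITH_CSS = """
<html><body>
<div style="display:none">
  <form action="/guestbook/post" method="post">
    <input type="text" name="name">
    <input type="text" name="email">
    <textarea name="message"></textarea>
    <input type="submit" value="Sign">
  </form>
</div>
</body></html>
"""

# Constructed sample: the control is not rendered server-side
# (e.g. Visible="false" on the .ascx control), so no form reaches the client.
NOT_RENDERED = """
<html><body>
<p>Guestbook is closed.</p>
</body></html>
"""


class FormHarvester(HTMLParser):
    """Collect every form and its field names the way a spam bot does:
    straight from the HTML source, ignoring styles and visibility."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if (a.get("type") or "").lower() == "submit":
                return  # submit buttons carry no user data
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def harvest_forms(html):
    """Return a list of {action, method, fields} for every form in the page."""
    parser = FormHarvester()
    parser.feed(html)
    parser.close()
    return parser.forms


def build_spam_post(html, payload="buy cheap pills"):
    """Return the request a bot would send for the first form found,
    filling every field with its payload; None when no form exists."""
    forms = harvest_forms(html)
    if not forms:
        return None
    form = forms[0]
    return {
        "url": form["action"],
        "method": form["method"],
        "data": {field: payload for field in form["fields"]},
    }


if __name__ == "__main__":
    print("CSS-hidden form:", build_spam_post(HIDDEN_WITH_CSS))
    print("Not rendered:   ", build_spam_post(NOT_RENDERED))
```

Running it shows the CSS-hidden form yielding a complete POST with name, email and message filled in, while the not-rendered page yields nothing, which is why the fix in this thread (not rendering the control rather than hiding it) at least removes the harvestable target.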
Yup, the event listeners are working indeed. This led me to think something else is odd here. I finally took the plunge and went through it all with a finer-toothed comb. First I compared the content of the bin folder between the standard Umbraco 4 distribution and the one on my host. I figured it was easiest to overwrite each one with a fresh one. Then I went through each Umbraco package I've installed and made sure the DLLs are also fine. Well, there was 1 DLL that didn't match anything else in Umbraco or the packages I've installed - EO.Web.dll!
It seems there's a legit thing out there by EssentialObjects, but I don't think Umbraco, my code, or any of the packages actually uses it! I deleted it and every part of my Umbraco install still works! I've now set the visibility of the form in the ascx markup so it's not rendered - now we wait and see if that was the offending piece of malware!
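The bin-folder comparison described above (a fresh distribution against the host, then each installed package) is worth scripting rather than eyeballing. Below is an added Python example, not from this thread or from Umbraco, that hashes two directory trees and reports files present only on the host, files missing from it, and files whose contents differ. The two trees it builds are constructed samples with made-up DLL contents; the file names only mimic the situation in the post.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative path, POSIX separators) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(reference, deployed):
    """Compare two hash_tree() results: the clean distribution versus the host.

    'unexpected' files need to be matched against an installed package or
    treated as foreign; 'modified' files mean a shipped binary was replaced."""
    ref_names, dep_names = set(reference), set(deployed)
    return {
        "unexpected": sorted(dep_names - ref_names),
        "missing": sorted(ref_names - dep_names),
        "modified": sorted(
            name for name in ref_names & dep_names if reference[name] != deployed[name]
        ),
    }


def build_demo_trees(base):
    """Constructed sample (assumption, not real binaries): a clean bin folder
    and a host bin folder with one foreign DLL and one tampered DLL."""
    clean = Path(base) / "clean_bin"
    host = Path(base) / "host_bin"
    files = {
        "umbraco.dll": b"MZ umbraco core",
        "businesslogic.dll": b"MZ business logic",
        "MyGuestbook.dll": b"MZ guestbook v1",
    }
    for name, data in files.items():
        for tree in (clean, host):
            (tree / name).parent.mkdir(parents=True, exist_ok=True)
            (tree / name).write_bytes(data)
    # Simulate what the post found: a DLL nobody shipped, plus a changed one.
    (host / "EO.Web.dll").write_bytes(b"MZ unknown origin")
    (host / "MyGuestbook.dll").write_bytes(b"MZ guestbook v1 + injected")
    return clean, host


def demo():
    """Build the sample trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, host = build_demo_trees(tmp)
        return compare_trees(hash_tree(clean), hash_tree(host))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Against a real site, point hash_tree at the bin folder of a freshly downloaded Umbraco 4 distribution and at the host's bin folder. Anything reported as unexpected then has to be matched against the DLLs inside each installed package's zip, exactly the second pass described in the post; anything reported as modified is a shipped binary that was replaced and should be overwritten from the clean copy.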
