I have an application where I am doing OAUTH 1.0 and I am getting redirected to the redirect URL that I send in the OUTH call. Now, I am also geting "code" parameter in the callback URL which is normal OAUTH behaviour which I can understand. Now, I want to have this callback URL page as an dummy page so that I can process the "code" that I get and then I can redirect the response to the actual page I want. I would like to do it this way as I would not like to expose the "code" credentials to the endusers as it can be security issue. Now - when I am doing this, after processing the "code", I am redirecting the same reponse to the actual page from dummy page, however, it is giving IllegalState Exception while redirecting. Has anyone face this senario especially in OAUTH ?
exception
java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)
The issue here was I had lots of JSP code below response.sendRedirect(url) which made it to throw this error as after redirection the response should be considered to be committed and should not be written to.
So I added a dummy page such that there is no JSP code after response redirection
documentation
Related
I have configured an OpenID Connection application on OneLogin (not sure the provider matters) with a configured post MFA authentication redirect uri of
http://localhost:4200/LoginResponse.aspx?
The code behind my LoginResponse.aspx page grabs the returned id_token and processes it.
The issue is that after my initial redirect to the MFA login and successful login/MFA validation, the redirect is coming to
http://localhost:4200/LoginResponse.aspx#id_token=12345678987...........
Note the "#" symbol after my .aspx extension. This is corrupting the parameter string that is returned and not allowing me to grab the value of id_token from the Response.
After the redirect comes back, if I simply manually replace the "#" with a "?" and hit enter, my LoginResponse.aspx page loads fine and finds the id_token and processes it with my business logic.
My question is, how can I get the redirect to actually return to "LoginResponse.aspx?" so that I can grab the parameters.
On my OpenID Application I have tried the following options as Redirect URIs
LoginResponse
LoginResponse.aspx
LoginResponse.aspx?
LoginResponse.aspx?action=test
Did that last one to see if I could get around the ? not being there. But that just redirected the page to "LoginResponse.aspx?action=test#id_token=..............." So again, I could not grab the "id_token" variable out of the URL Response/QueryString.
I just cannot figure out how to get rid of this unwanted "#" sign and have a "?" after my .aspx extension.
Any help would be greatly appreciated!
I assume you are using the implicit flow to retrieve the tokens and in this flow you can either get back the tokens in the URL with the #. The # is added to make sure the tokens are not sent back to the server, instead they just stay in the browser. If it was a #, then the secret tokens would be sent back to the server and end up in various logs and creating various security issues.
I don't know how you implemented the client, but in OpenID Connect, if you add this parameter "&response_mode=form_post" to the initial authorization request, then you will get back the token using a POST request instead. just like this picture shows:
PS, I doubt you can get back the tokens using a ? instead of #.
On making a POST call to a ASP.NET Web API 2 . I get the PostAUthorize_Request fired repeatedly . This results in an error . What could the problem here be ?
Failed to load resource: net::ERR_TOO_MANY_REDIRECTS [http://localhost/FT/API/V2/AuthenticateUser/validate]
This can happen when the application is setup in a way where an original incoming request ends up in a redirect loop. One example that I have myself managed to create (and subsequently had to fix) is this:
The login page for the application is buggy and causes an Exception to be thrown
All unhandled exceptions are caught at the application level and shown through a redirect to an error page
But the error page itself requires you to be logged in first
When an unauthenticated request first comes in, it gets redirected to the login page, which throws an exception, causing a redirect to the error page, which requires an authenticated user so it redirects to the login page. And so on forever until the browser just stops the madness.
There are other similar redirect loops that can occur, so you need to investigate what the loop is (if indeed it is a loop). Personally I would use a third party tool like Fiddler to do this. Many other options are, I'm sure, also available.
I am currently building a website and I want to add the HTTP 404 not found Error page. I designed the bad request page and its link is this, for example:
www.mysite.com/badr.cshtml
The problem is, I want to show the contents of this page on every invalid request without redirecting to that link. For example, if I type www.mysite.com/noexistingpage, the contents of badr.cshtml should load without redirecting to it.
And for your information, I am using Webmatrix2.
you do this via the web.config and the custom errors section.
http://www.localwisdom.com/blog/2010/08/how-to-setup-custom-404s-for-iis-and-asp-net-through-web-config/
I'm a noob when it comes to ASP.NET. I know few basic commands such as Response.Redirect("URL") to redirect my application web page to a different location.
However i receive HTTP Error 400 - Bad Request, whenever i try to use the code shown below
Response.Redirect(Server.UrlEncode(this.Downloadlink));
where this.Downloadlink is a user defined property which returns something like this
http://mdn.vatsag.net/fp;files/DOWNLOAD/VTSetup.exe
If i post this link in the browser, the .exe file pops up (means the link is good)
However this error comes when i use the ASP.NET code.
Any form of response on this issue/reason is deeply appreciated.
See here: http://www.kirit.com/Response.Redirect%20and%20encoded%20URIs
In short: if you quickly want to fix the issue, remove the part of your code that is UrlEncoding the URL!
I have several web services that are being called using AJAX requests from Asp.Net page. If the user's authorization fails, i want to redirect him to the login page.
The problem i am facing is i have to manually redirect the user in the errorHandler function of AJAX request.
I was wondering if there is a way i can throw HttpException with proper error code from my webserivce (i dont know which) so that browser understands the response and redirects user to the login page?
I tried throw new HttpException(401,"Unauthorized access request); in my service call, but my errorHandler handles this exception and browser doesnt redirect user back to login page.
Also i was thinking if i can achieve this using HttpModule, will that be a better solution rather than having Authorization check in the service constructor?
--Update--
After adding HttpContext.Current.Response.RedirectLocation = "login.aspx"; and HttpContext.Current.Response.StatusCode = 307;, it now gives me an error saying "Resource cannot be found". This is what it shows in the RequestedURL: /Web/Services/svcSomething.asmx/login.aspx.
How do i tell browser that redirect location is a new page and not the webmethod?
IMO - you need to handle the error (401) on the server side & redirect the user to the login page. Since you don't have any handler on the server side, the error is passed on to the client as a response & so you are seeing the code on the client-side to redirect the user...