How does Spring Security's <intercept-url> work? - spring-mvc

I have several <intercept-url> elements in my spring-security XML. I just have this small doubt. Suppose I have something like:
<intercept-url pattern="/data/**" access="ROLE_ADMIN" />
<intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
Since the second <intercept-url> has a pattern of /**, I was wondering if it overrides the first one, e.g. I get access to /data/** even if I am a USER.

Quote from the reference documentation:
You can use multiple <intercept-url> elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top.
As long as the rule for /** is listed later, it won't override the more specific rule for /data/**.
As jpprade suggested already, if you get access to /data/** as a plain user with the above rules, there must be some other problem with your configuration. In that case share your web.xml and the whole security config to troubleshoot that.

The second doesn't override the first one; in theory it is the first matched rule which is applied.
If you can access /data/** as USER, maybe it is because you miss something in the configuration, maybe the filter declaration?
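The ordering both answers describe, shown as an added example that is not part of the original question or answers: the first <http> block is the misordering in which the catch-all rule shadows /data/**, the second is the correct order, and the web.xml fragment is the filter declaration the second answer refers to. The bean name springSecurityFilterChain is the one Spring Security's <http> namespace configuration registers; the rest of the application config is assumed to exist.

```xml
<!-- WRONG: the catch-all is listed first. Rules are evaluated in order and the
     first match wins, so every request (including /data/foo) matches /** and
     the /data/** rule is never consulted: a ROLE_USER can reach /data/**. -->
<http>
  <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
  <intercept-url pattern="/data/**" access="ROLE_ADMIN" />
</http>

<!-- RIGHT: most specific pattern first. /data/foo now matches /data/** and
     requires ROLE_ADMIN; everything else falls through to /**. -->
<http>
  <intercept-url pattern="/data/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
</http>

<!-- web.xml: without this filter mapping none of the rules above are applied
     at all, which is the "missing filter declaration" case from the answer. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

A quick check when rules seem to be ignored: if a request to /data/anything as a plain user is not rejected with 403 even with the correct order above, the filter chain is not wired into the servlet container (filter missing, or the security context file not loaded), rather than the rule order being wrong.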

Related

NLog Web - AspNet-User-Identity without domain

I'm currently using the NLog.Web package for writing my .Net logs in my application.
After reading the NLog.Web documentation, I've noticed that, unlike the ${windows-identity} layout renderer, the ${aspnet-user-identity} layout renderer has no domain parameter.
For example, if I want to log the current running windows identity, it logs out: domain\user, but when specifying domain=false, it logs only user.
How do I implement this kind of ability with the ${aspnet-user-identity}? Because when I configured ${aspnet-user-identity:domain=false} it didn't work.
The WindowsIdentity.Name, used in NLog, will always give the full name, including domain.
The logon name is in the form DOMAIN\USERNAME.
https://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.name(v=vs.110).aspx
I think you need a custom layout renderer, and split it by hand on the /.
Something like this (maybe also add some checks for out-of-index):
using System.Linq;
using System.Web;
using NLog.LayoutRenderers;
....
// register ${my-aspnet-user-identity}: the logon name is DOMAIN\USERNAME, so split on
// the backslash and keep the last part; Last() also covers a name with no domain part,
// and the ?. chain yields null (nothing logged) when there is no identity at all
LayoutRenderer.Register("my-aspnet-user-identity",
    (logEvent) => HttpContext.Current?.User?.Identity?.Name?.Split('\\').Last());
Register it as soon as possible.
I found a different way to solve this issue #Julian
In the NLog.config file, I created a variable:
<variable name="aspnetIdentity" value="${replace:searchFor=^\\w+\\\\:replaceWith=:regex=true:inner=${aspnet-user-identity}}" />
As defined in the variable, the regex searches for at least one word (at the start) and finally searches for a backslash.
The other backslashes are written to escape special characters, hence the double backslashing. Finally, what was found (it's the domain name) is replaced with an empty string, and therefore I get only the username and not Domain\Username.
Thanks for the help #Julian

HTTPTargetConnection - why proxy.pathsuffix gets appended to URL

I have created multiple target endpoints based on my back-end servers. Each target endpoint has a fixed URL.
The URL is configured as:
<HTTPTargetConnection>
<URL>https://example.com/test/</URL>
</HTTPTargetConnection>
I noticed that "proxy.pathsuffix" is automatically getting appended to the URL (https://example.com/test/). How can I avoid this?
A bit outdated as a reply, but Assign Message works for this (to avoid JavaScript):
<AssignVariable>
<Name>target.copy.pathsuffix</Name>
<Value>false</Value>
</AssignVariable>
You'll need to create a new JavaScript callout policy in your proxy request flow. In this JavaScript callout, simply add a single line:
context.setVariable("target.copy.pathsuffix", false);

How do I change the inner text instead of attributes in config transformations?

I've been using config transformations a lot, but I'm struggling with one bit: the changing of "inner text" as opposed to attributes.
As an example, I've got the following in a config file (Sitecore's webforms for marketers if anyone's interested):
<param desc="connection string">Database=sitecore_webforms;Data Source=CHANGEME;user id=CHANGEME;password=CHANGEME;Connect Timeout=30</param>
and I want to change it to the proper connection string. Usually that would be part of an attribute which I can do fine but in this case it's not.
Is this possible using either the "vanilla" transformations or Sayed Ibrahim Hashimi's SlowCheetah?
You need to use the Replace transform. In your case, something like:
<param desc="connection string" xdt:Transform="Replace">new connection string here</param>
You'll also need to add the right xdt:Locator attribute, to select the element.
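A complete transform file for this case, added here as an illustration rather than code from the answer: Match(desc) is the XDT locator that selects the <param> whose desc attribute equals the transform element's, and Replace swaps the whole element (so the inner text changes). The enclosing element path (<configuration>/<sitecore>) and the connection string values are assumptions; use the real path of the <param> in your config file.

```xml
<?xml version="1.0"?>
<!-- Assumed parent path; adjust to match the original config file. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <sitecore>
    <!-- Locator: find the <param> whose desc attribute matches "connection string".
         Transform: replace that element with this one (xdt:* attributes stripped),
         which is how the inner text, not just an attribute, gets changed. -->
    <param desc="connection string"
           xdt:Locator="Match(desc)"
           xdt:Transform="Replace">Database=sitecore_webforms;Data Source=PROD-SQL;user id=wfm_user;password=REPLACE_ME;Connect Timeout=30</param>
  </sitecore>
</configuration>
```

Keep the desc attribute on the transform element: because Replace substitutes the whole element, whatever attributes you omit there are dropped from the result. The password value is a placeholder; the transform file ends up in source control, so the real one belongs in a secret store or a per-environment file that is not committed.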

Load freemarker template from classpath

I have a Resource in a Spring MVC application loaded from the classpath.
<bean id="myController" class="com.MyController">
<property name="myTemplate" value="classpath:myTemplate.txt"/>
</bean>
And I am trying to load it as a freemarker Template using this code:
import org.springframework.core.io.Resource;
import freemarker.template.Configuration;
import freemarker.template.Template;
...
private Resource myTemplate;
...
Configuration cfg = new Configuration();
cfg.setClassForTemplateLoading(this.getClass(), "/");
// the name passed to FreeMarker is taken from the injected Resource
Template tpl = cfg.getTemplate(myTemplate.getFilename());
But I keep ending up in: java.io.FileNotFoundException: Template classpath:myTemplate.txt not found.
I tried implementing what was suggested here; however, it doesn't seem to help.
The only hack I could find so far was to remove the "classpath:" prefix from the filename String, but I prefer not to do it.
Any ideas...?
So what you are saying is that you don't want to remove "class:" from the template name, and according to this question you don't want to teach FreeMarker to understand it via a custom TemplateLoader either. I mean, if you bar these, what else could possibly solve this? I can only advise you to do the latter: implement a custom TemplateLoader (either one that just removes the "class:" prefix and then delegates to ClassTemplateLoader, or, even better, one that just delegates to a Spring ResourceLoader). That's how you configure FreeMarker to do what you want. It's not something extreme to do, implementing your own TemplateLoader.
Update: It might be useful to know that by default there's a mismatch between the FreeMarker template name syntax and Spring's resource name syntax. According to the Spring syntax, you can write "classpath:foo.ftl" or "classpath:/foo.ftl". But FreeMarker assumes that the scheme part always ends with ://, and a lonely : or :/ is nothing special. So all these resource paths will be seen as relative paths, and the current template directory will be prepended to them before the actual template resolution. To solve this, since FreeMarker 2.3.22 you can use Configuration.setTemplateNameFormat(TemplateNameFormat.DEFAULT_2_4_0) (template_name_format=DEFAULT_2_4_0 in Properties), which does consider : as a scheme separator.

Use HTML markup in web.config file

I want to display a message on my homepage (default.aspx), which is different for each "installation" of my web app. I would like to avoid making a call to the database to show this message, so I thought of using web.config to store something like this:
<add key="WelcomeString" value="lorem ipsus <b>doloret sit amen</b>" />
But I've noticed I can't use HTML markup in the web.config...
Is there a better approach, or is there a way to insert HTML markup into web.config?
Thank you again, Stack Overflow gurus... I'm learning a lot of things from you!
You need to XML-encode it, to store it in the XML as a valid attribute value. E.g.:
<add key="WelcomeString" value="lorem ipsus &lt;b&gt;doloret sit amen&lt;/b&gt;" />
Use "&lt;" and "&gt;" instead of "<" and ">":
<add key="WelcomeString" value="lorem ipsus &lt;b&gt;doloret sit amen&lt;/b&gt;" />
You have a couple of examples of how to add it to the web.config file, but I would suggest that you consider adding a "localization" XML file to App_Data and read it from there rather than polluting the web.config file with customizations for each installation. You could read this file during application start up and store the values in the HttpRuntime.Cache by key, retrieving them from there as needed. Note that you need a way to regenerate them if they get flushed from the Cache (or mark them as not removable). Use the same technique to encode it for an attribute in the XML file or, if longer, store it in CDATA in the node value.
I use a technique like this with two XML files, defaults and localizations. Defaults supplies default values for the localizable aspects of the application. Localizations, if present, will override the defaults. These are loaded, in my case, into a Singleton object for the application that has strongly-typed properties for the values. Note that this encompasses much more than simply localized strings; they can be arbitrarily complex. The Singleton object has methods to read and apply both defaults and localizations given the path to the XML file.