Grails - SSL and Spring security core - http

I would like to have my application running exclusively with SSL turned on.
I am using the Spring Security core plugin.
This is how I attempt to do it in Config.groovy:
grails.plugins.springsecurity.portMapper.httpPort = 8080
grails.plugins.springsecurity.portMapper.httpsPort = 8443
grails.plugins.springsecurity.secureChannel.definition = [ '/**' : 'REQUIRES_SECURE_CHANNEL']
I was expecting this to cause redirects every time I would try to access a Url using HTTP.
However, I am never redirected, and can navigate through both HTTP and HTTPS. I may add I am starting my application using grails run-app -https
Am I getting this all wrong ?
Any suggestion is most welcome.

Do you have a custom filterchain declared in your config?
you might need to add 'channelProcessingFilter' to your chain in that case
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/security-filter-chain.html

You can also try using the forceHttps option
grails.plugins.springsecurity.auth.forceHttps = true

You don't have any wildcards, so the definition is literally matching the root URL (/), but nothing below it (/foo). What you want is:
grails.plugins.springsecurity.secureChannel.definition = [ '/**' : 'REQUIRES_SECURE_CHANNEL']
^^
(You can clearly see the wildcards in the documentation :-)
Finally, if your server is behind a load balancer or other firewall that hides the protocol, check that same page for instructions on checking the header.

Related

Stuck with woocommerce_rest_authentication_error: Invalid signature - provided signature does not match

Below issue was posted by me on https://github.com/XiaoFaye/WooCommerce.NET/issues/414 but since this may not be related at all to WooCommerce.Net but on a lowerlevel to Apache/Word/WooCommerc itself I am posting the same question here
I am really stuck with the famous error:
WebException: {"code":"woocommerce_rest_authentication_error","message":"Invalid signature - provided signature does not match.","data":{"status":401}}
FYI:
I have two wordpress instance running. One on my local machine and one on a remote server. The remote server is, as my local machine, in our company's LAN
I am running WAMP on both machines to run Apache and host Wordpress on port 80
The error ONLY occurs when trying to call the Rest api on the remote server. Connecting to the local rest api, the Rest Api/WooCommerceNet is working like a charm :-)
From my local browser I can login to the remote WooCommerce instance without any problem
On the remote server I have defined WP_SITEURL as 'http://[ip address]/webshop/ and WP_HOME as 'http://[ip address]/webshopin wp-config.php
Calling the api url (http://[ip address]/webshop/wp-json/wc/v3/) from my local browser works OK. I get the normal JSON response
Authentication is done through the WooCommerce.Net wrapper which only requires a consumer key, consumer secret and the api url. I am sure I am using the right consumer key and secret and the proper api url http://[ip address]/webshop/wp-json/wc/v3/ (see previous bullet)
I already played around with the authorizedHeader variable (true/false) when instantiating a WooCommerce RestApi but this has no effect
Is there anybody that can point me into the direction of a solution?
Your help will be much appreciated!
In my case, the problem was in my url adress. The URL Adress had two // begin wp-json
Url Before the solution: http://localhost:8080/wordpress//wp-json/wc/v3/
URL Now, and works ok: http://localhost:8080/wordpress/wp-json/wc/v3/
I use with this sentence.
RestAPI rest = new RestAPI(cUrlApi, Funciones.CK, Funciones.CS,false);
WCObject wc = new WCObject(rest);
var lstWooCategorias = await wc.Category.GetAll();
I hope my answer helps you.
Had the same issue. My fault was to define my url incorrect: http:// instead of https://.

Configure the http client of httpbuilder ng to not follow 302 redirects

I try to write some regression tests for my web application with Groovy and http-builder-ng.
To check all the headers for every request I would like to turn off
the auto redirection. To do this with http-builder there are BasicHttpParams, but I think BasicHttpParams are not working with http-builder-ng.
Is there another way to turn off auto redirection?
I didn't use http-builder-ng before, but from the docs I don't see a way to configure this directly. But you use some variant with client implementation, by default core, apache or okhttp. I guess you need to configure the underlying client library you are using to not follow redirects using clientCustomizer as described at https://http-builder-ng.github.io/http-builder-ng/asciidoc/html5/#_client.
E. g. with the core variant:
http = configure {
request.uri = 'test.com'
client.clientCustomizer { it.followRedirects = false }
}

How to Check Proxy

I have a Web app calling a Web Service by IP with the following code:
ws.Proxy = System.Net.HttpWebRequest.DefaultWebProxy;
ws.Credentials = System.Net.CredentialCache.DefaultCredentials;
ws.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;
I believe this uses the IE proxy settings. I'm trying to troubleshoot a separate issue and want to confirm the default proxy details being used.
How do I do that?
I tried making sense of this:
How to AutoDetect/Use IE proxy settings in .net HttpWebRequest
I failed to get the proxy uri back using Scotty's link in the comments or this one:
https://msdn.microsoft.com/en-us/library/vs/alm/system.net.iwebproxy.getproxy(v=vs.110)
So had to use another approach to troubleshoot my app. Not an answer, just closing this out.

Creating a url in controller in asp.net mvc 4

I am trying to send activation mail to the currently registered user.In mail body,I need to send a link like http://example.com/account/activation?username=d&email=g.Now, for debugging on local machine, I manually write it as localhost:30995/account/activation?username=d&email=g. But, when my port number changes, I need to rewrite it.
I tried another question
on this website,but, compiler gives error like url.action doesnot exist.
Please give me fresh solution as I am confused with that solution.
Use a Url.Action overload that takes a protocol parameter to generate your URLs:
Url.Action("Activation", "Account", new { username = "d", email = "g" }, "http")
This generates an absolute URL rather than a relative one. The protocol can be either "http" or "https". So this will return http://localhost:XXXXX/account/activation?username=d&email=g on your local machine, and http://example.com/account/activation?username=d&email=g on production.
In short, this will stick whatever domain you're hosting your app on in front of your URL; you can then change your hostname/port number/domain name as many times as you want. Your links will always point to the host they originated from. That should solve the problem you're facing.
Try using IIS / IIS-Express instead of Casinni web server that comes with visual studio.
You could add bindings to have the right URL (with host entries of course).
This will avoid the port numbers in your links.

symfony2 behind Amazon ELB: always trust proxy data?

I'm running a Symfony2 web application on AWS, and am using an Elastic Load Balancer.
In a controller method, I need to do the following to get the IP of a user requesting a web page:
$request->trustProxyData();
$clientIp = $request->getClientIp(True);
Does this present any security risks? I'm not using the client IP for privilege escalation, I'm just logging it.
Is there some way to force trustProxyData() always, or otherwise reconfigure $request->getClientIp() to DWIM? My app will always be behind a load balancer (except while I do development on my desktop).
Related: http://fabien.potencier.org/article/51/create-your-own-framework-on-top-of-the-symfony2-components-part-2 (but it doesn't say if there's some global config so I don't have to call trustProxyData() everywhere).
You can configure the framework bundle to do this: http://symfony.com/doc/2.0/reference/configuration/framework.html#trust-proxy-headers
framework:
trust_proxy_headers: true
I am not sure about any general security risks, but I can give you a tip how to avoid calling this method in each controller action.
In your app.php just before the $kernel->handle(...); you should set:
Request::trustProxyData();
Cheers ;)
Note:
The trust_proxy_headers option is deprecated and will be removed in Symfony 2.3.
See a trusted_proxies and a Trusting Proxies for details on how to properly trust proxy data.
I used
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));
in web/app.php to solve the problem.
See my answer here: https://stackoverflow.com/a/28793609/2030937
In modern symfony versions: https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly
If your elb is behind a cloudfront proxy you should take a look at this package too:
https://packagist.org/packages/fmaj/cloudfront-trusted-proxies

Resources