Hybris remove specific cookie when logout - cookies

I've created a custom cookie via Javascript and every time I logout, I want to remove this cookie from the browser. How/Where is the best place to perform this operation in the Hybris/Sap Commerce ecosystem?

You can use Spring MVC Interceptors like this.
<alias name="defaultBeforeControllerHandlersList" alias="beforeControllerHandlersList"/>
<util:list id="defaultBeforeControllerHandlersList">
<!-- List of handlers to run -->
<bean class="xyz.CheckUrlsBeforeControllerHandler">
<property name="checkedUrls" ref="checkUrlsList"/>
</bean>
</util:list>
Then Inside CustomHandler use guidCookieStrategy.deleteCookie(request, response);
to delete cookies.

Related

update local entry in wso2 esb via servce

Is there any way by which, I can update local entry from esb service. I have to store a token in global variable and need to update it when it is expired. I want to keep it in local entry. Looks like I can not update it from ESB service/sequence.
<localEntry key="TestLocalEntry" xmlns="http://ws.apache.org/ns/synapse"><![CDATA[TestValue]]></localEntry>
If you requirement is to store a global variable and not really update a local entry, you can use esb registry
Try this js to create / update an entry in governance registry (and store current payload xml in this sample) :
<script language="js"><![CDATA[
importPackage(Packages.org.apache.synapse.config);
mc.getConfiguration().getRegistry().newResource("gov:/trunk/test/MyEntry.xml",false);
mc.getConfiguration().getRegistry().updateResource("gov:/trunk/test/MyEntry.xml",mc.getPayloadXML().toString());
]]></script>
Try this xpath expression in your mediation to read the entry :
get-property('gov:/trunk/test/MyEntry.xml')
I have managed to fix this problem with java script.
To get property value use :
<script language="js"><![CDATA[var Token = mc.getEnvironment().getServerContextInformation().getProperty("TokenVal");
mc.setProperty("TokenVal",Token);]]></script>
<property expression="$ctx:TokenVal" name="TokenValue"
type="STRING" xmlns:ns="http://org.apache.synapse/xsd"/>
and to update value use:
<script language="js"><![CDATA[var TokenValue = mc.getProperty("TokenValue");
mc.getEnvironment().getServerContextInformation().addProperty("TokenVal",TokenValue);
]]></script>
but even then, I want to use registry resources if we have any in wso2 esb

Struts 1.2 Servlet Filter and web.xml filtering url-pattern

I have a URL in the following form...
htts://www.mysite/admin/userprofile.do
Using a servlet filter I want to prevent certain things in part of the URL. Using the following in web.xml...
<filter-mapping>
<filter-name>myFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
With an appropriate servlet-filter how could I change url-pattern to only manage the /admin/ portion of the URL (this is an old app that for whatever reason allows an XSS injection only in that portion). Is this possible?
<url-pattern>/admin/*</url-pattern>
You can achieve this like below :
<filter-mapping>
<filter-name>myFilter</filter-name>
<url-pattern>/admin/*</url-pattern>
</filter-mapping>

Cas Ticket Issue in Jmeter

I have a web application which uses CAS Ticket for user authentication purpose which is different for every login. I recorded the script in JMeter. Also I correlated the pages by filling up the Regular Expression Extractor as follows:
Recorded script has url: https://foo.com/j_spring_cas_security_check?ticket=ST-3101-QDTyjbbHoOHvgPMdRBIg-cas.
After applying all above I ran the script but got status fail displaying https://foo.com/j_spring_cas_security_check?ticket=Ticket_Not_Found.
It would be very helpful if someone could tell me what did I miss in my script?
There is two ways for this,
if you have multiple username and password and you can use those with Jmeter,
you can use those to generate CAS ST(Service ticket).
Another:
default when CAS create ticket, it can be just used for one time.
you have to change values in ticketExpirationPolicies.xml of your cas server
to use same ticket multiple times.
default location is:
WEB_INF/spring-configuration/ticketExpirationPolicies.xml
change this to if you want 50 users to use same ticket
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="1"
value="100000" />
</bean>
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="0"
value="7200000" />
</bean>
Answer given by: VIVEK ADHIKARI
It seems that an error happened when fetching ticket value from url's parameter list. Maybe you can add a hidden field on your page and set its value from this parameter.
<input type="hidden" id="ticket_key" value="ST-3101-QDTyjbbHoOHvgPMdRBIg-cas" />
Then you can get it by Regular Extractor ticket_key=(.+)
Hope it helps.

Spring Security with REST web services - cannot authenticate via header when testing with Curl

I'm new to Spring and spring security and I can't seem to get this working. I'm securing a web service with Spring security. I'm getting the appropriate responses back - 401, 200, etc - for the secure requests and when I explicitely login to the URL I defined. However, when I try to test the actual url providing data via curl or poster sending the authentication in the header, I can't get it to work.
Here's my servlet-security.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint">
<intercept-url pattern="/services/schedule/**" access="ROLE_USER, ROLE_ADMIN"/>
<custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>
<!-- Adds a logout filter to Spring Security filter chain -->
<logout logout-url="/api/logout" delete-cookies="true" invalidate-session="true"
success-handler-ref="restLogoutSuccessHandler"/>
</http>
<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/>
<beans:property name="filterProcessesUrl" value="/api/login"/>
<beans:property name="usernameParameter" value="username"/>
<beans:property name="passwordParameter" value="password"/>
<beans:property name="postOnly" value="true"/>
</beans:bean>
<!-- Configures a custom authentication success handler that returns HTTP status code 200 -->
<beans:bean id="mySuccessHandler" class="com.touchvision.pilot.security.RestAuthenticationSuccessHandler"/>
<!-- Configures a custom authentication failure handler that returns HTTP status code 401 -->
<beans:bean id="restAuthenticationFailureHandler" class="com.touchvision.pilot.security.RestAuthenticationFailureHandler"/>
<!-- Configures a custom logout success handler that returns HTTP status code 200 -->
<beans:bean id="restLogoutSuccessHandler" class="com.touchvision.pilot.security.RestLogoutSuccessHandler"/>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="customUserDetailsService">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
<!-- A custom service where Spring will retrieve users and their corresponding access levels -->
<beans:bean id="customUserDetailsService" class="com.touchvision.pilot.services.CustomUserDetailsService"/>
</beans:beans>
As I said, I can login fine via posting the creds to the /api/login. However, when I try to send the authentication in the header with an actual data request, I get an error that says "This request requires HTTP authentication." The curl command I'm using is:
curl -u admin#touchvision.com:admin123 "http://local.touchvision.com/services/schedule/list"
Thanks for any and all help.
You only have a form-login filter (UsernamePasswordAuthenticationFilter) configured that processes form parameters passed in a HTTP POST request, but there is nothing on the server side that would process the header of a request.
Try configuring a BasicAuthenticationFilter that will authenticate requests based on info passed in the header.
Have you tried using %40 intead of the # sign in the user ID. Also, depending on your version of CURL, you may want to try quotes around the entire -u parameter.

FormsAuthentication.SetAuthCookie

hi we are using FormsAuthentication.SetAuthCookie(profile.Id, false);
Now the question is when does this cookie expires?
It of course expires once I close all the browsers but it doesn't I keep the browser open and I don't know the timelimit.
It will depend on the Timeout property in web.config.
In the system.web attribute of your web.config file, you must set the following:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
then your cookie will expire depending on the value you have set in the timeout attribute.