external url as request parameters - spring-restcontroller

We are building a PDF report using OpenPDF which prints client logo dynamically based on the url passed by the calling client.
Scenario:
A print request is received, it also has logoURL as a parameter.
Then in one of the steps while processing the request, this url is passed to Image.getInstance(logoURL) of the OpenPDF's Image class, which either returns a proper image or an exception. If exception occurs we fall back to a locally stored standard logo.
I wanted to know if this approach is secure to let the calling api or client send a url, and then we use that internally to download an image. If this is not the right approach, what is a standard way of achieving this.

Related

Getting generic page error in response, using JMeter in .NET site

When using .Net application,
and checking error logs,
getting below error: Object reference not set to an instance of an object.
Most probably you're sending the wrong request due to missing or improperly implemented correlation
So if you have recorded a request using HTTP(S) Test Script Recorder most probably there is at least one parameter there which is supposed to be dynamic, to wit
extracted from the previous response using a suitable JMeter Post-Processor
stored into a JMeter Variable
and the dynamic variable to be sent along with the request instead of recorded hard-coded value
In .NET web applications the most commonly used parameter is ViewState, however other may also be required like EventValidation
so given you properly handle these dynamic parameters you should start getting "good" responses, see ASP.NET Login Testing with JMeter for example handling of the dynamic parameters.
Also don't forget to add HTTP Cookie Manager to your test plan.

OpenID Connect Persist ID Token to Server-side Callback Function

Suppose that I invoke the following HTTP request:
https://accounts.example.com/oauth2/auth?
scope=openid+email&
nonce=53f2495d7b435ac571&
redirect_uri=https%3A%2F%2Foauth2demo.appspot.com%2Foauthcallback&
response_type=id_token+token&
client_id=753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com
Which yields the following redirect response:
https://oauth2demo.appspot.com/oauthcallback#
access_token=ya29.AHES6ZSzX
token_type=Bearer&
expires_in=3600&
id_token=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY...
What is the point of the callback parameter, given that the returned metadata, containing id_token, etc., is positioned after a hash fragment in the URI, and are therefore not persisted as parameters to the callback function? How can a server-side callback receive the various tokens?
The response type that is used here is a so-called "Implicit" response type which is primarily meant for in-browser (e.g. Javascript) clients, in which case the Javascript code that is served on the callback URL can access the parameters in the fragment. Web applications should do either one of:
stick to the code flow which is meant for web application clients
use the Form Post response mode (http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) if supported by the OP
serve Javascript on the callback URL that parses out the parameters from the fragment and POSTs them to the server
Bottom line is that if you need the tokens server-side, you should most probably use the code response type.

which tokens/codes/ids actually need to be exchanged for google oauth

i'm trying to follow the example code on google's website here, but it seems a little broken - the javascript references getting a list of people from the server, but in the server-side code there's no reference to calling those functions of the api, it just returns an HTTP status code and a text status, so i'm wondering if there's a step missing and i'm exchanging the wrong code at the wrong time.
my current flow is
login button button clicked, magic happens, my callback gets passed an object with a whole bunch of properties in it
I take the code property from that object, and post it back to my server in an ajax request
on my server, i run the following python, where auth_code_from_js is the data of my post request:
oauth_flow = client.flow_from_clientsecrets('client_secrets.json', scope='')
credentials = oauth_flow.step2_exchange(auth_code_from_js)
python throws a FlowExchangeError with the message invalid request and no other useful information
am i missing a step? is that initial 'code' property what i'm supposed to be passing in to the 'step2_exchange' method?

Jmeter : How to test a website to render a page regardless of the content

I have a requirement where the site only needs to respond to the user within certain seconds, regardless of the contents.
Now there is a option in Jmeter in HTTP Proxy Server -> URL Patterns to exclude and then to start recording.
Here I can specify gif, css or other content to ignore. However before starting the recording I have to be aware of what are the various contents that are going to be there.
Is there any specific parameter to pass to Jmeter or any other tool which takes care about loading the page only and I can assert the response code of that page and no the other contents of the page are recorded.
Thanks.
Use the standard HTTP Request sampler with DISABLED (not checked) option Retrieve All Embedded Resources from HTML Files (set via sampler's control panel):
"It also lets you control whether or not JMeter parses HTML files for
images and other embedded resources and sends HTTP requests to
retrieve them."
NOTE: You may also define the same setting via HTTP Request Defaults.
NOTE: See also "Response size calculation" in the same HTTP Request article.
Add assertions to your http samplers:
Duration Assertion: to tests if response was received within a defined amount of time;
Response Assertion: to ensure that request was successfull,
e.g.
Response Field to Test = Response Code
Pattern Matching Rules = Equals
Patterns to Test = 200
You want to run test that would ignore resources after certain number of seconds?
I don't understand, what are you trying to accomplish by doing that?
Users will still receive those resources when they request your url, so your tests wont be accurate.
I don't mean any disrespect, but is it possible that you misunderstood the requirements?
I assume that the requirement is to load all the resources in certain number of seconds, not to cut off the ones that fail to fit in that time?

How can I pass data to the success callback of an ExtJS-based AJAX file upload?

So, I've read a lot about using ExtJS's fileuploadfield to submit a form via an IFRAME. I understand that I'm supposed to reply with a JSON object indicating success or failure; fine. What I want to know is, how can I get more information back to the calling code? I don't want to simple send a file and say "yup, that worked fine" -- I want to submit a document, act on it, and return a result.
Say I have the user upload an XML document -- I might want to do a lookup or conversion based on it and update the contents of a form on my page accordingly. Is this even possible? I'd strongly prefer to avoid involving Flash or embedded applets if at all possible. If need be, I could even restrict this behavior to HTML5-compliant browsers...
I honestly thought I wasn't seeing the response I sent, but it was a server-side error. My success callback is now firing, with the full text of my server's response available as f.responseText (where f is the first argument to the success callback). My mistake!