Environment: Microsoft Visual Studio 2019 Community, ASP.NET v4.8 web application/web api project using VB.NET
I can find lots of C# answers to this but no VB.NET answers. I have added the CORS NuGet packages to my project and added this code (it compiles and runs OK but makes no difference on localhost or prod, i.e. any origin domain can still call the POST method):
WebApiConfig.vb

Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Web.Http
Imports System.Web.Http.Cors

Public Module WebApiConfig
    Public Sub Register(ByVal config As HttpConfiguration)
        ' Web API configuration and services
        ' Global CORS policy: one allowed origin, any header, any method
        Dim corsAttr = New EnableCorsAttribute("http://example.com", "*", "*")
        config.EnableCors(corsAttr)
    End Sub
End Module

Controller:

' POST: api/Notification
' Action-level CORS policy (note it names a different origin than the global one)
<EnableCors("https://www.somedomain.com", "*", "*")>
Public Function PostValue(<FromBody()> ByVal value As Object) As IHttpActionResult
    Return Ok()
End Function
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here's a very quick rundown of a CORS-controlled request in a normal, honest browser just installed fresh off Mozilla's/Google's website:
page is served from acme.com
page contains script
script wants data from foobar.com, asks browser to GET the data
browser first says "hey foobar.com, what is the list of websites that you will let download your data?"
foobar.com says "foobar.com and barbaz.com"
browser denies script's attempt to GET, because the script was served from acme.com and acme.com is not in the list of permitted sites
If foobar.com had responded nominating acme.com as being in the list of sites, then the browser would have proceeded to actually perform the GET.
Postman doesn't care about any of that; if you ask Postman to get data from foobar.com it will make the request, foobar.com will probably* serve it and Postman will show it.
*Technically it could be possible for the server to refuse to serve it, but CORS is not a server-side security feature; it relies on decent, honest browsers blocking the request if told to do so.
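The walkthrough above as an added, runnable model (not code from the question or answer): the server attaches CORS headers according to its allowed-origin list, a well-behaved browser gates the body on those headers, and a non-browser client such as Postman sees the body regardless. Origins are the answer's acme.com/foobar.com/barbaz.com; requests and responses are constructed dicts, no network is involved.

```python
# Constructed model of the simple (non-preflighted) CORS path; the allowed-origin
# set plays the role of the origins argument of EnableCors(...).
ALLOWED_ORIGINS = {"https://foobar.com", "https://barbaz.com"}  # foobar.com's policy


def server_handle(request, allowed_origins=ALLOWED_ORIGINS):
    """What the resource server does. It never refuses because of CORS; it only
    decides which Access-Control-* headers to attach to the response."""
    origin = request.get("headers", {}).get("Origin")
    headers = {"Content-Type": "application/json"}
    if origin in allowed_origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"  # cache must not reuse this answer for other origins
    body = '{"secret": "data"}'  # served no matter what Origin was sent
    return {"status": 200, "headers": headers, "body": body}


def browser_fetch(page_origin, request, allowed_origins=ALLOWED_ORIGINS):
    """A well-behaved browser: adds the Origin header, lets the server respond,
    then hands the body to the script only if the response permits page_origin."""
    headers = {**request.get("headers", {}), "Origin": page_origin}
    response = server_handle(dict(request, headers=headers), allowed_origins)
    allow = response["headers"].get("Access-Control-Allow-Origin")
    if allow == page_origin or allow == "*":
        return response["body"]
    return None  # script gets a CORS error, although the data crossed the wire


def postman_fetch(request, allowed_origins=ALLOWED_ORIGINS):
    """A non-browser client: there is no Origin gate, the body is simply shown."""
    return server_handle(request, allowed_origins)["body"]
```

Because the server answers every caller, anything that must not be readable by arbitrary clients needs server-side authentication and authorization; CORS only decides what a browser page may read.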
Question is the following: we have an ASP.NET Core application which sits behind nginx, with public url https://public and private url https://private. When the user hits an application, there is a login redirect to Identity Server, which contains private url as redirect url. Can anyone suggest how to rewrite this url to be a public one?
Regards
Actually some days ago I had the same issue with IdentityServer. It works quite differently depending on the version of IdentityServer. Until version 4.0 you can set
Public origin = your public url
From 4.0 you have to set up your proxy to pass X-Forwarded headers.
For this to work you need to use the dotnet middleware described in the docs: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3.1
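As an added illustration (not code from the thread or from IdentityServer), here is the policy a forwarded-headers middleware applies when it derives the externally visible origin that ends up in the login redirect: X-Forwarded-Proto and X-Forwarded-Host are honoured only when the request really came from the known proxy, otherwise a client could forge them and steer the redirect_uri to a host of its choosing. The proxy address, the https://public and https://private hosts and the IdentityServer authority are placeholders, and the headers are assumed to carry a single value.

```python
from ipaddress import ip_address
from urllib.parse import quote

KNOWN_PROXIES = {ip_address("10.0.0.5")}  # assumption: the nginx instance's address


def public_origin(request_scheme, request_host, headers, remote_addr,
                  known_proxies=KNOWN_PROXIES):
    """Return the scheme://host the app should use in absolute URLs.

    Same idea as ASP.NET Core's UseForwardedHeaders with KnownProxies set:
    forwarded headers are trusted only when the immediate peer is a known proxy;
    otherwise the request's own scheme and host are used (single-valued headers)."""
    if ip_address(remote_addr) in known_proxies:
        scheme = headers.get("X-Forwarded-Proto", request_scheme).strip()
        host = headers.get("X-Forwarded-Host", request_host).strip()
    else:
        # Headers from an untrusted peer are ignored, never partially applied.
        scheme, host = request_scheme, request_host
    return f"{scheme}://{host}"


def login_redirect(authority, origin, callback_path="/signin-oidc"):
    """Build the authorize URL sent to IdentityServer; redirect_uri must carry
    the public origin or the round trip lands on the private hostname."""
    redirect_uri = quote(origin + callback_path, safe="")
    return f"{authority}/connect/authorize?redirect_uri={redirect_uri}"


def constructed_request():
    # Constructed sample: nginx at 10.0.0.5 forwards a request it received on
    # https://public to the app, which itself listens as https://private.
    headers = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "public"}
    return public_origin("https", "private", headers, "10.0.0.5")
```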
I have read something about TDD. My field is web development.
Namely server side (Python + Django).
In a book I read: let's check whether our local web page has an 'html' tag.
I would say that for learning purposes it is OK. But a real web page should be validated by https://validator.w3.org/
They say that even for famous web sites not every page passes validation. Well, let us assume that we decided to develop a nice web site and our policy is 100% passing of the validation.
Well, the plan seems to be that we should automatically submit our web page to the validator and check for errors. How can it be done?
By the way, I don't have a public IP.
Is it a good plan to:
1) Pay more to one's Internet provider and get a public IP.
2) Run a web server in debug mode. In this case, at the development stage, the web site will be visible from the real world.
3) Pass the address of the web page being developed to the validator via Selenium?
4) Check for errors via Selenium again.
Is it a good idea or is there a better plan? Can I get by without a public IP?
You can download a copy of the W3C validation program and run it locally.
There are also a number of other offline HTML validators such as HTML Tidy and Total Validator.
You might also consider running the validation as a part of continuous integration. There are plugins for Jenkins and other CI servers such as the Unicorn Validation plugin.
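One way to do what the answer suggests inside a Django test suite, as an added example (not the thread's code): render the page with Django's test client and pipe the HTML into a locally downloaded copy of the W3C checker (vnu.jar, run with `java -jar`), so nothing leaves the developer machine and no public IP is needed. The jar path and its command-line flags are assumptions based on the checker's documented `--format json` and `--stdout` options; the report parser is exercised on a constructed report.

```python
import json
import subprocess

VNU_JAR = "/opt/vnu/vnu.jar"  # assumption: where the offline checker was unpacked


def parse_vnu_report(report_text):
    """Turn the checker's JSON report into 'line: message' strings for errors only,
    so warnings and info messages do not fail the build."""
    messages = json.loads(report_text).get("messages", [])
    return [f"{m.get('lastLine', '?')}: {m['message']}"
            for m in messages if m.get("type") == "error"]


def validate_html(html, jar=VNU_JAR):
    """Run the checker over one document read from stdin and return its errors."""
    proc = subprocess.run(
        ["java", "-jar", jar, "--format", "json", "--stdout", "-"],
        input=html.encode("utf-8"), capture_output=True, check=False)
    # The checker exits non-zero when it found errors; the report is still JSON.
    report = proc.stdout.decode("utf-8") or '{"messages": []}'
    return parse_vnu_report(report)


def assert_page_valid(client, path):
    """Call from a django.test.TestCase with client=self.client; the page is
    rendered by the test server in-process, so the validator never needs a URL."""
    html = client.get(path).content.decode("utf-8")
    errors = validate_html(html)
    assert not errors, f"{path} failed validation:\n" + "\n".join(errors)
```

Run it once per view in CI (the answer mentions Jenkins plugins for the same job) and the 100% policy is enforced on every commit rather than checked by hand.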
I had the Magento SOAP API working perfectly until the client said "Doh! We need it on this URL instead." After I moved it to that new URL the API will not run no matter what; I've made all the necessary URL changes in the API script, configuration, the DB and the site files.
Is there somewhere the old URL may be encoded where I'm not finding it using a find and replace?
For instance, I created a full cPanel backup of the site, restored it to another server, went back through and changed all the instances of the new URL back to the old URL in the DB, site files and configuration and voilà! SOAP starts working again.
Thanks!
I have successfully configured my SWT Browser application to use the proxy by setting VM arguments -Dnetwork.proxy_host and -Dnetwork.proxy_port to the according values.
However the proxy needs authentication, but the username/password prompt does not open. Furthermore, when registering an authentication listener, the listener is never triggered.
The problems occurred with a Linux Debian 64-bit distribution. When compiling the same application for Windows, all works fine, i.e. the password prompt opens. The SWT Browser is configured to use MOZILLA, not WEBKIT. Unfortunately I cannot test with WEBKIT as I am limited to a given environment.
Temp solution: when starting the Linux Mozilla browser, the prompt comes up. If I enter the correct values there and afterwards start the SWT Browser application, then no authentication is needed at all and internet access is possible. But this is not a good solution.
When I register a location listener with "addLocationListener" to look at what's going on with URL calls, I can see that the initial URL (for example www.google.de) results in a call to a certain HTTP site of the proxy server. And this HTTP site is a redirect to an HTTPS site of the proxy. Then the HTTPS site results in calling the HTTP redirect page again. This is then an endless loop.
I would guess that somewhere in the Java code of the SWT Browser class there is a routine that calls setUrl with those pages (which results in an endless loop) and skips calling any authentication listener for some reason.
Maybe someone has an idea what's going wrong in this authentication process?
I have no solution but a hint: I'm not sure what you mean by "Linux Mozilla Browser"; I know Firefox and XULRunner. But your workaround suggests that profile information is shared somehow, and that shouldn't happen.
I tried to find some information on how to define the profile (where the web browser keeps its cache, config, SSL certificates, plugins, ...) but to no avail.
This entry in the FAQ shows how to set the proxy host: How do I set a proxy for the Browser to use?
Try to find a way to add the user/password information into the request sent to the proxy server. If that fails, create a local proxy which connects to the real proxy as upstream and which can authenticate itself.
Looking at the bug database, there is no support for Browser profiles: Flexible Mozilla profile support - new API request
Here is how our Tomcat webserver is currently setup. We are using jsp for the webpages.
/webserverpath/main (all public pages and the login page)
/webserverpath/secure1 (private pages)
/webserverpath/secure2 (private pages)
/webserverpath/secure3 (private pages)
I recently discovered that the authentication is very minimal. For instance, once a user is logged in they can bookmark any private page, close the browser, open the browser back up, go to the bookmark and are never asked to sign in again (which turns out to be bad since we recently started disabling users). All of this was set up before I arrived. I'm wondering what I can do to add the proper security. Should I have all the folders under one main folder (i.e. /webserverpath/main/secure1, etc.) or just leave it alone?
Let me add that I'm newish to the whole website authentication stuff, to having multiple websites in different folders like this, and to JSP itself.
You might start here: Declarative Web Application Security with Servlets and JSP
Generally, you probably want some session-based authentication that kicks people out of the private parts of the site if they aren't authenticated.