Can't show embedded PDF file from own server

If I test this on my localhost the file is embedded as expected, but once the server goes public this message shows up in the console:
Load denied by X-Frame-Options:
http://x.x.x.x/app/resources/pdf/somePDf.pdf does not permit framing.
That file is stored on the same server, so I'm not violating the cross-origin policy.
I load the file with Angular, but then again, loading it with Angular is not the problem.
What is the cause of the problem?
Edit:
I added to the spring security 4 file these lines:
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
Still not working as intended.
NOTE: Turns out it's only a Firefox thing; Chrome and Explorer are working fine.

Related

URL /%20/ throws configuration file error with external connectionStrings or appSettings files

Had some pen testers test an ASP.NET MVC4 site, and they found I was showing a "raw" error with the URL: /%20/ e.g. https://example.com/%20/
Server Error in '/' Application.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: The configSource file 'Web_ConnectionStrings.config' is also used in a parent, this is not allowed.
Source Error:
Line 17: <!-- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->
Line 18: <!-- these settings can be found in external files - this prevents application restart when they are changed -->
Line 19: <connectionStrings configSource="Web_ConnectionStrings.config" />
Line 20: <appSettings configSource="Web_AppSettings.config" />
Line 21: <!-- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->
Although it should be, this isn't a normal 404 error, I already catch those and display a custom page. I also catch 500's and display them nicely too. This error happens earlier than the Application_Error() in global.asax.cs so it's not caught there.
This seems to be caused by the slash-space-slash confusing IIS or the application, and it's trying to load the web.config's include files more than once or something.
If I include those sections the normal way (not external files - just normal XML sections in the web.config) then everything works as expected and the custom 404 page shows.
If you remove the %20 and just do two slashes, everything works fine. It seems like it has to be this specific URL.
I've seen other posts about IIS configuration with Default Site or virtual paths pointing to the same file location. But I don't think that applies, as I have the Default Site stopped, and I don't see any problems on any other URLs - the site seems to be working fine.
Does anyone know what IIS is trying to do with a /%20/ URL? Or how to handle this more gracefully?
I like having these config sections split out so changes don't recycle the app pool, but if this is a problem with doing this (why are external files allowed then?) then I guess I'll bring all the settings into the web.config itself.

Missing configuration for the issuer of security tokens error

I inherited an existing project without its development environment. I have UAT code and a backup of the Production database. I can run up the site locally via Visual Studio but have hit an authentication problem trying to set up a fresh standalone DEV server on AWS (single server, no load balancer). The doco indicates the Prod server is a dual server setup with a load balancer.
The front end site pages do display, although some search is not working. On trying to log into the backend pages, Chrome returns "The xxx page isn't working. xxx redirected you too many times." Using developer tools, I can see the page redirects back and forth between SWT?realm=... and sitefinity?wrap_defalted=true&wrap_access_token... On the second redirect response header there is "X-Authentication-Error:Missing configuration for the issuer of security tokens 'https://xxx/Sitefinity/Authenticate/SWT' "
I tried different values in the web.config lines:
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
<cookieHandler requireSsl="false"/>
</federatedAuthentication>
but that actually made things worse so I have reverted.
I checked all the settings mentioned in http://docs.sitefinity.com/administration-switch-to-claims-based-authentication and they seem to be set correctly. I don't really know what else I can check to get this working.
I found http://docs.sitefinity.com/administration-configure-security, but it does not seem like these settings are set (I don't have access to the Prod server so can't confirm if it is actually set up with load balancing). I am currently using a 30 day trial license so am not sure if this is contributing to the problem. The official license is in the process of being transferred by the client. The domain name associated with the official license would be different to the domain my new server is currently running on.
I am also running version 8 code on a version 9 install of Sitefinity. I wanted to get it working before I tried to upgrade the code. I think there was also an assembly load to manifest mismatch when I tried upgrading my local version.
Found the solution: Don't mess with the SecurityConfig.config file.
<securityTokenIssuers>
<add key="B886AA7BFB5515BA63F577A44BBEB5C7AE674035514D128BC397346B11F4C97A" encoding="Hexadecimal" membershipProvider="Default" realm="http://localhost" />
</securityTokenIssuers>
<relyingParties>
<add key="B886AA7BFB5515BA63F577A44BBEB5C7AE674035514D128BC397346B11F4C97A" encoding="Hexadecimal" realm="http://localhost" />
</relyingParties>
Even though it is running on a server, the above lines should still point to localhost. It seems like these only need to be edited if you have a multi-server setup with an entirely separate STS.
I initially changed it to match the new domain name, but after some experimentation around adding localhost and HTTP variations, it seems like it works best with just localhost.
Even when I changed the web.config entry above to use the new domain as the issuer instead of localhost and the SecureConfig.config to specify only the new domain as the realms, it didn't seem to work. I guess the authentication must try to hit localhost specifically.

How can you include http://foo.local in CORS Access-Control-Allow-Origin?

I'm using *, but apparently that's not enough. I'm trying to upload a file from a client browser. It works when the client's URL is localhost:3000 or foo.com. It's not working when the URL is http://meteor.local. I've tried changing the third line to <AllowedOrigin>http://meteor.local</AllowedOrigin>, but get the same error.
The browser error:
The error text was misleading – the error was not due to the header sent by S3. Adding an access rule to Cordova fixed it. (In Meteor, add it with App.accessRule('http://meteor.local'); in mobile-config.js.)

LINQPad 4 Error in Downloading More Samples

I am having this error when I try to download LINQPad sample libraries: Error while unpacking sample queries: C:\Documents and Settings[user]\Local Settings\Temp\LINQPad\TempSampleQueries849247.zip is not a valid zip file.
I use LINQPad 4 (installed version). The weird thing is I also have LINQPad 4 (licensed standalone executable) at home and I didn't encounter any problems in downloading. Do I need to have a license to be able to download the sample files?
Edit:
I am also having problems activating my LINQPad. The error says: Unable to contact licensing server: The remote server returned an error: (407) Proxy Authentication Required. I'm pretty much sure I'm not using any proxies. Please help! Thanks.
Are you certain you're not going through a proxy? I don't see any other way you could be getting a 407 error. Entering the proxy username/password into LINQPad's proxy dialog (Edit | Preferences | Updates) should fix it.
If you're still unable to proceed, you can perform an offline activation here and download the sample libraries via a web browser here. After downloading a samples zip file, click 'Download more samples' and type in the local file path to import it.
Simple solution to prevent the proxy 407 authentication needed error when licensing or updating LINQPad: add the following to LINQPad's config file:
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>

Error writing content through Apache

I am streaming out data (sometimes png, sometimes json, sometimes xml) and I get the following error in Chrome:
Error 321 (net::ERR_INVALID_CHUNKED_ENCODING): Unknown error.
I do not get this error when Apache is not in front of my Tomcat web application (servlet), only when I deploy it to our test environment which has Apache running.
I've looked everywhere for an answer to this question, so I'm going to put the answer here:
The header entry:
Transfer-Encoding:chunked, chunked
was causing this error when the response was returned through Apache. Without Apache in front everything worked fine.
Should be:
Transfer-Encoding:chunked
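
A check for the malformed header described in the answer above, as an added example that is not part of the original post: it parses a raw HTTP/1.1 response head, merges every Transfer-Encoding field line, and reports framing problems. HTTP/1.1 forbids applying chunked more than once, requires it to be the final coding, and forbids Content-Length alongside Transfer-Encoding. The function names and sample responses are constructed for illustration.

```python
# Added example: validate Transfer-Encoding in a raw HTTP/1.1 response head.
# Function names and the sample responses below are constructed.

def parse_head(raw: bytes):
    """Return (status_line, [(name_lower, value), ...]) from a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    fields = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return lines[0], fields


def transfer_codings(fields):
    """Merge every Transfer-Encoding field line into one ordered token list.

    Repeated field lines are equivalent to a single comma-separated value,
    so two "Transfer-Encoding: chunked" lines read as "chunked, chunked".
    """
    tokens = []
    for name, value in fields:
        if name == "transfer-encoding":
            tokens += [t.strip().lower() for t in value.split(",") if t.strip()]
    return tokens


def check_transfer_encoding(raw: bytes):
    """Return a list of problems found in the response framing headers."""
    _, fields = parse_head(raw)
    codings = transfer_codings(fields)
    problems = []
    if codings.count("chunked") > 1:
        problems.append("chunked applied more than once")
    if "chunked" in codings and codings[-1] != "chunked":
        problems.append("chunked is not the final transfer coding")
    if codings and any(name == "content-length" for name, _ in fields):
        problems.append("Transfer-Encoding and Content-Length both present")
    return problems


# Constructed samples: the broken header from the answer, sent here as two
# field lines, and the corrected single-token form.
BROKEN = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
          b"Transfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n")
FIXED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    print(check_transfer_encoding(BROKEN))
    print(check_transfer_encoding(FIXED))
```

Running the same check against responses captured directly from the backend and through the proxy shows which hop introduces the second token.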