WSO2 Identity Server - Cannot Configure Custom Catch-all Exception Page - error-handling

WSO2 Identity Server 5.0.0
For things such as 500 errors and anything unforeseen, I'd like to configure my Identity Server instance to have our own branded error page to hide the server technology for security reasons and also just allow the error a little confusion.
At any rate, this was no help: https://docs.wso2.com/display/IS500/Customizing+Error+Messages
I tried editing /repository/conf/tomcat/carbon/WEB-INF/web.xml and added the standard way to define an error page for exceptions:
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/NiceError.jsp</location>
</error-page>
and then placed NiceError.jsp in /repository/conf/tomcat/carbon/
So when I make a 500 error reoccur, things change, but I'm sent to the carbon management console login page. If I decide to log in, I get served up with a 405 error like so:
HTTP Status 405 - HTTP method GET is not supported by this URL
type Status report
message HTTP method GET is not supported by this URL
description The specified HTTP method is not allowed for the requested resource.
Apache Tomcat/7.0.55
The URL looks like: https://hostname:9443/NiceError.jsp?sessionDataKey=eabd6c25-7c79-40a9-af87-3cd80a68367e&loginStatus=true
That doesn't help.
How can this kind of thing be setup to work? It can't be hard with the right information. Right? :)

The referenced documentation page is for customizing error messages for identity-related errors, as its name suggests. It is not for creating custom error pages.
By the way, if you need to create a custom error page that applies to all web applications in your server instance, you may need to add your error page to the web.xml in the /repository/conf/tomcat/ directory. It defines default values for all web applications loaded into your instance of Tomcat. As each application gets deployed, the above file is processed, followed by the /WEB-INF/web.xml deployment descriptor from your own application.
Thanks
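A fuller version of the global mapping, added here as an illustration rather than taken from the WSO2 documentation or the question. It assumes NiceError.jsp sits at the root of each webapp and pairs the exception-type entry with error-code entries, because a response produced through response.sendError() never goes through the exception-type match, and java.lang.Exception does not cover java.lang.Error subclasses:

```xml
<!-- Added example (not from the WSO2 docs or the question above).
     These entries go inside the <web-app> element of the global
     descriptor <IS_HOME>/repository/conf/tomcat/web.xml, which Tomcat
     applies to every webapp before that webapp's own WEB-INF/web.xml.
     Assumption: NiceError.jsp is deployed at the root of each webapp. -->

<!-- Uncaught exceptions: match on Throwable rather than Exception so
     that Error subclasses (e.g. OutOfMemoryError) land on the same page. -->
<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/NiceError.jsp</location>
</error-page>

<!-- Status codes set explicitly via response.sendError(...) are matched
     on <error-code>, not <exception-type>, so list each one you want
     branded. Without these, Tomcat's default report page (which prints
     the "Apache Tomcat/7.0.55" banner) is still shown for those codes. -->
<error-page>
    <error-code>500</error-code>
    <location>/NiceError.jsp</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/NiceError.jsp</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/NiceError.jsp</location>
</error-page>
<error-page>
    <error-code>405</error-code>
    <location>/NiceError.jsp</location>
</error-page>
```

Keep NiceError.jsp itself free of the implicit exception object, stack traces and version strings; the page only hides server details if it does not print them back.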

Related

How do I configure stand alone Blazor WebAssembly app to allow incoming cross origin redirect?

The objective is to integrate a payment gateway from a stand-alone Blazor WebAssembly application. My payment page component has a form that submits directly to the payment gateway like this:
<form action="https://gateway.bank.com" method="POST">
Clicking the submit button in the form redirects correctly. After the user completes the payment transaction on the bank page, the user is redirected back to my app along with a response header. Although the redirected URL is correct, the browser throws a 404. Reading more, I found out that since the request originated from another domain, it gets blocked by CORS. I have read many articles about configuring a CORS policy for the server, but how do I configure it on the client app to allow incoming requests?
Tried the following:
Added Nuget package Microsoft.AspNetCore.Cors
Inserted [DisableCors] attribute on the page
Added CORS policy on Main()
// Lambda parameter renamed to "policy" so it does not shadow the
// outer "builder" variable (CS0136); behaviour is otherwise unchanged.
builder.Services.AddCors(options =>
{
    options.AddPolicy("Open",
        policy => policy.AllowAnyOrigin().AllowAnyHeader());
});
None of these worked though.
Just to ensure the approach is correct, I have implemented the solution using Razor Pages with [IgnoreAntiforgeryToken] on the page model; it is successful. Help is appreciated to find where I am going wrong with WebAssembly. Kindly note that I don't have a server project, only a stand-alone WebAssembly project.
If the request is being blocked by CORS, there is nothing you can do on your website to avoid this. CORS is a security mechanism of browsers inspecting the response from a server. If the server does not add the proper CORS header to the response, the browser blocks the response from getting to the site loaded in the browser.
This is an intentional and good (if sometimes frustrating) part of the internet. You would need to contact the bank and request that your website be added to the list of allowed origins. They would add your website's URL to the Access-Control-Allow-Origin header. Because your URL is now part of the cool-kids list, the browser will allow the response to reach your site and will no longer throw a CORS error.

[Spartacus ]Posting from Iframe to OCC endpoint configuration issue

I am integrating 3DS for Spartacus. The payment provider requires a POST back from an iframe they serve. I post back to an endpoint in OCC. I have added the origin to the allow-from list: corsfilter.commercewebservices.allowedOrigins=http\://localhost\:4200 https\://localhost\:4200 https\://test.domain.com
The XSSFilter is blocking the request because of this configuration: xss.filter.header.X-Frame-Options=SAMEORIGIN. This property is set in the hybris platform. When I remove this property manually, the POST works properly. When I set it to an empty string (xss.filter.header.X-Frame-Options=), Chrome rejects the requests because of an erroneous header.
How can I remove this property in configuration, without manually removing the property every time the server restarts?
I am running locally at the moment, but should run on both ccv2 and on custom infrastructure. Hopefully without changes to the http server (nginx/apache) as this is part of a library that we want to publish for spartacus.

Can't update app registered in Microsoft Application Registration Portal

I have an already registered app in the site https://apps.dev.microsoft.com. I want to add another redirect URL but when I tried saving I get this error:
There's a temporary problem
There's a temporary problem with the service. Please try again. If you continue to get this message, try again later.
I have also tried using a different browser and clearing my cache but I still get the error.
I also tried registering a new app and I still get the same error. I have been getting the error for several days now and I was wondering if anybody knows a solution.
Thanks!
There are several restrictions on the format of the redirect URI that is allowed.
Currently, apps that are registered in the Application Registration Portal are restricted to a limited set of redirect URI values. The redirect URI for web apps and services must begin with the scheme https, and all redirect URI values must share a single DNS domain. For example, you cannot register a web app that has one of these redirect URIs:
https://login-east.contoso.com
https://login-west.contoso.com
The scenarios that are accepted are when the DNS name matches exactly. Examples:
https://login.contoso.com
https://login.contoso.com/new
https://new.login.contoso.com
See all the v2.0 limitations

Error: redirect_uri_mismatch

I've been looking for this answer and the other pages didn't help me.
I'm trying to use the google drive api for php. I am trying to test on my local environment and receive this error.
Error: redirect_uri_mismatch
The redirect URI in the request: urn:ietf:wg:oauth:2.0:oob did not match a registered redirect URI
Request Details
scope=https://www.googleapis.com/auth/drive
response_type=code
redirect_uri=urn:ietf:wg:oauth:2.0:oob
access_type=offline
display=page
prompt=consent
client_id=735129338633-0epug8n80jsg0t50ijn7our4a661nnk6.apps.googleusercontent.com
Here is the page for the api:
The url is in
localhost:8888/Spreadsheets/driver.php
What am I doing wrong?
Looks like the current Google OAuth2 integration requires enabling
Contacts API
Google+ API
from the Google Developers Console for the associated Project. In my log I noticed errors like 403, Access Not Configured. Please use ....
The redirect URI (where the response is returned to) has to be correct and exactly as you registered in the APIs console, and the error is indicating that you haven't done that or you haven't done it correctly.
To get the redirect URI from console:
Go to the console for your project and look under API Access.
Open Credentials section (in left side)
You should see your client ID & secret there, along with a list of redirect URIs. If you want to change it or it was wrong, click edit settings and modify.
Even if your redirect uri is properly set in the console, a lot of times, when you've recently changed settings in the google dev console, it will still tell you there's a redirect mismatch. It's a surprisingly common occurrence.
You can try...
Waiting; some have had luck with this, indicating that google takes some amount of time to register recent changes.
If you don't mind reconfiguring your app, creating a new client id in the google dev console tends to fix this problem with consistent results.

http 403.4 error when using https

I'm getting the HTTP error 403.4 - Forbidden: SSL is required to view the resource using IIS6, even though the URL starts with https.
It's a classic ASP site that used to work until the path to the files was changed. The path had to be changed because the site had to be upgraded. After getting the error, putting back the original path doesn't help either.
Does anyone have any idea what I should check to resolve the above mentioned error?
Try following Configuring SSL on a Web Server or Web Site (IIS 6.0) from Microsoft. It specifically mentions the error you get:
If you set your Web site to require SSL, as in step 6 above, and you have not completed setting up SSL for the site, then users browsing your site will receive this error: "HTTP Error 403.4 - Forbidden: SSL is required to view this resource." To avoid this condition, either complete all the steps in the list above, or go back and clear the Require Secure Channel (SSL) check box (see step 6).