
Thread: Redirection with parameters in Spring MVC + Spring Security


  1. #1
    Join Date
    Jul 2008
    Posts
    19

    Default Redirection with parameters in Spring MVC + Spring Security

    Hi, I'm developing an app with Spring MVC + Spring Security 3.1 and my app is called through a certain URL that contains a parameter that is an XML file as a string.

    I'm developing on a test-environment so I built a test controller and I do:

    Code:
    String parameter = "<Usuario>\n\t<ID>primaria</ID>\n</Usuario>";
    return "redirect:/autenticacion/primaria?parametro=" + parameter;
    And I get the following exception:

    Code:
    org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.IllegalArgumentException: Invalid characters (CR/LF) in redirect location
        org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:894)
        org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:88)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
        org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
        org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
        org.springframework.security.config.debug.DebugFilter.doFilterInternal(DebugFilter.java:45)
        org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    What can I do to simulate the external call with that parameter?
    Last edited by diminuta; Nov 26th, 2012 at 07:41 AM.

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632

    Default

    Have you actually looked at the stacktrace?!

    Also you shouldn't redirect in the way you do... Spring caches views based on the view name and now for each user a view is created and cached not something you probably want... Return a ModelAndView and add your parameter as a parameter to the model, spring will then append it and encode it. That way your redirection should work.

    Code:
    String parameter = "<Usuario>\n\t<ID>primaria</ID>\n</Usuario>";
    ModelAndView mav = new ModelAndView("redirect:/autenticacion/primaria");
    mav.addObject("parametro", parameter);
    return mav;
    Something like that... If you are using spring 3.1 you can also simply return the view name and add the objects to the Model. Spring will then still append it to the URL.

    Edit: I also suspect that you haven't posted the full stacktrace, I would expect a message from the dispatcher servlet to appear somewhere in your stacktrace...

    Edit2: Why is this in the security forum? It isn't related to security it is all about encoding your parameters...
    Last edited by Marten Deinum; Nov 26th, 2012 at 08:50 AM.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan
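
Added example, not part of the thread and not Spring Security's own code: using only JDK classes, it shows why the concatenated location from post #1 trips a CR/LF check while a percent-encoded value passes, which is what the encoding advice in post #2 amounts to. The class name, the helper methods and the regex stand-in for the check are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.regex.Pattern;

public class RedirectEncodingDemo {

    // Assumption: stand-in for the check behind "Invalid characters (CR/LF) in
    // redirect location"; a raw CR or LF would end the Location header line.
    private static final Pattern CR_OR_LF = Pattern.compile("[\\r\\n]");

    static void checkRedirectLocation(String location) {
        if (CR_OR_LF.matcher(location).find()) {
            throw new IllegalArgumentException(
                    "Invalid characters (CR/LF) in redirect location");
        }
    }

    // Builds the redirect target with the parameter name and value percent-encoded.
    static String buildLocation(String path, String name, String value)
            throws UnsupportedEncodingException {
        return path + "?" + URLEncoder.encode(name, "UTF-8")
                + "=" + URLEncoder.encode(value, "UTF-8");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String parameter = "<Usuario>\n\t<ID>primaria</ID>\n</Usuario>";

        // Raw concatenation, as in the first post: the check rejects it.
        String raw = "/autenticacion/primaria?parametro=" + parameter;
        try {
            checkRedirectLocation(raw);
            System.out.println("raw accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("raw rejected: " + e.getMessage());
        }

        // Encoded value: newlines become %0A, the tab %09, angle brackets %3C/%3E.
        String encoded = buildLocation("/autenticacion/primaria", "parametro", parameter);
        checkRedirectLocation(encoded);
        System.out.println("encoded accepted: " + encoded);

        // The receiving side gets the original XML back after decoding.
        String query = encoded.substring(encoded.indexOf('=') + 1);
        System.out.println(parameter.equals(URLDecoder.decode(query, "UTF-8")));
    }
}
```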

  3. #3
    Join Date
    Jul 2008
    Posts
    19

    Default

    Quote Originally Posted by Marten Deinum View Post
    Have you actually looked at the stacktrace?!
    Yes, why?

    Quote Originally Posted by Marten Deinum View Post
    Also you shouldn't redirect in the way you do... Spring caches views based on the view name and now for each user a view is created and cached not something you probably want... Return a ModelAndView and add your parameter as a parameter to the model, spring will then append it and encode it. That way your redirection should work.
    Although I redirect in the test controller like you say it won't prevent the error as I don't control and obviously am not the person who develops the other app that calls mine... so this doesn't solve the problem for me...

    Quote Originally Posted by Marten Deinum View Post
    Edit: I also suspect that you haven't posted the full stacktrace, I would expect a message from the dispatcher servlet to appear somewhere in your stacktrace...
    I thought I had pasted the full stacktrace, but here it is, I think it doesn't add any significant information :S

    Code:
    26-nov-2012 16:31:38 org.apache.catalina.core.StandardWrapperValve invoke
    GRAVE: Servlet.service() para servlet Spring MVC Dispatcher Servlet lanzó excepción
    java.lang.IllegalArgumentException: Invalid characters (CR/LF) in redirect location
    	at org.springframework.security.web.firewall.FirewalledResponse.sendRedirect(FirewalledResponse.java:23)
    	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:126)
    	at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.sendRedirect(SaveContextOnUpdateOrErrorResponseWrapper.java:74)
    	at org.springframework.web.servlet.view.RedirectView.sendRedirect(RedirectView.java:555)
    	at org.springframework.web.servlet.view.RedirectView.renderMergedOutputModel(RedirectView.java:281)
    	at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:262)
    	at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1180)
    	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:950)
    	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
    	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
    	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:88)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    	at org.springframework.security.config.debug.DebugFilter.doFilterInternal(DebugFilter.java:45)
    	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    	at java.lang.Thread.run(Thread.java:662)
    Quote Originally Posted by Marten Deinum View Post
    Edit2: Why is this in the security forum? It isn't related to security it is all about encoding your parameters...
    Because it throws the exception only when I activate Spring Security... If I get rid of security it works...

  4. #4
    Join Date
    Jul 2008
    Posts
    19

    Default

    In the end I haven't changed my test controller and I built a filter that rewrites the request URL:

    Code:
    @Override
    	public void doFilter(ServletRequest request, ServletResponse response,
    			FilterChain chain) throws IOException, ServletException {
    		HttpServletRequest httpRequest = (HttpServletRequest) request;
    
    		String incomingUrl = httpRequest.getRequestURI();
    		// Check whether the original URL contains a carriage return or line feed
    		if (incomingUrl.indexOf('\r') >= 0 || incomingUrl.indexOf('\n') >= 0) {
    			// Replace every carriage return and line feed with the empty string.
    			String newUrl = incomingUrl.replaceAll("[\\r\\n]", "");
    			// Forward the request to the cleaned URL.
    			RequestDispatcher requestDispatcher = request
    					.getRequestDispatcher(newUrl);
    			requestDispatcher.forward(request, response);
    			// The forward has handled the request; do not run the chain again.
    			return;
    		}
    		// Continue with the filter chain.
    		chain.doFilter(request, response);
    	}
    And now it works... and it will work also in their production environment...
    Last edited by diminuta; Nov 26th, 2012 at 11:25 AM.

  5. #5
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632

    Default

    Because it throws the exception only when I activate Spring Security... If I get rid of security it works...
    That wasn't apparent from your initial stacktrace, the full stacktrace does indeed show this. That shows the framework servlet throwing an exception not a spring security filter...

    I wouldn't do it the way you did... I would create a request wrapper which does this instead of forwarding the request... It basically saves you a request but alas.

    However it still is a hack as your parameters should be properly encoded and that is something you aren't doing...

  6. #6
    Join Date
    Jul 2008
    Posts
    19

    Default

    Quote Originally Posted by Marten Deinum View Post
    However it still is a hack as your parameters should be properly encoded and that is something you aren't doing...
    The thing is that I'm not the one who encodes it... a 3rd party app is calling my app with that parameter, I don't have any control over it...
