Static Asset Security Issue in Current Heat Clinic

phillipuniverse
Team Member
Posts: 1563
Joined: Tue Dec 20, 2011 12:11 pm

Static Asset Security Issue in Current Heat Clinic

Postby phillipuniverse » Fri Dec 07, 2012 1:09 pm

Since this affects everyone currently running the demo site, I thought it would be a good idea to mention it here. The main cause for this is when you have assigned a static asset as the primary image for a product, and is manifested when you add that product to the cart and go to checkout. Common symptoms include:

  • Session being reset on an incorrect form submission on the checkout page, which will then invalidate your session (and cause CSRF exceptions if you try to resubmit the form)
  • SSL warnings when viewing /checkout as the static asset is being served over http (the browser first requests the image over https, but the application then redirects to actually serve the image over http)
  • NullPointerExceptions in SessionFixationProtectionCookie when requesting static assets

The main cause of this is that there is no explicit mapping defined for the static assets, and thus the application treats them as though they should be served over http, based on this snippet in applicationContext-security (in site and combined):


<!-- All URLs not explicitly specified as https will be served under http -->
<sec:intercept-url pattern="/" requires-channel="http"/>
<sec:intercept-url pattern="/**" requires-channel="http"/>


The fix is to ensure that static assets are treated just like any other static resource. So in applicationContext-security.xml in site and applicationContext-security-combined.xml add the following lines underneath where the other asset paths are defined (like /img/** and /robots.txt):


<sec:http pattern="/**/${asset.server.url.prefix.internal}/**" security="none" />


This will prevent any static assets from going through Spring Security, and correctly serve the assets over http or https depending on what the browser is requesting. This has been updated on the Heat Clinic and it is recommended that you add this to your application ASAP.

For more information, you can view the Jira ticket at http://jira.broadleafcommerce.org/browse/BLC-798
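
The following is an added example of how the fix above fits into a Spring Security 3.1 XML configuration; it is not the Heat Clinic's actual applicationContext-security.xml, and the other resource paths, the `/checkout/**` https rule and the value of `asset.server.url.prefix.internal` are assumptions chosen for illustration. The point it shows is ordering: pattern-scoped `<sec:http>` elements are matched in declaration order, so the `security="none"` entry for the asset prefix must appear before the catch-all `<sec:http>` that carries the `requires-channel` rules, otherwise the `/**` rule still wins and the asset is redirected to http.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.1.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- The placeholder in the asset pattern below only works if a property
         placeholder configurer is active in this context. If it is not, the
         pattern is taken literally, never matches, and the fix silently does
         nothing. File name is an assumption for this example. -->
    <context:property-placeholder location="classpath:runtime-properties/common-shared.properties"
                                  ignore-unresolvable="true" />

    <!-- Pattern-scoped chains are evaluated in declaration order and must come
         before the catch-all <sec:http> below. security="none" removes these
         URLs from the Spring Security filter chain entirely: no channel
         enforcement, no session fixation filter, no CSRF check. For static
         files that is exactly what we want. (Paths other than the asset
         prefix are assumed here, modelled on /img/** and /robots.txt.) -->
    <sec:http pattern="/css/**" security="none" />
    <sec:http pattern="/js/**" security="none" />
    <sec:http pattern="/img/**" security="none" />
    <sec:http pattern="/robots.txt" security="none" />

    <!-- The fix from the post. The leading /**/ matches the asset prefix at any
         path depth; ${asset.server.url.prefix.internal} resolves to the
         configured prefix (assumed to be something like "cmsstatic"). -->
    <sec:http pattern="/**/${asset.server.url.prefix.internal}/**" security="none" />

    <!-- Catch-all chain. Everything that reaches this chain gets a channel
         decision, so before the fix an https request for a product image
         matched /** and was redirected to http. -->
    <sec:http auto-config="false" use-expressions="true">
        <!-- Assumed https rule for the checkout flow. -->
        <sec:intercept-url pattern="/checkout/**" requires-channel="https" />

        <!-- All URLs not explicitly specified as https will be served under http -->
        <sec:intercept-url pattern="/" requires-channel="http" />
        <sec:intercept-url pattern="/**" requires-channel="http" />
    </sec:http>

</beans>
```

Two caveats worth checking after applying this. First, because `security="none"` bypasses the whole filter chain, nothing served under the asset prefix can rely on Spring Security (authentication, security headers, channel enforcement); keep only genuinely public static content there. Second, verify the ordering took effect by requesting a product image over https while on `/checkout`: the response should be a 200 for the https URL, not a 302 to an http URL, and the browser's mixed-content warning should be gone.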

limebot
Junior
Posts: 37
Joined: Mon Jul 30, 2012 12:20 pm
Location: Columbus, Ohio
Contact:

Re: Static Asset Security Issue in Current Heat Clinic

Postby limebot » Thu Jan 03, 2013 4:58 pm

My version of the Demo Application is missing the combined folder for the applicationContext-security-combined.xml file.
Can I just add the line to the applicationContext-security.xml file only?
DWetherell

phillipuniverse
Team Member
Posts: 1563
Joined: Tue Dec 20, 2011 12:11 pm

Re: Static Asset Security Issue in Current Heat Clinic

Postby phillipuniverse » Fri Jan 04, 2013 10:27 am

Yes.

angilena
Newbie
Posts: 1
Joined: Mon Sep 08, 2014 1:15 am

Re: Static Asset Security Issue in Current Heat Clinic

Postby angilena » Mon Sep 08, 2014 1:18 am

While I really think that the framework you've created is a wonderful thing, so far I can't say the same about the timeliness of the forum. To date I have asked three separate questions, but I still have yet to get a single reply to any question. I think that to make the forum successful, you need to put a timeout on each question. If not answered by another forum member then one of the Broadleaf team members should step in and make an attempt. In order for me to be successful, and I imagine most others who would use this framework, I need to get timely answers to basic questions. Thanks.
angilena

phillipuniverse
Team Member
Posts: 1563
Joined: Tue Dec 20, 2011 12:11 pm

Re: Static Asset Security Issue in Current Heat Clinic

Postby phillipuniverse » Mon Sep 08, 2014 7:30 am

@angilena what questions? I looked at your post history and this is your only post. It also looks like you just created this account today.

Also, we do our best with the forums but it is free support. If you need a higher level of support, we offer premium support that you can take advantage of with a support contract. There are many ways that we can deliver support and we can tailor something specifically to your needs (bucket of hours, email support, priority forum/GitHub issue response, etc). Send us an email at info AT broadleafcommerce.com if this is something that you need.
