Hdiv CE | Application Self-Protection

Hdiv: Application Self-Protection

Hdiv is a leading provider of open source software for real-time, self-protected applications. Hdiv solutions are built into applications during development to deliver the strongest available runtime application self-protection (RASP) against OWASP Top 10 threats. Since 2008, Hdiv has pioneered self-protection cyber security software, and today its solutions are used by leading commercial software providers and global enterprises in banking, government, retail, technology, and aerospace.

Official Site: https://hdivsecurity.com

Online documentation: https://hdivsecurity.com/docs/

Community Technical documentation: https://hdivsecurity.com/docs/installation/library-setup/

April 20th, 2018 - Hdiv v3.4.0 released!

How does Hdiv help?

Hdiv repels 90% of the application security risks included in the OWASP Top 10 (a broad consensus on the most critical web application security flaws), such as SQL injection, cross-site scripting, cross-site request forgery, data tampering, and brute force attacks. Hdiv offers higher effectiveness than any of the solutions currently available to fight web application security risks.

  • Want to ensure strong security without having to know and understand all current security threats.

  • Want strong security without compromising application performance or the user experience.

  • Want to build security into applications while in development, instead of having to go back and patch and tweak applications later.

Editions

Hdiv Community

Is an open-source web application security framework that includes read-only data protection and editable data risk mitigation. It is appropriate for customers who have less stringent security requirements but want protection from cyber threats.

Hdiv Enterprise

Is a commercial all-in-one solution integrating the best of AST (Application Security Testing), RASP (Runtime application self protection), and WAF (Web application firewall) approaches with enterprise-class security, exclusive functionality, scalability, and enterprise-level support services. For more information, contact us at [email protected]

Installation

Spring MVC

https://www.youtube.com/watch?v=6-BNTh8AqQY

Steps

Thanks to the new extension point included in Spring 3.1, Hdiv installation and configuration for Spring MVC is cleaner and easier than previously.

  1. Add Hdiv Jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-config</artifactId>
         <version>3.3.0</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-spring-mvc</artifactId>
         <version>3.3.0</version>
     </dependency>
    
  2. Add the Hdiv listener and filter to the web.xml file.

     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <!-- Spring MVC Servlet name-->
         <servlet-name>SampleMvc</servlet-name>
     </filter-mapping>
    
  3. Multipart configuration. Replace Spring MVC's MultipartResolver with the one from Hdiv. If the commons-fileupload library is used for multipart processing:

     <bean id="multipartResolver" class="org.hdiv.web.multipart.HdivCommonsMultipartResolver">
         <property name="maxUploadSize" value="100000" />
     </bean>
    

    If Servlet 3 standard multipart processing is used:

     <bean id="multipartResolver" class="org.hdiv.web.multipart.HdivStandardServletMultipartResolver"></bean>
    
  4. Editable data validation. To surface Hdiv's editable-data validation errors through Spring MVC's binding and validation errors, configure hdivEditableValidator as the application-wide validator.

     <mvc:annotation-driven validator="hdivEditableValidator"/>
    

If you are using a Spring MVC version prior to 3.1, it is necessary to introduce an additional step, replacing Spring MVC tlds with Hdiv tlds according to the specific version. The next example shows the code for Spring MVC 3.0.4:

    <jsp-config>
        <taglib>
            <taglib-uri>http://www.springframework.org/tags/form</taglib-uri>
            <taglib-location>/WEB-INF/tlds/hdiv-spring-form-3_0_4.tld</taglib-location>
        </taglib>
        <taglib>
            <taglib-uri>http://www.springframework.org/tags</taglib-uri>
            <taglib-location>/WEB-INF/tlds/hdiv-spring.tld</taglib-location>
        </taglib>
    </jsp-config>
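The same installation expressed in Java, as an added example that is not part of the Hdiv README: a Servlet 3.0 WebApplicationInitializer registers the InitListener, the DispatcherServlet named SampleMvc and the ValidatorFilter from step 2, and an @EnableWebMvc class covers the multipart resolver (step 3) and the hdivEditableValidator bean (step 4). The package name, the MvcConfig class and the assumption that HdivSecurityConfig (the class shown in the Configuration section) lives in the same package are the editor's; the org.hdiv class names and the bean name are the ones this README uses, and the bean is assumed to keep that name when Hdiv is configured in Java.

```java
package com.example.config; // assumed package name, not from the README

import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;

import org.hdiv.filter.ValidatorFilter;
import org.hdiv.listener.InitListener;
import org.hdiv.web.multipart.HdivCommonsMultipartResolver;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.validation.Validator;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.multipart.MultipartResolver;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

/** Steps 2 to 4 of the Spring MVC installation, done in Java (Servlet 3.0+) instead of web.xml. */
public class HdivWebAppInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext ctx) throws ServletException {
        // Root context: HdivSecurityConfig is the @EnableHdivWebSecurity class shown in the
        // Configuration section of this README (assumed to live in this package).
        AnnotationConfigWebApplicationContext rootCtx = new AnnotationConfigWebApplicationContext();
        rootCtx.register(HdivSecurityConfig.class);
        // Listeners run in registration order: Spring must be up before Hdiv's InitListener,
        // which resolves its beans from the Spring root context.
        ctx.addListener(new ContextLoaderListener(rootCtx));
        ctx.addListener(InitListener.class);                            // step 2: <listener>

        // Servlet context for Spring MVC; the servlet keeps the name "SampleMvc" that the
        // README's <filter-mapping> refers to.
        AnnotationConfigWebApplicationContext mvcCtx = new AnnotationConfigWebApplicationContext();
        mvcCtx.register(MvcConfig.class);
        ServletRegistration.Dynamic mvc = ctx.addServlet("SampleMvc", new DispatcherServlet(mvcCtx));
        mvc.setLoadOnStartup(1);
        mvc.addMapping("/");

        // step 2: <filter> + <filter-mapping> by servlet name. REQUEST dispatch only, which is
        // what a filter-mapping without a <dispatcher> element means.
        FilterRegistration.Dynamic validator = ctx.addFilter("ValidatorFilter", ValidatorFilter.class);
        validator.addMappingForServletNames(EnumSet.of(DispatcherType.REQUEST), false, "SampleMvc");
    }

    /** Spring MVC configuration (assumed class): steps 3 and 4. */
    @Configuration
    @EnableWebMvc
    public static class MvcConfig extends WebMvcConfigurerAdapter {

        // Hdiv registers its editable-data validator under the bean name that the README's
        // <mvc:annotation-driven validator="..."/> refers to (assumed unchanged in Java config).
        @Autowired
        @Qualifier("hdivEditableValidator")
        private Validator hdivEditableValidator;

        // step 3: Hdiv's resolver in place of CommonsMultipartResolver (commons-fileupload case),
        // with the same maxUploadSize the README's bean sets.
        @Bean
        public MultipartResolver multipartResolver() {
            HdivCommonsMultipartResolver resolver = new HdivCommonsMultipartResolver();
            resolver.setMaxUploadSize(100000);
            return resolver;
        }

        // step 4: same effect as <mvc:annotation-driven validator="hdivEditableValidator"/>.
        @Override
        public Validator getValidator() {
            return hdivEditableValidator;
        }
    }
}
```

With this initializer in place no web.xml entries are needed for Hdiv; the <jsp-config> replacement above remains necessary only for Spring MVC versions before 3.1.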

Spring MVC and Thymeleaf

Thanks to the implementation of RequestDataValueProcessor interface in Thymeleaf, Hdiv support is straightforward.

  1. Follow configuration steps for Spring MVC installation.

  2. Add Hdiv jar for Thymeleaf

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-thymeleaf</artifactId>
         <version>3.3.0</version>
     </dependency>
    

Grails

Grails has a plugin architecture and Hdiv is packaged as a Grails plugin, so installation consists of adding the Hdiv plugin to the BuildConfig.groovy configuration file:

compile ':hdiv:1.0-RC2'

JSTL

  1. Add Hdiv jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-config</artifactId>
         <version>3.3.0</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-jstl-taglibs-1.2</artifactId>
         <version>3.3.0</version>
     </dependency>
    
  2. Add the Hdiv listener and filter to the web.xml file.

     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <!-- Spring MVC Servlet name-->
         <servlet-name>SampleMvc</servlet-name>
     </filter-mapping>
    
     <!-- Replace JSTL tld with Hdiv tld-->
     <jsp-config>
         <taglib>
             <taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
             <taglib-location>/WEB-INF/tlds/hdiv-c.tld</taglib-location>
         </taglib>
     </jsp-config>
    

Struts 1

  1. Add Hdiv jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-config</artifactId>
         <version>3.3.0</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-struts-1</artifactId>
         <version>3.3.0</version>
     </dependency>
    
  2. Add the Hdiv listener and filter to the web.xml file.

     <!-- Hdiv Initialization listener -->
     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <url-pattern>*.do</url-pattern>
     </filter-mapping>
    
     <!-- Replace Struts 1 tld with Hdiv tlds -->
     <jsp-config>
         <taglib>
             <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
             <taglib-location>/WEB-INF/hdiv-html.tld</taglib-location>
         </taglib>
         <taglib>
             <taglib-uri>/WEB-INF/struts-nested.tld</taglib-uri>
             <taglib-location>/WEB-INF/hdiv-nested.tld</taglib-location>
         </taglib>
         <taglib>
             <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
             <taglib-location>/WEB-INF/hdiv-logic.tld</taglib-location>
         </taglib>
     </jsp-config>
    

Struts 2

The latest Struts 2 version supported by Hdiv is Struts 2.0.11. Higher versions are supported by Hdiv Enterprise Edition.

  1. Add Hdiv jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-core</artifactId>
         <version>2.0.4</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-struts-2.0.11</artifactId>
         <version>2.0.4</version>
     </dependency>
    
  2. Add the Hdiv listener and filter to the web.xml file.

     <!-- Hdiv Initialization listener -->
     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <url-pattern>*.action</url-pattern>
     </filter-mapping>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <url-pattern>*.jsp</url-pattern>
     </filter-mapping>
    
     <!-- Replace Struts 2 tld with Hdiv tlds -->
     <jsp-config>
         <taglib>
             <taglib-uri>/struts-tags</taglib-uri>
             <taglib-location>/WEB-INF/hdiv-tags.tld</taglib-location>
         </taglib>
     </jsp-config>
    

JSF

  1. Add Hdiv jars.

     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-config</artifactId>
         <version>3.3.0</version>
     </dependency>
     <dependency>
         <groupId>org.hdiv</groupId>
         <artifactId>hdiv-jsf</artifactId>
         <version>3.3.0</version>
     </dependency>
    
  2. Add the Hdiv listener and the Hdiv filter to the web.xml file, and point JSF at your custom faces-config (which carries the Hdiv configuration, see the next point).

     <!-- Define the hdiv-faces-config -->
     <context-param>
          <param-name>javax.faces.CONFIG_FILES</param-name>
          <param-value>/WEB-INF/hdiv-faces2-config.xml</param-value>
     </context-param>
    
     <!-- Hdiv Initialization listener -->
     <listener>
         <listener-class>org.hdiv.listener.InitListener</listener-class>
     </listener>
    
     <!-- Hdiv Validator Filter -->
     <filter>
         <filter-name>ValidatorFilter</filter-name>
         <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>ValidatorFilter</filter-name>
         <servlet-name>Faces Servlet</servlet-name>
     </filter-mapping>
    
  3. This is the content of /WEB-INF/hdiv-faces2-config.xml file:

     <?xml version="1.0" encoding="UTF-8"?>
     <faces-config xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
         version="2.0">
    
         <component>
             <component-type>javax.faces.HtmlOutcomeTargetLink</component-type>
             <component-class>org.hdiv.components.HtmlOutcomeTargetLinkExtension</component-class>
         </component>
         <component>
             <component-type>javax.faces.HtmlOutcomeTargetButton</component-type>
             <component-class>org.hdiv.components.HtmlOutcomeTargetButtonExtension</component-class>
         </component>
         <component>
             <component-type>javax.faces.Parameter</component-type>
             <component-class>org.hdiv.components.UIParameterExtension</component-class>
         </component>
         <component>
             <component-type>javax.faces.HtmlInputHidden</component-type>
             <component-class>org.hdiv.components.HtmlInputHiddenExtension</component-class>
         </component>
         <component>
             <component-type>javax.faces.HtmlOutputLink</component-type>
             <component-class>org.hdiv.components.HtmlOutputLinkExtension</component-class>
         </component>
    
         <lifecycle>
             <phase-listener>org.hdiv.phaseListeners.ComponentMessagesPhaseListener</phase-listener>
             <phase-listener>org.hdiv.phaseListeners.ConfigPhaseListener</phase-listener>
             <phase-listener>org.hdiv.phaseListeners.ValidatorPhaseListener</phase-listener>
         </lifecycle>
    
         <factory>
             <external-context-factory>org.hdiv.context.ExternalContextFactoryWrapper</external-context-factory>
         </factory>
    
     </faces-config>
    

Configuration

Hdiv is configured through Spring configuration and ships a custom XML schema that keeps the configuration short. First, a Spring configuration file declares the hdiv namespace:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:hdiv="http://www.hdiv.org/schema/hdiv"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">

    <!-- Hdiv elements from the hdiv namespace, such as <hdiv:config>, go here -->

</beans>

From Hdiv version 2.1.7, it is possible to configure Hdiv in Java instead of XML.

@Configuration
@EnableHdivWebSecurity
public class HdivSecurityConfig extends HdivWebSecurityConfigurerAdapter {

    @Override
    public void configure(SecurityConfigBuilder builder) {

        // Configuration options
    }
}

All the configuration options are described in the technical documentation.
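A filled-in version of that class, as an added example that is not part of the README: it expresses in Java the same options that the XML <hdiv:config> in the RESTful-URLs issue further down this page uses (hash strategy, confidentiality, an error page, every GET as a start page, the _method parameter excluded from validation) and adds one editable-data rule. The builder and registry method names, enum and package paths are taken from Hdiv's Java configuration DSL as recalled by the editor, not from this page; check them against the technical documentation linked above before use. The rule name, the /account/.* URL pattern and the userId parameter are constructed.

```java
package com.example.config; // assumed package name, not from the README

// Package paths below are as the editor recalls them from Hdiv 3.x, not taken from this page.
import org.hdiv.config.Strategy;
import org.hdiv.config.annotation.EnableHdivWebSecurity;
import org.hdiv.config.annotation.ExclusionRegistry;
import org.hdiv.config.annotation.RuleRegistry;
import org.hdiv.config.annotation.ValidationConfigurer;
import org.hdiv.config.annotation.builders.SecurityConfigBuilder;
import org.hdiv.config.annotation.configuration.HdivWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;

@Configuration
@EnableHdivWebSecurity
public class HdivSecurityConfig extends HdivWebSecurityConfigurerAdapter {

    @Override
    public void configure(SecurityConfigBuilder builder) {
        builder
            // strategy="hash": link and form state travels as a hash in the request
            // instead of being kept per page in the HTTP session.
            .strategy(Strategy.HASH)
            // confidentiality="true": non-editable parameter values are replaced by indexes
            // in the rendered page, so the real values never reach the client.
            .confidentiality(true)
            // errorPage="/error.jsp": where a rejected request is sent.
            .errorPage("/error.jsp");
    }

    @Override
    public void addExclusions(ExclusionRegistry registry) {
        // <hdiv:startPages method="get">.*</hdiv:startPages>: every GET is an entry point
        // that Hdiv does not check, so integrity protection covers POST/PUT/DELETE only.
        registry.addUrlExclusions(".*").method("GET");
        // <hdiv:mapping url=".*" parameters="_method"/>: Spring's method-override parameter
        // is written by the form tag, not by Hdiv, so it must not be validated.
        registry.addParamExclusions("_method");
        // Static resources, the equivalent of excludedExtensions="css,png,gif,jpeg,jpg,js".
        registry.addUrlExclusions(".*\\.(css|png|gif|jpeg|jpg|js)");
    }

    @Override
    public void addRules(RuleRegistry registry) {
        // Editable-data rule (constructed name): accept only what an identifier can hold.
        // An accepted pattern anchored at both ends fails fast on long input, unlike a
        // rejected pattern that wraps its tokens in unbounded repetition.
        registry.addRule("safeId").acceptedPattern("^[a-zA-Z0-9@._-]*$");
    }

    @Override
    public void configureEditableValidation(ValidationConfigurer validationConfigurer) {
        // Apply the rule to the constructed userId parameter under /account/.* on top of
        // Hdiv's default rules, and keep the defaults for every other URL.
        validationConfigurer.addValidation("/account/.*").forParameters("userId").rules("safeId");
        validationConfigurer.addValidation(".*");
    }
}
```

The GET-as-start-page exclusion is the trade-off the RESTful-URLs issue below discusses: it makes a REST application usable under Hdiv, but every GET becomes a page Hdiv does not verify, so read-only parameters in those URLs lose integrity and confidentiality protection.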

How to build your own Hdiv jar

Clone this repository and build jar files (you'll need Git and Maven installed):

git clone git://github.com/hdiv/hdiv.git
cd hdiv
mvn install

The jars are created in a folder named target and installed in the local Maven repository.

Do you need help?

If you have questions or problems, please open an issue on this repository (hdiv/hdiv) or contact us at [email protected]

License

Hdiv is released under version 2.0 of the Apache License.

Profiler

JProfiler kindly supports the Hdiv open source project with its full-featured Java profiler. Take a look at JProfiler's leading software products: Java Profiler

Comments
  • how to avoid some parameters from HDIV validations

    I am using Primefaces Datatable component. <p:dataTable id="activitydescription" var="type" value="#{activityBean.activityList}" rows="#{activityBean.rowNo}" rowKey="#{type.activitySchemeId}"

    This data table component creates a hidden field dynamically on the browser.

    HDIV prevents and display the error page by sending this on console org.hdiv.logs.Logger log INVALID_PARAMETER_NAME;/hseadmin/pages/secured/admin/Layout.xhtml;formId:activitydescription_selection;;0:0:0:0:0:0:0:1;0:0:0:0:0:0:0:1;anonymous

    So how can we avoid validation for these types of parameters? I have used hdiv:paramsWithoutValidation:

    <hdiv:paramsWithoutValidation>
        <hdiv:mapping url=".*" parameters="formId:activitydescription_selection"/>
    </hdiv:paramsWithoutValidation>

    but still no luck. Can somebody provide some pointers?

    opened by jchowdhary 10
  • File upload fails on using Multipart File Upload in HDIV 2.1.9

    I am using HDIV 2.1.9 in my application containing Struts 1.3.8 and Spring 3.2. HDIV works fine in all modules except in Multipart file upload.

    Initially while working on struts multipart upload forms, I got the following error when my page renders.

    'HTTP Status 500 - In order to enable HDIV multipart processing, MultipartResolver must be of org.hdiv.web.multipart.HdivCommonsMultipartResolver or org.hdiv.web.multipart.HdivStandardServletMultipartResolver type'.

    I was using 'org.springframework.web.multipart.commons.CommonsMultipartResolver' previously and when I changed that to 'org.hdiv.web.multipart.HdivCommonsMultipartResolver', the page rendered properly without any issues.

    But when I browse for any file and click the Upload button, the upload is not successful and always throws the validation message 'Please select a file to upload'.

    On Debugging I could find that in my Struts Action, the request contains the file object which is always null.

    Am I missing any Multipart configuration or anything else here ?

    Below is the log trace once I click the Upload button.

    10 Apr 2015 12:08:26 DEBUG org.hdiv.web.multipart.HdivCommonsMultipartResolver - Found multipart file [formFile1] of size 11574 bytes with original filename [yyyyyyyyyyy.jpg], stored at [D:\tomcat-blue\tomcat_7\7.0.42\work\Catalina\localhost\xxxxx\upload_c0091696_2af2_422b_8d8e_b119ab2dc039_00000014.tmp]
    10 Apr 2015 12:08:26 DEBUG org.hdiv.util.HDIVUtil - Stripping jsessionid from url /xxxxx/element/uploadFiles.do
    10 Apr 2015 12:08:26 DEBUG org.hdiv.session.SessionHDIV - Getting page with id:25
    10 Apr 2015 12:08:26 DEBUG org.hdiv.session.SessionHDIV - Getting page with id:25
    10 Apr 2015 12:08:26 DEBUG org.hdiv.session.StateCache - Page with [28] added to the cache.
    10 Apr 2015 12:08:26 DEBUG org.hdiv.session.SessionHDIV - Added new page with id:28
    10 Apr 2015 12:08:26 DEBUG org.hdiv.session.SessionHDIV - Added new page with id:28
    10 Apr 2015 12:08:26 DEBUG org.hdiv.web.multipart.HdivCommonsMultipartResolver - Cleaning up multipart file [formFile1] with original filename [celebrations. jpg], stored at [D:\tomcat-blue\tomcat_7\7.0.42\work\Catalina\localhost\xxxxx\upload_c0091696_2af2_422b_8d8e_b119ab2dc039_00000014.tmp]
    10 Apr 2015 12:08:26 DEBUG org.hdiv.filter.RequestWrapper - New RequestWrapper instance.
    10 Apr 2015 12:08:26 DEBUG org.hdiv.filter.ResponseWrapper - New ResponseWrapper instance.

    Please share your thoughts.

    Thanks in Advance.

    opened by dhinesherode91 10
  • Issue in Integrating HDIV to my Spring -MVC application

    Hi, I am trying to integrate HDIV into my application; I have referred to the hdiv-reference document.

    I am getting the following exception:

    Mar 11, 2013 7:32:09 PM org.apache.catalina.core.StandardContext filterStart
    SEVERE: Exception starting filter ValidatorFilter
    org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'application' is defined
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:504)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1041)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:273)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:189)
        at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1004)
        at org.hdiv.util.HDIVUtil.getApplication(HDIVUtil.java:231)
        at org.hdiv.filter.ValidatorFilter.initFilterBean(ValidatorFilter.java:73)
        at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:179)
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:275)
        at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:397)
        at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:108)
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3696)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4343)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
    Mar 11, 2013 7:32:09 PM org.apache.catalina.core.StandardContext start
    SEVERE: Error filterStart

    This error is thrown at startup of my server... I have added

    • HDIV: core library (hdiv-core-2.0.4.jar) and tags library (hdiv-spring-mvc-2.5-2.0.3.jar).
    • Spring: spring-2.0.1.jar or higher
    • Commons codec: commons-codec-1.3.jar
    • Commons fileupload: commons-fileupload-1.1.1.jar
    • Commons io: commons-io-1.1.jar

    Is there any error in the mapping?? Any help would be highly appreciated!!!

    opened by xyz12 10
  • "UTF-8" Encoding problem

    Hi,

    We encounter a problem that we have observed recently, with “UTF-8” encoding. This problem is obviously related to the integration of HDIV Framework to our “Spring MVC / Spring Security” application.

    Concerning the management of “UTF-8” encoding, we proceeded as follows:

    1- We have activated the Spring character encoding filter "org.springframework.web.filter.CharacterEncodingFilter" and positioned it as the first filter in our deployment descriptor "web.xml" like this:

    <!-- Spring Security Char Encoding Filter-->
    <filter>
        <filter-name>characterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <!-- Spring Security Filter-->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!-- the Filter's mappings -->
    <filter-mapping>
        <filter-name>characterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    2- Then we set up Tomcat to handle "UTF-8" encoding, by changing the file "server.xml" like this:

    …
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8" useBodyEncodingForURI="true"/>
    …
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" useBodyEncodingForURI="true"/>

    Without the integration of HDIV Framework, i.e.: only with Spring MVC and Spring Security (+ tomcat setup / and Spring character encoding filter) we have no problem with "UTF-8" encoding.

    With the activation of HDIV Framework (Filter + RequestDataValueProcessor, JSTL-HdIV Taglib, etc.) the problem occurs.

    Our Spring configuration files:

    • HDIV (hdiv-config.xml: https://gist.github.com/4672835)
    • Spring Security (security-config.xml: https://gist.github.com/4672833)
    • Spring MVC (presentation-config.xml: https://gist.github.com/4672840)
    • And our deployment descriptor (web.xml: https://gist.github.com/4672821)

    You will also find screenshots of a use case (domain entity update) that allow reproducing the encoding problem.

    In advance, thanks for your help!

    Regards,

    Youssef

    Screenshots: hdiv_bug_utf8_detail_screen, hdiv_bug_utf8_edit_screen, hdiv_bug_utf8_edit_screen_error

    opened by youssefguenoun 10
  • Problems when using HDIV with Spring-mvc and RESTful urls.

    I am trying to integrate HDIV in an existing RESTful application. I would like all the GET requests to be start pages, and POST, PUT and DELETE requests to be HDIV protected pages.

    I am using HDIV 1.2.4-SNAPSHOT and I am using this configuration:

    <hdiv:config 
        strategy="hash"
        excludedExtensions="css,png,gif,jpeg,jpg,js"
        confidentiality="true"
        errorPage="/error.jsp">
    
        <hdiv:startPages method="get">.*</hdiv:startPages>
    
        <hdiv:paramsWithoutValidation>
            <hdiv:mapping url=".*" parameters="_method"/>
        </hdiv:paramsWithoutValidation>
    </hdiv:config>
    

    The problem is that when processing fields HDIV only takes into account the action of the form, ignoring the method. This leads to several problems, e.g. confidentiality is not applied to readonly fields but is checked in the filter, resulting in validation errors.

    opened by undo76 8
  • HDIV and Spring: nesting <spring:url> tag in Spring's form tag breaks

    When creating a form like this:

    <form:form method="POST" modelAttribute="bulkSelection">
    <input type="submit" name="test" value="testbutton"/>
                        <form:checkbox path="pathvalue" value="${backingObject.path}"/> 
    </form:form>
    

    everything works as expected, and a hidden field is appended to the form containing the CSRF token. However, when I use a <spring:url> tag inside the form, the hidden CSRF token is suddenly not appended to the form anymore:

    <form:form method="POST" modelAttribute="bulkSelection">
    <input type="submit" name="test" value="testbutton"/>
            <form:checkbox path="pathvalue" value="${backingObject.path}"/> 
            <a href="<spring:url value ='/some/link' />">
                    <img src="${pageContext.request.contextPath}/pic.png"/>
            </a>
    </form:form>
    

    It seems that something is going wrong in the DataComposerMemory class: in the first situation, the getExtraHiddenFields method (see https://github.com/hdiv/hdiv/blob/master/hdiv-spring-mvc/src/main/java/org/hdiv/web/servlet/support/HdivRequestDataValueProcessor.java#L150) sees true when it calls DataComposer.isRequestStarted(), but in the second situation, with the nested <spring:url> tag, it returns false!

    When the <spring:url> tag is moved outside of the form, everything works correctly again:

    • the form gets its hidden CSRF token
    • the link gets the HDIV state parameter appended

    Therefore the nesting causes the issue it seems.

    opened by sandermak 8
  • Restricting the validation to a set of URL

    Hi,

    I need to tell HDIV framework to protect only a set of URL (against CSRF attacks)

    So for the ValidatorFilter I was trying the following url pattern: /functional/* but it seems not to be working because I'm getting a NullPointerException just like in issue #45.

    With the global pattern /* it works fine but this is not my wish.

    I will really appreciate your help to get this working

    opened by camlizo 7
  • Problem while loading a JSF page

    Greetings

    We have a JSF application running with HDIV 2.1.4 which has a problem when a page is loaded. In the HDIV log we have this:

    "HDIV_PARAMETER_NOT_EXISTS;/webtest/home/home.xhtml;HDIV_STATE;null;0:0:0:0:0:0:0:1;0:0:0:0:0:0:0:1;user"

    I don’t know if this is relevant but a lot of this also comes:

    "The page [n] has no states, is not stored in session"

    The exception goes as a null object and we got NullPointerException in the backing bean. Thanks in advance!

    opened by joelxr 7
  • MultipartFile Upload  SPRING and HDIV

    Hi,

    I have trouble with file upload and hdiv. My problem is very simple. I followed the showcase example. I don't have a problem when the JSP does not need to be authenticated (security none on Spring Security).

    If I activate the security, HDIV parses the request parameters and throws a ClassCastException because the html input type="file" is recognized as . HDIV casts the label of parameters into String, hence the ClassCastException.

    Why does HDIV not understand input type="file"? What can I do to solve this problem?

    Thanks.

    opened by Net1dsang 6
  • One of the default validation rules can cause stackoverflow error

    In file hdiv-config/src/main/resources/org/hdiv/config/validations/defaultEditableValidations.xml

    There is a rule

    This can cause stackoverflow error on certain input text.

    Here is a short test

    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    import org.junit.Test;

    @Test
    public void test(){
        String text = 
                "The purpose of this communication is " +
                "to publically announce the Department's intention in this regard and to provide " +
                "the appropriate contact information for any inquiries or for those wishing to " +
                "submit comments or any new scientific information relevant to the safety of this " + 
                "additive. Health Canada's Food Directorate is committed to reviewing any new " +
                "scientific information on the safety in use of any food additive, including " +
                "urease. Anyone wishing to submit new scientific information on the use of this " +
                "additive or to submit any inquiries may do so in writing, by regular mail or " +
                "electronically. If you wish to contact the Food Directorate electronically, " +
                "please use the words \"Urease Notification\" in the subject line of your e-mail. " +
                "Health Canada is able to consider information received by May 24 2013, " +
                "75 days from the date of this posting."
                ;
        // The rejected pattern from defaultEditableValidations.xml
        String sqlInjectionPattern = "(\\s|\\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))+(\\s|\\S)*";
        Pattern p = Pattern.compile(sqlInjectionPattern);
        Matcher m = p.matcher(text);
        System.out.println(m.matches());
    }
    
    opened by WeichangYang 6
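As an added example from the editor (not code from the issue or from the Hdiv code base), why the rule above can overflow the stack and an equivalent check that cannot. java.util.regex matches a group under `*` such as `(\s|\S)*` by recursion, one level per repetition, so `matches()` on a long input runs out of stack; the same "contains one of these tokens" test written with `find()` over the token alternation alone, with no `(\s|\S)*` wrappers, needs no unbounded group repetition. The pattern string is the one quoted in the issue; the input text and the class name are constructed.

```java
import java.util.regex.Pattern;

/** Compares the rule's original form with a find()-based form of the same check. */
public class SqlMetacharRule {

    // Pattern as quoted in the issue. Both (\s|\S)* groups are matched recursively by
    // java.util.regex, so the depth grows with the input length.
    static final Pattern ORIGINAL = Pattern.compile(
        "(\\s|\\S)*((%27)|(')|(%3D)|(=)|(/)|(%2F)|(\")|((%22)|(-|%2D){2})|(%23)|(%3B)|(;))+(\\s|\\S)*");

    // Same token set, no wrappers: find() already scans the whole input, single characters
    // sit in one character class, and the only repetition is the bounded {2}.
    static final Pattern SAFE = Pattern.compile(
        "%27|%3D|%2F|%22|%23|%3B|(?:-|%2D){2}|['=/\";]");

    /** Rejected-pattern semantics with find(): true means the value would be rejected. */
    static boolean rejectedSafe(String input) {
        return SAFE.matcher(input).find();
    }

    /** The original matches() call; returns null when it dies with StackOverflowError. */
    static Boolean rejectedOriginal(String input) {
        try {
            return ORIGINAL.matcher(input).matches();
        } catch (StackOverflowError e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed input: benign prose long enough to exhaust the recursion.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 20000; i++) {
            sb.append("word ");
        }
        String benign = sb.toString();
        // Constructed input containing one token the rule rejects (an apostrophe).
        String withToken = "O'Brien";

        System.out.println("original on long benign text: " + rejectedOriginal(benign));
        System.out.println("safe on long benign text:     " + rejectedSafe(benign));
        System.out.println("safe on O'Brien:              " + rejectedSafe(withToken));
    }
}
```

If the full-match form is kept for compatibility with the rule file, `[\s\S]*` (a character class under `*`) is iterated rather than recursed and removes the overflow for the same reason; the `find()` form additionally stops at the first token instead of scanning to the end.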
  • Support for login page when integration with Spring Security

    I have integrated spring-security into my application. HDIV integration is done on top of it.

    When the session expires, if HDIV is not integrated, upon accessing any URL, the redirection happens to the login page. But when HDIV is integrated with the application , the redirection happens to the error page configured in hdiv-config.xml,

    I think the redirection to the error page should happen only when the URL is tampered with; when the session expires it should be redirected to the login page.

    opened by balasubram 6
  • Bump spring-webmvc from 4.3.5.RELEASE to 5.2.20.RELEASE in /hdiv-services

    Bumps spring-webmvc from 4.3.5.RELEASE to 5.2.20.RELEASE.

    Release notes

    Sourced from spring-webmvc's releases.

    v5.2.20.RELEASE

    :star: New Features

    • Restrict access to property paths on Class references #28262
    • Improve diagnostics in SpEL for large array creation #28257

    v5.2.19.RELEASE

    :star: New Features

    • Declare serialVersionUID on DefaultAopProxyFactory #27785
    • Use ByteArrayDecoder in DefaultClientResponse::createException #27667

    :lady_beetle: Bug Fixes

    • ProxyFactoryBean getObject called before setInterceptorNames, silently creating an invalid proxy [SPR-7582] #27817
    • Possible NPE in Spring MVC LogFormatUtils #27783
    • UndertowHeadersAdapter's remove() method violates Map contract #27593
    • Fix assertion failure messages in DefaultDataBuffer.checkIndex() #27577

    :notebook_with_decorative_cover: Documentation

    • Lazy annotation throws exception if non-required bean does not exist #27660
    • Incorrect Javadoc in [NamedParameter]JdbcOperations.queryForObject methods regarding exceptions #27581
    • DefaultResponseErrorHandler update javadoc comment #27571

    :hammer: Dependency Upgrades

    • Upgrade to Reactor Dysprosium-SR25 #27635
    • Upgrade to Log4j2 2.16.0 #27825

    v5.2.18.RELEASE

    :star: New Features

    • Enhance DefaultResponseErrorHandler to allow logging complete error response body #27558
    • DefaultMessageListenerContainer does not log an error/warning when consumer tasks have been rejected #27457

    :lady_beetle: Bug Fixes

    • Performance impact of con.getContentLengthLong() in AbstractFileResolvingResource.isReadable() downloading huge jars to check component length #27549
    • Performance impact of ResourceUrlEncodingFilter on HttpServletResponse#encodeURL #27548
    • Avoid duplicate JCacheOperationSource bean registration in #27547
    • Non-escaped closing curly brace in RegEx results in initialization error on Android #27502
    • Proxy generation with Java 17 fails with "Cannot invoke "Object.getClass()" because "cause" is null" #27498
    • ConcurrentReferenceHashMap's entrySet violates the Map contract #27455

    :hammer: Dependency Upgrades

    • Upgrade to Reactor Dysprosium-SR24 #27526

    v5.2.17.RELEASE

    ... (truncated)

    Commits
    • cfa701b Release v5.2.20.RELEASE
    • 996f701 Refine PropertyDescriptor filtering
    • 90cfde9 Improve diagnostics in SpEL for large array creation
    • 94f52bc Upgrade to Artifactory Resource 0.0.17
    • d4478ba Upgrade Java versions in CI image
    • 136e6db Upgrade Ubuntu version in CI images
    • 8f1f683 Upgrade Java versions in CI image
    • ce2367a Upgrade to Log4j2 2.17.1
    • acf7823 Next development version (v5.2.20.BUILD-SNAPSHOT)
    • 1a03ffe Upgrade to Log4j2 2.16.0
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • Bump spring-webmvc from 4.0.9.RELEASE to 5.2.20.RELEASE in /hdiv-config

    Bump spring-webmvc from 4.0.9.RELEASE to 5.2.20.RELEASE in /hdiv-config

    Bumps spring-webmvc from 4.0.9.RELEASE to 5.2.20.RELEASE.

    dependencies 
    opened by dependabot[bot] 0
  • Bump spring-webmvc from 4.0.0.RELEASE to 5.2.20.RELEASE in /hdiv-spring-mvc

    Bump spring-webmvc from 4.0.0.RELEASE to 5.2.20.RELEASE in /hdiv-spring-mvc

    Bumps spring-webmvc from 4.0.0.RELEASE to 5.2.20.RELEASE.

    dependencies 
    opened by dependabot[bot] 0
  • Bump spring-webmvc from 3.1.0.RELEASE to 5.2.20.RELEASE in /hdiv-thymeleaf

    Bump spring-webmvc from 3.1.0.RELEASE to 5.2.20.RELEASE in /hdiv-thymeleaf

    Bumps spring-webmvc from 3.1.0.RELEASE to 5.2.20.RELEASE.

    dependencies 
    opened by dependabot[bot] 0
  • Bump spring-web from 4.3.5.RELEASE to 6.0.0 in /hdiv-services

    Bump spring-web from 4.3.5.RELEASE to 6.0.0 in /hdiv-services

    Bumps spring-web from 4.3.5.RELEASE to 6.0.0.

    Release notes

    Sourced from spring-web's releases.

    v6.0.0

    See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.

    :star: New Features

    • Avoid direct URL construction and URL equality checks #29486
    • Simplify creating RFC 7807 responses from functional endpoints #29462
    • Allow test classes to provide runtime hints via declarative mechanisms #29455

    :notebook_with_decorative_cover: Documentation

    • Align javadoc of DefaultParameterNameDiscoverer with its behavior #29494
    • Document AOT support in the TestContext framework #29482
    • Document Ahead of Time processing in the reference guide #29350

    :hammer: Dependency Upgrades

    • Upgrade to Reactor 2022.0.0 #29465

    :heart: Contributors

    Thank you to all the contributors who worked on this release:

    @ophiuhus and @wilkinsona

    v6.0.0-RC4

    :star: New Features

    • Introduce DataFieldMaxValueIncrementer for SQL Server sequences #29447
    • Introduce findAllAnnotationsOnBean variant on ListableBeanFactory #29446
    • Introduce support for Jakarta WebSocket 2.1 #29436
    • Allow @ControllerAdvice in WebFlux to handle exceptions before a handler is selected #22991

    :lady_beetle: Bug Fixes

    • Bean with unresolved generics do not use fallback algorithms with AOT #29454
    • TomcatRequestUpgradeStrategy is not compatible with Tomcat 10.1 #29434
    • Autowiring of a generic type produced by a factory bean fails after AOT processing #29385

    :notebook_with_decorative_cover: Documentation

    • Reference PDF containing full docs not available #28451

    :hammer: Dependency Upgrades

    • Revisit Servlet API baseline: Servlet 6.0 in the build, Servlet 5.0 compatibility at runtime #29435
    • Upgrade to Context Propagation 1.0.0 #29442
    • Upgrade to Jackson 2.14.0 #29351
    • Upgrade to Micrometer 1.10.0 #29441

    ... (truncated)

    Commits
    • 5a30a43 Release v6.0.0
    • 42856ba Add milestone repo for optional Netty 5 support
    • 9be6cea Polishing deprecated methods
    • 37b4391 Align javadoc of DefaultParameterNameDiscoverer with its behavior
    • 09a58a5 Polish
    • 10f4ad1 Assert fixed in DefaultErrorResponseBuilder
    • 9457ed3 Document AOT support in the TestContext framework
    • 074ec97 Fix section formatting in the testing chapter
    • 9ede4af Revert "Ignore HttpComponents Javadoc"
    • bfc1251 Merge branch '5.3.x'
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • Bump jackson-databind from 2.6.7 to 2.12.7.1 in /hdiv-services

    Bump jackson-databind from 2.6.7 to 2.12.7.1 in /hdiv-services

    Bumps jackson-databind from 2.6.7 to 2.12.7.1.

    dependencies 
    opened by dependabot[bot] 0
JVM runtime class loading protection agent (JVM class loading protection agent)

JVM class loading monitoring agent with a configurable blacklist that blocks malicious class loading (including JSP webshells)

threedr3am 43 Sep 28, 2022
Bridging IOTA's self-sovereign identities to existing "Web 2.0" OAuth solutions

IOTA Identity Provider Bridging IOTA's self-sovereign identities to existing "Web 2.0" OAuth solutions. NOTE: This plugin has NOT been audited or test

null 17 Nov 7, 2022
OACC (Object ACcess Control) is an advanced Java Application Security Framework

OACC Java Application Security Framework What is OACC? OACC - pronounced [oak] - is a fully featured API to both enforce and manage your application's

null 103 Nov 24, 2022
This application can recognize the sign language alphabets and help people who do not understand sign language to communicate with the speech and hearing impaired.

Sign Language Recognition App This application can recognize the sign language alphabets and help people who do not understand sign language to commun

Mihir Gandhi 12 Oct 7, 2021
Spring boot application to display number of corona cases

Corona-Cases-Counter Spring boot application to display number of corona cases This application consumes data from a CSV file which was used to docume

Hudson Obai 3 Aug 29, 2021
First Blood Donor Application

Find Blood Donor This is an Android application which helps users to find blood donors in their nearby locality. Why did you make this? My project "F

Kartik Soni 2 Oct 7, 2021
Make a customized list of exercises, create and save workouts, and be led through your routine. This application is currently under development.

HIIT Workout Builder ABOUT This application allows you to create and be led through customized high-intensity interval training (HIIT) sessions. The a

null 1 Nov 28, 2022
Library to easily configure API Key authentication in (parts of) your Spring Boot Application

42 API Key Authentication A library to easily configure API Key authentication in (parts of) your Spring Boot Application. Features Easily configure A

null 2 Dec 8, 2021
Huntress Log4Shell Testing Application

Huntress Log4Shell Testing Application This repo holds the source for the HTTP and LDAP servers hosted here. Both services are hosted under one Java a

Huntress Labs 359 Nov 25, 2022
Log4Shell sample vulnerable application (CVE-2021-44228)

Log4Shell sample vulnerable application (CVE-2021-44228)

StandB 5 Dec 26, 2021
A desktop java GUI application to encrypt your plain text

A desktop java GUI application to encrypt your plain text

Nikhil Narayanan 4 Sep 10, 2022
This App is a command line application, based on Cryptography.

This App is a command line application, based on Cryptography, where a user inputs text and it is encrypted and can be decrypted as well.

Mohamed Ibrahim 1 Jan 28, 2022
A Basic Java Application Vulnerable to the Log4Shell RCE

This is a basic, minimal, intentionally vulnerable Java web application including a version (2.14.1) of the log4j library affected by the infamous log4shell (CVE-2021-44228) vulnerability.

null 31 Nov 9, 2022
Crypto Eye is an application used to fetch current rates of crypto currency.

Crypto-Eye- Crypto Eye is an application used to fetch current rates of crypto currency. It is a fully dynamic application with internet access. This ap

Utkarsh tripathi 2 Sep 2, 2022
A Vaadin example application that use Firebase Authentication as its user database

Vaadin + Firebase Auth example A trivial example to use Firebase Authentication with a Vaadin application. The app is built based on start.vaadin.com

Matti Tahvonen 3 Mar 9, 2022
Deephaven Crypto Application

Crypto Application About The crypto application is a multifaceted example that extends the Deephaven Community Core docker images. The publisher conne

Deephaven Data Labs 4 Apr 24, 2022
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.6k Dec 29, 2022
SurvivalCore featuring SMP features like claims and land protection for Nukkit!

SurvivalCore SurvivalCore featuring Survival characteristics and claims and land protection for Nukkit! Features: Claims System : Use /claim or /c to c

OP Heroes Development Team 1 Jan 4, 2022