How to handle Multpart file upload with Spring Security CSRF Protection (no xml)


The Spring team recommends using CSRF protection for any request that could be processed by a browser on behalf of normal users. If your web app accepts file uploads, you should use Spring Security's CSRF protection. CSRF protection is enabled by default, so you only have to configure your web app to handle it for multipart requests.

1. First, override beforeSpringSecurityFilterChain so that the MultipartFilter runs before the Spring Security filter chain (otherwise the CSRF token inside the multipart body cannot be read):

import javax.servlet.ServletContext;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.multipart.support.MultipartFilter;

public class SecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        // Register the MultipartFilter ahead of springSecurityFilterChain so that
        // the CSRF token can be read from the multipart request body
        insertFilters(servletContext, new MultipartFilter());
    }
}

2. Then, edit or create (if you haven't yet) a bean named "filterMultipartResolver", which is a CommonsMultipartResolver. Make sure the bean has exactly this name: MultipartFilter looks it up by that name, and a bean named "multipartResolver" (the common mistake) is not picked up and does not work (as described here).

import org.springframework.context.annotation.Bean;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

// Declared in a @Configuration class; the bean name is what MultipartFilter looks up
@Bean(name = "filterMultipartResolver")
public CommonsMultipartResolver getMultipartResolver() {
    return new CommonsMultipartResolver();
}

3. Another approach is to include the CSRF token as a query parameter in the action attribute of the form (shown below), but keep in mind that query parameters can be leaked (in server logs, browser history and Referer headers), so the best practice is to use the first approach (steps 1 and 2).

<form action="/upload?${_csrf.parameterName}=${_csrf.token}" method="post" enctype="multipart/form-data">
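The following is an added example, not code from the post or its GitHub project: a small curl-based check that the upload endpoint configured in steps 1 and 2 really enforces CSRF. It assumes a form page at `$BASE_URL/upload` that renders Thymeleaf's default hidden `_csrf` input, a file field named `file`, and that a rejected request answers 403; the sample HTML embedded in the script is constructed to resemble that rendered form. The token is sent as an ordinary multipart form field, the way steps 1 and 2 allow, never in the URL.

```bash
#!/bin/bash
# Added example (not the post's code): verify that a multipart upload endpoint
# rejects requests without a CSRF token and accepts them with one.
# Assumptions: BASE_URL serves the form at /upload and Thymeleaf renders
# <input type="hidden" name="_csrf" value="..."/>; the file field is "file".
set -euo pipefail

# Pull the value of the hidden input named _csrf out of an HTML document.
# Prints an empty string (and succeeds) when no token is present.
csrf_token_from_html() {
  printf '%s\n' "$1" \
    | grep -o 'name="_csrf"[^>]*value="[^"]*"' \
    | head -n 1 \
    | sed 's/.*value="\([^"]*\)".*/\1/' || true
}

# Multipart POST carrying the token as a form field; prints the HTTP status code.
upload_with_token() {
  # $1 base url, $2 cookie jar, $3 file to upload, $4 csrf token
  curl -s -o /dev/null -w '%{http_code}' -b "$2" \
       -F "_csrf=$4" -F "file=@$3" "$1/upload"
}

# Same upload with no token at all; a correctly protected endpoint returns 403.
upload_without_token() {
  # $1 base url, $2 cookie jar, $3 file to upload
  curl -s -o /dev/null -w '%{http_code}' -b "$2" -F "file=@$3" "$1/upload"
}

# Constructed sample of what the rendered form looks like (used by the offline test).
SAMPLE_HTML='<form action="/upload" method="post" enctype="multipart/form-data">
<input type="hidden" name="_csrf" value="a1b2c3d4-example-token"/>
<input type="file" name="file"/></form>'

# End-to-end check against a running app: fetch the form (and its session
# cookie), extract the token, then try the upload both ways.
check_endpoint() {
  local jar html token tmp without with
  jar=$(mktemp)
  html=$(curl -s -c "$jar" "$1/upload")
  token=$(csrf_token_from_html "$html")
  tmp=$(mktemp); printf 'hello\n' > "$tmp"
  without=$(upload_without_token "$1" "$jar" "$tmp")
  with=$(upload_with_token "$1" "$jar" "$tmp" "$token")
  rm -f "$jar" "$tmp"
  echo "without token: HTTP $without, with token: HTTP $with"
  [ "$without" = "403" ] && [ "$with" != "403" ]
}

# Usage: BASE_URL=http://localhost:8080 ./csrf-check.sh run
if [ "${1:-}" = "run" ]; then
  check_endpoint "${BASE_URL:-http://localhost:8080}"
fi
```

Run it with `run` against a test deployment; the script exits non-zero if an upload without the token is accepted, which is exactly the misconfiguration that the wrong bean name in step 2 produces.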

GitHub: Complete working example

Script to automatically backup MySQL database


It goes without saying that keeping your data safe is very important once systems are in production, but there are many ways to do it. Here is a simple and good one.

First of all, make a backup folder:

mkdir /home/backup

Inside the folder, create the bash script file:

sudo touch backup.sh

and then edit it:

sudo nano backup.sh

Here's the script content; paste it in:

#!/bin/bash

# Database credentials, UPDATE THEM:
user=""
password=""
host=""
db_name=""

# Other options
backup_path="/home/backup"
today=$(date +"%d-%b-%Y")

# Dump the database into a dated SQL file, e.g. /home/backup/mydb-01-Jan-2020.sql
mysqldump --user="$user" --password="$password" --host="$host" "$db_name" > "$backup_path/$db_name-$today.sql"

# Delete backup files older than 30 days (pattern is quoted so the shell does not expand it)
find "$backup_path" -name '*.sql' -mtime +30 -exec rm {} \;

Save and exit.

Afterwards, edit the cron file to set up a daily (or whatever interval you want) backup routine. Cron is the task scheduler on Linux, and you can easily schedule scripts with it. So, run:

sudo nano /etc/crontab

At the bottom, type (lines in /etc/crontab need a user field before the command, here root):

@daily root /home/backup/backup.sh

which means your script will be executed daily. (more options here)
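As an added example (not the post's script), here is the same daily backup hardened in the ways a reviewer would ask for: the password goes into a root-only MySQL option file instead of on the mysqldump command line, where any local user could read it from `ps`; a failed dump removes its partial file and exits non-zero so cron reports it; and the pruning is done by functions that can be exercised without a database. The option-file path `/home/backup/.my.cnf` and the database name are assumptions; `mysqldump` is only invoked when the script is started with `run`.

```bash
#!/bin/bash
# Added example (not the post's script): hardened daily MySQL backup.
# Assumptions: mysqldump is installed; credentials live in CONFIG_FILE (a
# hypothetical path) readable only by root; DB_NAME is a placeholder.
set -euo pipefail

BACKUP_PATH="${BACKUP_PATH:-/home/backup}"
CONFIG_FILE="${CONFIG_FILE:-/home/backup/.my.cnf}"
DB_NAME="${DB_NAME:-mydatabase}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# Backup file name: <db>-<DD-Mon-YYYY>.sql
backup_filename() {
  printf '%s-%s.sql' "$1" "$2"
}

# Write a MySQL option file readable only by its owner, so the password never
# appears in the process list or in shell history.
write_mysql_config() {
  # $1 file, $2 user, $3 password, $4 host
  ( umask 077; printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$2" "$3" "$4" > "$1" )
  chmod 600 "$1"
}

# Remove *.sql files older than $2 days from directory $1; prints how many remain.
prune_old_backups() {
  find "$1" -maxdepth 1 -name '*.sql' -mtime "+$2" -exec rm -f {} +
  find "$1" -maxdepth 1 -name '*.sql' | wc -l | tr -d ' '
}

# Dump the database; on failure remove the partial file so a broken dump is
# never mistaken for a good backup, and return non-zero so cron notices.
dump_database() {
  local out
  out="$BACKUP_PATH/$(backup_filename "$DB_NAME" "$(date +%d-%b-%Y)")"
  if ! mysqldump --defaults-extra-file="$CONFIG_FILE" --single-transaction "$DB_NAME" > "$out"; then
    rm -f "$out"
    echo "backup of $DB_NAME failed" >&2
    return 1
  fi
  chmod 600 "$out"
  echo "$out"
}

# Usage: ./backup.sh run   (from /etc/crontab: @daily root /home/backup/backup.sh run)
if [ "${1:-}" = "run" ]; then
  mkdir -p "$BACKUP_PATH"
  dump_database
  prune_old_backups "$BACKUP_PATH" "$KEEP_DAYS"
fi
```

Create the option file once with `write_mysql_config` (or by hand), make the script executable and root-only with `chmod 700`, and keep the backup folder itself `chmod 700`: a dump of the production database is as sensitive as the database.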

That's it! Be safe.

How to deploy an app to remote Tomcat using port 80 on Amazon EC2


Let's suppose you already have a .war file of your application and an Ubuntu EC2 instance configured with Java and Tomcat.

1. First of all (optional): get a free domain on dot.tk and, in its DNS manager, point it at the IP given by an Amazon Elastic IP. You can also use a third-party DNS manager, like ZoneEdit.

2. After that, modify the conf/server.xml file of the Tomcat installation to add the application at context path "/" (ROOT). Run sudo nano server.xml and type inside the "<Host>" tag:

<Context path="/" docBase="theprojectname"></Context>

3. For security reasons, Ubuntu (like other Linux systems) does not let non-root processes such as Tomcat bind to low ports, but since we want our application to respond on :80, let's add a firewall rule that redirects port 80 to Tomcat's port 8080. Type:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

There are many other ways to do this, such as nginx, an Apache virtual host, or authbind to allow Tomcat to use :80. Since we want to keep it simple, the rule above works like a charm.

4. (important) Amazon instances have their own firewall as well. The default security group keeps only port 22 (SSH) open, so edit the EC2 security group and add a rule that allows HTTP on port 80.
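An added example, not part of the post, that applies the redirect from step 3 the way you would want it in a provisioning script: `iptables -C` checks for the rule before appending, so re-running it does not stack duplicate rules the way repeating the `-A` line does; a second rule on the nat OUTPUT chain covers locally generated traffic, because PREROUTING only sees packets arriving on the interface, so a `curl localhost:80` on the box itself would otherwise not be redirected. It assumes iptables is installed, the script runs as root, and the interface name is passed in (eth0 is only the default). `--to-ports` is the documented spelling of the REDIRECT option that the post abbreviates as `--to-port`.

```bash
#!/bin/bash
# Added example (not from the post): idempotent port 80 -> 8080 redirect.
# Assumptions: run as root with iptables installed; IFACE defaults to eth0.
set -euo pipefail

# Match-and-target part of the redirect rule for traffic arriving on an interface.
redirect_rule() {
  # $1 interface, $2 public port, $3 Tomcat port
  printf '%s' "-i $1 -p tcp --dport $2 -j REDIRECT --to-ports $3"
}

# Same redirect for locally generated traffic on loopback (nat OUTPUT chain).
local_redirect_rule() {
  # $1 public port, $2 Tomcat port
  printf '%s' "-o lo -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Append the rule to nat chain $1 only if it is not already present.
ensure_rule() {
  local chain="$1" rule="$2"
  # $rule is intentionally unquoted so it splits into iptables arguments
  if iptables -t nat -C "$chain" $rule 2>/dev/null; then
    echo "rule already present in $chain: $rule"
  else
    iptables -t nat -A "$chain" $rule
    echo "rule added to $chain: $rule"
  fi
}

# Usage: IFACE=eth0 ./redirect80.sh run
if [ "${1:-}" = "run" ]; then
  ensure_rule PREROUTING "$(redirect_rule "${IFACE:-eth0}" 80 8080)"
  ensure_rule OUTPUT "$(local_redirect_rule 80 8080)"
  # These rules live only in memory: persist them (for example with the
  # iptables-persistent package on Ubuntu) or they are gone after a reboot.
  iptables -t nat -S PREROUTING
  iptables -t nat -S OUTPUT
fi
```

The final `iptables -t nat -S` listing is the check to keep: after a reboot, an empty listing tells you the rules were never persisted before the security group in step 4 lets port 80 traffic through to nothing.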

5. (extra) As the Amazon free-tier instance (micro) has only 1 GB of memory, you might need more room to run your apps. I did this with a swap file, following this wonderful tutorial from DigitalOcean:

https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04

Health insurance sales management system


This is a demo of an application requested by a customer for a freelance job. She used to manage her sales in a Google Sheet, but we decided to migrate the sheet to a web application and add some new features, like email reports and a sales balance chart. I used my development skills to make things easy for her and the people who work with her.

The backend is Java 8 with the Spring Framework, the frontend is jQuery, Thymeleaf and Bootstrap, and the data is stored in a MySQL database.

A demo of this application is hosted on an Amazon EC2 instance. You can see it working by clicking the link below.

Demo: victommasi.tk/salesmanager

GitHub: Sales App


Used Technologies: Java, SpringMVC, Spring Data JPA, Spring Security, Maven, MySQL, jQuery, Thymeleaf, Bootstrap.

RESTful Single Page Application


Using a custom template, I built this Angular single-page application, which consumes a RESTful service backed by Java, Spring MVC, Spring Data JPA and Maven.

Project Directories Structure:

(image: restful-spa-directories)

This is what our @RestController does:

  • GET request to /customer/ -> returns the list of customers
  • GET request to /customer/1 -> returns the customer with ID 1
  • POST request to /customer/ with a customer object as JSON -> creates a new customer
  • PUT request to /customer/3 with a customer object as JSON -> updates the customer with ID 3
  • DELETE request to /customer/4 -> deletes the customer with ID 4

GitHub: Restful SPA


Used Technologies: Angularjs, Bootstrap, Java, SpringBoot, Maven, Spring Data JPA.