I am developing a ui5 app using the managed app router to try to consume destinations from the BTP. The destination uses a BasicAuthentication with a technical username and password and the connection works but when I am trying to access the data from my UI5 app I get a 401 Unauthorized response code.
In the xs-app.json of my app is the authenticationType xsuaa. I can provide some file and snippets if this helps.
Does anyone have an idea what the problem is? Thanks for your help.
yes, you need to have your SAPUI5 app send the HTTP Authentication header in the request. You can use Chrome DevTools to see that HTTP header; it should have the name 'Authorization' followed by a 'Basic' + basic64 cipher.
(exemple here How to hide the basic authorization credential in browser response header? )
About Basic Auth : https://learn.microsoft.com/en-US/aspnet/web-api/overview/security/basic-authentication
Instead of setting directly that HTTTP header (with username/password) in your app, I'd recommend to use your server authentication default process.
Related
From an UI5 application I send a request to a server-side via Fetch API and on the server-side I send a response with a redirect to the UI5-app root directory:
import {constants as httpConstants} from "http2";
res.statusCode = httpConstants.HTTP_STATUS_MOVED_PERMANENTLY;
res.header("Location", "/");
The UI5 application gets the response but browser doesn't redirect an user. The only way to redirect an user to the app root is:
sap.m.URLHelper.redirect("/", false);
Is there any way to force a browser to redirect an user to an UI5-app root without using sap.m.URLHelper? I want to make as hard as possible the prevention of redirection, e.g. with a help of browser's DevTools.
UI5 routing is currently using the # part (called fragment or anchor).
This is client side part of the URL and unknown to the server.
You have maybe luck with some backend technologies and browser, but in general this will not work.
As DevTools can manipulate anyways anything… Make sure backend is secure. UI can always be change by the user, no matter what obscure security measurements you make up.
You can try using the HashChanger to route it back to login page!
Once your validation from server is done, use below code!
jQuery.sap.require("sap.ui.core.routing.HashChanger");
sap.ui.core.routing.HashChanger.getInstance().replaceHash("");
I keep receiving the error below when I use Ionic Serve...
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8100' is therefore not allowed access.
It only occurs with "post" request. The "get" requests I have work with no error. I've seen documentation for proxy's but I was not looking to go that route. I'm currently using the CORS Chrome plugin as a workaround right now, but will be shipping to mobile soon (Ionic view) for testing, which I believe I will still run into the CORS issue using Ionic View.
I have control of the API/server - using nginx.
Any suggestions?
Cors will not affect to mobile phone. The issue is in POST method in web view. In Post methods Browser send OPTIONS Request for security Purpose. It should handle in API. I used ASP.NET WEB API When Using localhost I Used Two Methods for post in Same Name but it's not proper way for doing this. You need to handle in Configuration to Igonre this. If you have API without parameters add headers "content-type x-www-form-urlencoded" to you request header. If there are parameters. use another method without parameters using same name.(Method overloadin). But when you are using livehost don't forget to remove redundant methods.
Im having trouble getting my access token from the uber API.
I get a code back from your server when I click login with uber-
I then put this into my headers in insomnia
.
grant_type:authorization_code (i just type 'authorization_code' here)
code: 0RWlkekK3kXdoKSDlbSuI6HAZHbb0K ( i know this expires after 10 mins but i have tried with different codes )
redirect_uri:http://localhost:3000/auth/uber/callback (the redirect i have on your app)
client_id:my_client_id (whatever it is in manage my app)
client_secret:my_client_secret
But i do not get a response from your server with my token.
What am i doing wrong?
thanks
If you give Uber localhost in your URI it will be trying to connect to itself, not back to your server. Use a hostname or IP address that is valid on the open Internet.
redirect_uri should exactly the same as the one you put on your dashboard.
the code may expire or been consumed (AngularJs $location redirection will make it expire for some reason)
Post the data body may need to jQuery: $.param(data) or AngularJs: $httpParamSerializer(data)
I have written my own API which requires basic authentication, such as:
user:james
pass:1111
I can call resources using urls such as:
http://api.james.com/myapi/orders/get
I wish to be able to use the REST client in PHPStorm but I cannot work out how to send my authentication details. Does anyone know how to do this? Do you have to setup a Proxy server, or can you pass the authentication somehow in the URI above?
Any help would be appreciated.
Regards
James
For usage Basic Auth you will need send header 'Authorization', for example:
Authorization: Basic amFuc29uQG1haWwucnU6MTIzNDU2
Value of this header you can get from debug console of your browser (firebug in FireFox or developer tools in Chrome). Start GET request from your browser, when you will need authorize - do it. Than open debug console 'network' tab and try this request one more time.
Now you will find in headers new one 'Authorization', that formed by browser when you was authorized.
Just copy content of this header and use it in PhpStorm REST-client.
I need to include some secure (BASIC authentication) application.
when I open the application URL in the browser, the browser asks me to enter your credentials ...
what I know is that:
The browser ask the server to get
some URL -- the url of the app
The server checks the request header
for the Authentication header and
didn't find it
The server sends 401 to the
browser back
The browser interpret this response
code into a message dialog that
shows to me asking me to enter the
username/password to send back to
the server in the Authentication
request header
So far... so good, I can write some page (in JSP) that send this required http request header to the request that is calling this page..
So I'll call this application through my page..
The problem here is, this application (in fact a GWT application) contains a reference to some Javascript and CSS files that is coming from the server that hosts this application. the application page that I import looks like:
<html>
<link href="http://application_host/cssfile.css" />
<link href="http://application_host/javascriptfile.js" />
.....
</html>
So, again I found the application asks me for the authentication crenditals for the css and js files!
I am thinking of many solutions but don't know the applicability of each
One solution is to ask the browser
(via Javascript) to send the request
header (Authentication) when he
asks the server for the js and css
files
please give me your opinions about that... and any other suggestions will be very welcomed.
Thanks.
I think you're running into some weirdness with how your server is configured. Authentication happens in context of a authentication realm. Your assets should either be in the same authentication realm as your page, or (more likely) should not require authentication at all. The browser should be caching credentials for the given realm, and not prompt for them again.
See the protocol example on http://en.wikipedia.org/wiki/Basic_access_authentication
Judging from your story, something tells me your problem is with the authentication method itsef. Not how to implement it. Why do you want to bother with the request header so much?
As far as i know, you can configure your container (ie Tomcat) to force http authentication for certain urls. Your container will make sure that authentication has taken place. No need to set http headers yourself whatsoever.
Perhaps you can explain a bit better what you are trying to achieve, instead of telling implementation details?
Why css & js files are kept in protected area of server? You need to place files into public area of your server. If you don't have public area, so you nead to prpvide for it. how to do it depends from serverside software architecture & configuration.