Cannot preserve POST request in PingAccess - single-sign-on

I am getting this error when trying to authenticate to my application.
Log extract: level":"ERROR","message":"Cannot preserve POST request with content type 'application/json; charset=UTF-8' (only 'application/x-www-form-urlencoded' is supported)
My question: Is there a way to configure PingFederate, so it can handle POST requests?

That's not a PingFederate error, that's a PingAccess error.
This issue is typically seen on AJAX requests from a Single Page Application, where that Application definition in PingAccess has not been appropriately defined as "Web+API" with the "SPA Support" box checked. It happens when the PingAccess web session has expired, and the application tries to POST an update to the backend.
It must be understood, however, that the application will need to be coded so that it either handles the 401 or follows the 302 redirect that it gets back, once you add SPA Support.

Related

Swagger Inspector version of C# call failing when using token

I have the following code:
string tokenValue = "221e0a91-6530-4790-a969-d1da75b0afd2";
// Configure httpClient to use the above token.
httpClient.DefaultRequestHeaders.Add("token", tokenValue);
The subsequent calls (HEAD, POST, GET) all work fine.
When I try to do the same thing using Swagger Inspector, it fails. I am able to get a token using Swagger Inspector site, and I place the token into a HEAD call as follows:
But as I said, the call fails, with "Authorization has been denied for this request." message returned as an XML file.
I also tried the two other options available on the same page: Basic Authentication, and OAuth 2.0/JWT, all with HTTPS. They all fail.
How can I go about understanding why it's failing?
Also: Is what I am using above called "Bearer Authentication"?
I have below 2 things to mention from your screenshot:
Response for HEAD method never contains the response body, it always contains the response headers
for more details of HEAD: HEAD Request
But in your case response-body is also present (maybe of CML content type).
You should use OAuth 2.0/JWT option on the same page to pass the token along with your request.
To answer your question related to Bearer Authentication:
No, the one you are trying to use is not at all Bearer Authentication.
In your case, "token" will be considered as Custom/User HTTP Header.

Ajax call to Zomato API is not working

I am trying to access zomato api.
URL: https://developers.zomato.com/api/v2.1/categories
Headers: 'X-Zomato-API-Key':'myapikeyhere-763demoapi434'
If I use chrome's postman extension or curl then I can access the url & getting 200 status code.
But if I run it through my angular2 app or simple ajax, it is giving error at preflight OPTIONS request, error code is 501. I have tried otherways too, error is same. Need help
Zomato API's can only be accessed from server to server calls, the error message you have reported is a security policy implemented by Chrome to prevent cross site request forgery on the client side.
A way you can get around this is to write a handler on your server end to make handler which the ajax call will use, this handler in-turn makes a request to the Zomato's server to retrieve the data required.

Neo4j REST API Get request from browser vs Get method from REST Client

Neo4j API url is: http://localhost:7474/db/data
When I use Chrome visiting this url, which is a GET request. This is the response I got
But when I use the restful client such as POSTMAN to make a g request.
This is the response I got.
My questions are
Both are GET request to the same url. Why Chrome browsing get a html page in return but Postman Request get JSON Response in return.
How Neo4j does that?
Is Neo4j using user agent detection, and if it is a browser visiting, it will give HTML page as response. And if it is a rest client request, it will give json response?
Thanks!
They use media type negotiation header. For example when requesting this site my browser sends a header like that:
Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
As you can see it accepts primarily html, if that's not available then xhtml, then pure xml, and if that's not available - it accepts whatever the server can throw at it. Neo4j's website tries to serve content in that order. Postman likely just specifies application/json, or nothing at all (the application determines the default media type then), hence the response.

How to capture redirect response header

I am trying to record a simple login and logout flow for a .Net application. After I submit the login credentials the welcome page's URL has a large alpha numeric number. This number is required to continue to the next steps.
On Fiddler I have noticed that the login credential submission request results in a 302 response and this response contain an a=129characterstring that i need in my subsequent requests.
On JMeter I have added a recording controller and on the HTTP(S) Test Script Recorder I have Follow Redirects and Use KeepAlive checked (See below screenshot)
I have also recorded with Follow Redirects unchecked and different options for Grouping and HTTP Sampler Settings.
But with none of them I am able to record/capture the 302 response that i see on fiddler. Instead the login credential submission request always returns a 200 response, even if the login fails.
It is not as if that JMeter is not recording redirect requests, further down the scenario flow I have another redirect request which is captured.
I can't be the only one who is/has faced this problem. Does anyone have any suggestions on what I should be doing differently to get the 302 response?
To do this:
Record with default options, the redirect Http Request triggered by 302 will be disabled by default.
Then you will need after this to uncheck "Follow Redirect" in the first one, and add a Regular Expression Post Processor to extract the data you want.
Then enable the commented second request and inject the extracted variable.

Handling HTTP 302 error and redirecting in Backbone.JS "sync" method

I've got a secured Backbone.js app (that uses Spring security atm.), so a logged-in user must have a valid session-cookie (JSESSIONID). Now, if this session is invalidated (deleted, expired, whatever) and the user attempts to make a request, Spring security will return a 302 Error as an attempt to redirect the user to a login-form.
As is explained in this answer, this 302 response gets handled by the browser (it doesn't reach my app) so what is returned to my app is a 200 OK response with contenttype="text/html" (containing the login form).
Thats an issue, because when my Backbone model attempts to do a sync to a url, it expects JSON. If this sync happens without a valid session, the 200 "text/html" response is returned when "application/json" is expected, giving me a JSON parse error in jQuery.extend.parseJSON.
With great help from this question/answer, I've overridden the Backbone.sync method in order to use my own error handling. However, since the 302 never reaches my error handler I cannot override the redirect myself.
My situation is very similar to this question, however a final solution to the problem was never posted. Could someone please help me figure out the ideal way to ensure a redirect to the login page happens?
Instead of returning the login page with HTTP 200 OK, you should configure Spring Security to return HTTP 401 Unauthorized for unauthenticated AJAX requests. You can detect an AJAX request (as opposed to a normal page request) by checking for the X-Requested-With: XMLHttpRequest request header.
You can use the global $.ajaxError handler to check for 401 errors and redirect to the login page there.
This is how we've implemented it and it works nicely. I'm not a Spring guy, though, so I can't really help with the Spring Security configuration.
EDIT. Instead of custom coockie it will be better to use solution provided by #fencliff.
I think you can use some other field of XHR to detect this situation. A special coockie may do the trick.
You can define your own authentication failure handler from Spring Security side. At the moment when redirect to login page occurs you will be able to add some coockie to HttpServletResponse. Your custom Backbone.sync method will check this cookie. If it is present, it will launch your custom handler for this case (do not forget remove the coockie at the same time).
<sec:http ... >
<sec:form-login login-page='/login.html' authentication-failure-handler-ref="customAuthenticationFailureHandler" />
</sec:http>
<bean id="customAuthenticationFailureHandler" class="com.domain.CustomAuthenticationFailureHandler" />
CustomAuthenticationFailureHandler must implement org.springframework.security.web.authentication.AuthenticationFailureHandler interface. You can add your coockie and then call default SimpleUrlAuthenticationFailureHandler.onAuthenticationFailure(...) implementation.