I have setup my first REST API and I am new to using the Taffy framework.
I have a site which is working on ColdFusion 10, IIS and using ColdBox. I have setup a hello world example in a directory. I am getting // two slashes in the response. Here is an example of the response:
//["hello","world"]
My hello.cfc looks like this:
component extends="taffy.core.resource" taffy_uri="/hello" {
function get(){
return representationOf(['hello','world']);
}
}
My application.cfc looks like this:
<cfcomponent extends="taffy.core.api">
<cfscript>
this.name = hash(getCurrentTemplatePath());
this.mappings["/resources"] = listDeleteAt(cgi.script_name, listLen(cgi.script_name, "/"), "/") & "/resources";
variables.framework = {};
variables.framework.reloadKey = "reload";
variables.framework.reloadPassword = "test";
variables.framework.serializer = "taffy.core.nativeJsonSerializer";
variables.framework.returnExceptionsAsJson = true;
function onApplicationStart(){
return super.onApplicationStart();
}
function onRequestStart(TARGETPATH){
// reload app to make any envoirnmental changes
if(structkeyexists(url,'reloadApp')){
applicationStop();
location('index.cfm');
}
// load Taffy onRequestStart before our stuff
super.onRequestStart();
if (request.taffyReloaded) {
// reload ORM as well
ORMReload();
}
}
function onTaffyRequest(verb, cfc, requestArguments, mimeExt){
return true;
}
function onError(Exception)
{
writeDump(Exception);
abort;
}
</cfscript>
</cfcomponent>
Can anyone tell me where I am going wrong?
Does this have something to do with using ColdBox?
That is coming from a server side setting in the ColdFusion admin, under settings. Prefix serialized JSON with. Beginning with ColdFusion 10 it is enabled by default for security. (I believe the feature was added with ColdFusion 9.) Protects web services, which return JSON data from cross-site scripting attacks by prefixing serialized JSON strings with a custom prefix. You could turn it off there but I do not recommend that. Instead you should handle it with your code.
See this post from Raymond Camden - Handling JSON with prefixes in jQuery and jQueryUI
NOTE: this setting can also be set per-application by setting secureJSON and secureJSONPrefix in your Application.cfc file. See the documentation about that here - Application variables.
secureJSON - A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call.
The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to false). You can override this value in the cffunction tag.
secureJSONPrefix - The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true.
The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to //, the JavaScript comment character).
Related
My server is built on top of Akka HTTP. If I don't set the Server header, the externally configurable default of akka-http/10.1.8 will be automatically added by Akka. I know how to override that with my own server by adding the respondWithHeaders directive around my entire routs tree:
respondWithHeaders(Server(myProductVersion)) {
// my routs here
}
This works as expected; the Server response header now reads my product. What I want though is to include akka's header as well, as I like it and don't mind telling the world about my server stack. Given the signature of the Server.apply method, I should be able to do that like so:
respondWithHeaders(Server(myProductVersion, akkaProductVersion)) {
// my routs here
}
... my problem is that I can't figure out how to get at that akkaProductVersion object!
Try reading akka.http.version configuration property like so
system.settings.config.getString("akka.http.version")
so you could try
Server(
myProductVersion,
system.settings.config.getString("akka.http.version")
)
According to default configuration
# The default value of the `Server` header to produce if no
# explicit `Server`-header was included in a response.
# If this value is the empty string and no header was included in
# the request, no `Server` header will be rendered at all.
server-header = akka-http/${akka.http.version}
We can see how akka-http reads server-header when constructing ServerSettings here:
c.getString("server-header").toOption.map(Server(_)),
I have a REST service in Groovy on Grails; basic service that takes data and transforms it. It works fine except when the data being passed in has forward or back slashes. In those cases the browser tries to navigate to a directory based on the data:
localhost/traverse/map/321 64 fourth <<< this works fine
localhost/traverse/map/321/64/fourth <<< tries to find localhost/traverse/map/321/64/fourth and throws an http status 404
My urlmapping:
"map/$id" (controller: "map", action: "transform", formats=['text/plain'], method: "GET")
My controller. aside from the class declaration and class import nothing else going on:
def transform = {
//println params.id
if (param.id) {
DataMap dm = new DataMap();
render dm.hostNodeLookup(params.id)
}
}
Most of the data that will be passed to the REST service will have slashes and the number of slashes per "data being passed in" will vary from 1-N but I haven't been able to figure out how to escape/parse/other wise get around that issue. I've read up on this site but I didn't find it too helpful for this problem.
I do not have access to the web server to adjust encoding or how browsers render URL mappings and strings. The data doesn't get to the controller so I haven't been able to parse out the strings there. Anyone have ideas?
After reading this post I tried it and it worked like a charm.
In the urlmapping file I added this ** to the id variable:
"map/$id**" (controller: "map", action: "transform", formats=['text/plain'], method: "GET")
I am following the directions in the docs, here:
http://grails.org/doc/2.3.8/guide/webServices.html#hypermedia
Why won't grails produce HAL-formatted output, as shown in the documentation?
I have a domain object which I have mapped with the #Resource annotation:
#Resource(uri='/documentCatalogs', formats = ['json', 'xml'], readOnly = true)
class DocumentCatalog {
String entityType
String actionCode
...
}
...and in my conf/spring/resources.groovy, I have configured the HAL JSON renderer beans:
import com.cscinfo.platform.api.formslibrary.DocumentCatalog
import grails.rest.render.hal.HalJsonCollectionRenderer
import grails.rest.render.hal.HalJsonRenderer
// Place your Spring DSL code here
beans = {
halDocumentCatalogRenderer(HalJsonRenderer, DocumentCatalog)
halDocumentCatalogCollectionRenderer(HalJsonCollectionRenderer, DocumentCatalog)
}
Using the debugger, I confirmed that the initialize() method on HalJsonRenderer is called and that it is constructed with the correct targetType.
I send a rest call using Postman:
http://localhost:8080/formslibrary/documentCatalogs/3
Accept application/hal+json
And I get back a response which is regular JSON and doesn't contain any links:
{
"class": "com.cscinfo.platform.api.formslibrary.DocumentCatalog",
"id": 3,
"actionCode": "WITH",
"entityType": "LLP",
...
}
What did I miss? Is there some plugin or configuration setting I have to enable for this behavior? Is there some additional mapping property somewhere that's not documented?
Figured it out! There are multiple aspects of the fix...
I had to add "hal" as one of the listed formats in the #Resource annotation:
#Resource(uri='/documentCatalogs', formats = ['json', 'xml', 'hal'])
Some hunting around in the debugger revealed that Grails will blithely ignore the Accept header, based on the UserAgent string that is sent from the client. (In my case, since I'm using Postman, it was the Google Chrome UA string.)
One workaround for the Accept header issue is to add ".hal" to the end of the URL:
http://localhost:8080/formslibrary/documentCatalogs/3.hal
This isn't a very good solution IMO, since the HAL URLs generated by the renderer don't end in ".hal" by default.
A better solution is to fix Grails' handling of the accept header by updating the config. In Config.groovy, you will see a line that says:
grails.mime.disable.accept.header.userAgents = ['Gecko', 'WebKit', 'Presto', 'Trident']
Change it to:
grails.mime.disable.accept.header.userAgents = ['None']
This forces Grails to honor the Accept header, regardless of the user agent.
Hope this helps somebody else who's hitting the same issue.
P.S. It's really helpful to put a breakpoint in the ResponseMimeTypesApi#getMimeTypesFormatAware(...) method.
I have a Web API app, initialized thusly:
app.UseCookieAuthentication();
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseOAuthBearerTokens(OAuthOptions);
app.UseGoogleAuthentication();
For calls to most controllers, it works great. However, it also requires a bit of javascript before client-side service calls are made:
function getSecurityHeaders() {
var accessToken = sessionStorage["accessToken"] || localStorage["accessToken"];
if (accessToken) {
return { "Authorization": "Bearer " + accessToken };
}
return {};
}
The problem is that we have a certain type of controller (one that accesses files) where no javascript can be run during the call. For example, the call might be to:
http://mysite/mycontroller/file/filename.jpg
...where the value is assigned as the src attribute of an img tag. The call works, but Thread.CurrentPrincipal.Identity is unauthenticated with a null name, so there's currently not a way to enforce security.
I'm new to Web API, so it may be a dumb question, but what's the way around this? What switches do I need to flip to not require javascript to add security headers? I was considering trying to find a way to force an authorization header in an IAuthorizationFilter or something, but I'm not even sure that would work.
So I figured out the solution to my problem.
First, I needed to configure the app to use an authentication type of external cookies thusly:
//the line below is the one I needed to change
app.UseCookieAuthentication(AuthenticationType = DefaultAuthenticationTypes.ExternalCookie);
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseOAuthBearerTokens(OAuthOptions);
app.UseGoogleAuthentication();
Second, it turned out there was a line of code in my WebApiConfig file that was disabling reading the external cookie:
//this line needed to be removed
//config.SuppressDefaultHostAuthentication();
After that, I could see the external cookie from Google, which passed along an email address I could identify the user with.
ADFS 2.0, WIF (WS-Federation), ASP.NET: There is no http modules or any IdentityFoundation configuration defined in a web.config (like most WIF SDK samples show), instead everything is done via program code manually using WSFederationAuthenticationModule, ServiceConfiguration and SignInRequestMessage classes. I do http redirect to ADFS in a code and it seems to work fine, returning claims and redirecting user back to my web site with serialized claims in http request. So the question is how to parse this request using WIF classes, properties and methods and extract claims values from there? Thanks
Just in case want to share my experience, it might help somebody in the future. Well, solution I finally came to looks like this:
var message = SignInResponseMessage.CreateFromFormPost(Request) as SignInResponseMessage;
var rstr = new WSFederationSerializer().CreateResponse(message, new WSTrustSerializationContext(SecurityTokenHandlerCollectionManager.CreateDefaultSecurityTokenHandlerCollectionManager()));
var issuers = new ConfigurationBasedIssuerNameRegistry();
issuers.AddTrustedIssuer("630AF999EA69AF4917362D30C9EEA00C22D9A343", #"http://MyADFSServer/adfs/services/trust");
var tokenHandler = new Saml11SecurityTokenHandler {CertificateValidator = X509CertificateValidator.None};
var config = new SecurityTokenHandlerConfiguration{
CertificateValidator = X509CertificateValidator.None,
IssuerNameRegistry = issuers};
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("MyUri"));
tokenHandler.Configuration = config;
using(var reader=XmlReader.Create(new StringReader(rstr.RequestedSecurityToken.SecurityTokenXml.OuterXml)))
{
token = tokenHandler.ReadToken(reader);
}
ClaimsIdentityCollection claimsIdentity = tokenHandler.ValidateToken(token);
I found few similar code that uses SecurityTokenServiceConfiguration (it contains token handlers) instead of Saml11SecurityTokenHandler to read and parse token, however it did not work for me because of certificate validation failure. Setting SecurityTokenServiceConfiguration.CertificateValidator to X509CertificateValidator.None did not help coz Security Token Handler classes uses their own handler configuration and ignores STS configuration values, at least if you specify configuration parameters through the code like I did, however it works fine in case configuration is defined in web.config.