The SpringXDTemplate is the SpringXD java client. Build around the REST API it doesn't support Basic Authentication required by the same API:
the REST endpoints will require Basic authentication for access;
Furthermore the RestTemplate used undernet is not accessible cutting the possibility to implement the Basic Auth at lower level.
Perhaps i'm missing something? Advices are suggestions are appreciated!
I don't know this API but looking at javadocs, I see a constructor of template that accepts ClientHttpRequestFactory. So maybe if you try to pass your own implementation that will append HTTP Authorization header with basic authentication when createRequest is invoked, that may solve your problem. Otherwise I don't see other way how to "get into" the process of template.
Related
I'm building a React.js application that will interact with my REST API built in Go.
React will use Javascript Fetch API to send requests to my API.
The problem is I would like to secure my API from being requested from elsewhere. No one should directly be able to access my API either through the URL or through any other client like Postman.
I know what JWT is but this does not solve my problem because anyone can access the token through the browser and then continue to request the API outside the React client using the token.
I have researched extensively but nothing has really fit my description.
Thanks a lot for you help, in advance.
This is an inherently unsolvable problem. React runs on the client. The client controls the code that it executes. Hence, any mechanism you use to restrict the API usage to just your React client will be discoverable and reusable in other client contexts. You cannot control the client, and attempts to do so will be broken if the payoff is valuable enough.
You can attempt to harden it somewhat by using short-term authorization tokens, but there is nothing preventing that token from being grabbed and reused in another context.
If you have to restrict access to an API, you should have a public API which is less dangerous or privileged, and the public API should make use of your private API, effectively proxying the calls to hide the private API, as well as to ensure that only validated queries are executed against the more privileged API.
If you could describe the problem you're trying to mitigate, though, there may be other solutions available.
I am trying to use Dropwizard as a full web server, combining serving public pages, protected pages and data through REST API. So, I am validating the ability to protect some routes by applying a custom authorization scheme based on a computed token and a realm to manage different security areas.
I have difficulties to understand how to achieve the purpose. The sequence I was expecting is the following :
display an HTML login page with a user form
user enters its credentials
call an authenticate route to validate credentials and create a token for the user. Send back a welcome page with an Authorization header like : MyScheme token="TYGDF655HD88D098D0970CUCHD987D897", realm="SUPER SECRET STUFF"
user click a link to list its invoice : /html/invoices
this route is protected by DropWizard #Auth annotation
no header is sent by the browser so the server answer with a 401 response with a header : WWW-Authenticate MyScheme realm="SUPER SECRET STUFF", challenging the browser to give it an authorization header matching the challenge
Unfortunatly, the browser didn't send it this header. According to many articles, I thought browser managed authorization cache for all received credentials, their scheme and parameters (such as realm).
It seems browser have this behavior for well known schemes such as Basic authentication, but not for custom scheme (by the way, it's usually an issue for basic auth since browser can't "logout" a user since he does not erase the web history or close the browser).
How do you think it's possible to tell a browser to cache authorization credentials and to add them each time a server request is challenging it with the right scheme / realm ?
I could display here all the example codes I use to make this example run.
A reference (good to read) : RFC1945 at https://www.rfc-editor.org/rfc/rfc1945#section-11
Thank you for your help.
Running dropWizard 0.9.2 on Jdk Oracle 1.8 / Debian 8.
Browser doesn't manage authorization. It never does, or at least never should.
Server should always keep its cache, and verify input from the browser.
At a basic level, all of the fields you need, are part of the HTTP Header. If you inject the request, you'll have access to them.
If dropwizard doesn't have things you need, you can always ignore everything, and simply read the request headers and do the custom processing you need.
For instance, add a Filter which sets the realm, something like WWW-Authenticate: Basic realm="myrealm:"
Authorization: MyScheme Ceasar-cipher-password. You'll need to parse it and process it yourself, perhaps set up an incoming Filter on all requests, or selective requests.
Is it a good idea, I'll let you be the judge. Perhaps, in your use case it makes sense.
If you have a look at the source code and how the BasicCredentials are used, perhaps, it can provide insight in a potential solution you may adapt yourself.
Hope it helps.
I'm trying to call the SAP BI/BO REStful webservices using basic authentication. I enabled basic authentication in the WACS and tested with this service:
http://host:6405/infostore/16422
This works! I can get the report metadata as either xml or json. However, whenever I try an url with "raylight" in it, I get an authentication problem:
http://host:6405/biprws/raylight/v1/documents/16422/parameters
{
error_code: "1"
message: "No session found in HTTP header X-SAP-LogonToken"
}
Why do some services work with basic authentication and others absolutely require the logontoken? I would like to avoid the logontoken if possible. I tested by logging on with the token and that does work, so it's not like my credentials are wrong.
I suspect you asked the same question on SCN which was answered by one of the SAP developers, Anthony Muller.
He stated that:
Raylight doesn't support basic authentication because it required a
permanent session to work. Internally, we have to manage a "cache" to
support subsequent REST calls and this is not possible using basic
authentication.
I have setup FORM-authentication within web.xml (java-webcontainer) successfully.
I did not find a way to sent the username/password within the get-request of the restful-uri from my client when using FORM-Authentication. So I have to use BASIC-Authentication only for the restful-uri.
So I have this question:
How can I set up both form-based authentication and basic authentication?
Basic authentication should only be enabled for the restful-uri.
I was also facing a similar problem and I realized that if you are using Wildfly then its possible to configure multiple mechanism using web.xml:-
<auth-method>BASIC?silent=true,FORM</auth-method>
Using this silent basic authentication will be tried first, which is basic authentication that only takes effect if an Authorization header is present. If no such header is present then form authentication will be used instead.
Maybe its too late for a reply but I just updated this in case someone finds this useful :P
There were no responses here for a while, so I did a quick servlet refresher myself. Servlet specs indeed allow only one <login-config> element per web application, so there is no way to have an entry point with BASIC authetication for the REST API and another with FORM-based authentication for the UI. The only option is to build them as two independently deployable applications. To avoid code duplication, it might be a good idea just to let the UI application talk to the REST API the same way the third-party clients are supposed to.
I have a scenario where I am trying to combine spring security with jersey for my REST API.
My need is rather complicated (I think) and it is as follows:
Spring security is being used to intercept urls and forcing basic authentication in order to access a REST resource. This seems to be ok as I am using http client to test this.
However what I want to do is somehow access the User object that is loaded to check some additional permissions that hang off the user (a map object with boolean flags to indicate if object properties are visible or not). The code that does the loading works, but after spring authenticates how do I then access the User object in the actual REST Resource method itself?? Is this possible?
So the steps are:
1) Client makes a REST API call
2) Spring intercepts URL checks username and password supplied in the http header
3) The rest resource method is then accessed if valid credentials are present
But before step 3, I want to somehow pass on the loaded User object to the actual Resource method itself so I can further apply some logic to restrict what the user can see based on the permissions that I have loaded??? Is this possible? I think I have seen some code somewhere that checks for User Roles before a method is accessed using Spring and REST but if anyone has any links or ideas that would be excellent.
Please help if you can. thank you so much.
I solved this by using a request-scoped proxy which was constructed by a bean factory.
This allows you to simply inject your currently authenticated user into any spring managed bean, and in my case my Jersey Resources fell into that category. I injected my user into the tier below the resources, but it's all the same.
Someone else elegantly blogged the full solution here.