I wrote a simple application to test a RESTful API (provided by an accounting application). I have installed "Poster" in Firefox to test "GET and POST" XML and the API is behaving as it should. I wrote a simple "GET" test page to call the API from within the test CF8 application and the API returned the results I expected. I cannot POST from within the test CF8 application.
I have inserted the following into my application.cfm:
<!--- fix for HTTPS connection failures --->
<cfif NOT isDefined("Application.sslfix")>
<cfset objSecurity = createObject("java", "java.security.Security") />
<cfset objSecurity.removeProvider("JsafeJCE") />
<cfset Application.sslfix = true />
</cfif>
This is the code that is failing:
<cfprocessingdirective suppressWhiteSpace = "Yes">
<cfxml variable="customerxml">
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<dataentry>
<interface name="Customer Edit"></interface>
<entity>
<attribute name="Customer Code">REP003</attribute>
<attribute name="Customer Name">Repsol3</attribute>
<attribute name="Address Line 1">El House</attribute>
<attribute name="Address Line 2">El Street</attribute>
<attribute name="Address Line 3">El Town</attribute>
</entity>
</dataentry>
</cfxml>
</cfprocessingdirective>
<cfhttp
method="post"
url="https://***/wsapi/1.1/dataentry/"
username="***"
password="***"
charset="utf-8">
<cfhttpparam type="header" name="Accept-Encoding" value="*" />
<cfhttpparam type="header" name="TE" value="deflate;q=0" />
<cfhttpparam type="header" name="Content-Type" value="application/xml" />
<cfhttpparam name="XML_Test" type="xml" value="#customerxml#">
</cfhttp>
There's a lot published on this topic and I have tried most things but some of the posts are about even older CF versions than mine! Any up-to-date help appreciated.
From the comments
The first thing that I try when receiving a connection failure using <cfhttp> is to verify that you can navigate to the URL using a browser from your ColdFusion server. If that request does not work then it will not work from the ColdFusion call either. Get that issue resolved first before proceeding.
Another common issue when connecting to secure sites using SSL (HTTPS) is that the certificate is not trusted or not known to ColdFusion (Java). In these cases you need to import their certificate into the Java keystore that is in use for ColdFusion.
Here are great step-by-step instructions on how to install self-signed certs or other SSL certs that the Java library does not have installed.
http://www.coldfusioncookbook.com/entries/How-Do-I-Consume-SSL-Encrypted-Content-with-CFHTTP.html
Has helped me out a 1000 times.
Matt
Related
I'm working on developing an XMPP Client communicating over an ejabberd community server (version 17.09) that we host ourselves.
I'm having trouble to implement the MucSub Feature (supported since version 16.08 as far as I know).
When I'm sending this XML command (described in the ejabberd documentation for subscribing to a chatroom):
<iq from='hag66@shakespeare.example'
to='coven@muc.shakespeare.example'
type='set'
id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<subscribe xmlns='urn:xmpp:mucsub:0'
nick='mynick'
password='roompassword'>
<event node='urn:xmpp:mucsub:nodes:messages' />
<event node='urn:xmpp:mucsub:nodes:affiliations' />
<event node='urn:xmpp:mucsub:nodes:subject' />
<event node='urn:xmpp:mucsub:nodes:config' />
</subscribe>
</iq>
(of course entering existing jid's for this server, allow_subscription set to true for this chatroom) I get the result:
<iq xml:lang='de'
to='hag66@shakespeare.example'
from='coven@muc.shakespeare.example'
type='error' id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<subscribe xmlns='urn:xmpp:mucsub:0' nick='mynick'>
<event node='urn:xmpp:mucsub:nodes:messages'/>
<event node='urn:xmpp:mucsub:nodes:affiliations'/>
<event node='urn:xmpp:mucsub:nodes:subject'/>
<event node='urn:xmpp:mucsub:nodes:config'/>
</subscribe>
<error code='503' type='cancel'>
<service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<text xml:lang='de' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>No module is handling this query</text>
</error>
</iq>
When I alter the query to:
<iq from='hag66@shakespeare.example'
to='coven@muc.shakespeare.example'
type='set'
id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<subscribe xmlns='urn:xmpp:mucsub:0'
nick='mynick'
password='roompassword'>
<event xmlns="http://jabber.org/protocol/pubsub#event" node="urn:xmpp:mucsub:nodes:messages" />
<event xmlns="http://jabber.org/protocol/pubsub#event" node="urn:xmpp:mucsub:nodes:affiliations" />
<event xmlns="http://jabber.org/protocol/pubsub#event" node="urn:xmpp:mucsub:nodes:subject" />
<event xmlns="http://jabber.org/protocol/pubsub#event" node="urn:xmpp:mucsub:nodes:config" />
</subscribe>
</iq>
I get the result:
<iq xmlns="jabber:client"
to="hag66@shakespeare.example"
xml:lang="en"
type="result"
from="coven@muc.shakespeare.example"
id="agsXMPP_8">
<subscribe xmlns="urn:xmpp:mucsub:0" nick="mynick" />
</iq>
which I interpret as the query being successful. Also, when I query the chatrooms this user is subscribed to, the chatroom is listed.
My problem now is: no matter which of these methods I use, the user does not get notifications for messages in that chat if he is not present in exactly this chatroom.
Now the strangest thing is: if I get DiscoInfo from the server the MucSub Feature (urn:xmpp:mucsub:0) is not listed, which I don't understand as the Feature is supported by the server version I'm using and according to the documentation is enabled by default and can't even be disabled.
Has anyone experienced the same issue and/or knows how to resolve it?
Thanks in advance for your help
So finally we found the issue:
Instead of sending the request to "coven@muc.shakespeare.example" we were sending it to "coven@shakespeare.example", which didn't work, and which we forgot to change in the question's text.
I have made a REST service that receives a ZIP file, processes it, checks some stuff, and returns an ID. This works fine for smaller ZIP files, but when sending larger files (currently testing with 17 Mb), and the processing takes longer, the service returns "502 Bad gateway - Web server received an invalid response while acting as a gateway or proxy server".
I have tried to change all the variables I could find in the web config:
<binding name="webHttpTransportSecurity" maxReceivedMessageSize="163840000" maxBufferSize="163840000" closeTimeout="04:00:00" openTimeout="04:00:00" receiveTimeout="04:00:00" sendTimeout="04:00:00">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
</binding>
<requestFiltering>
<requestLimits maxAllowedContentLength="2147483648" />
</requestFiltering>
<httpRuntime maxRequestLength="2147483647" enable="true" requestLengthDiskThreshold="10240" useFullyQualifiedRedirectUrl="true" executionTimeout="1000" appRequestQueueLimit="4000000" />
<serviceBehaviors>
<behavior>
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</serviceBehaviors>
Anyone have any idea how to make this work with bigger files? Where is this restriction, in IIS or something?
UPDATE: My code on the server continues to run in the background and receives the whole file even though the caller of the service gets 'bad gateway'. So this is a 'false' 502.
For well over a year I've been running the same code to generate subscribe buttons using the BMCreateButton NVP API. For some reason, this recently stopped working. Here is my current HTTP request, written in ColdFusion. request.setup.paypal references a structure of settings, request.user is an object that defines a user session.
<cfset buttonvars = [
'item_name=Membership',
'src=1',
'currency_code=USD',
'no_note=1',
'no_shipping=1',
'rm=0',
'return=#request.setup.paypal('return')#',
'cancel_return=#request.setup.paypal('cancel_return')#',
'notify_url=#request.setup.paypal('notify_url')#',
'custom=#request.user.getUserID()#'
] />
<cfhttp method="post" url="#request.setup.paypal('host')#">
<cfhttpparam type="formfield" name="USER" value="#request.setup.paypal('user')#" />
<cfhttpparam type="formfield" name="PWD" value="#request.setup.paypal('pwd')#" />
<cfhttpparam type="formfield" name="SIGNATURE" value="#request.setup.paypal('signature')#" />
<cfhttpparam type="formfield" name="VERSION" value="65.2" />
<cfhttpparam type="formfield" name="METHOD" value="BMCreateButton" />
<cfhttpparam type="formfield" name="BUTTONTYPE" value="SUBSCRIBE" />
<cfhttpparam type="formfield" name="BUTTONSUBTYPE" value="SERVICES" />
<cfhttpparam type="formfield" name="BUTTONCODE" value="CLEARTEXT" /> <!--- CLEARTEXT, ENCRYPTED --->
<cfhttpparam type="formfield" name="OPTION0NAME" value="Membership Duration" />
<cfhttpparam type="formfield" name="L_OPTION0SELECT0" value="Monthly Membership" />
<cfhttpparam type="formfield" name="L_OPTION0PRICE0" value="20.00" />
<cfhttpparam type="formfield" name="L_OPTION0BILLINGPERIOD0" value="Month" />
<cfhttpparam type="formfield" name="L_OPTION0SELECT1" value="Annual Membership" />
<cfhttpparam type="formfield" name="L_OPTION0PRICE1" value="200.00" />
<cfhttpparam type="formfield" name="L_OPTION0BILLINGPERIOD1" value="Year" />
<cfloop from="1" to="#arrayLen(buttonvars)#" index="buttonvar">
<cfhttpparam type="formfield" name="L_BUTTONVAR#buttonvar-1#" value="#buttonvars[buttonvar]#" />
</cfloop>
</cfhttp>
When I make this request I receive a failure response back saying "You must specify valid values for the A3, P3, and T3 parameters for a subscription button." This clearly corresponds with the API documentation here:
https://developer.paypal.com/webapps/developer/docs/classic/paypal-payments-standard/integration-guide/Appx_websitestandard_htmlvariables/#id08A6HI00JQU
The documentation clearly states those values are required. This wasn't necessary before, the fact that I was specifying options for some reason I assume overrode this. That is no longer the case however. So I've attempted to add A3, P3 and T3 HTML variables and then received this error: "You can't specify A3/P3/T3 and Option selection for Subscriptions." At that point, I tried removing the option formfields and was able to generate a subscribe button but without the pulldown menu, as expected. I followed up by trying to create an option field by using HTML variables on0, os0, option_select0 and option_amount0 but this had no effect, I saw the same button without the pulldown menu.
So how does one generate a Subscribe button with an option pulldown menu using the BMCreateButton NVP API? I have tried creating one using the button manager without a problem, however I need to pass a custom field and wish to do so with an encrypted button. Right now my example above is using CLEARTEXT just for debugging. Is this possible any more?
I have a J2EE web application using Spring Web Flow and Spring Security. I want to redirect the user to a page (maybe an error page) if the user's role has no access to the page being accessed, because currently I get the error
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.
How do I do this redirection? I tried the access-denied-page attribute of security:http but I still get the error. Here's my configuration for security-http.
By the way, I am using Spring Faces and Facelets. Could this have been the cause of the problem?
<!-- Configure Spring Security -->
<security:http auto-config="true" access-denied-page="/deniedpage.xhtml"
session-fixation-protection="newSession">
<security:intercept-url pattern="/main.do"
access="ROLE_SUPERVISOR, ROLE_USER" />
<security:intercept-url pattern="/logoutSuccess.do"
access="ROLE_SUPERVISOR, ROLE_USER" />
<security:intercept-url pattern="/edit.do"
access="ROLE_SUPERVISOR" />
<security:intercept-url pattern="/register.do"
access="ROLE_SUPERVISOR" />
<security:intercept-url pattern="/admin_main.do"
access="ROLE_SUPERVISOR" />
<security:intercept-url pattern="/*"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:form-login login-page="/loginForm.do"
default-target-url="/main.do" authentication-failure-url="/loginForm.do?login_error=1" />
<security:logout logout-url="/logout.do"
invalidate-session="true" logout-success-url="/logoutSuccess.do" />
<security:concurrent-session-control
max-sessions="-1" exception-if-maximum-exceeded="true" expired-url="/loginform.do" />
</security:http>
The access-denied-page attribute of security:http should be enough, show us the Spring configuration you are using.
In the meantime try adding this to web.xml:
<error-page>
<error-code>404</error-code>
<location>/notfound.jsp</location>
</error-page>
How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?
In the <system.web> element, add the following element:
<httpCookies requireSSL="true" />
However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.
In that case, you need to add the requireSSL="true" attribute to the forms element as well.
So you will end up with:
<system.web>
<authentication mode="Forms">
<forms requireSSL="true">
<!-- forms content -->
</forms>
</authentication>
</system.web>
See here and here for MSDN documentation of these elements.
There are two ways: the httpCookies element in web.config allows you to turn on requireSSL, which transmits all cookies, including the session cookie, over SSL only; the other is inside forms authentication. But if you turn on SSL on httpCookies you must also turn it on inside the forms configuration too.
Edit for clarity:
Put this in <system.web>
<httpCookies requireSSL="true" />
Things get messy quickly if you are talking about checked-in code in an enterprise environment. We've found that the best approach is to have the web.Release.config contain the following:
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
<authentication>
<forms xdt:Transform="Replace" timeout="20" requireSSL="true" />
</authentication>
</system.web>
That way, developers are not affected (running in Debug), and only servers that get Release builds are requiring cookies to be SSL.
Building upon @Mark D's answer I would use web.config transforms to set all the various cookies to Secure. This includes setting anonymousIdentification cookieRequireSSL and httpCookies requireSSL.
To that end you'd setup your web.Release.config as:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
<httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
<anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
</system.web>
</configuration>
If you're using Roles and Forms Authentication with the ASP.NET Membership Provider (I know, it's ancient) you'll also want to set the roleManager cookieRequireSSL and the forms requireSSL attributes as secure too. If so, your web.release.config might look like this (included above plus new tags for membership API):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
<httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
<anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
<roleManager xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
<authentication>
<forms xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
</authentication>
</system.web>
</configuration>
Background on web.config transforms here: http://go.microsoft.com/fwlink/?LinkId=125889
Obviously this goes beyond the original question of the OP but if you don't set them all to secure you can expect that a security scanning tool will notice and you'll see red flags appear on the report. Ask me how I know. :)
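A check for the settings discussed in these answers, as an added example (not code from any of the posts): it parses a deployed web.config, meaning the file after the Release transform has been applied, and reports each cookie-issuing element that leaves the Secure flag off. The function name and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# (path under <system.web>, attribute that turns on Secure, element must exist?)
# httpCookies must exist because its requireSSL default is false; the others
# only matter when the feature is configured at all.
CHECKS = [
    ("httpCookies", "requireSSL", True),
    ("authentication/forms", "requireSSL", False),
    ("anonymousIdentification", "cookieRequireSSL", False),
    ("roleManager", "cookieRequireSSL", False),
]

def audit_cookie_security(config_xml):
    """Return (element path, problem) pairs for cookies that may travel over HTTP."""
    system_web = ET.fromstring(config_xml).find("system.web")
    if system_web is None:
        return [("system.web", "section not found")]
    findings = []
    for path, attr, required in CHECKS:
        elem = system_web.find(path)
        if elem is None:
            if required:
                findings.append((path, f"element missing, {attr} defaults to false"))
        elif elem.get(attr) != "true":
            # Covers both an absent attribute and an explicit "false".
            findings.append((path, f'{attr} is not "true"'))
    return findings

# Constructed sample: httpCookies is set, but <forms> lacks requireSSL and so
# overrides it for the forms-authentication cookie, as the first answer notes.
WEAK_CONFIG = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" />
    </authentication>
    <roleManager enabled="true" cookieRequireSSL="false" />
  </system.web>
</configuration>"""

# Constructed sample: every cookie-issuing element sets its Secure attribute.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <anonymousIdentification enabled="true" cookieRequireSSL="true" />
    <roleManager enabled="true" cookieRequireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_cookie_security(cfg))
```

Run it against the published web.config rather than web.Release.config, since the transform file only contains the attributes to be merged.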
secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.