Basic HTTP Authentication for REST Server on Drupal 7 - rest

I feel like this might be answered already somewhere, but no one seems to have answered this question directly about Drupal and I'm wondering if that might be making all the difference.
I have setup a vanilla Drupal installation with just the necessary modules to use a REST server to handle Push Notifications. In testing the REST server with the CocoaRestClient (found here http://code.google.com/p/cocoa-rest-client/) I am encountering a problem with Basic HTTP Authentication (Authentication is failing). I have tested with Session Authentication and that works perfectly. My username and password are most certainly correct. The Services basic authentication module doesn't provide much in the way of setup, so what could I be doing wrong?
Modules being used:
Push Notifications
Services
Services basic authentication
REST Server
Drupal 7.22 minimal (vanilla install - no themes or any other fancy modules than the ones listed).

Basic auth enables you to GET, POST, PUT, and DELETE, to your endpoints using a Basic Auth Header. I am not sure if it will do anything for the /login end point. The authorization header should be made up of Basic followed by a based-64 encoded string of 'user:password' (not including the quotes).
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
You can quickly test this using Postman or Fiddler.

you need use the content access to restrict the access. This will require users to provide a login and password.

Related

Bitbucket addon - jwt on redirect

We are developing a BitBucket app and found out that in the PostInstallRedirect we also get the JWT as part of the querystring and we think this is a potential security issue, furthermore - we don’t use it as we already authenticate the jwt in the installation webhook.
Is there a way to remove it or at least move it to the header?

How to configure RedHat APIMan Authorization Policy for unprotected endpoints?

We have installed and configured RedHat APIMan for our working API and the plan is migration form current home-grown tiny gateway to APIMan. The problem is that we have some unprotected endpoints which do not need login (Not everyone role! No login required at all). We are using Keycloak OAuth plugin for roles, and Authorization Policy for API security. When Authorization policy is not added, I can allow unauthenticated requests via a boolean value in Keycloak OAuth policy, but after adding Authorization policy, there is no way to let unauthenticated requests pass!
Kamyar. Apiman developer here.
Please file a feature request for this over at https://github.com/apiman/apiman/issues.
I think what you are trying to do may not currently be possible easily because the authentication policy is expecting a successful auth of some sort before it is hit (to get the roles, etc).
We probably need a slightly more detailed explanation of your use-case, and then we can figure out whether we can support it. It seems like it should be doable without major changes if I understand correctly.
If and when we add support for the specifics of your requirement, I will endeavour to update this ticket.

Use two OIDC Auth flows in parallel in Quarkus

I created a Rest-API and a frontend as a self contained system with Quarkus.
The frontend is served statically.
For Authentication i use a kleycloak server and have nearly the same configuration as in this guide from quarkus.
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
With this config i need to authenticate for the rest-api and the frontend. Thats what i want.
If i try to load the index.html i got redirected to keycloak and back. That works perfectly.
The problem is, that the same thing happens with the rest-api. I got redirected to keycloak with a "302 found"-status code. Here I would like to have an authentication with a bearer token and no redirect. Quarkus has the following configuration for this:
quarkus.oidc.application-type=service
That collides with the configuration for the frontend. Is there a way to use both, one for static files and one for the rest-api?
If I'm not wrong you're looking for a multi-tenant oidc setup(even though you're not designing tenants). The guide and example can be found on the official quarkus website here.
This way you'll have similar setup:
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.oidc.restapi.auth-server-url=http://localhost:8180/auth/your/path
quarkus.oidc.restapi.client-id=backend
quarkus.oidc.restapi.application-type=service
P.S you can replace restapi with more likable name.

accessing keberos enabled Rest service using Karate

I am trying to set up Karate test framework for our new project. We will be enabling Kerberos authentication to our Rest microservices. Can you please tell me if Karate supports Kerberos aunthentication
Most projects are able to call a normal HTTP end-point and get a token from it which will be used as an auth header. So look for the OAuth and header authentication demos / in the documentation.
Otherwise, take a look at this approach: https://stackoverflow.com/a/51150286/143475 - so it is possible for you with a little extra work to call into some .NET code for e.g. which you can design to give you the headers / tokens you need.

Apache Camel HTTPS4 Basic Authentication

Does Camel-Http4 supports Basic Authentication?
Followed this and other posts
Camel http4 download file using Basic authentication over Https
I am using camel 2.17.3 version. using camel-http4 component. The route sends a https4 multipart request to a REST endpoint . The REST service is behind the siteminder. Have truststore/ketstore/cert all setup and it works fine, just sending basic auth is causing trouble.
Using postman i was able to call REST services with basic auth. However, all the calls from camel route fails and get HTTP error 403.
I tried below options to get it working:
Added basic auth to the HttpConfiguration - got HTTP error 401
Added "Authorization" header to the route, as mentioned in the above link - got HTTP error 403
and Added method,user,pass to HTTP_Query - 403 also clear text password is visible in the siteminder logs, this is not good, so dropped trying this option.
please help resolve this issue with some working example and explain the cause.
Is camel dropping http headers?
also i now thinking should I consider using other available components netty/jetty/cxf?? But I prefer getting HTTPs4 working :)
thanks
To help others with an working example, here is how I got it...
1) Check the site-minder policy and also ensure the user have correct permissions for the services.
2) Passing user/password as query parameter isn't safe (at least it wasn't in my case) Clear text password was exposed in site-minder.
3) setting header (Authorization)
apache-camel-basic-http-auth