I need to access an asp page running on 'https' protocol.
I am facing problems at authentication part itself. The response object returns "HTTP/1.1 200 OK" but i am getting redirected to Login page itself.
Following is my code:
public FileDownloadHttpWrapper(String url,String username, String password)
{
SchemeRegistry supportedSchemes = new SchemeRegistry();
supportedSchemes.register(new Scheme("https",
SSLSocketFactory.getSocketFactory(), 443));
// prepare parameters
HttpParams params = new BasicHttpParams();
HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
HttpProtocolParams.setContentCharset(params, "UTF-8");
HttpProtocolParams.setUseExpectContinue(params, true);
ClientConnectionManager ccm = new ThreadSafeClientConnManager(params,supportedSchemes);
mClient = new DefaultHttpClient(ccm,params);
mClient.getCredentialsProvider().setCredentials(
new AuthScope(null,AuthScope.ANY_PORT),
new UsernamePasswordCredentials(username, password)
);
}
private Object getRequest(String url)
{
HttpGet get = new HttpGet("/EvalMuniMKT/mainmenu.asp");
HttpHost target = new HttpHost(url, 443, "https");
try
{
// execute the GET
HttpResponse resp = mClient.execute(target,get);
HttpEntity entity = resp.getEntity();
System.out.println(resp.getStatusLine());
System.out.println(EntityUtils.toString(entity));
}
catch(Exception ex)
{
ex.printStackTrace();
}
finally
{
// release any connection resources used by the method
}
return null;
}
I think the asp site uses form based login (session), not http basic authentication. For that you may need to do login form post and hold cookie in context and pass the context while executing the actual request.
something like :
CookieStore cookieStore = new BasicCookieStore();
// Create local HTTP context
HttpContext localContext = new BasicHttpContext();
// Bind custom cookie store to the local context
localContext.setAttribute(ClientContext.COOKIE_STORE, cookieStore);
hc.execute(httpget, localContext);
Related
We have a registered application in Azure AD and set up client secrets to run it as a daemon app (with no user interaction). We have the API permissions Mail.Send and User.Read admin consented for Microsoft Graph API.
My understanding is to use construct a ConfidentialClientApplication to get an access token for the registered app, by which I can create a GraphServiceClient. Then I can use the client to send email as a user.
But I got the following exception saying there's no permission in the token: (but I did provide a scope for getting permission)
Message: The token contains no permissions, or permissions can not be understood.
Inner error:
AdditionalData:
request-id: omitted-xxxx-xxx-...31c53
date: 2020-03-13T23:41:08
ClientRequestId: omitted-xxxx-xxx-...31c57
at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
at Microsoft.Graph.BaseRequest.SendAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
at GraphCallsFromServiceAccount.MyGraphClient.SendEmail(GraphServiceClient graphClient) in C:\Users\xxxx\source\repos\GraphCallsFromAccount\MyGraphClient.cs:line 109
Relevant Code:
// create a ConfidentialClientApplication:
var app = ConfidentialClientApplicationBuilder.Create(AppClientId)
.WithAuthority(new Uri("https://login.microsoftonline.com/"+ TenantId + "/oauth2/v2.0/token"))
.WithClientSecret(ClientSecretString)
.Build();
var scopes = new string[] { "https://graph.microsoft.com/.default" }; // if changed to "Mail.Send", it throws errors saying invalid scope.
GraphServiceClient graphClient = new GraphServiceClient(
new DelegateAuthenticationProvider(
async (requestMg) =>
{
// add access token to header
var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
requestMg.Headers.Authorization = new AuthenticationHeaderValue("bearer", result.AccessToken);
}));
// send email:
try
{
var toAddress = "john_doe#helloworld.com";
var SenderAddress = "jane_doe#helloworld.com";
var recipient = new Recipient()
{
EmailAddress = new EmailAddress()
{
Name = "John Doe",
Address = toAddress,
}
};
Message email = new Message
{
Body = new ItemBody
{
Content = "<b>hello world</b>",
ContentType = BodyType.Html,
},
Subject = "hello world",
ToRecipients = new List<Recipient>() { recipient },
};
Console.WriteLine("hello 2");
await graphClient.Users["john_doe#helloworld.com"].SendMail(email, false).Request().PostAsync();
}
catch (Exception ex)
{
Console.WriteLine("ex: " + ex);
}
How do I request the correct permissions put in the access token then? Thanks for help
Since you are acquiring a token as an app,
you are most likely not using application permissions.
You cannot use delegated permissions when running as an app,
as those only apply if running in the context of a user.
You'll need to add the Mail.Send application permission on Microsoft Graph API,
and an admin must then consent that.
i'm making a POST request in C# like this:
var request = WebRequest.Create("http://xxx.xxx.xxx.xxx:8080/xxx/obj/data/xxx/commands/GET");
request.ContentType = "application/json";
((HttpWebRequest)request).Accept = "application/json";
request.Headers.Add(HttpRequestHeader.AcceptLanguage, "en");
NetworkCredential myNetworkCredentials = new NetworkCredential("myUser", "MyPass");
CredentialCache myCredentialCache = new CredentialCache
{
{ link, "Basic", myNetworkCredentials }
};
request.Credentials = myCredentialCache;
request.PreAuthenticate = true;
request.Method = "POST";
await request.GetResponseAsync();
When i'm using Postman to check the response, it's all ok, it works every time i send the request.
But programmatically, after 7-8 times, the await request.GetResponseAsync(); is giving me a Exception, "The Operation has timed out".
I don't know how to check this, in postman it's all ok, but in the app it failed after a few test. What can i do?
By default, you have only 10 Connection Limit when you start the App. So you need to setup this in the Uri for your request
ServicePoint sp = ServicePointManager.FindServicePoint(uri);
sp.ConnectionLimit = 1000;
ServicePointManager.DefaultConnectionLimit = 1000;
I have two clients for my SignalR app: Javascript client for web browsers and Android client (Gurgen/SignalR-.net-core-android-client) that use JWT Bearer Authentication.
I added this attribute to my SignalR Hub:
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme + "," + CookieAuthenticationDefaults.AuthenticationScheme)]
public class MyHub : Hub
And my Startup.cs file:
public void ConfigureServices(IServiceCollection services)
{
//…
services.AddAuthentication()
.AddCookie(cfg => cfg.SlidingExpiration = true)
.AddJwtBearer(options =>
{
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidIssuer = Configuration["Tokens:Issuer"],
ValidAudience = Configuration["Tokens:Issuer"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Tokens:Key"]))
};
});
services.AddSignalR();
//…
Android client login successfully with header authentication bearer token. But web client comes failed connecting to the hub (401 Unauthorized).
When I remove [Authorize] attribute the javascript client works!
What is default Javascript SignalR Client AuthenticationScheme? Or what is the issue I made?
I use dotnet core 2.1, Microsoft.AspNetCore.SignalR and my IDE is Visual Studio for Mac.
This is from SignalR docs:
In standard web APIs, bearer tokens are sent in an HTTP header. However, SignalR is unable to set these headers in browsers when using some transports. When using WebSockets and Server-Sent Events, the token is transmitted as a query string parameter.
services.AddAuthentication(options =>
{
// ...
})
.AddJwtBearer(options =>
{
// ...
// We have to hook the OnMessageReceived event in order to
// allow the JWT authentication handler to read the access
// token from the query string when a WebSocket or
// Server-Sent Events request comes in.
// Sending the access token in the query string is required due to
// a limitation in Browser APIs. We restrict it to only calls to the
// SignalR hub in this code.
// See https://learn.microsoft.com/aspnet/core/signalr/security#access-token-logging
// for more information about security considerations when using
// the query string to transmit the access token.
options.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
var accessToken = context.Request.Query["access_token"];
// If the request is for our hub...
var path = context.HttpContext.Request.Path;
if (!string.IsNullOrEmpty(accessToken) &&
(path.StartsWithSegments("/hubs/chat")))
{
// Read the token out of the query string
context.Token = accessToken;
}
return Task.CompletedTask;
}
};
});
I'm trying to implement integration test using RestAssured library and Spring MVC REST oAuth2 secured endpoint.
This is my test:
#Test
public void testCreateDecision() throws Exception {
File createDecisionJsonFile = ResourceUtils.getFile(getClass().getResource("/json/decisions/create-decision.json"));
// #formatter:off
final String createDecisionRequest = FileUtils.readFileToString(createDecisionJsonFile)
.replace("{{name}}", "Test decision name")
.replace("{{description}}", "Test decision description");
// #formatter:on
String accessToken = getAccessToken("user", "user");
// #formatter:off
given()
.auth()
.oauth2(accessToken, OAuthSignature.HEADER)
.body(createDecisionRequest)
.contentType("application/json; charset=UTF-8")
.when()
.post(format("http://localhost:%d/api/v1.0/decisions/create", port))
.then()
.statusCode(200)
.contentType(ContentType.JSON)
.body("id", notNullValue())
.body("createDate", notNullValue());
// #formatter:on
}
The accessToken is valid but I'm continuously getting 401 http code.
What could be wrong with my code ?
I know this is an old post, but just wanted to document this in case someone else needed the answer.
I was able to implement using the following format:
First retrieve the token (in my case I did not store user tokens, jut got them before each test)
// we need to get the oauth token before we can perform the request
private void authenticateUser(String username, String password) {
String response =
given()
.parameters("username", username, "password", password,
"grant_type", "password", "scope", "read write",
"client_id", "clientapp", "client_secret", "123456")
.auth()
.preemptive()
.basic("clientapp","123456")
.when()
.post("/oauth/token")
.asString();
JsonPath jsonPath = new JsonPath(response);
accessToken = jsonPath.getString("access_token");
}
And them on the test I used the retrieved token:
#Test
public void testGetUserDefaultUserOwner() {
authenticateUser(testData.user1.getLogin(), "1");
User user =
given()
.auth().oauth2(accessToken)
.contentType(ContentType.JSON)
.accept(ContentType.JSON)
.expect()
.log().all()
.statusCode(HttpStatus.OK.value())
.when()
.get(USER_RESOURCE, testData.user1.getId())
.as(User.class);
assertThat(user).isEqualTo(testData.user1);
}
I am using Restassured and AssertJ for the tests, and SpringBoot with OAuth2 for the Rest APIs.
I have reimplemented my test using OAuth2RestTemplate:
ResourceOwnerPasswordResourceDetails resourceDetails = new ResourceOwnerPasswordResourceDetails();
resourceDetails.setUsername("user");
resourceDetails.setPassword("user");
resourceDetails.setAccessTokenUri(format("http://localhost:%d/oauth/token", port));
resourceDetails.setClientId("clientapp");
resourceDetails.setClientSecret("123456");
resourceDetails.setGrantType("password");
resourceDetails.setScope(asList("read", "write"));
DefaultOAuth2ClientContext clientContext = new DefaultOAuth2ClientContext();
OAuth2RestTemplate auth2RestTemplate = new OAuth2RestTemplate(resourceDetails, clientContext);
auth2RestTemplate.setMessageConverters(asList(new MappingJackson2HttpMessageConverter()));
Assert.assertNotNull(auth2RestTemplate.getAccessToken());
DecisionRequest decisionRequest = new DecisionRequest(name, description, parentDecisionId);
auth2RestTemplate.postForObject(format("http://localhost:%d/api/v1.0/decisions/create", port), decisionRequest, Decision.class);
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved here.</p>
</body></html>
I'm using Grails version 2.4.3 . I am creating an application that supports RESTful APIs. Since access to these APIs should be authenticated , I tried out the Spring Security REST plugin. I checked out this example and what I could understand is , the /api/login controller is the authentication point which receives the user credentials in JSON format and after successful authentication it provides the acces token as response. I tried sending a POST request to /api/login/ with valid JSON data using the POSTMAN Rest Client. But it gives me the following error.
401 Unauthorized , Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.
I also tried using IntellijIDEA's REST Client but doesn't work.
Then i tried by sending AJAX Request to /api/login/ with valid JSON data
, but getting 401 on console. What is the problem here? Is this the correct login end point? How can i get authenticated using JQuery?
Try this
$.ajax({
url: " http://localhost:8080/AppName/api/login",
type: "POST",
crossDomain: true,
data: JSON.stringify({"username":"yourusername" , "password":"yourpassword"}),
contentType: 'application/json; charset=utf-8',
dataType: "json",
success: function (response) {
console.log(response);
},
error: function (xhr, status) {
alert("error");
}
}) });
You can try this code for authentication,I am sending user id and password in request header you can try as you wish :-
inject following services:-
def springSecurityService
def authenticationManager
and use following code
def login = {
final String authorization = request.getHeader("Authorization");
if (authorization != null && authorization.startsWith("Basic")) {
boolean authResult = authenticateUser(authorization)
if (authResult) {
render response.status
} else {
render authFailed(response)
}
} else {
render authFailed(response)
}
}
protected boolean authenticateUser(String authorization) {
// Authorization: Basic base64credentials
def base64Credentials = authorization.substring("Basic".length()).trim();
byte[] credentials = base64Credentials.decodeBase64()
String actualCredential = new String(credentials)
// credentials format like username:password
final String[] values = actualCredential.split(":", 2);
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(values[0], values[1]);
try {
def authentication = authenticationManager.authenticate(authRequest);
def securityContext = SecurityContextHolder.getContext();
securityContext.setAuthentication(authentication);
def session = request.session;
session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);
}
catch (BadCredentialsException exception) {
return false
}
return true
}
protected HttpServletResponse authFailedResponse(HttpServletResponse response) {
response.setStatus(401)
response.setHeader("WWW-Authenticate", "Basic realm=\"nmrs_m7VKmomQ2YM3:\"")
return response;
}