import requests
params = {
'apiKey': 'hidden',
'author_id': '36573126000'
}
def main():
r = requests.get('https://api.elsevier.com/content/author', params=params)
print(r.text)
main()
I'm unable to communicate with the API, as it's returning the following error:
<service-error><status><statusCode>AUTHORIZATION_ERROR</statusCode><statusText>The requestor is not authorized to access the requested view or fields of the resource</statusText></status></service-error>
What is / are the issue(s), and how can I resolve this?
There can be two issues that can cause this:
Your API Key does not have the correct level of entitlement to access that resource
You are attempting to access this resource outside of your institutional network and will need an Institutional Token to enable this.
Both can be resolved by contacting Elsevier Support at the following form:
https://service.elsevier.com/app/contact/supporthub/researchproductsapis/
This issue is usually because your current connection/IP is not the same as the one you used to create your Scopus Account; which is usually the Institutional Connection that has been granted access to Scopus.
So if there is a need to access Scopus outside that specific IP (institutional IP), then you need to setup a remote VPN proxy for yourself or Inst tokens might work as well.
Read below for clarity:
The Scopus API recognizes you as a member of your institution via IP
range. For working remotely, Scopus can also grant InstTokens. Thus
one of three things needs to happen:
You are in your instition’s network
You use your instition’s VPN
You use an InstToken
Option 1 is easy and the most common.
Option 2 might require you to additionally set a proxy. You can do so
in the configuration file.
Option 3 is rare. If you have an InstToken, please provide it during
the setup. Alternatively, add it
to the configuration file manually. You may also set the InstToken via
insttoken=”XYZ” in any class. This is the preferred solution if you
possess multiple keys.
Please Note: These suggestions are listed under pybliometrics python wrapper class documentation. However, this issue of accessing Scopus API must be the same regardless of the language and these suggestions might work.
Related
I've got a problem with signing in using near-js. I just call wallet.requestSignIn and it works but always I see that application request Limited access. There is nothing about Limited and Full access in documentation so I just guess that I should do something to request Full access
In order to keep your wallet secure, a web app signing in to NEAR should not request full access keys.
Instead you ask for an access key to the smart contract your web app is going to use, and you can also specify which method names on the contract that should be allowed calling ( see the methodNames property of the SigninOptions )
My webapp has means of abuse, users can access things they're not supposed to, such as 127.0.0.1/users/1 & 127.0.0.1/users/2 & 127.0.0.1/users/3 and so on, within these it reveals the user's registration email, ip, etc (via JSON, so the web server can return customized messages, greetings, and allow users to edit account data within profile settings)
This is what my route looks like:
forum.GET("/users/:user_id", routeFunc(UsersGET))
I'm using Gin-Gonic HTTP framework to create a dummy forum, can someone tell me how to stop users from accessing the /users/ route whilst allowing the actual web server to use freely? and maybe link me to the correct direction. Thanks!
(The server uses it to return things like, Welcome Back, USERNAME).
You need to add authentication and authorization to your server.
Authentication is where a user will prove their identity to you by means of a shared secret (like a password hash) and authorization is where you check if that authenticated user is allowed to take the action they are trying to make.
There are many third party services that might help you with this (e.g. Auth0) where they can handle authentication for you and provide you with libraries for authorization.
Usually people bind authentication into their Gin-Gonic server by means of middleware (e.g. gin-jwt) which is run in front of every http request. Once that middleware authenticates the user, you can add some logic to your handle that states only users can only view themselves.
Hope this helps. Good luck.
Here is my problem:
Context :
-Windows Server 2012 with ActiveDirectory
-Tomcat
-Rest API (Spring)
I'm currently trying to restrict REST request. I want that only specific groups of the AD could access to specific resources. I'm restricted to Kerberos authentication.
System configuration
Create a user in domain "Tomcat"
setspn -a HTTP/apirest.domain#DOMAIN
Generate a tomcat.keytab using ktpass
API rest configuration
I'm using the spring security sample on github that you can find here :
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth
I know that there is an EntryPoint and this is not needed in my context (API Rest). I've chosen this sample because it seems to use the windows authentication context and use it to automatically authenticate me in the spring security context. Right after, an ldap request is send to extract all information about the user logged. In my case, I need to extract the group.
I'm also using :
https://github.com/GyllingSW/kerberos-demo
To extract the role of the user with the class "RoleStrippingLdapUserDetailsMapper.java" instead of the "ActiveDirectoryLdapAuthoritiesPopulator". This implementation also offers localhost authentication but the issue with the NTLM token seems to be fixed in last commit of spring security.
I'm not really sure if this is the right way to do what I want.
My authentication seems to fail and I only have one things going wrong in my logs..
"Property 'userDn' not set - anonymous context will be used for read-write operations"
Questions
Do I have to run my tomcat service using the tomcat account ? (Seems to be, yes)
Am I doing the right things with Kerberos security ?
How can I get rid of the anonymous context?
The anonymous context seems to be set just right after Tomcat start. I want to get a context just after that my user (For instance, user1) requests the rest API (EntryPoint or whatever)
If there is something unclear let me know, I will try to reformulate!
Thanks,
You do not need to query LDAP to get information about which groups does user belong to. Active Directory already adds this information to the Kerberos ticket which is sent from browser to Tomcat.
You just need to extract this information from the token for example using Kerb4J library. It comes with Spring integration inspired by spring-security-kerberos project so it should be pretty easy to switch to it.
If you still want to query LDAP you need to authenticate in LDAP before you can make any queries. Again there's no need to use end-user accounts for it - you can use the keytab file for Kerberos authentication in LDAP and query groups using "Tomcat" account
I found a way to fix my issue.
In a REST API context, you have no entry point. I tried to set my entry point to an unmapped URL, just to do the negociation. By doing this, you will receive an HTTP response with the error code 404 (Not found) but with the right header was added by spring security (WWW-Authenticate).
The web browser will not send the ticket service if the error code is not 401.
To solve this problem, you have to create a CustomEntryPoint class (implements AuthenticationEntryPoint) and you need to override the "commence" method to return a 401 HTTP code with the right header.
I hope that could help. If there is a better way, let me know !
Since the Google Search API has been deprecated, I'd like to use the Bing Search API (now a Windows Azure API) in my Ruby apps.
However, Azure has a strange authentication pattern where you build a query URI, paste it into a browser, pass the key into the password box of the standard HTTP authentication box, and make POST to see the results. I assume this generates a signature and passes it in the header somehow. I'd like to do the complete process in Ruby and skip the browser portion if possible.
I found one example in the source of an obscure Windows Azure storage gem, but I can't figure out how tthey're building the signature and make the call. Is there a simple way to do basic HTTP auth in Ruby?
I went ahead and used Faraday's built in basic authentication scheme like so:
connection = Faraday.new "http://api.something.com/1/dudez"
connection.basic_auth "username" "password"
connection.get
I want to recommend the RestClient gem for this. I've used it with great success for GET'ing and POST'ing across domains. If you really have to act like a browser to implement the API, you can always use Capybara.
I'm sorry I haven't tried the Azure API myself, or I would give an example. :)
I recall doing this previously with another Azure API but am unable to find the code.
Look here for the details of the signature process:
http://msdn.microsoft.com/en-us/library/windowsazure/ee395415.aspx
I'm unable to find immediately if the Azure API uses the SharedSignature method
The way to sign a request to Windows Azure blob storage thru the REST API is described here: http://msdn.microsoft.com/en-us/library/dd179428.aspx.
Basically, you don't authenticate by simply adding some credentials in a HTTP header, you have to sign your request with the secret key that is associated to your storage account.
I am designing a web api. I need to let the user authenticate themselves. I am a little hesistant to let the user pass in their username/password in cleartext.. something like: api.mysite.com/auth.php?user=x&pass=y
Another option i read about was Base64 encoding the username/password and then sending a HTTP request. So does that mean that on the server side;I would _GET['user'] and _GET['password'] and then somehow decode them?
Is that what twitter does: http://apiwiki.twitter.com/REST+API+Documentation#Authentication ?
Base64 is no protection at all. Use SSL for real security.
As mentioned by truppo, first use SSL.
What many web services do is have an "authenticate" service that returns a token that is then used later, and can be used in plaintext, since it's only valid for a limited amount of time. When it expires, the client simply does another authenticate.
The key benefit of this is that it reduces the number of SSL requests, which lightens the load on the server.
Just this week the IETF published a new draft discussing security properties of the various authentication mechanisms in HTTP. You should find helpful information there.
Personally I'd recommend at least to read about digest authentication and analyze if that's suitable for you.
Using SSL might also be an option. However, it also addresses additional issues at the expense of performance, cachability and others. It keeps the payload data confidential. If this is a requirement, then it's your way to go.
If this is a webservice, you'd better use more secure form of authentication. Look for example, at the LiveJournal protocol: Challenge-Response.
Please do not use regular usename/password authentication for the api. People really shouldn't be forced to put credentials from foreign services in a mashup service.
Please consider using oauth http://oauth.net/ or at least some challenge-response based system, like Eugene suggested.
One easy way would be to let the guest-service generate a token which is connected to his app and a user. If you put in some work you could even make the tokencreation secure to have only allowed foreign services with some private/public-key mechanisms.
The user has to authorize this token in your app before the guest service can use it to get authenticated.
I've found this article eye-opening.
In short: use a pair of API keys per user. One is for client authentication, one for parameters signing.