I have authentication token as response from rest Template and I'm using this token for another call and everything is working fine
But during Fortify Security test its showing error during header set
HttpHeaders header=new HttpHeaders();
header.setBasicAuth("Authorization",token)-->showing issue
What I understood is before setting this you need to add validator to remove \r\n from the token if available. I tried using regex but nothing worked.
Please if anyone faced this issue in java/spring boot project please help me. I need solution
Thanks in advance
Related
I am using Nuxt.js, Laravel, and Laravel Sanctum for API development learning projects. Now, I have been stuck with this error for a few days. I know that Laravel Sanctum will handle everything on config/cors.php with some changes like I said at Nuxt.js - No 'Access-Control-Allow-Origin' header is present on the requested resource
Then,
Why I am facing this CORS error? Does anyone know something?
Please guide me, it will be helpful for me.
This may or may not help.... but I suffered the same issue not locally, not on test, but on my PROD deployment of a project. What solved it for me is CHOWN'ing the entire Laravel project to 'www-data' . When my user was the owner of the Laravel project I kept getting "No 'Access-Control-Allow-Origin' header is present on the requested resource." like you. After CHOWN'ing it to'www-data' it worked as usual.
I can't tell you why this is the case besides something with PHP being represented as the "www-data" user or something like that ( I'm not that smart ). But hope this helps!
EDIT: my project is React <-> Laravel, my Cors.php was configured correctly the entire time.
When I upload a file through my app that uses Spring framework and spring security, it sends a CSRF token in the request through Spring to prevent CSRF. This token does not seem to be generated as it's left out of the request URL in Firefox. Again, this is happening in Firefox only. Does anyone have any experience with this and/or have any insight as to why this is happening? I've tried accepting cookies from this website in the browser and doing a few hacks in my code to allow it, but none of it seems to work. Thank you.
In case anyone is wondering, it turns out that my async call to retrieve a new CSRF token wasn't firing on time and the form would post without it, hence causing this error message from Spring. Check if you're posting the form prematurely if you're getting this error.
Our application is a Spring Boot application and we have gotten a requirement to implement OAuth2 authorization with the IdentityServer3 as the provider.
However, with everything set up properly, we keep getting the error The client application is not known or is not authorized. when redirected to the login screen of the SSO system.
Using postman, we are able to access the login screen when clicking 'Get New Access Token'
Using AdvanceRestClient, we get the same error as our Spring Boot application.
Checking the log of these 2 tools, i found that on postman, the request will POST to the Access Token URL first, while on both Spring Boot security and the AdvanceRESTClient, it will generate a GET URI to the authorize URL.
Example of POSTMAN:
POST https://login.xxx.com.my/LoginHost/core/connect/token
Example of AdvanceRESTClient first request:
GET https://login.xxxx.com.my/LoginHost/core/connect/authorize?response_type=code&client_id=xxx.web&redirect_uri=https%3A%2F%2Fauth.advancedrestclient.com%2Foauth-popup.html&scope=openid%20email%20profile&state=XXX
This is confusing. Which behaviour is correct? And why is there a difference there?
Hope anyone can help with this. Thanks.
* UPDATE 1 *
POSTMAN settings:
AdvanceRESTClient:
After looking at the console logs of both client, it seems that the issue is caused by the redirect-url. After changing the redirect url on AdvancedRestClient to match with postman settings then it works.
I'm working on an application that requires to authenticate to JIRA using OAuth authentication. However I am facing a problem when trying to obtain a request token (/plugins/servlet/oauth/request-token), the request always fails with the "nonce_used" oauth error (oauth_problem=nonce_used). I am generating the nonce randomly, it is a 32 characters long random string containing only lowercase alphanumeric characters. I tried also with longer nonce but with the same result. I am sending the oauth parameters in the Authorization header of the request, but also tried to send them in the body of the POST request with the same result.
Any help is greatly appreciated if somebody already encountered this problem and managed to resolve it.
Cheers,
Istvan
Finally managed to fix my problem. The problem was that I didn't generate correctly the base string that needed to be signed (didn't URL encode the = and & characters between the oauth parameters)
I'm learning how to develop a website using go and I've decided to try Goji. Everything is working fine except when I'm trying to use CSRF (goji-csrf) on a file upload I keep getting Forbidden - CSRF token invalid but when I removed enctype="multipart/form-data" in the template the csrf middleware is working fine.
Thanks for the answer in advance guys.