Spring boot Cookie versus Authorization in header field - spring

I have a very minimal spring-boot app with dependency spring-boot-starter-web and spring-boot-starter-security. I just learned spring boot yesterday. I noticed that sending a POST request like below even if provided with the wrong basic auth password the request succeeds. Because, of the presence of a cookie in a previous successful request.
curl --location --request POST 'http://localhost:8080/create' --header 'Content-Type: application/json' --header 'Cookie: JSESSIONID=EA39A09B47575D192845148AFFCAD85B' --data-raw '{
"surname":"Murdock",
"givenname":"John",
"placeofbirth":"Slovenia",
"pin":"1234"
}'
Is this the expected behavior? And how do I make spring-boot to always check the provided basic auth password?

Related

Is there a way to set the user in org.springframework.web.client.RestTemplate

I'm trying to migrate a curl command with a username and password to a rest API consumer code of org.springframework.web.client.RestTemplate
curl -i -k --location -u username:userpass \
--request GET http://myserver:80/rest/api/2/project --header 'Accept: application/json' \
--header 'Content-Type: application/json' --data-raw ''
But such parameter username:password is not supported in RestTemplate (correct me if I'm wrong)
What other options can do this?
I'm using spring boot 2.4.3
If you use -u or --user, Curl will Encode the credentials into Base64 and produce a header like this: -H Authorization: Basic <Base64EncodedCredentials>
There is a way to build a RestTemplate with what you want to achieve. To do that just configure a singleton restTemplate bean in your configuration class.
Until version 2.1.0 it was available the basicAuthorization()
previous spring boot versions used basicAuthorization()
#Bean
RestTemplate rest(RestTemplateBuilder restTemplateBuilder) {
restTemplateBuilder.basicAuthorization("username", "userpass").build();
}
From 2.1.0 and forward the basicAuthorization() has been deprecated and in later versions removed. You can use basicAuthentication() instead
newer versions have only basicAuthentication()
#Bean
RestTemplate rest(RestTemplateBuilder restTemplateBuilder) {
restTemplateBuilder.basicAuthentication("username", "userpass").build();
}

X-Cache-Status is always Bypass using Kong proxy-cache plugin

I have service in Kong and I have set proxy-cache plugin for that service.
curl -X POST http://localhost:8001/plugins --data "name=proxy-cache" --data "config.strategy=redis" --data 'service_id=2f0a285d-7b25-48d6-adc3-bbf28ffe5f47' --data "config.redis.host=127.0.0.1" --data "config.redis.port=6379" --data "config.redis.password=my_redis_password"
When I call an API from that service:
curl -i -X GET --url http://localhost:3002/v1/currency --header 'apikey: MY_API_KEY'
everything works correctly but X-Cache-Status is always Bypass
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 3654
Connection: keep-alive
X-RateLimit-Limit-second: 100
X-RateLimit-Remaining-second: 99
X-Cache-Key: 3e18cdfc6e02359fb0f874efdf5788d8
X-Cache-Status: Bypass
X-Powered-By: Express
...
How can I debug Bypass reason?
To avoid Bypass in X-Cache-Status you have to add this config when you create your proxy-cache plugin
--data "config.content_type=application/json; charset=utf-8"
The plugin proxy-cache that comes bundled with Kong community edition only allows in-memory caching. If you want to use Redis for caching, you will have to use Kong Enterprise version. More information here
As an alternative, there is a open source plugin called kong-plugin-proxy-cache available on Github. You will have to first install the plugin from Luarocks and then enable the plugin in Kong config
# Install plugin dependency
sudo luarocks install lua-resty-redis-connector
# install plugin
sudo luarocks install kong-plugin-proxy-cache
# Enable plugin in kong.conf
plugins = bundled,proxy-cache
# After enabling, you can use plugin with any service, route or consumer.
# To enable it for a service
curl -X POST http://localhost:8001/services/<service-name>/plugins \
--data "name=proxy-cache" \
--data "config.cache_ttl=300" \
--data "config.cache_control=false" \
--data "config.redis.host=<redis-host>" \
--data "config.redis.port=<redis-port>"

Content-type header not supported

I am following this link for elasticsearch.
https://www.elastic.co/blog/a-practical-introduction-to-elasticsearch
I am trying following curl to post the json data.
curl -XPOST "http://localhost:9200/shakespeare/_bulk?pretty" --data-binary #D:\data\shakespeare.json
But I am getting error like below:
{
"error" : "Content-Type header [application/x-www-form-urlencoded] is not supported",
"status" : 406
}
You need to set the content type in the header to application/json:
curl -XPOST -H "Content-Type: application/json" "http://localhost:9200/shakespeare/_bulk?pretty" --data-binary #D:\data\shakespeare.json
I received the same error after updating from an older version to 6.x.x. I'm not using curl statements directly, I'm using python's elasticsearch plugin.
In my case, I needed to install the newer version of the plugin that corresponded to the updated elasticsearch server.
pip install elasticsearch==6.3.1
Make sure you run it in the same Python Environment that your code is executing in.
Hope this saves someone some headache.
I found a solution you can set a default header that will overwrite previous header:
RestClient restClient = RestClient
.builder(new HttpHost(url, port, scheme))
.setDefaultHeaders(new Header[]{
new BasicHeader("Content-type", "application/json")
})
.build();

Xcode Server Bots API: Updating a bot with PATCH request

I would like to edit my Xcode bot through the Xcode Server API by sending the blueprint through PATCH.
However, when I send my PATCH request, Xcode Server replies back an unchanged json of my old blueprint.
My request is curl -X PATCH -H "Content-Type: application/json" -d "{\"my\": \"json\"}" https://<username>:<password>#<my_domain>:20343/api/bots/<bot_id>
What am I missing?
There are two missing parameters that will cause the following problems:
Missing xcsclientversion: server will return 400 Bad Request.
Missing overwriteBlueprint=true: server will not change the blueprint.
Your final request should look like the following:
curl -X PATCH -H "Content-Type: application/json" -H "x-xcsclientversion: 18" -d "{\"json goes\": \"here\"}" https://<username>:<password>#<domain>:20343/api/bots/<_id>?overwriteBlueprint=true
Source: radar and Developer Relations (thanks!)

create project for sonarqube with the rest-api / web-api

we try to automate the creation of projects (including user/group Management) in sonarqube and I already found the Web-API-documentation in our sonarqube 5.6-Installation. But if I try to create a project with the following settings
JSON-File create-project.json:
{"key": "test1", "name": "Testprojekt1"}
curl-request
curl --noproxy '*' -D -X POST -k -u admin:admin -H 'content-type: application/json' -d create_project.json http://localhost:9000/api/projects/create
I get the Error:
{"err_code":400,"err_msg":"Missing parameter: key"}
It's a bit strange because if I try e.g. the URL:
http://localhost:9000/api/projects/index
I get the list of the projects I created manuelly and if I try a request like
curl -u admin:admin -X POST 'http://localhost:9000/api/projects/create?key=myKey&name=myProject'
it works too, but I would like to use the new api because it looks like it support much more function that the 4.X API of sonarqube.
Maybe someone here can help me with this problem, if would very thanksful for every useful hint.
best regards
Dan
I found this question because I got the same "parameter missing" error message.
So what we both did not understand: The SQ API expects the parameters as plain URL parameters and not as json formatted parameters as most REST APIs do today.
PS: Would be nice if this could be added to the SQ documentation.

Resources