I encrypt the body on the client side. But when I receive it, the server thinks that I am using ssl and returns an error: "Invalid character found in method name. HTTP method names must be tokens", while in Zuul Filter I decrypt the body and pass it to other services. How do I disable this type of verification?
Related
I am using KrakenD to make a call to a Salesforce endpoint
/services/data/v56/jobs/ingest/{{_jobId}}/batches
This backend endpoint doesn't return any data in the response body and as a result the call fails with a 500. From the logs -
[00] [KRAKEND] 2023/01/27 - 23:39:45.615 ▶ ERROR [ENDPOINT: /ingest/:jobId/batches] EOF
How do I solve this error? How can I tell KrakenD to expect the empty response body?
I am not using any custom plugins.
You should check the encoding defined at the backend section (by default, it's JSON) and select one that suits your backend responses. Here you'll find some recommendations: https://www.krakend.io/docs/backends/supported-encodings/#how-to-choose-the-backend-encoding
If you are expecting empty responses, you could use no-op (https://www.krakend.io/docs/endpoints/no-op/)
I am trying to get an access token via RestTemplate.postForEntity().
myRestTemplate.postForEntity(authBaseUrl, request, Object.class);
I have a specific class for it, but let's use now a simple Object as type. It contains an access_token field.
It works, because I can get response, but the length if the access tokens (which is a string)
is 1196 character long. And I can get the same length in Postman too.
But if I use the intelliJ built-in REST client, the length is 1199.
Only the token from the intelliJ rest client works (So the longer).
Because I always get a new access token, it is impossible to get the same token twice.
How can I debug it?
What could be the problem?
Is the code that generates the response available to you? if so in your response add a header content-length so you can see what the server sent and what you received. Also, debug the server side and see what is being generated. In addition take another 3d party Http client and test it with this client see if you see a difference. The Http clients that you can try are Apache Http client, OK Http client, or my favorite - a very simplistic client written by me as part of my own Open Source MgntUtils library. Here is the Javadoc for my http client Here is a link to a similar question where you can get the references for any of above mentioned Http clients: How to check the status of POST endpoint/url in java
I'm using IBM API connect & IBM DataPower 2018.
I have a SOAP web service, and I need to do some customized logging for it by capturing the request\response payload.
When the service returns a valid XML, or even SOAP exception, I could easily handle such cases, and save the request\response payload in separate DB schema for operational purposes.
I updated the response payload by returning non XML response from the backend, like "ABCDEFGHI....".
when I call this service through datapower, it returns clear response.
<errorResponse>
<httpCode>400</httpCode>
<httpMessage>Bad Request</httpMessage>
<moreInformation>Invalid XML payload received.</moreInformation>
</errorResponse>
But I am unable to capture the message.body payload which is in my case "ABCDEFGHI..", the apim.getvariable('message.body') returns nothing.
My question:
How to capture the invalid response payload (none well XML) for SOAP service by using Gateway script?
You can't... as the the message will be rejected prior to processing since DataPower will set the message type to SOAP it will reject anything not being SOAP.
You would need to pass it through a "chaining" API (or service on the DataPower instance) which could capture the response payload.
I want to customise OAuth Endpoint URI's.
I want to sent parameters in post body instead of query params.
now my request is like -
example.com/oauth/token?grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&username={USERNAME}&password={PASSWORD}
But I want it like this.
example.com/oauth/token
Request body -
{
grant_type=password,
client_id={CLIENT_ID},
client_secret={CLIENT_SECRET},
username={USERNAME},
password={PASSWORD}
}
How should I do it?
The token endpoint of a properly-implemented authorization server does NOT accept GET requests because RFC 6749, "3.2. Token Endpoint" says as follows:
The client MUST use the HTTP "POST" method when making access token requests.
So, your authorization server's token endpoint should reject GET requests.
RFC 6749, "4.3. Resource Owner Password Credentials Grant" says that request parameters of a token request using Resource Owner Password Credentials flow should be embedded in the request body in the format of "application/x-www-form-urlencoded". The following is an excerpt from "4.3.2. Access Token Request".
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
Therefore, you don't have to customize your authorization server. If the server is implemented correctly, its token endpoint accepts POST requests.
The token endpoint created by spring-oauth2 already deals with POST as well.
It would be hard to customize it to accept a JSON request body, because the TokenEndpoint class expects all the params as #RequestParam params.
However, if your concern is about security (as HTTPs does not secure query parameters) you indeed can send the request parameters through post. It is just a matter of sending the request in the form "form-data" or "x-www-form-urlencoded". These are 2 ways of sending arbitrary key-value parameters in the request body, in a way that appears to the server as they are regular request parameters. So it is a matter of making your client using this.
Also, note that in spring-oauth2 it is possible to disable the GET endpoint, this way forcing your clients to use POST with one of the ways above.
I have a server in which the client can register itself as a device (like a mobile device). For the registration, the device must be associated with another resource (say an user) which is already registered on the server. To do that, the client sends a Http Post request to the server, with two params, its own ID and the associated resource ID.
I need to choose an Http Status code to return when the client ask the server to do some procedure and one of the resources indicated in the parameters are not found.
I suggested 404, but my professor said that 404 is used the resource associated to the URI is not found, not when you submit a well-formed request with bad parameters.
What is the most suitable http status and why would you choose?
In my opinion, it fits to:
400 - Bad Request
The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
OR
403 - Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
Ref: fc2616
I would use 403 'Forbidden' - meaning, you are forbidden from accessing the page with the request you have sent