I posted earlier this post right here
The problem is that when i send my requests after login on my ionic app a have the token stored and I use it to send other request that needs authentication these request has the header like this:
Accept: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI.....
Content-Type: application/json
Origin: http://localhost:8100
Referer: http://localhost:8100/
An after 3 days of search I figured out the request headers are being ignored by Apache and all requests arrives without token so i get this message error as response from all API routes:
{"message": "Unauthenticated"}
Related
Thread Name:Thread Group 1-1
Sample Start:2022-11-14 15:38:43 GMT
Load time:56
Connect Time:42
Latency:56
Size in bytes:1472
Sent bytes:2669
Headers size in bytes:1472
Body size in bytes:0
Sample Count:1
Error Count:1
Data type ("text"|"bin"|""):
Response code:401
Response message:Unauthorized
HTTPSampleResult fields:
ContentType:
DataEncoding: null
Response Header
Connection: keep-alive
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Accept-Language: en-GB,en;q=0.5
prefer: odata.include-annotations="*"
x-ms-sw-tenantid:
x-ms-user-agent:
clienthost: Browser
x-ms-client-session-id:
Accept: application/json
x-ms-source-id:
x-ms-sw-objectid:
x-ms-correlation-id:
content-type: application/json
x-ms-app-id:
I tried applying Cookie Manager and Authorization Manager but the code is failing everytime.
As per HTTP Status Code 401 description:
The HyperText Transfer Protocol (HTTP) 401 Unauthorized response status code indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource.
This status code is sent with an HTTP WWW-Authenticate response header that contains information on how the client can request for the resource again after prompting the user for authentication credentials.
So you either need to provide proper Authorization header via HTTP Header Manager or again properly configure the HTTP Authorization Manager to generate the header for you.
I'm writing a vue app to post data using axios to an API powered by laravel. The APIhas a POST route which is to create a resource. I have CORS set up which allows successful GET'ing of the data. However when I try to POST the data, the network tab shows an OPTIONS request being made with nothing being returned and no POST request follows.
Using axios: a POST request is made with: axios.post(url);
but no POST request is actually made, only the OPTIONS request with: axios.post(url,data).
I made a simple api with slim and didn't have similar problems, so I'm assuming this is something laravel specific?
There are no server log errors, the laravel log shows no errors neither. The error in the browser console is: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://api/api/zones/save. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
UPDATE
These are the headers that are sent as the request:
Host: apiurl
User-Agent: ....
Accept: text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Origin:null
DNT: 1
Connection: keep-alive
I understand about the pre-flight but the API I made with slim passed the pre-flight using the same axios code and the post request was made. I'm not sure why the laravel API isn't doing so.
UPDATE 2
These are the headers for the OPTIONS response
Server nginx/1.10.3 (Ubuntu)
Content-Type text/html; charset=UTF-8
Transfer-Encoding chunked
Connection keep-alive
Allow GET,HEAD,POST
Cache-Control no-cache, private
Date Fri, 03 Nov 2017 20:46:47 GMT
Content-Encoding gzip
and this is the code I'm using for the laravel middleware:
public function handle($request, Closure $next)
{
return $next($request)
->header('Access-Control-Allow-Origin', '*')
->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
->header('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization')
;
}
}
I'm including this code in the Kernel under the 'api' key
As I know that if cors request comes with some extra headers set, first server needs to process it.
With CORS, the server must send the Access-Control-Allow-Headers header to allow uncommon request headers from the client.
Access-Control-Allow-Headers ... - Comma-delimited list of the supported request headers.
e.g suppose my pre-flight request is
OPTIONS /cors HTTP/1.1
Origin: http://api.bob.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Custom-Header
Host: api.alice.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0...
Then from server-side I will send response
Access-Control-Allow-Origin: http://api.bob.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: X-Custom-Header
Content-Type: text/html; charset=utf-8
My question is -
should I close the connection on server side while we send pre-flight response to client?
One more thing how can I cached pre-flight request for all other distinct subsequent requests?
Thanks
You could cache the OPTIONS request using the
Access-Control-Max-Age
header.
Attach it to the headers collection of the OPTIONS response.
But nevertheless an initial OPTIONS request by the user agent (browser) has to be made, you cannot avoid this.
But all further OPTIONS requests are cached and not issued to the server.
No need to close the connection.
Access-Control-Allow-Origin: http://hello-world.example
Access-Control-Max-Age: 3628800
Access-Control-Allow-Methods: PUT
as explained here, search for
could have the following headers specified
to get to the designated text section.
I have been encountering error in storing a file to Object Storage using HTTP POST method sent using Async XMLHttpRequest. The request is a CORS HTTP request sent to the Object storage public URL with required headers set. The error message says: Reason: CORS header Access-Control-Allow-Origin missing.
The error seems to happen with multipart form data send request using POST. If PUT is used to create the file, the required file (resource) gets created. The response to the PUT request contains the required Access-Control-Allow-Origin header, whereas the response to POST does not contain despite the meta data attributes being set on the container.
I have even tried using X_AUTH_TOKEN header instead of X_STORAGE_TOKEN, but the failure continues to happen.
Raised the ticket with Softlayer support, but have not received a solution. Any ideas to resolve the above would be helpful.
The details are below:
The container prod_file has following meta data attributes set:
access-control-expose-headers: Access-Control-Allow-Origin
access-control-allow-origin : *
The Firefox browser version is: Mozilla Firefox 46.0
Client OS is: Linux 3.16.0-71-generic #91~14.04.1-Ubuntu SMP Mon Apr 18 1K9:43:36 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Request URL: https://*****.objectstorage.softlayer.net/v1/AUTH_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/prod_file/6ffb51fc-e40f-4cf5-982c-44cb5c342851.fl.file.orig.txt
Request HTTP Method: POST
Mechanism used: Async XMLHttpRequest
Request Headers:
Host: *****.objectstorage.softlayer.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Storage-Token: AUTH_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Referer: http://*****myorg******.com/organization/572680760cf26af856c7432c/resources
Content-Length: 4500
Content-Type: multipart/form-data; boundary=---------------------------2139255891192408661525197545
Origin: http://*****myorg******.com
Connection: keep-alive
Response Headers:
Connection: keep-alive
Content-Length: 50
Content-Type: text/plain
Date: Sat, 14 May 2016 14:57:02 GMT
X-Trans-Id: *****Some Transaction Id********
The error response has the following message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://*****.objectstorage.softlayer.net/v1/AUTH_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/prod_file/6ffb51fc-e40f-4cf5-982c-44cb5c342851.fl.file.orig.txt. (Reason: CORS header 'Access-Control-Allow-Origin' missing)
Thanks for the help in advance.
It looks like you set wrong the headers for your container, please take a look this documentation and try it:
http://docs.openstack.org/developer/swift/cors.html
https://swiftstack.com/blog/2013/04/02/using-cors-with-swift/
Renember that softlayer object storage is based in Open Stack.
Let me know if you are still having troubles
Regards
i am trying to read a url for JSON export from servicenow in java code but getting 401 authentication error please advise:
i'm using this link:
"https://servicenow.com/incident_list.do?JSONv2&sysparm_record_count=2"
-- Mocked up domain name..
I would suggest using a proxy (ie. Fiddler, BurpProxy, Runscope, nGrok) to see the HTTP request you are sending to ServiceNow from your code. The HTTP Request must contain an Authorization header (Basic Auth) as shown in sample below. You'll want to make sure the request that is being created and sent by your Java code has a correctly formatted and valid Authorization Header.
Authorization: Basic {this should be your credentials Base 64 encoded}
GET https://demo006.service-now.com/incident.do?JSONv2&sysparm_sys_id=d71f7935c0a8016700802b64c67c11c6 HTTP/1.1
Host: demo006.service-now.com
Authorization: Basic {this should be your credentials Base 64 encoded}
Accept-Encoding: gzip, deflate, compress
Accept: */*