From the frontend application (Vue.js) I make an axios (ajax) request to the URL of the backend application (Golang), which works with Kerberos. I need to return information about the employee when the frontend application makes a GET request to the route of the backend application.
Inside the frontend application I make this axios request:
axios.get(url, {withCredentials: true})
Inside the backend application I set the CORS options like this:
// CORS options for github.com/gorilla/handlers, combined with handlers.CORS(...)
headers := handlers.AllowedHeaders([]string{"X-Requested-With", "Content-Type", "Authorization"})
methods := handlers.AllowedMethods([]string{"GET", "POST", "PATCH", "PUT", "DELETE", "OPTIONS"})
origins := handlers.AllowedOrigins([]string{"*"}) // wildcard origin
credentials := handlers.AllowCredentials() // true
Right now the client application raises an HTTP 401 Unauthorized error when I make the axios request. Everything works fine only if I make the request from the browser.
In the log of the backend application I see the following header information when I make the request from the browser:
map[Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Accept-Encoding:[gzip, deflate] Accept-Language:[ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7] Connection:[keep-alive] Cache-Control:[max-age=0]]
map[Connection:[keep-alive] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36] Accept-Language:[ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7] Cache-Control:[max-age=0] Authorization:[Negotiate <token removed>] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Accept-Encoding:[gzip, deflate]]
As you can see, the browser somehow generates a SPNEGO (Negotiate) token and sets it in the header automatically. I can't understand how I can get the same result via an axios request. I will be grateful for any help.
Related
I'm trying to integrate InStream VAST ads in my app. I used Inmobi, as in the sample mentioned here for the VAST ad request.
I tried with different parameters but nothing works. Has anybody tried Inmobi InStream Ads and had success with it?
My request
http://vast.w.inmobi.com/showad?plid=XXXXX&ua=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4437.0 Safari/537.36 Edg/91.0.831.1&ip=XXX.XXX.XXX.XXX&gpid=XXXXXXXX&lmt=false&w=480&h=320&protocols=3&bundle=com.sample.bundle
with the headers
Content-Type & X-Forwarded-For
Is it possible for a Chromecast receiver to determine a particular sender's URL?
I can get a list of senders:
const context = cast.framework.CastReceiverContext.getInstance();
context.getSenders();
This returns an object like this:
{
id: "01234567-8901-2345-6789-abcdefabcdef.0:160531083194132871",
userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWeb…L, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
}
However, this doesn't contain the URL of the sender. I need to figure out the URL of the site being cast from. Is this possible? And if so, how?
I am trying to open and download PDFs using Python requests based on URLs I get from an API. This works for many of the files, but for files stored at one specific site I get a 500 Internal Server Error response. In the response there is a simple HTML page with only the text: Not Authenticated.
When I paste the same URL in Chrome I get the PDF. However, I can see a "503 - Failed to load resource" error in the console as it failed to load some icon. Can this be relevant somehow?
The URL also works when I run it in Postman with no headers at all.
I have seemingly the same issue as described in this question:
python requests http response 500 (site can be reached in browser)
However, the fix of adding User-Agent to the header of the request does not help. Can there be some other header data required, and is there any way of checking what request my Chrome browser sends?
Update: I logged what request Chrome is sending and copied the headers to my Python request. Still the same error. I have tried with or without the same cookie.
Here is my code:
import requests

url = "https://example.com/path/to/document.pdf"  # placeholder: the PDF URL returned by the API

# Headers copied from the request Chrome sends; Host is derived from the URL
headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
           'Accept-Encoding': 'gzip, deflate, br',
           'Accept-Language': 'nb,en-GB;q=0.9,en-US;q=0.8,en;q=0.7',
           'Connection': 'keep-alive',
           'Cookie': 'JSESSIONID=a95b392a6d468e2188e73d2c296b; NSC_FS-NL-CET-XFC-IUUQ-8081=ffffffff3d9c37c545525d5f4f58455e445a4a4229a1; JSESSIONID=7b1dd39854eee82b2db41225150e',
           'Host': url.split('/')[2],
           'Upgrade-Insecure-Requests': '1',
           'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36'}
response = requests.get(url, headers=headers, verify=True)  # returns 500 "Not Authenticated" for this site
I use Python 3.6.3
I found that I only get the error when I run the GET through requests. So I changed to using: urllib.request.urlopen(url)
More info about this approach here: Download file from web in Python 3
We have a SPA that is protected with Azure AD. This seems to work fine, and users can authenticate ok.
We also have a Spring Boot REST service that is also secured by Azure AD. When we try to do a GET from e.g. Chrome, we get redirected to Azure for authentication, and then routed back to the REST service where we get the result.
But when we try to call this REST service from the SPA client, it does not work. Our client is running on http://localhost:5010/ and when we try to access the REST service, after the client itself has successfully authenticated against Azure, we just get a redirect to http://localhost:5010/login
This tells me that the REST service is not able to verify the client's authentication, but I don't understand why.
We use adal-angular4 in our SPA and adal4j in our spring boot server.
How can I make the REST service accept tokens from the SPA client, without the REST service trying to re-authenticate?
According to the comment, you got these as headers:
Host: localhost:5010
Connection: keep-alive
Accept: application/json, text/plain, */*
X-XSRF-TOKEN: 1c35cf04-25a1-4c59-8429-6e48b8484ef3
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Referer: localhost:5010/vesselActivity
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,nb;q=0.8
Cookie: XSRF-TOKEN=1c35cf04-25a1-4c59-8429-6e48b8484ef3
The only cookie is the XSRF cookie, so it seems you're lacking authorization headers in your client app.
I am developing an iOS application utilizing the Ionic framework with Cordova and have run into a bit of a snag in my dev cycle. While running on my local dev web server, any RESTful call happening from the $http service is failing with a 401 Not Authorized error even though I am passing the Authorization header. Interestingly enough, the call works fine once I build the app and deploy onto the iOS Emulator.
FWIW, the api calls are to an Atlassian Confluence api.
CORS doesn't seem to be the issue as that has been configured, tested and working on non-authenticated calls.
Here is the very basic call that is failing within the browser but working on the emulator when using the same headers:
$http.defaults.headers.common['Accept'] = 'application/json';
$http.defaults.headers.common.Authorization = 'Basic xxxxxxxxxxxxxx';
$http.get('https://www.example.com/rest/prototype/1/search/site?type=blogpost&spaceKey=TESTSPACE&os_authType=basic')
    .success(function (data, status) {
        this.serviceData = data;
    })
    .error(function (data, status) {
        console.log(status, data.result);
    });
I am sending two custom headers: Accept: application/json and Authorization: Basic ***. If I run the application in Chrome with the above service configuration, I see the following request headers. There is an added Access-Control-Request-Headers that mentions the Accept and Authorization headers, but those headers themselves are not there. I see the following request headers going across the wire:
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,nl;q=0.6
Access-Control-Request-Headers:accept, authorization <!---- This is added but there is no Authorization Header
Access-Control-Request-Method:GET
Cache-Control:no-cache
Connection:keep-alive
Host:www.example.com
Origin:https://local.example-client.com
Pragma:no-cache
Referer:https://local.example-client.com/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
If I make the same call with the Authorization Header using the Advanced Rest Client Chrome extension, it works correctly.
Accept:application/json <!----------- This one is */* when called from $http
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,nl;q=0.6
Authorization:Basic *** REMOVED *** <!----------- This one is missing when called from $http
Cache-Control:no-cache
Connection:keep-alive
Cookie: *** REMOVED ***
Host:www.example.com
Pragma:no-cache
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
One thing to note is that if I remove the Authorization header line (below), then the Accept header now appears:
//$http.defaults.headers.common.Authorization = 'Basic ************************';
Can anyone provide me any insight on what I may be missing here?
It's probably a problem with your CORS configuration. Authenticated requests require very specific configuration to work properly with CORS.
Make sure you're
Returning the Access-Control-Allow-Headers header to allow those headers
Returning the exact origin in Access-Control-Allow-Origin (not "*")
Setting withCredentials to true on the XHR (in Angular this can be set in the defaults just like the headers)
(I'm not entirely sure if the "Authorization" header is considered a "credential" if you set it by hand so the last two may or may not be required.)
The reason it works under Cordova is that Cordova doesn't implement origin restrictions for XHRs (they would be a bit pointless since your app doesn't have anything "local" to communicate with).
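As an added example (not code from this answer or from the first question's backend), here is a standard-library net/http equivalent of the gorilla/handlers CORS setup in the first question that applies the three points above: an explicit origin allowlist echoed back instead of "*", Access-Control-Allow-Credentials for the withCredentials request, and Allow-Headers covering Authorization on the preflight. The protected route answers with the WWW-Authenticate: Negotiate challenge that makes a Kerberos-aware browser retry with the SPNEGO token seen in the first question's log; the origins and response payload are constructed placeholders, and token validation is omitted.

```go
package main

import (
	"net/http"
	"strings"
)

// Explicit allowlist replacing AllowedOrigins("*"): browsers refuse to expose a
// credentialed response (withCredentials: true) to Access-Control-Allow-Origin: *,
// so the exact requesting origin is echoed back only if it appears here.
var allowedOrigins = map[string]bool{ // constructed example origins
	"https://frontend.example.com": true,
	"http://localhost:8080":        true,
}

// withCORS lets credentialed cross-origin requests from listed origins through,
// including the OPTIONS preflight that a request with an Authorization header triggers.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if !allowedOrigins[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin) // exact origin, never "*"
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Vary", "Origin") // stop caches replaying one origin's answer to another
			if r.Method == http.MethodOptions {
				h.Set("Access-Control-Allow-Methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS")
				h.Set("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Authorization")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// employee is the protected route. Without an Authorization header it sends the Negotiate
// challenge that makes a Kerberos-aware browser retry with a SPNEGO token (validation omitted).
func employee(w http.ResponseWriter, r *http.Request) {
	if !strings.HasPrefix(r.Header.Get("Authorization"), "Negotiate ") {
		w.Header().Set("WWW-Authenticate", "Negotiate")
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}
	w.Write([]byte(`{"employee":"placeholder"}`)) // constructed payload
}
func main() { http.ListenAndServe(":8000", withCORS(http.HandlerFunc(employee))) }
```

A request from an origin that is not listed gets a 403 with no CORS headers at all, so the browser never sees a reflected origin it could reuse.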