I'm using Cro HTTP Authentication/Authorization/Sessions very successfully with HTTP routes.
Then I added a route that creates a web-socket using Cro::HTTP::Router::WebSocket, and I can connect to it with Cro::WebSocket::Client and everything works fine.
Now I want to control access to the websocket, so I add a Cro::HTTP::Auth parameter. Works great. Now the the client gets a 401 Unauthorized as expected.
Next step, how do I open the door?
With Cro::HTTP::Client, I can pass in an Authorization header, or even pass in the auth option. How do I do that with Cro::WebSocket::Client?
I'm very new to WebSocket, so I don't even know if this is the right way to do things like this, but it seems like the Cro::WebSocket::Client connect method should take a headers named option that gets extra headers that get passed along.
The mentioned patch from titsuki was merged by Jonathan Worthington with commit 2593e21 on Oct 14, 2018
Related
I am trying to make a script to test REST services using Jmeter.
Till now I was using Chrome’s Advanced REST Client.
My authentication request was GET and it was something like this in Advanced REST:
https://username:password#URL:portnumber
its a GET request
Now when I am using Jmeter. I tried following ways:
I added HTTP Authorization Manager and mentioned Base URL and Username/password inside it.
When I am trying to do a request then its showing me “Unauthorized”
I also tried to login using normal https request but no success.
When accessed manually, a authorization popup window appears and username and password is submitted inside this window.
Please suggest me a way for how to login using Jmeter.
Few suggestions:
Most likely you have mismatch in URL you're trying hit and the one, specified in HTTP Authorization Manager, double check it.
Add View Results Tree listener and make sure that the header like:
Authorization: Basic xxxxxxxxxxxx=
is being sent along with the request and compare it with the one, sent by the real browser.
Try switching "Implementation" of your HTTP Request samplers to HttpClient3.1, the easiest way of doing this is using HTTP Request Defaults
And finally, you can use HTTP Header Manager to send the relevant header, it's name should be Authorization and value Basic and username:password encoded in Base64. There is base64Encode function available via JMeter Plugins.
we are using CORS Filter to send AJAX request between two different domains and we set the configuration properties of this filter by code using OSGI HttpService instead of a web.xml file. The problem is that sometimes (not every time) it doesn't work correctly, it doesn't let us make POST, PUT or DELETE requests. We have add the property xhrFields:{withCredentials: true} to these requests but it hasn't change anything.
We have tried to make these requests with Google's Simple Rest Client and we have observed that even when our website is forbidden to perform this request Google's Client always has access.
Does someone know how we can solve it?
On the server side, try adding the following header:
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Cookies support - Problem?
Original Issue/Background:
We have API based on servlet / JSON running in Openshift, the web server used in openshift is Tomcat.
We store information to httpsession and everything works fine when used directly against openshift / tomcat (POST / GET). But when we configured apigee against existing methods the session is lost. Stuff is stored correctly in the session in server side, but when second request comes from apigee into the tomcat the session is "lost"
Piece of java code to get the session is plain httpsession.getRequest(). As said this works fine when using backend directly. Is there some additional steps (cookies etc) needed to maintain the session when requests are used through apigee?
Update Findings;
With short debug an traffic monitoring the reason of the error in apigee is confirmed to be that it does not pass JSessionId to requests. This means that cookies support should be enabled somehow in the API proxy settings / Configuration.
Anyone have an idea where or if this can be resolved?
First off, cookies aren't part of a proper RESTful payload -- if you grabbed the headers you could store them with an access_token as part of the generate token policies.
That aside, you should be able to pass the cookies back to the requesting App and then let the app pass them back to the API -- my jokeindex API lets you do this.
Make sure you don't have any AssignMessage policies in the flow that are stripping out the headers accidentally -- something like this:
<Set>
<Headers />
</Set>
as that will remove ALL headers. Also, you can look at the Trace tool in Apigee to check each policy step along the way to see if you're stripping the Cookie: header from the requesting payload.
When you have your resource on address "http://yourdomain.com/somewhere/", and you redirect to that resource from apigee API, for instance by url: http://yourapi.apigee.net/v0/myresource" what you get back from your server is cookie for /somewhere/ not v0/resource/somewhere, so basically when browser gets cookie back, it does not put it into correct place and discards it. At least that was/is my case.
You should ping #bissell about this but I did find this article that might be helpful:
http://community.apigee.com/groups/learn-create-and-manage-apis/some-basic-questions-new
Also, you might be able to fix your issue by adding an "extract variable" policy to the request that captures the JSessionId and then adding an "assign message" policy to add it back to the request.
You can assign policies from API Platform>Dashboard>API Proxies>YOUR API>Develop
We have a REST API secured using Kerberos. Hosted elsewhere is a webapp that calls this API.
If you navigate directly to the API, then the authentication works fine and a cookie is returned. Then the webapp works just fine since it has a cookie for API's root URI.
However if you navigate to the webapp and it makes an HTTP GET request to the API using AJAX, then the request returns 401: Unauthorized as well as WWW-Authenticate:Negotiate. If I navigate to the same address, chrome would negotiate and get authenticated, but in this case it stops at this point.
There are various ugly hacks to get around the problem, like creating an IFRAME that sources some part of the API, or redirecting the user to the API and having it bounce the user back using a 307, but these are clearly not optimal.
It works fine in IE7.
What is the correct way to deal with this?
I figured out the issue. The REST API had an additional authentication layer that used the "Authorization" http header to set an api-key. After removing this security layer, everything worked fine.
I'm going to leave this question up in case anybody else makes the same mistake.
I'm developing an iOS app that makes frequent requests to a web server, and I'm using AFNetworking (which I very much like). However, I'm running into a problem with authorization that I just can't solve.
The server requires me to provide an authorization header in order to get the response that I want. Specifically, the authorization headers should be like so:
Authorization = "ApiKey some-user-name:someNumericalApiKey"
I'm using AFNetworking throughout the project, and everything works fine, except for this authorization issue. I'm using the following code:
[myClient setDefaultHeader:#"Authorization" value:#"ApiKey some-user-name:someNumericalApiKey"];
where myClient points to an AFHTTPClient object. Strange enough, when I log the request in XCode using AFHTTPRequestOperationLogger, the logger claims that I have the correct headers set. However, the authorization header does not seem to reach the server - I can't see it in the server log.
To isolate the problem, I've tried to make the exact same request using good old NSURLRequest, as well as curl, and the requests library in Python - all of these work fine, i.e. the authorization header is sent & received (i.e. I can see it in the server log), and the server response is what it should be.
If anyone has run into the same problem (and has found a solution) I would very much appreciate to hear from you.
Thanks.
Sometimes (especially with Django) this is caused by redirection stripping of header parameters. For instance, /Object redirects to /Object/ in the background and removes the necessary auth parameter during the switch.
If you're using AFNetworkActivityLogger with level AFLoggerLevelDebug then you should be able to check this out in the console. If you see a POST request with /Object and the response with /Object/ then this might indicate redirection stripping is taking place.
If you construct your operation manually then the defaultHeaders are not applied, that might be the cause of your problem.