I want to pass a WebSocket RFB URL to NoVNC library. But this needs an authentication cookie to be provided via headers. How can I tell NoVNC to use cookies during request?
If you are wanting to change the WebSocket path that noVNC uses you can do it via the settings or use the "path" query parameter. Here is where the setting is located in the noVNC UI:
If you are interested in noVNC Token-based target selection then you can set the "token" query param for the WebSocket path (not the noVNC URL). In other words, a noVNC URL with a websockify token specified would look something like this:
http://host1:6080?host=host1&port=6080&path=websockify?token=foo
Related
I need to pass the token generated in one request into another request.
In second request,
I cannot pass the Authorization as the header because the API is not designed in a way to pass the token as header, nor Authorization manager is working as I need to pass the body and in Authorization manager I am not able to locate where to pass the body.
Is there any other way apart from Authorization manager or Header manager?
HTTP Authorization Manager generates and sends the relevant Authorization header, the header value differs depending on the protocol which is being used for the authentication/authorization from basic access control to NTLM and Kerberos
HTTP Header Manager allows you to send arbitrary HTTP headers including the aforementioned Authorization one
Unfortunately we cannot suggest how exactly you can pass the token, you need to
check the API contract or documentation, some API implementations have special documentation endpoints
contact the people who "designed" the "API"
capture the request from the real browser using browser developer tools or if it's another application use a sniffer tool like Wireshark or Fiddler
I have a single page application that's using a web API. When a user logs in, I would want the server to set a cookie for further identification.
AJAX requests are obviously HTTP, only with a small identifying header. For as far as I know, the browser's agent should not differentiate between XMLHttpRequest and normal requests. Especially since I'm using a relatively old version of firefox.
App URL: http://sub.domain.com/app
API Request: http://sub.domain.com/service/method
The domain and subdomain are exactly the same. There's no attempt to change other domains cookies.
As you can see the cookie is recognized by the browser's request parser. Even after digging all over SO and Google, I haven't found one logical explanation to why this isn't setting the cookie.
Tried a bunch of different Set-Cookie arguments combinations. I figured the most stable syntax is key=value; expires=date; domain=.domain.com and that's what I use in the example above.
P.S.
I am using actual domain and subdomain, NOT localhost.
Using a relatively old and stable version of Firefox.
I think you issue is quite well explained here
How does a browser handle cookie with no path and no domain
For Set-Cookie without path attribute, RFC6265 states that:
If the server omits the Path attribute, the user agent will use the "directory" of the request-uri's path component as the default value.
So from your server you need to set path=/ as well to make sure cookie is accessible to everyone
Edit-1
Also make sure that your webpage and API both run on the same protocol. Because if the cookie is marked secured then the same cannot be read by an http url
The problem can occur due to two reasons:
The Set-Cookie header returns from an HTTPS request to an HTTP website.
"Path" attribute is not set so it defaults to the API URI's path (as explained by Tarun Lalwani).
The syntax that ended up working was:
Set-Cookie: test=working; Domain=.domain.com; Path=/; Secure
I am trying to access NIFI rest api of another server from my machine using ajax like below,
url:"https://serverip:port/nifi-api/",
{Authorization : 'Bearer ' + 'access token here'}
Getting Response to preflight request doesn't pass access control
check: No 'Access-Control-Allow-Origin' header is present on the
requested resource error.
Apache NiFi's API is designed to be invoked by a variety of clients, but in this case I think you are encountering a security precaution put in place by CORS (Cross-Origin Resource Sharing).
If a piece of code on server A (your non-NiFi machine) makes an AJAX request to a different origin (your NiFi instance), and the HTTP method is not GET (and some other minor restrictions), server A will first send a "preflight" request, which is HTTP OPTIONS, to the remote instance to determine what requests are valid. A server can reply to this with the header Access-Control-Allow-Origin: *, which is a wildcard value denoting it accepts requests from any origin. However, if you want to send credentials along with the request, the originating hostname must be explicitly listed in the response (Access-Control-Allow-Origin: https://serverA.com).
Because NiFi uses an embedded Jetty server to host the API, you may have to explicitly add a CrossOriginFilter as described here.
I'm trying to intercept a web application which uses a HTTP proxy (basic HTTP auth password protected) to access its resources.
In Fiddler options, there is a setting for manual proxy configuration. But in that field, I can only define the proxy address and port. I need to define an username/password combination for upstream proxy.
Is there any way to do this?
Your scenario is a bit unclear. Clients should automatically prompt for proxy credentials when a HTTP/407 is received, although many don't.
If your question is: "How can I add a Proxy-Authorization header to all requests that pass through Fiddler?" then it's pretty simple.
Rules > Customize Rules > Scroll to OnBeforeRequest and add:
if (!oSession.isHTTPS)
{
oSession.oRequest["Proxy-Authorization"] = "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";
}
Where dXNlcm5hbWU6cGFzc3dvcmQ= is the base64-encoded version of the "username:password" string. You can use Fiddler's Tools > TextWizard to base64-encode a string.
I have an application that makes web requests to a set of URLs with the same host name. For testing purposes, I need to have this application make the same requests to URLs with a different host name. I don't have access to the source code, so building a debug version with the modified URLs is not possible.
Is there a [lightweight] proxy application that can intercept web requests and transform their URL?
For example, if it detects a web request to https://some.production.server/path, have it transform and send the request to https://some.development.server/path
Sure, use Fiddler. Click Tools > Hosts.