I am developing an OpenCMIS client using BindingType.Browser. Creating a session passing the required parameters for USER, PASSWORD, BROWSER_URL, BINDING_TYPE and REPOSITORY_ID works as expected. The session is created and further steps can be executed.
Now I want to make my client run on machines using HTTP proxies to access the internet. To specify the proxy to access I set the system properties http.proxyUrl and http.proxyPort. This works too as long as the proxy does not require authentication.
Well, that's the point where I am struggeling right now. I activated the authentication in my test proxy and in the client code I added the parameters PROXY_USER and PROXY_PASSWORD to create the session. But this doesn't seem to work. I already debugged the used StandardAuthenticationProvider to verify what happens. The HTTP-Header "Proxy-Authenticate" is created by the authentication provider but it seems that the chemistry framework is sending the request without that header. In the log of my proxy the received requests do not contain any security headers.
CONNECT my.server.org:443 HTTP/1.1
User-Agent: Java/1.8.0_111
Host: my.server.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Any suggestions?
I found the solution in the following thread: Java Web Start: Unable to tunnel through proxy since Java 8 Update 111.
Since Java 8 Update 111 the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime, by adding "Basic" to the jdk.http.auth.tunneling.disabledSchemes networking property when proxying HTTPS. For more information refer to 8u111 Update Release Notes.
To re-activate the proxying you need to set jdk.http.auth.tunneling.disabledSchemes="". This cann be done via VM Argument when starting the application
-Djdk.http.auth.tunneling.disabledSchemes=""
or at runtime by setting the property in the main method of the application
System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
Related
I am working on creating performance test for an application based on Windows authentication.
Test plan is designed as following :
Test Plan
HTTP Cookie Manager
HTTP Authorization Manager
Thread Group
HTTP Request 1
HTTP Request 2
In the HTTP authorization manager section I have provided the base URL, username, password and selected Mechanism as BASIC_DIGEST.
Now assume that HTTP Request 2 is a file upload scenario.
When the steps were recorded then then the file upload scenario had a Content-Type header which has the value - Multipart/form-data; boundary=----WebkitFormBoundaryxxxxxxxxxx.
Now when I execute the script boundary in the above format is not generated which probably results in script failure. I need to understand what changes I might need to implement in order to generate the Content-Type correctly.
I believe that you should rather remove Content-Type header from the HTTP Header Manager and tick "Use multipart-form/data" box in the HTTP Request sampler:
The fact you're getting HTTP Status 401 means that your configuration of HTTP Authorization Manager is not correct. If you're using your Windows domain credentials for accessing the application your "Mechanism" choice might be wrong as Kerberos is way more popular than NTLM so inspect network tab of your browser developer tools and see what are WWW-Authenticate and Authorization header value, this way you can guess what mechanism is being used exactly and properly configure the HTTP Authorization Manager
More information: Windows Authentication with Apache JMeter
We are trying to make a call to web service (nonsecure i.e. HTTP) in Xamarin.iOS. As it is an http URL we have added NSAppTransportSecurity to bypass the secure access.
Currently, we are using HttpClient with NSUrlSessionHandler so that ATS config specified in info.plist gets applied.
client = new HttpClient(new NSUrlSessionHandler());
Problem #1
Now, the issue is whenever we are firing the web service request and after that, if we switch to a different app and come back to our app, the request gets stuck and does not return anything. if we stay on our app, it returns the response successfully.
Problem #2
In order to resolve Problem#1 issue of switching app, we tried client = new HttpClient(new CFNetworkHandler()); i.e. using CFNetworkHandler and that resolves our issue but this eventually creates another issue of accessing http URL. As we have used CFNetworkHandler , configurations related to NSAppTransportSecurity in info.plist gets ignored. As Apple Developer Document says
ATS doesn’t apply to calls your app makes to lower-level networking
interfaces like the Network framework or CFNetwork.
Error that we get while calling webservice with CFNetwork is as follows and it looks like info.plist config is getting ignored
StatusCode: 505, ReasonPhrase: 'HTTP/1.1 505 HTTP Version Not Supported', Version: 1.1, Content: System.Net.Http.CFContentStream, Headers:
{
Date: Fri, 03 Jul 2020 06:15:19 GMT
Connection: close
Server: Microsoft-HTTPAPI/2.0
Content-Type: text/html; charset=us-ascii
Content-Length: 350
}
However, on the other end,Microsoft Xamarin Says
App Transport Security does not apply to Xamarin apps using Managed HTTPClient implementations. It applies to connections using CFNetwork HTTPClient implementations or NSURLSession HTTPClient implementations only.
So, if we use NSUrlSessionHandler the request got stuck while switching app and if we use CFNetworkHandler then ATS won't allow to access the services.
ATS Configurations are as follows
set NSAppTransportSecurity with NSAllowsArbitraryLoads set to YES
set NSExceptionDomains with following parameters
a. naaxdev.cloudapp.net
b. NSIncludesSubdomains set to YES
c. NSExceptionAllowsInsecureHTTPLoads set to YES
d. NSExceptionRequiresForwardSecrecy set to NO
I am working on a RESTful web application using Go + gorilla/mux v1.4 framework. Some basic security testing after a release revealed an Open URL Redirection vulnerability in the app that allows user to submit a specially crafted request with an external URL that causes server to response with a 301 redirect.
I tested this using Burp Suite and found that any request that redirects to an external URL in the app seems to be responding with a 301 Moved Permanently. I've been looking at all possible ways to intercept these requests before the 301 is sent but this behavior seems to be baked into the net/http server implementation.
Here is the raw request sent to the server (myapp.mycompany.com:8000):
GET http://evilwebsite.com HTTP/1.1
Accept: */*
Cache-Control: no-cache
Host: myapp.mycompany.com:8000
Content-Length: 0
And the response any time is:
HTTP/1.1 301 Moved Permanently
Location: http://evilwebsite.com/
Date: Fri, 13 Mar 2020 08:55:24 GMT
Content-Length: 0
Despite putting in checks for the request.URL to prevent this type of redirect in the http.handler, I haven't had any luck getting the request to reach the handler. It appears that the base http webserver is performing the redirect without allowing it to reach my custom handler code as defined in the PathPrefix("/").Handler code.
My goal is to ensure the application returns a 404-Not Found or 400-Bad Request for such requests. Has anybody else faced this scenario with gorilla/mux. I tried the same with a Jetty web app and found it returned a perfectly valid 404. I've been at this for a couple of days now and could really use some ideas.
This is not the claimed Open URL redirect security issue. This request is invalid in that the path contains an absolute URL with a different domain than the Host header. No sane client (i.e. browser) can be lured into issuing such an invalid request in the first place and thus there is no actual attack vector.
Sure, a custom client could be created to submit such a request. But a custom client could also be made to interpret the servers response in a non-standard way or visit a malicious URL directly without even contacting your server. This means in this case the client itself would be the problem and not the servers response.
I'm using gssapi/Kerberos authentication in my web application, and I want single sign on via the browser.
The problem is, Firefox sends an initial request to the server with no authentication, and receives a 401. But it includes a keep-alive header:
Connection: keep-alive
If the server respects this keep-alive request, and returns a WWW-Authenticate header, then Firefox behaves correctly and sends the local user's Kerberos credentials, and all is well.
But, if the server doesn't keep the connection alive, Firefox will not send another request with the credentials, even though the response has the WWW-Authenticate header.
This is a problem because I'm using Django, and Django doesn't support the keep-alive protocol.
Is there a way to make Firefox negotiate without the keep-alive? In the RFC that defines the Negotiate extension, there's nothing about requiring that the same connection be re-used.
Alternatively, is there a way to make Firefofx preemptively send the credentials on the first request? This is explicitly allowed in the RFC.
That header is HTTP 1.0, wake up, fast-forward 15 years and your problems will go away. Firefox works very well with SPNEGO.
We're writing Windows app and we also have backend server. And we want to implement Google Login. So the Windows app asks the user, it receives the JWT token and passes it to our server. I the token, there are 2 keys: aud and azp. On our other platoforms (iOS, Android), the azp is the OAuth Client ID of the application from Google Cloud Console and aud is OAuth Client ID for our server. But on Windows, they are both same. On other platform, this is handled by libraries provided by Google, but on Windows, we're using low-level HTTP. But we can't find a way to specify the aud. How can we do it?
EDIT: I found out about audience:server:client_id:... in scope, but it doesn't work for me either. It gives me Error: invalid_scope.
This is the request (using HTTPie):
http -v https://accounts.google.com/o/oauth2/auth client_id==windows-ios-app-client_id.apps.googleusercontent.com redirect_uri==my.bundle.id: response_type==code 'scope==audience:server:client_id:server-client-id.apps.googleusercontent.com'
GET /o/oauth2/auth?client_id=windows-ios-app-client_id.apps.googleusercontent.com&redirect_uri=my.bundle.id%3A&response_type=code&scope=audience%3Aserver%3Aclient_id%3Aserver-client-id.apps.googleusercontent.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: accounts.google.com
User-Agent: HTTPie/0.9.2
I think we should provide this scope while you request for token. This is probably automatically done if we use Google/Sign-In library, provided that we set the server client id.
[GIDSignIn sharedInstance].serverClientID = #"YOUR_SERVER_CLIENT_ID_HERE"
By the way, If any am looking for a way to implement the same using AppAuth. I did not find any solution yet.
Send the web client id as a parameter audience=WEB_CLIENT_ID when requesting token endpoint.