I can enter this URL from a browser, and after entering my credentials this successfully calls my API http://172.16.0.40/rest/vars/set/1/12/666.
I'm trying to do this from an an ESP8266 using HTTPClient. My credentials are username:password, and I used an online conversion utility to get dXNlcm5hbWU6cGFzc3dvcmQ=.
When executed, the following returns error 701 (no idea what that is).
HTTPClient http;
http.begin("172.16.0.40", 80, "/");
http.addHeader("Content-Type", "text/plain");
http.addHeader("Authorization", "dXNlcm5hbWU6cGFzc3dvcmQ=");
auto httpCode = http.POST("rest/vars/set/1/12/999");
If I comment out the Authorization header, I get a 401, which is unauthorized access. What am I doing wrong?
You are trying to do a POST request to http://172.16.0.40/ with rest/vars/set/1/12/999 as payload.
HTTP status code 701 is not a standard code and is probably server specific.
You probably meant to do:
HTTPClient http;
http.begin("172.16.0.40", 80, "/rest/vars/set/1/12/999");
http.addHeader("Content-Type", "text/plain");
http.addHeader("Authorization", "Basic dXNlcm5hbWU6cGFzc3dvcmQ=");
auto httpCode = http.POST(payload);
If you want a GET request, call http.GET() instead of http.POST(payload) and you should get the same response as inside the browser.
Edit:
And as #MaximilianGerhardt already answered, you need to prepend Basic to your Authorization header.
The header of such an authorization must look like (Wikipedia):
Authorization: Basic d2lraTpwZWRpYQ==
In short, you're probably just missing the "Basic" part. And need do change your code to
http.addHeader("Authorization", "Basic dXNlcm5hbWU6cGFzc3dvcmQ=");
Related
I am trying to get an access token via RestTemplate.postForEntity().
myRestTemplate.postForEntity(authBaseUrl, request, Object.class);
I have a specific class for it, but let's use now a simple Object as type. It contains an access_token field.
It works, because I can get response, but the length if the access tokens (which is a string)
is 1196 character long. And I can get the same length in Postman too.
But if I use the intelliJ built-in REST client, the length is 1199.
Only the token from the intelliJ rest client works (So the longer).
Because I always get a new access token, it is impossible to get the same token twice.
How can I debug it?
What could be the problem?
Is the code that generates the response available to you? if so in your response add a header content-length so you can see what the server sent and what you received. Also, debug the server side and see what is being generated. In addition take another 3d party Http client and test it with this client see if you see a difference. The Http clients that you can try are Apache Http client, OK Http client, or my favorite - a very simplistic client written by me as part of my own Open Source MgntUtils library. Here is the Javadoc for my http client Here is a link to a similar question where you can get the references for any of above mentioned Http clients: How to check the status of POST endpoint/url in java
I'm trying to figure out if it is and how possible to initiate a connection with Authorization that avoids getting a 401 back from the server on the initial call.
According to the RFC (https://www.ietf.org/rfc/rfc4559.txt, end of section 4.2), the client should be able to send, with the initial request, an Authorization header containing a token, but for me that doesn't work. I've tried sending the same token (seems to be always the same) that is usually sent as a response to the first 401, but no luck.
Is there something in the configuration that needs to be changed to allow such behavior or do I need a different token?
I am trying to send a post message to authentication server and I am usign postforobject. When I run the program, i am getting "Exception in thread "main" org.springframework.web.client.HttpClientErrorException: 401 null" error
RestTemplate rest = new RestTemplate();
String responseEntity;
String uri = "http://...";
responseEntity = rest.postForObject(uri, null, String.class);
System.out.println(responseEntity);
Also I tried
responseEntity = rest.postForObject(uri, "", String.class);
Same result, it didn't work.
When I using Simple Rest Client it works
enter image description here
Any idea?
401 null probably means that the server expected some form of authentication but none was presented (i.e. no Authorization header in your request)
The most likely explanation is: the Simple REST Client (re)uses Chrome's cookies. If you previously authenticated against your service using a form login, the Simple Rest Client will reuse the JSESSIONID cookie. To detect that simply press F12 and open the network tab of your debugger. FYI there are other browser plugins, for example "Advanced REST Client", which give you more visibility over what's being sent to the server.
When you send a request using restTemplate, it doesn't have access to the session cookie (which is to be expected). You should either post to URI that allows anonymous access, or provide some form of authentication in the request. If you require additional help please post your security configuration.
I want to customise OAuth Endpoint URI's.
I want to sent parameters in post body instead of query params.
now my request is like -
example.com/oauth/token?grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&username={USERNAME}&password={PASSWORD}
But I want it like this.
example.com/oauth/token
Request body -
{
grant_type=password,
client_id={CLIENT_ID},
client_secret={CLIENT_SECRET},
username={USERNAME},
password={PASSWORD}
}
How should I do it?
The token endpoint of a properly-implemented authorization server does NOT accept GET requests because RFC 6749, "3.2. Token Endpoint" says as follows:
The client MUST use the HTTP "POST" method when making access token requests.
So, your authorization server's token endpoint should reject GET requests.
RFC 6749, "4.3. Resource Owner Password Credentials Grant" says that request parameters of a token request using Resource Owner Password Credentials flow should be embedded in the request body in the format of "application/x-www-form-urlencoded". The following is an excerpt from "4.3.2. Access Token Request".
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
Therefore, you don't have to customize your authorization server. If the server is implemented correctly, its token endpoint accepts POST requests.
The token endpoint created by spring-oauth2 already deals with POST as well.
It would be hard to customize it to accept a JSON request body, because the TokenEndpoint class expects all the params as #RequestParam params.
However, if your concern is about security (as HTTPs does not secure query parameters) you indeed can send the request parameters through post. It is just a matter of sending the request in the form "form-data" or "x-www-form-urlencoded". These are 2 ways of sending arbitrary key-value parameters in the request body, in a way that appears to the server as they are regular request parameters. So it is a matter of making your client using this.
Also, note that in spring-oauth2 it is possible to disable the GET endpoint, this way forcing your clients to use POST with one of the ways above.
I have a web crawler on Heroku and I'm trying to call the script from a POST request on Parse Cloud Code httpRequest but I receive a 403 forbidden response basically telling me the Referer Header didn't pass. How can I get past this?
Django's CSRF protection tests the Referer header: see https://docs.djangoproject.com/es/1.9/ref/csrf/#how-it-works. Browsers typically send that header to indicate the page that originated a request, but programmatic user agents don't (cURL, Python requests, and presumably Parse.Cloud.httpRequest) without being told to do so.
To add custom headers to a Parse request, see: Parse.Cloud.httpRequest call with HTTP request header (note the headers object).
That said, you also need to make sure you have a way to get the CSRF token to begin with, and include it either in a XCSRF-Token header or a form field (unclear from your question whether you are doing that).