I have configured Jersey client to automatically follow HTTP 302 redirects:
DefaultApacheHttpClientConfig config = new DefaultApacheHttpClientConfig();
config.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
Client client = ApacheHttpClient.create(config);
This works perfectly fine when I receive HTTP 302 for HTTP GET request: the client redirects me automatically and the last response I got from client is HTTP 202.
However, when submitting HTTP POST request that results in HTTP 302, the client does not redirects me automatically. I.e., the last response from the client is HTTP 302 and I need to follow redirects manually. This behavior seems counter-intuitive for me, as Web browsers are handling such redirects automatically. The use case also seems quite common, for instance, when trying to login with HTTP POST, you often get redirected to a new page.
Why is it so? And is there a way to handle it automatically, in a same way Web browser does it?
Related
I am developing a REST client (A) that talks to the another rest based application (B).
Now B is a secure application and has login url. When I hit the url using RestTemplate I get nothing in response but headers. But after that if I ask for any other resource using RestTemplate to app B it says unauthorized.
Below image shows the headers. How can I login once and then use this headers to talk with application B using RestTemplate.
thank you
I also don't have any login code for my rest client app A. As it will completely depend on app B. So I will not have any local user database for app A.
Request: POST /login username=user&password=password
Response: 302 Set-Cookie: JSESSIONID=xxxxxxx
Request: GET /protected-endpoint Cookie: JSESSIONID=xxxxxxx
Response: 200 Stuff...
A successful POST request to the /login endpoint should return a JSESSIONID Cookie. This is what you'll need to pass along in subsequent requests as this is your session token.
Depending on your Security Configuration you may need to make some modifications but that is the gist of it.
I've written a proxy that provides tunnelling for secured connections. However, the proxy tends to redirect (non-secured, HTTP GET) connections to a redirected page if the site being accessed is invalid. It does it by returning a "HTTP/1.0 302 Moved Temporarily" message. Will returning a HTTP/1.0 302 Moved Temporarily to a HTTP CONNECT also result in the same browser behaviour?
I've tried and it doesn't work as expected.
Therefore I was wondering if anyone could suggest the correct way of asking a HTTP CONNECT request to redirect to a different page?
If the site being accessed is invalid, you probably want to do something other than a 302 redirect. Where would you redirect to? A 302 redirect should probably only be passed back to the client from the destination site itself, but in that case it would still be a valid site.
If the site the client is requesting is not accepting connections, you should probably return a 502 Bad Gateway error to the client. See:
https://www.rfc-editor.org/rfc/rfc2616#section-10.5.3
If you can actually connect to the destination site, you should return a 200 OK to the client and then whatever the destination site returns over the proxied connection.
A CORS POST request (AJAX) made by my client server (running on Apache # port 443) to my REST server (running on Tomcat # port 8443), fails to trigger when tried over HTTPS.
Please note that all the requests function properly without SSL.
I have already set the withCredentials: true options in the request fields. And my Tomcat server also takes care of the appropriate headers :
response.addHeader("Access-Control-Allow-Origin", "https://localhost");
response.addHeader("Access-Control-Allow-Credentials", "true");
response.addHeader("Access-Control-Allow-Headers", "Content-Type");
response.addHeader("Access-Control-Allow-Methods", "OPTIONS, POST");
I also tried using Curl, but the issue persisted over SSL. However, the Tomcat server responds to all my requests when tried directly over Postman/through the browser.
Could someone tell me what I'm missing out here?
I'm assuming this is an issue with the preflight request. There are two types of CORS requests: simple, and not-so-simple.
The simple kind is either a GET or POST with no custom headers whose content type is "text/plain".
The not-so-simple kind is any request using custom headers, utilising request methods other than POST or GET, and using different content body types. These requests will be "preflighted"; that is the browser will make a preflight request on the clients behalf in order to determine whether or not the server will allow this request. The preflight request uses the OPTIONS method. I'm willing to bet if you use something like Firebug to have a look what's going on you'll see something like this in the Net tab: "OPTIONS activity" with a status of "Aborted".
Unfortunately the preflight request doesn't pass the client certificate to the server which is why your request is failing to trigger. You need to disable two way SSL in order to get it working. In Apache you can try changing the SSLVerifyClient to:
SSLVerifyClient optional
I've used this before in order to get my cross domain AJAX calls working over HTTPS.
Good luck.
I plan to use https to build a website. After the user logs in, s/he is directed to a dashboard. The dashboard will be developed using javascript and html5. What are the thing I need to keep in mind when I make ajax calls using SOAP to a web service while using https?
The most important things:
always use the same domain name, otherwise browser will throw cross domain errors,
always use https protocol for every ajax request, so browser won't get same origin errors.
On the server side check for X-Requested-With: XMLHttpRequest HTTP header, to be sure that the request came as AJAX, not standalone GET/POST request. This is only difference.
With AJAX request browser will send the same cookies value as in the any other request, so you can surely check user session with it.
I have to integrate a 3rd party newsletter signup form that makes an AJAX call to HTTP url.
That form I'm placing on pages that use HTTP or HTTPS protocols ( http for home pg., ect.; https for ecommerce related stuff )
I don't think anything is sent back from the destination server ( at least I can't see the response) other than status code.
I'm getting 200 OK whether I submit the form from HTTP or HTTPS page and watch what's going on with it in Firebug. Wonder if it's safe to assume the call gets processed successfully?
Usually, I like to have a proof positive that something worked or didn't, but in this case all test signups show up the next day, ( due to sign up getting processed as some scheduled task I'm guessing ), hence the unease.
You can call https server from http but can't call http from https directly using AJAX.
To call http user from https server you need to call your server side application from java script using AJAX, and then call http url from your server side application then send back this to the client.
You can use window.location.protocol to check whether you're currently on a Secure connection, and if so, you should AJAX a secure url.