I have a Spring web service that requires HTTP Basic authentication and I'm trying to access it via Javascript.
My Spring security configuration has the following definitions:
<security:http create-session="stateless">
<security:http-basic />
<security:intercept-url pattern="/item/**"
access="ROLE_ADMIN,ROLE_USER" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="Aladdin" password="open sesame"
authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
And my Javascript client is setting the Authentication header accordingly. However I will always get 401 for a response:
Request URL:http://localhost:8080/item
Request Method:GET
Status Code:401 Full authentication is required to access this resource
Request
Accept:application/json, text/javascript, */*; q=0.01
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Authorization:BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Cache-Control:no-cache
Connection:keep-alive
Cookie:JSESSIONID=x8foxdzzuc8g1cqnhxj34u4tv
Host:localhost:8080
Pragma:no-cache
Referer:http://localhost:8080/index.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
X-Requested-With:XMLHttpRequest
Response:
Cache-Control:must-revalidate,no-cache,no-store
Content-Length:1461
Content-Type:text/html;charset=ISO-8859-1
Server:Jetty(8.1.3.v20120416)
WWW-Authenticate:Basic realm="Spring Security Application"
Is there something missing from my request? I used Wikipedia's example for the user/password to make sure the encoding is not messed up - it matches with the example here
The problem was simpler than I thought - the Authorization header should say "Basic" not "BASIC". Just changing that fixed the entire thing.
Related
I am trying to connect to an OData API using Advanced REST Client.
The Login is successful and I receive a SecurityToken which I use in the following GET request:
accept: application/json
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.8
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
Content-Type: application/json
authorization: Basic <security-token>
Even though I am using the security token I received from the Login, I am receiving a message that says "The HTTP authorization header is not formatted correctly." and I also receive an "Authorization required" prompt in Advanced REST Client (ARC).
Can anyone tell me what is wrong with the Authorization header or how I can format it correctly?
Something wrong with your token.
please show your login result.
In addition, My be It is because of authorization type that you use 'basic'.
Use 'Bearer' with authorization token:
authorization: Bearer ....
Hi I am developing services in web api2 vs2015. Initially i had cors issue i fixed and http verbs like get,delete,put,post working fine in mozilla and internet explorer. I am getting errors in google chrome for put and delete request. I am not able to do put and delete in google chrome. This is my request and response values in chrome.
Request URL:http://192.168.0.213:8041/User_Creation/1019
Request Method:OPTIONS
Status Code:400 Bad Request
Remote Address:192.168.0.213:8041
**Response Headers**
view source
Cache-Control:no-cache
Content-Length:58
Content-Type:application/json; charset=utf-8
Date:Mon, 16 Jan 2017 10:07:04 GMT
Expires:-1
Pragma:no-cache
Server:Microsoft-IIS/8.5
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET
**Request Headers**
view source
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Access-Control-Request-Headers:
Access-Control-Request-Method:DELETE
Connection:keep-alive
Host:192.168.0.213:8041
Origin:http://192.168.0.213:8040
Referer:http://192.168.0.213:8040/usercreation/Index
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
I have below line of code in web.config
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Methods" value="POST, PUT, DELETE, GET, OPTIONS" />
<add name="Access-Control-Allow-Headers" value="content-Type, accept, origin, X-Requested-With, Authorization, name" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
Am i missing anything here?
I am sending requesting delete http verb and in 3rd line i can see options verb. I am confused here. May i know how can i fix this issue? Thank you for your help.
This is another CORS question. I have a weird issue.
I have an old application. i have access to inetpub but not the source code (only dlls and web.config).
So, before i make any POST call, there is a preflight call that is happening and somehow , the server is now allowing options to happen.
How do i make this work with just web.config or iis changes?
interestingly, Get call works. only post doesnt work.
I have added the following in Web.config of the api
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
in my test application, when i try to call the api, i am sending the following in the request headers
OPTIONS http://OldWebApiurl HTTP/1.1
Host: http://Oldwebapi.host
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://TestSite
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Access-Control-Request-Headers: accept, content-type
Accept: */*
Referer: http://testsite/page
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
How do i make this work with just web.config or iis changes?
I am afraid that this might not be possible with changes to those files only. For example if you are using ASP.NET Web API (which you seem to be using according to the tags used in your question) you might consult the following tutorial explaining the required changes you need to make to your source code in order to enable CORS.
So long story short, get the code of this web application from source control, add the config.EnableCors(); call to the bootstrapping section and decorate the controllers/actions that need to be accessible with CORS with the [EnableCors(...)] attribute. Then push back the changes you did in the source control, trigger a build and let the continuous delivery do the rest and deploy your changes to the target environment. Then you can enjoy CORS.
interestingly, Get call works. only post doesnt work.
That's perfectly normal, most common browsers simply do not make a pre-flight request for GET AJAX calls because those are considered safe - those are not supposed to modify any server side state so they are allowed.
Because of some reasons I have a spring application which has two client applications written in extjs. One only contains the login page and the other the application logic. In Spring I include them into two jsp pages which I'm using in the controller.
The login and the redirect to the application page works fine. But if I logout the logout is done successful but I keep staying on the application page instead of being redirected to the login page.
security config:
<security:logout logout-url="/main/logoutpage.html" delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/test/logout.html"/>
Controller:
#RequestMapping(value="/test/logout.html",method=RequestMethod.GET)
public ModelAndView testLogout(#RequestParam(required=false)Integer error, HttpServletRequest request, HttpServletResponse response){
return new ModelAndView("login");
}
"login" is the name of the view which contains the login application. In browser debugging I can see following two communcation:
Request URL:http://xx:8080/xx/xx/logoutpage.html?_dc=1358246248972
Request Method:GET
Status Code:302 Moved Temporarily
Request Headersview source
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Cookie:JSESSIONID=6E22E42CC6835C8A6DFF2535907DEF17
Host:xx:8080
Referer:http://xx:8080/xx/xx/Home.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
X-Requested-With:XMLHttpRequest
Query String Parametersview URL encoded
_dc:1358246248972
Response Headersview source
Content-Length:0
Date:Tue, 15 Jan 2013 10:37:33 GMT
Location:http://xx:8080/xx/xx/login.html
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/xx
Request URL:http://xx:8080/xx/xx/login.html
Request Method:GET
Status Code:200 OK
Request Headersview source
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Cookie:JSESSIONID=6E22E42CC6835C8A6DFF2535907DEF17
Host:xx:8080
Referer:http://xx:8080/xx/xx/Home.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
X-Requested-With:XMLHttpRequest
Response Headersview source
Content-Language:de-DE
Content-Length:417
Content-Type:text/html;charset=ISO-8859-1
Date:Tue, 15 Jan 2013 10:37:33 GMT
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=532EBEED737BD4172E290F0D10085ED5; Path=/xx/; HttpOnly
The second response also contains the login page:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
<script src="http://extjs.cachefly.net/ext-4.1.1-gpl/ext-all.js"></script>
<link rel="stylesheet" href="http://extjs.cachefly.net/ext-4.1.1-gpl/resources/css/ext-all.css">
<script type="text/javascript" src="/xx/main/app/app.js"></script>
</head>
<body></body>
</html>
Somebody has an idea why the login page is not shown?
Thanks
Instead of custom JavaScript handler for logout control just use a normal link:
Logout
Logout controller uses HTTP redirect to show login page. In a case of AJAX call redirect does not work like you want. Look into XmlHttpResponse of your AJAX call. You will find the logout page there.
What do you mean by "One only contains the login page and the other the application logic"? you have 2 apps? 2 different WARs/JARs?
please explain...
BTW - After logout, you want to redirect the user to a protected resource in your app, and then Spring will redirect the user to the login page. You do not have to (or should not) implicitly redirect to the login page by yourself.
Our client uses IE8, and its caching-hungry ways makes things difficult. To fix this I added a bean to prevent caching
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
<property name="cacheSeconds" value="0" />
</bean>
According to Chrome's (Very useful) developer tool, I can see that Response Headers are:
Cache-Control:no-cache
Cache-Control:no-store
Content-Length:1070
Content-Type:text/html;charset=utf-8
Date:Tue, 27 Nov 2012 17:21:31 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Pragma:no-cache
However, now I'm getting a 406 response. Why would I be getting this?
The Request Headers are:
Accept:application/json, text/javascript, */*; q=0.01
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:redacted
Host:localhost:8040
Referer:http://localhost:8040/redacted
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
X-Requested-With:XMLHttpRequest
I took a look at this answer, but I'm already using Jackson.
Found the answer. Once again it's a problem with how the beans are ordered. If I place the no-cache bean AFTER the jackson bean, then it works.