I have JsonResult action which required authentication and special role
[Authorize(Roles = "User")]
public virtual JsonResult Cancel()
{
//...
}
But when for example i log off and hit this action with jQuery ajax i could see that status code is 200, but it is should be 401.
$.ajax({
url: "/Cancel/",
type: "POST",
dataType: "text",
cache: false,
success: function (data, textStatus, xhr) {
alert(xhr.status); //200 here when unauthorized
}
});
So I really not able to execute the controller logic because it is not authorized, i checked that on debug, but why i am getting status code 200 in jquery ajax?
UPDATED:
In Fiddler it is saying status code 302 and i could see that request to /Acount/Login was made after /Cancel request.
/Cancel - 302
/Acount/Login - 200
In Chrome network Status Code:302 Found and also i could see that login controller(/Acount/Login) getting called after /Cancel was called.
/Cancel - 302
/Acount/Login - 200
Complete request details in Opera network
Could someone explain whats happening, why jquery didn't get correct status code?
Really what i want to do - a want to get correct status code and if it is 401 i want to redirect user to login page (window.location.href = " /Acount/Login")
Request details
POST /Cancel/ HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.9.168 Version/11.50
Host: localhost:999
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://localhost:999/Action
Cookie: style=normalText; ASP.NET_SessionId=latzewpi3kqmkq4meljv0ln5
Connection: Keep-Alive
Content-Length: 0
Accept: text/plain, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: text/xml; charset=utf-8
Content-Transfer-Encoding: binary
Response details
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /Account/LogOn?ReturnUrl=%2fCancel%2f
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 11 Aug 2011 03:04:53 GMT
Content-Length: 169
FormsAuthentication have handler in its http module, that will redirect all 401 responses to login page instead of error page.
Looking at source code of FormsAuthenticationModule there should be (quite ugly) workaround - if you append ReturnUrl=/ to your query string, the module should do no redirection.
The best solution is probably to write own http module for authentication - you can open FormsAuthenticationModule in reflector and use it as reference.
Related
I'm getting my feet wet with redux-observable and OAuth2 authentication. I'm stuck at the point where I have to POST adding Authorization header to my HTTP request. The header is has not been added. Instead, I see any custom-set header names as values of Access-Control-Request-Headers, and that's it.
This is a redux-observable 'epic':
const epicAuth = function(action$){
return action$.ofType(DO_AUTHENTICATE)
.mergeMap(
action => Rx.Observable.ajax( authRequest(action.username, action.password))
.map( response => renewTokens(response))
.catch(error => Rx.Observable.of({
type: AJAX_ERROR,
payload: error,
error: true,
}))
)
}
This is my request object:
const authRequest = function(username, password){
return {
url: TOKEN_PROVIDER + '?grant_type=password&username=' + username + '&password=' + password,
method: 'POST',
responseType: 'json',
crossDomain: true,
withCredentials: true,
headers: {
'Authorization': 'Basic <base64-encoded-user#password>',
}
}
}
The HTTP headers captured:
http://localhost:8082/api/oauth/token?grant_type=password&username=xxx&password=yyy
OPTIONS /api/oauth/token?grant_type=password&username=xxx&password=yyy HTTP/1.1
Host: localhost:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization
Origin: http://localhost:3000
DNT: 1
Connection: keep-alive
HTTP/1.1 401
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
WWW-Authenticate: Basic realm="MY_REALM/client"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1098
Date: Wed, 01 Nov 2017 17:57:38 GMT
It all ends up with 401 response, since the Authorization header was not sent. I have tested the Oauth2 endpoint manually with Postman tool, and all went well: I've got a valid access token, could renew it, etc. CORS is enabled on server side.
What am I missing here?
The client code is working correctly.
You've captured the OPTIONS cors request, which is asking the server if it is OK to POST the Authorization header (see the Access-Control-Request-Headers: authorization).
Make sure that you've configured CORS correctly on your server. It shouldn't be trying to authenticate OPTIONS calls. It should instead be sending a proper response which tells the browser if it is allowed to make the POST call.
I am working with Spring Security
The app has enabled the following:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/css/**", "/resources/images/**", "/resources/jquery/**", "/resources/js/**").permitAll()
... more URLs to intercept
.antMatchers("/notification**").hasAuthority("ROLE_ADMIN")
.antMatchers("/ajax/notification**").hasAuthority("ROLE_ADMIN")
.anyRequest().authenticated()
.and()
.csrf()
...
Observe CSRF is applied. For a form the following is used:
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}"
method="post">
<input type="submit"
value="Log out" />
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
</form>
It according Form Submissions
The app works fine how is expected, it intercepts any URL prior to load/render a jsp page and ask for the login control how is expected, if the user has logged the control about authorization is applied how is expected too. Therefore all is working with CSRF how is suggested.
Until here all is Ok.
I added ajax through jQuery and because it works with an URL, therefore I need apply the CSRF control for that URL too.
That's why above appears:
.antMatchers("/ajax/notification**").hasAuthority("ROLE_ADMIN")
Now, I want get the expected HTTP error code and message when CSRF is applied to the ajax URL "/ajax/notification" and the CSRF headers were not send.
The js ajax code is:
$.getJSON(
"/projectname-01/ajax/notification",
function(data, textStatus, req) {
console.log("data: " + data);
console.log("textStatus: " + textStatus);
console.log("req: " + req)
console.log("data: " + data);
console.log(data.content + " " + data.date);
$("#single").empty();
$("#single").append(data.content + " " + data.date);
$("#multiple").append(data.content + " " + data.date)
.append("<br/>");
}
)
Note: The URL needs to be /projectname-01/ajax/notification, the projectname-01 is mandatory, if I remove that, I get the 404. It does not work even if ./ajax/notification is used (observe the dot).
Problem: The code works fine, I mean, the Ajax call happens to the server without any problem, I am expecting some error, it because the code is not using the CRSF requeriments for ajax.
It according from:
Ajax and JSON Requests
The csrfMetaTags Tag
Thus, such as either:
<head>
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
<!-- ... -->
</head>
or
<sec:csrfMetaTags />
and of course the js code working with:
_csrf_parameter, _csrf_header etc.
Then the expected HTTP error code and message is need it for testing and production purposes
Thus, what is missing? or what is the problem?
Headers: how was requested below the HTTP headers:
From Opera
General
Request URL:http://localhost:8080/security-01/ajax/notification
Request Method:GET
Status Code:200
Remote Address:[::1]:8080
Referrer Policy:no-referrer-when-downgrade
Response Headers
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 23 Sep 2017 00:14:20 GMT
Request Headers
GET /security-01/ajax/notification HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 OPR/47.0.2631.80
Referer: http://localhost:8080/security-01/tiles/notification/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=9F2007DA3C8C683D26B8D17D85563140; jenkins-timestamper-offset=18000000
From Firefox
Request Headers
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/security-01/tiles/notification/
X-Requested-With: XMLHttpRequest
Cookie: JSESSIONID=CF344E56DD03C4019DCA334CD38B73EC
Connection: keep-alive
Response Header
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 23 Sep 2017 00:17:06 GMT
Clarification
According with Spring Security Reference Documentation we apply CSRF for a JSP page (submit form) and for Ajax, both work around with a URL. For the former I have already configured and works fine. The latter is the problem.
When I use jQuery's $.getJSON call without send the special CSRF data/headers values (<sec:csrfMetaTags />, meta[name='_csrf_parameter'] , etc), I mean from: 30.6 The csrfMetaTags Tag appears the following:
// using JQuery to send an x-www-form-urlencoded request
var data = {};
data[csrfParameter] = csrfToken;
data["name"] = "John";
...
$.ajax({
url: "http://www.example.org/do/something",
type: "POST",
data: data,
...
});
// using JQuery to send a non-x-www-form-urlencoded request
var headers = {};
headers[csrfHeader] = csrfToken;
$.ajax({
url: "http://www.example.org/do/something",
type: "POST",
headers: headers,
...
});
From above it sends the CRSF information either from data or headers. But in my code I am not sending that. Therefore I expect some special control and error reported through Spring Security
Thus with my current ajax code, through development in runtime (Tomcat running with the app), the call to the server happens and data is returned. Thus Spring Security did not intercept and throw an error due the absence of these CRSF data/headers.
Therefore thinking now for development and testing, if I create #Test methods where should fail because the CSRF data/headers values were not send. The #Test methods are going to fail because the call to the server happens without any security control.
Your HTTP GET request produces no error, because the CSRF token is only required for requests that update state, see Spring Security Reference:
18.2 Synchronizer Token Pattern
[...]
We can relax the expectations to only require the token for each HTTP request that updates state. This can be safely done since the same origin policy ensures the evil site cannot read the response. Additionally, we do not want to include the random token in HTTP GET as this can cause the tokens to be leaked.
and CsrfFilter:
Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).
To get a CSRF token you have to use HTTP POST, PUT or DELETE request.
I am testing a site having login page and then some blogs on which we can comment/post.
I first login to the site and then select a blog and make a comment on that blog.
I am able to pass the login request and select blog request but comment on the blog request showing error Invalid credential.
Here is the response message:
Thread Name: Thread Group 1-1
Sample Start: 2014-09-17 12:41:42 IST
Load time: 9
Latency: 9
Size in bytes: 286
Headers size in bytes: 286
Body size in bytes: 0
Sample Count: 1
Error Count: 1
Response code: 403
Response message: Invalid credentials
Response headers:
HTTP/1.1 403 Invalid credentials
Cache-Control: private
Server: Microsoft-IIS/8.5
X-FRAME-OPTIONS: SAMEORIGIN
X-UA-Compatible: IE=Edge
X-Telligent-Evolution: 8.0.0.37997
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 17 Sep 2014 07:11:42 GMT
Content-Length: 0
HTTPSampleResult fields:
ContentType:
DataEncoding: null
And this is the request data:
POST http://192.xx.xx.61/TelligentCommunity/api.ashx/v2/comments.json
POST data:
Body=This+is+the+sample+post+by+Arjun&ContentId=c6bc2886-1fcb-46a4-8120-e344b8d8e4a1&ContentTypeId=f7d226ab-d59f-475c-9d22-
Cookie Data:
AuthorizationCookie=71710e44-7ba7-4af7-b390-6ae81cdec229; .Telligent.Evolution=F426475F7F35ED7250E97697BCC3DE0147BD3D15C494681A9C188922459CC698DD6F6A0CA77D61E2D5C6A56A5239B338B8DC484DAB6A4073B69F9F9139500867A843A9EB39D217825C47672E1B5165214A990F8E9CF519ED6159591B510967F84F6810CBCC4466E0DA5E37D03AB0E341A6DA0970861A2F58EE873E168D1A851D9B956033B10C9856D680FC6AC5736F961631BDD1A66EE89024020BF55A8422B24A485311C87C5074F2507E4FFA9EFBADC36B0DCBC051965ACE32EDA2B5607FEBDE17F0C2F486A42E05680FD90F30494B
Request Headers:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Rest-Authorization-Code: 7a24113f-2a71-428b-80c7-57234aac67c1
Accept-Language: en-US
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
DNT: 1
Pragma: no-cache
Authorization-Code: 7a24113f-2a71-428b-80c7-57234aac67c1
X-Requested-With: XMLHttpRequest
Referer: http://192.xx.xx.61/TelligentCommunity/certification/b/90days2mcsa/archive/2014/09/12/how-to-win-by-contributing-to-the-mcp-community
Accept-Encoding: gzip, deflate
Content-Length: 123
Host: 192.xx.xx.61
Are you sure that your login request is successful? How do you know? ASP.NET applications use dynamic parameters like viewstate or eventvalidation and they need to be extracted from the previous response and added to the next one. See ASP.NET Login Testing with JMeter guide for details.
Looking into api and json URL bits I would expect that Content-Type header should be application/json. I would suggest adding a HTTP Header Manager as a child of the request which posts a blog comment and configure it to send above Content-Type.
This Authorization-Code header value: is it something you recorded or it came from correlation? If first you need to pass the correct value as well.
I've been battling with Chromium, jQuery and AJAX. My extension takes some resources from some sites using ajax, then parse the results and store it somewhere. One of those sites decided to do the jump to https. Neat. I just have to change the http for https, and fix any problem I hit down the road. No joy.
I use the following ajax method to get the stuff (is the smallest unit I could reproduce):
$.ajax({
url: "https://reader.japanzai.com/search/",
type: 'POST',
data: {
'search': "onna"
},
beforeSend: function (xhr) {
xhr.setRequestHeader("Access-Control-Allow-Origin", "*");
},
headers: {
'Access-Control-Allow-Origin': '*'
}})
Lets ignore for a while that I've set the headers twice, since just using one don't work either and throw the result:
OPTIONS https://reader.japanzai.com/search/ No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome-extension://nhjloagockgobfpopemejpgjjechcpfd' is therefore not allowed access. jquery.js:5
x.support.cors.e.crossDomain.send jquery.js:5
x.extend.ajax jquery.js:5
(anonymous function) VM4000:2
InjectedScript._evaluateOn VM3770:581
InjectedScript._evaluateAndWrap VM3770:540
InjectedScript.evaluate VM3770:459
XMLHttpRequest cannot load https://reader.japanzai.com/search/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome-extension://nhjloagockgobfpopemejpgjjechcpfd' is therefore not allowed access. lab.html:1
As you can see, it says that the request header is not present, which is true following the http request:
Request URL:https://reader.japanzai.com/search/
Request Method:OPTIONS
Status Code:200 OK
Request Headersview parsed
OPTIONS https://reader.japanzai.com/search/ HTTP/1.1
origin: chrome-extension://nhjloagockgobfpopemejpgjjechcpfd
access-control-request-method: POST
dnt: 1
accept-encoding: gzip,deflate,sdch
host: reader.japanzai.com
accept-language: es,en-US;q=0.8,en;q=0.6
method: OPTIONS
user-agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
accept: */*
url: /search/
scheme: https
version: HTTP/1.1
access-control-request-headers: access-control-allow-origin, accept, content-type
Response:
HTTP/1.1 200 OK
cache-control: post-check=0, pre-check=0, max-age=0
content-encoding: gzip
content-type: text/html
date: Thu, 13 Feb 2014 22:58:03 GMT
expires: Sat, 01 Jan 2000 00:00:01 GMT
last-modified: Thu, 13 Feb 2014 22:58:03 GMT
pragma: no-cache
server: nginx/1.5.8
set-cookie: ci_session=U3Q14aq8Q7W4KVifDyLi7%2B3lppr%2FS4BNmW1kD9t60H7dz73M5KMs1jgBo8ZrilKoswn63PvCl1sOldPs1RCl6NdiP1VZeekoMTISyQenQZU0F8yUC0odw6WuMUE5I%2FY%2Bfvddv2YH06b2pxyyNBDZnNn%2BLnLzPrRYBXHuAjFbTyucX%2FMLUUM2cwKLzaK3ILKPhxy8FXW%2FI%2F9EPPbwo%2B8nmbPwOeqDfpDdu61F5yzUU8KjfUo7MwwFIXyGWtqbjbF3PCKNZrY%2F3Cj77DgCpcCbTTKZ%2BVzrdw16oGVDg1dP8lQgSof89rLNqUlQSj60tCVzZ27oPNh9OvvTNJ92tYkTHDukG4dyv21yM4M3PACZ%2FKVNP0i2UWHbBujADPSsrGJhJxPzBsuRDLcPtDcBtuaXA4LLMoGoYW6SxYk%2BseltMvk%3D; expires=Fri, 14-Feb-2014 00:58:03 GMT; path=/
set-cookie: ci_session=tQT8qmNRnMRN2Oj3moCdZg9VNEEsPxi3t88g2SpYQxahFr%2FpiEpQFzsO2mLTp1bPlsGLmqQGnMUiuwFpLYNIneNHtU%2BoKkVOcnR8ZKxPd0FDrkW%2BqT0N2IIsV%2BC%2FXQX%2BZUkLg1E4iP6u%2F0%2Fjk1t%2BAwcwhoC0M3zODuEKv1l9JMFo%2B1g4%2BhIOp%2FHTzBnlMvE2KjanXJR55F3DOHdyi4MvQb1vzgWEZTTAfhZ3bkQPkKe41ZCJYQTw%2FrDfry8n2h43UKPc1IF4tWp%2BKh0yhux%2FsBn84meT3xR%2Bpba9ffeZObrQyVomKlmJg9oRkKvlhR4MlNsiIeIZEvtP52ns0X1uF%2B7Pg6RpcMihe1u2S0%2Fbz5wm75vQ6tyykmFp5qfnoDgXB6J7RmbBQy4GTOFEA2zqN3V6QXT71cSn%2B1ARd9GtNMA%3D; expires=Fri, 14-Feb-2014 00:58:03 GMT; path=/
status: 200 OK
strict-transport-security: max-age=31536000
vary: Accept-Encoding
version: HTTP/1.1
x-powered-by: PHP/5.4.4-14+deb7u7
So, I'm missing something obvious here or there's just no way to do this?
I followed abraham advice and added the site to the permissions field in the manifest. It worked, the only bad thing is that if another site decides to move to https I need to release a new version, so this is what I ended doing:
"permissions" : [
"tabs",
"*://*/*",
"https://ssl10.ovh.net/*",
"unlimited_storage",
"clipboardWrite",
The important part here is "*://*/*" which includes anything from http and https.
I have a jQuery Ajax call, like so:
$("#tags").keyup(function(event) {
$.ajax({url: "/terms",
type: "POST",
contentType: "application/json",
data: JSON.stringify({"prefix": $("#tags").val() }),
dataType: "json",
success: function(response) { display_terms(response.terms); },
});
I have a Flask method like so:
#app.route("/terms", methods=["POST"])
def terms_by_prefix():
req = flask.request.json
tlist = terms.find_by_prefix(req["prefix"])
return flask.jsonify({'terms': tlist})
tcpdump shows the HTTP dialog:
POST /terms HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:5000/
Content-Length: 27
Pragma: no-cache
Cache-Control: no-cache
{"prefix":"foo"}
However, Flask replies without keep-alive.
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 445
Server: Werkzeug/0.8.3 Python/2.7.2+
Date: Wed, 09 May 2012 17:55:04 GMT
{"terms": [...]}
Is it really the case that keep-alive is not implemented?
The default request_handler is WSGIRequestHandler.
Before app.run(), Add one line,
WSGIRequestHandler.protocol_version = "HTTP/1.1"
Don't forget from werkzeug.serving import WSGIRequestHandler.
Werkzeug's integrated web server builds on BaseHTTPServer from Python's standard library. BaseHTTPServer seems to support Keep-Alives if you set its HTTP protocol version to 1.1.
Werkzeug doesn't do it but if you're ready to hack into the machinery that Flask uses to instantiate Werkzeug's BaseWSGIServer, you can do it yourself. See Flask.run() which calls werkzeug.serving.run_simple(). What you have to do boils down to BaseWSGIServer.protocol_version = "HTTP/1.1".
I haven't tested the solution. I suppose you do know that Flask's web server ought to be used for development only.