I'm using the Quarkus Rest Client to communicate with an external service which uses two cookies to authenticate all requests. These two cookies are returned from an authentication API and from every subsequent API call. Is there a way to handle these cookies automatically? Currently I'm getting the cookies from the response object of the authentication API and I manually send them in every request using @CookieParam.
I haven't tried it, but can't you do something like this:
// pseudo code !!!
import java.util.Map;
import javax.ws.rs.CookieParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;

@RegisterRestClient
public interface UsersClient {

    @POST
    @Path("/backend")   // paths are illustrative
    String backendCall(@CookieParam("Token1") String token1,
                       @CookieParam("Token2") String token2);

    @POST
    @Path("/auth")
    Map<String, String> authenticate(String param);

    // Authenticate first, then forward the two tokens as cookies on the backend call.
    // Assumes the authentication response is a JSON object keyed by cookie name.
    default String makeCall(String param) {
        var tokens = authenticate(param);
        return backendCall(tokens.get("Token1"), tokens.get("Token2"));
    }
}
From your service you inject this rest client and call the makeCall(...) method. That should authenticate you against your server, and use the tokens from the response and send these as cookies to the backend call.
Apologies for any mistakes in the code: I've written it from my tablet. But I hope the idea is clear.
And also check the Microprofile Rest client documentation for more information:
https://download.eclipse.org/microprofile/microprofile-rest-client-2.0/microprofile-rest-client-spec-2.0.html#_sample_definitions
We have an ASP.NET Core API that uses Windows Authentication and Claim based identity.
The API has one Controller with multiple Actions. The Actions have different authorization policies.
[Authorize(Policy = "Read")]
[HttpGet]
public async Task<ActionResult<Item>> Read()
{ ... }
[Authorize(Policy = "Write")]
[HttpPost]
public async Task<ActionResult<Item>> Write(Item item)
{ ... }
In Startup.cs we have this:
services.AddAuthorization(options => {
options.AddPolicy("Read", policy => policy.RequireClaim("OurReadType","OurReadValue"));
options.AddPolicy("Write", policy => policy.RequireClaim("OurWriteType","OurWriteValue"));
});
We also have a front end that consumes this API. Everything works fine when the front end application accesses our API. Users only have access to read actions if they have the read claim, and the same goes for write actions. When a user that has only the read claim tries to call a write action, they'll get a 401 Unauthorized. This is all expected behavior. No problems so far.
The problem starts when we try to access our API from Postman. ONLY from Postman do we get 403 Forbidden errors.
Postman is configured to use NTLM Authentication with my personal username and password, and my account has both read and write claims.
If we remove the [Authorize(Policy = "Read")] annotation from an action, we no longer get the 403 error when calling that action from Postman. This makes me think that the problem is somewhere between Postman and claims based authorization.
Does anybody have an idea of what the problem is? I'm fairly new to claims based identity and to using Windows authentication to this extent. So any help is appreciated.
Is there a way in Postman to automatically obtain a new API key for the user, by calling the login endpoint, when an endpoint returns an HTTP 401? In this situation Postman would load the result and store the API key in a variable in the specific Environment.
The Tests tab in Postman allows you to write some JS code that reads the response data and acts accordingly.
Then the Postman API allows you to set the next request in the collection runner or newman, so you can just call the login request.
Basically something like this:
// Tests tab of the protected request: on a 401, run the "login" request next.
// pm.setNextRequest only takes effect in the collection runner or newman.
if (pm.response.code === 401) {
    pm.setNextRequest('login');
}
Here is some further reading about scripting in Postman.
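The full round trip the answer above sketches, as an added example that is not part of the original answer: the Tests-tab script of the protected request and of the "login" request, written as functions that receive Postman's `pm` object so the flow can be run outside Postman. The request name 'login', the environment keys 'apiKey', 'authRetried' and 'returnTo', and the login body shape `{ apiKey }` are assumptions; the protected request is assumed to send `{{apiKey}}` itself. It adds a loop guard so a rejected key does not bounce between the two requests forever.

```javascript
// Tests tab of every protected request.
function onProtectedResponse(pm) {
  if (pm.response.code !== 401) {
    pm.environment.unset('authRetried');            // good call: reset the loop guard
    return 'continue';
  }
  if (pm.environment.get('authRetried') === 'true') {
    pm.setNextRequest(null);                         // login already ran once: stop the run
    return 'stop';
  }
  pm.environment.set('authRetried', 'true');
  pm.environment.set('returnTo', pm.info.requestName); // come back here after login
  pm.setNextRequest('login');
  return 'login';
}

// Tests tab of the "login" request: store the key, then jump back to the caller.
function onLoginResponse(pm) {
  if (pm.response.code !== 200) {
    pm.setNextRequest(null);
    return 'stop';
  }
  pm.environment.set('apiKey', pm.response.json().apiKey); // assumed body shape
  const back = pm.environment.get('returnTo');
  if (back) pm.setNextRequest(back);
  return 'retry';
}

// Constructed stand-in for `pm`, only so the two scripts can run here.
// Environment values are strings in Postman, hence String().
function fakePm(code, body, env, requestName) {
  const next = [];
  return {
    response: { code, json: () => body },
    info: { requestName },
    environment: {
      get: (k) => env[k],
      set: (k, v) => { env[k] = String(v); },
      unset: (k) => { delete env[k]; },
    },
    setNextRequest: (name) => { next.push(name); },
    next,
  };
}
```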
I'm doing a simple page to register users. However after I get the user's input I need to call a web service to get a token which will then allow me to call another web service which will finally proceed to register the user (using the input AND the token).
So what I want to know is how to call this WS, retrieve its response, and then add that response (which would be the token) to the form used for user registration.
Edit: I'm using classic ASP
Depends on how the web service is written. These days most APIs are written using REST (i.e. standard HTTP GET/POST URL format). So you simply make a call to a URL, and get a value back - you can do this using ASP's "ServerXMLHTTP" component. e.g.
' sURL = web service endpoint, parms = the POST body (both set earlier)
Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
xml.Open "POST", sURL, False                 ' False = synchronous call
xml.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
xml.Send parms
returnValue = xml.ResponseText               ' body of the reply, e.g. the token
Then do something with "returnValue"
I am using Worklight Adapters with an authentication-based adapter, which verifies credentials via a third party web service (a Grails server).
When testing with one user, everything is fine, but once I start using multiple user accounts, I found that all users connect to the same session, with the same JSESSIONID cookie.
I think the Worklight adapter is adding cookies from previous requests, and that's equivalent to a browser connecting to different accounts without removing old cookies / logging out.
When debugging, I can see that I have this in the authentication request's response headers when the first user logs in:
"Set-Cookie":"JSESSIONID=63850CB333E7C279DC6D5B1D973B21E7; Path=/"
and when the second user logs in, there is no longer a "Set-Cookie" header in the response.
Does anyone have a solution or workaround?
How can I force Worklight to remove existing cookies when connecting to the authentication web server?
In your adapter procedure you should add the attribute connectAs="endUser". This way each user will create a unique connection to the authentication backend and they will not share the same session ID.
I force a logout on window close. Something like this:
function wlCommonInit() {
    window.onbeforeunload = function() {
        WL.Logger.debug("logging out");
        WL.Client.logout();
    };
}
I'm reading RESTful Web Services, and in the first chapters they talk about taking advantage of the features HTTP already provides.
They introduce an example that does authentication to del.icio.us using HTTP Basic Authentication.
Until now, the apps I've written in NodeJS implemented authentication by sending a POST request from a form containing a user and a password field.
How do you guys implement this? Do webpages implement auth via http basic auth?
Which one is recommended?
Thanks in advance.
You may find Basic HTTP authentication in Node.JS? useful as it describes how to do Basic Authentication in NodeJS.
As for its use in Web Services, well...there are lots of ways to authorize requests from using a shared secret (like an API key), cookies (like Basic Auth) or user credentials added to a request string. All have their pluses and minuses.
For most of my coding, I rely on public/private key pairs to assure the identity of clients.
The http-auth module should do the job:
// Authentication module.
var http = require('http');
var auth = require('http-auth');
var basic = auth.basic({
    realm: "Simon Area.",
    file: __dirname + "/../data/users.htpasswd" // gevorg:gpass, Sarah:testpass ...
});
// Creating new HTTP server; http-auth answers 401 with a Basic challenge until valid credentials arrive.
http.createServer(basic, function(req, res) {
    res.end("Welcome to private area - " + req.user + "!");
}).listen(1337);