When trying to use getUrl() to grab a CSV file from a URL with basic .htaccess authorization, I am redirected to an Amazon S3 location. The getURL() function passes the original HTTP headers (for the auth) to Amazon S3 which Amazon thinks is an Amazon token; this causes the following error in the response:
Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified
I can't see these issues talked about anywhere other than an advisory from Thompson Reuters: https://community.developers.thomsonreuters.com/questions/29247/aws-download-x-direct-download-returns-invalid-arg.html
The fix is to receive the redirect back from the remote server, look at the response and pull out the new (redirected) URL and grab the CSV file from there without the auth details in the header.
Is there a way in deluge script ZOHO to do this? The getUrl() function seems really basic and the documentation is very thin.
The other way to do this is a 'middleware' application that can use CURL, save the CSV's on a remote server then use ZOHO getUrl() to pull these CSV files. This is not an optimal solution but unless ZOHO gives access to some HTTP client functions then I don't see another way.
To get the detail of the response headers include detailed:true in the invokeurl request.
Example:
// parameters is a Map
// header is a Map
response = invokeurl
[
url :url
type :POST
parameters:parameters
headers:header
detailed:true
];
// To see all headers and content
info response;
// To see the http response code
info response.get('responseCode');
// With detailed:true any html or json returned will be put in responseText
// info response.get('responseText');
// To see the all http response headers
info response.get('responseHeader');
// To see a specific http response header
// Note: case matters in the response headers name
// "Content-Type" won't find "content-type"
info response.get('responseHeader').get('content-type');
// was the url redirected to another url?
info response.get('responseHeader').get('location');
// get the redirect url
redirect_url = response.get('responseHeader').get('location')
from there you can process the redirect url and pass it to the next http request.
Recommendation:
After working for months both including detailed:true and not including it, I now lean toward always including it. detailed:true includes more useful information and has a helpful regular structure: {responseCode: <code>, responseHeaders: <headers>, responseText: <returned-data>}.
This is possible in Deluge using the invoke URL task - https://www.zoho.com/deluge/help/web-data/invokeurl-task.html#response.
invokeURL can hand over the response headers to you from which you can get the redirect URL and then proceed with the authentication.
Related
I am working on B2G OS. I am trying to hit one API using XHR which is redirecting me to another API with Set-Cookie response header. In the next API request that cookie which I got in the first header response which is missing in request header.
Use option 'redirect' : 'follow' while making xhr request, also add systenxhr permission in manifest if this is cross origin request.
I am developing an application for my AppleTV. The App will read movies from an online website that hasn't developed any API for this kind of thing.
I use XMLHTTPRequest to get the different URLs and have the user search for his movie, etc... Everything is working fine, except for a single request. To get the movie URL, I have to send a get request to a specific address (let's say http://example.com/getmovie.html) with a constant cookie (let's say mycookie=cookie).
I've tried using setRequestHeader:
var xhr = new XMLHttpRequest();
xhr.open("GET", url, false);
xhr.withCredentials = true;
xhr.setRequestHeader('Cookie', 'mycookie=cookie');
xhr.send();
But no cookie seems to be sent.
I also tried setting the cookie with Document.cookie like I would have probably done in a "normal" js script (running in my browser) but no luck either.
This is extremely frustrating, especially since I'm stuck so close to the end of my app.
I guess cross-origin might be the issue but I'm able to get URLs without issues if I don't have to set cookies, so I am a bit lost there.
Please let me know how I can get http://example.com/getmovie.html with a specific cookie header.
Thanks for your help
im sorry to inform you but the xmlHTTPRequest function of javascript does not allow a cookie header to be set for security reasons as shown here: Why cookies and set-cookie headers can't be set while making xmlhttprequest using setRequestHeader? the best way i could see you making that get request would be to a proxy server that you would be running. I believe that it is built this way to prevent you from setting cookies on domains that you do not own, furthermore i do not see an alternate resolution to this problem as no were in the docs i looked at was cookie persistence or management mentioned
In case someone has the same issue:
I didn't find a solution to sending a cookie with javascript. However, in my situation, the origin of the request didn't matter, only the cookie did. My solution was then to create a PHP file receiving the destination URL and the cookie content as parameters, and then sending the get request with the cookie as a request header. (more information about how to do so here: PHP GET Request, sending headers).
In my javascript I then use XMLHttpRequest to connect to my PHP file (hosted online) with simple get parameters and I then receive the response from the PHP. That trick of course won't work if the origin of the request matters (except if you host your file at home I guess, but in my case I want my application to work even if my WAMP isn't on).
Well... the problem here is the line xhr.setRequestHeader('Cookie', 'mycookie=cookie'); line just because the 'Cookie' header is reserved for the client browser to send the stored cookies. This means you are trying to do what the browser already does. When you send a any request, the client browser automatlycally will take all the cookies related to the site you are requesting and put them on the 'Cookie' header, you don't need to do anything else, if your cookie exist in your browser, it will be send.
Cordova how to send session cookie, allow credentials with XMLhttprequest:
// JS
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/ajax.php', true);
xhr.withCredentials = true;
xhr.onreadystatechange = function() {
if(xhr.readyState == 4 && xhr.status == 200) {
// alert(xhr.responseText);
// Get header from php server request if you want for something
var cookie = xhr.getResponseHeader("Cookie");
// alert("Cookie: " + cookie);
}
}
xhr.send();
// Php
// You can add cookie to header and get with (session works without it)
header('Cookie: PHPSESSID='.$_COOKIE['PHPSESSID']);
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Request-With, Set-Cookie, Cookie, Bearer');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');
I've managed to make a file downloader in C++ (using winsock). It downloads every simple link with a file like: www.page.com/image.png
I want to make it download all of the images from an entire page, such as all the images from a 4chan thread, but I don't know what I should send in the http request to get the page's source. How can I request the source of a webpage?
You don't send anything in the http request, in the manner you're thinking.
An http request sends a single request, for a single document, and returns a single document from the server.
To download an entire page, you will have to parse the downloaded HTML document, extract all the relative links from the HTML source, then issue a separate http request for every image, css, js, etc... referenced from the main document.
This is how tools like wget's --recursive option download entire pages.
If the page is located at the root of the http://www.page.com server, you would send a GET request to the www.page.com server asking for the / resource:
GET / HTTP/1.1
Host: www.page.com
Let's say the page was actually located at http://www.page.com/thepage.html. You would send a GET request asking for /thepage.html instead:
GET /thepage.html HTTP/1.1
Host: www.page.com
Either way, you would then have to parse the resulting HTML to get the individual URLs of all the <img> tags that are on the page.
So I know there are a lot of questions about CSRF (because I have read some of them) but there is one point I still don't understand. Let's imagine the following case:
I am logged in(with cookies) on my server where there is a page with a button 'Delete my account'. Which I don't want to press.
I visit a hacker's server:
a. My browser requests 'bad.html', which contains JS, with a callback function defined. It also has a script like:(thus avoiding the Same-Origin Policy problem)
var s = document.createElement('script');
s.src = 'url to "deleteAccountPage" of my server?'
s.src += 'callback=hackerCallback';
s.type = 'text/javascript';
document.body.appendChild(s);
b. Script is "appended" the browser will load the page and then call hackerCallback passing the page HTML text as parameter.
c. With this HTML, the callback can parse the token in there.
The hackerCallback now has the token, sends an Ajax request to my server on the "deleteMyAccount" page.
My account is now deleted, because the Token, the cookies and even the browser trace matches the ones registered by the server.
How do you avoid that behaviour ? I have read things about only allowing certain Headers on my server. This would cut short all Cross-Domain request on my server, however according to this link (http://blog.alexmaccaw.com/jswebapps-csrf) it is not enough... (Which I totally believe)
Thansk for the help
Seba-1511
You are using JSONP in order to make a cross domain request via a scr tag. The JSONP is only allowed for GET requests and you shouldn't have GET endpoints that make changes (not idempotent).
deleteAccount should be a POST endpoint that couldn't be requested via JSONP.
If you insist in use GET on deleteAccount you should use CSRF tokens or send the token in a header instead of a cookie (if you're using XHR requests)
I am trying to use spring security in my application developing restful web services and not getting the way how to send request to j_spring_security_check directly so that i can provide same url as a web service to Authorization of username and password.
Currently i am using following request pattern:
URL: "http://localhost:8080/CabFMS/j_spring_security_check"
Content-type: application/x-www-form-urlencoded
Body: {'j_username':'user','j_password':'123'}
Response: is Bad credentials
I am not sure about Content-type and body parameters. Please provide suggestion. To send request i am using REST Client
Tarun Gupta
As you correctly noticed j_spring_security_checks expects application/x-www-form-urlencoded content, therefore you need to encode it as such:
j_username=user&j_password=123
Your request pattern should be :
/j_spring_security_check?j_username=user&j_password=123
with method "POST" type.
other then this you can change request action & parameters text "j_spring_security_check" and "j_username" ,"j_password" by configuring alternate text in attributes :
login-processing-url,
username-parameter,
password-parameter
of spring "form-login" tag in security configuration xml file.
Create an AuthenticationSuccessHadler for this, in the authenticationSuccess method, return base64 encoded authorization header with the pattern username:password
Then, on each request, set the header as Basic yourtokenhere