Spring Security - web-services

I am trying to use spring security in my application developing restful web services and not getting the way how to send request to j_spring_security_check directly so that i can provide same url as a web service to Authorization of username and password.
Currently i am using following request pattern:
URL: "http://localhost:8080/CabFMS/j_spring_security_check"
Content-type: application/x-www-form-urlencoded
Body: {'j_username':'user','j_password':'123'}
Response: is Bad credentials
I am not sure about Content-type and body parameters. Please provide suggestion. To send request i am using REST Client
Tarun Gupta

As you correctly noticed j_spring_security_checks expects application/x-www-form-urlencoded content, therefore you need to encode it as such:
j_username=user&j_password=123

Your request pattern should be :
/j_spring_security_check?j_username=user&j_password=123
with method "POST" type.
other then this you can change request action & parameters text "j_spring_security_check" and "j_username" ,"j_password" by configuring alternate text in attributes :
login-processing-url,
username-parameter,
password-parameter
of spring "form-login" tag in security configuration xml file.

Create an AuthenticationSuccessHadler for this, in the authenticationSuccess method, return base64 encoded authorization header with the pattern username:password
Then, on each request, set the header as Basic yourtokenhere

Related

Can ZOHO deluge script getUrl() function read HTTP response headers?

When trying to use getUrl() to grab a CSV file from a URL with basic .htaccess authorization, I am redirected to an Amazon S3 location. The getURL() function passes the original HTTP headers (for the auth) to Amazon S3 which Amazon thinks is an Amazon token; this causes the following error in the response:
Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified
I can't see these issues talked about anywhere other than an advisory from Thompson Reuters: https://community.developers.thomsonreuters.com/questions/29247/aws-download-x-direct-download-returns-invalid-arg.html
The fix is to receive the redirect back from the remote server, look at the response and pull out the new (redirected) URL and grab the CSV file from there without the auth details in the header.
Is there a way in deluge script ZOHO to do this? The getUrl() function seems really basic and the documentation is very thin.
The other way to do this is a 'middleware' application that can use CURL, save the CSV's on a remote server then use ZOHO getUrl() to pull these CSV files. This is not an optimal solution but unless ZOHO gives access to some HTTP client functions then I don't see another way.
To get the detail of the response headers include detailed:true in the invokeurl request.
Example:
// parameters is a Map
// header is a Map
response = invokeurl
[
url :url
type :POST
parameters:parameters
headers:header
detailed:true
];
// To see all headers and content
info response;
// To see the http response code
info response.get('responseCode');
// With detailed:true any html or json returned will be put in responseText
// info response.get('responseText');
// To see the all http response headers
info response.get('responseHeader');
// To see a specific http response header
// Note: case matters in the response headers name
// "Content-Type" won't find "content-type"
info response.get('responseHeader').get('content-type');
// was the url redirected to another url?
info response.get('responseHeader').get('location');
// get the redirect url
redirect_url = response.get('responseHeader').get('location')
from there you can process the redirect url and pass it to the next http request.
Recommendation:
After working for months both including detailed:true and not including it, I now lean toward always including it. detailed:true includes more useful information and has a helpful regular structure: {responseCode: <code>, responseHeaders: <headers>, responseText: <returned-data>}.
This is possible in Deluge using the invoke URL task - https://www.zoho.com/deluge/help/web-data/invokeurl-task.html#response.
invokeURL can hand over the response headers to you from which you can get the redirect URL and then proceed with the authentication.

Response depends on Request Content-Type

in my Integration Request I have Body Mapping Tempates for application/xml, application/json (the same template body - reads URL parameters and create JSON body as lambda input).
Client is requesting API with application/json or application/xml. How to make response body format depending on request Content-Type in API Gateway only?
Regards,
Radek
Create ANY integration and handle everything with Lambda. You can avoid all the mappings and handle everything in code and we found that much easier.
More details here on ANY Integration,
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-set-up-simple-proxy.html
Hope it helps.

Passing #FormParam values to a rest service without using an HTML form

We have an existing rest web service that does a certain online transaction. It was created to receive input of #FormParam type. When we call this web service, we initially just passed the values by appending it to the url
e.g.
/sometransaction?creditCardNumber=123
Problem is, since the number is appended to the url, this gets logged in the web server http requests logs. This cant be since this is sensitive information. We need to pass this the same way a HTML form does a POST submit, it order for the parameters not to be appended to the url and get logged by the web server. Problem is, we don't have a UI page to do this. This is just basically a web service calling another web service.
How can we achieve this?
Code:
#POST
#Path("/dotransaction")
Public Response doTransaction(#BeanParam TxnParams) {
}
Its a rest web service the the params class TxnParams have #FormParam attributes
Ensure the Content-Type is set to application/x-www-form-urlencoded and send the data in the request payload.
Use & to separate the parameters and use = to associate the parameter with its value.
That's what the request will be like:
POST /sometransaction HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded
creditCardNumber=4111111111111111&expirationDate=09-2016
And always use HTTPS when sending sensitive information over the wire.

How to send POST variable in POSTMAN

I can't get POSTMAN to send any post variables to my Django app. Suppose I have a post variable called 'report_request' and it has a value that is a JSON string. On the Django side I want to get request.POST['report_request'] and parse the JSON into a dictionary. But POSTMAN never seems to send the POST data. How exactly do I do this? Is there some magical header I need to send?
Doh! My bad. The URL I need to connect to is really HTTPS rather than HTTP, but I was specifying the URL as http://. Apparently if Postman is asked to connect to an HTTPS site using HTTP, it silently just drops all POST variables. How lovely. Anyway it was an easy fix, just change the http:// url to https:// and all is well.
Be sure to provide the POST data in the body (body tab) of the request and not in the parameters (params tab).
Otherwise, POSTMAN will interpret your POST request as being without data and on a url with GET parameters.
See these specifications about csrf if needed
Check if you're sending the csrf token, it's a security feature.
https://docs.djangoproject.com/en/1.8/ref/csrf/

How can I set a cookie in a request using Fiddler?

I need to set a cookie before I issue a request to a Web site using Fiddler. How do I do this?
Simple...You need to set a header value, with your request, like so:
Cookie: YourCookieName=YourCookieValue
To do this using the FiddlerScript engine, add the following code into the onBeforeRequest method:
oSession.oRequest["Cookie"] = (oSession.oRequest["Cookie"] + ";YourCookieName=YourCookieValue");
This will preserve any other cookies that have been set.
You need to be more specific about what you're trying to do.
You can edit (or add) an outbound Cookie header to send a cookie to the website. You can do this either manually or via the FiddlerScript engine. But that doesn't "set" the cookie on the client-- it simply sends it to the server. If you want to set a cookie on the client, you either have to use another means, or you can inject a Set-Cookie response header on a previous response from the server, with the value you want to set on the client.
You can also use the Fiddler Composer.
Run Fiddler
Open the Composer Tab on the top.
It's easiest if you can start with another request from your web site. To do this capture a the request you want to modify, then drag it from the UI to the composer tab.
A good explanation is here: http://www.debugtheweb.com/Fiddler/help/composer.asp
Fiddler allows your to resend/rebuild an existing request. There is a Request Builder. While rebuilding in the RAW form, modify your cookies.
This solution is valid for Cookie based authentication:
If you want to test the API/url which have authentication enabled, please try following, i am showing for MVC web API on IIS server. usually there are more than 1 cookie responsible for authorization, so you may need to send more than 1 cookie in header as follows:
User-Agent: Fiddler Host: localhost:51000 content-Type: application/json Cookie : .ASPXAUTH=xxxxx;ASP.NET_SessionId=yyyy;__RequestVerificationToken=zzzz
When running Fiddler as a reverse Proxy you can modify the response headers
via FiddlerScript by adding a line in the OnBeforeResponse method:
static function OnBeforeResponse(oSession: Session) {
// ...
oSession.oResponse["Set-Cookie"] = "sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT";
}
Also check Fiddler docs about Modifying a Request or Response for more info.