I am using a org.springframework.security.ldap.authentication.LdapAuthenticationProvider.LdapAuthenticationProvider(LdapAuthenticator authenticator, LdapAuthoritiesPopulator authoritiesPopulator) to validate my clients. When I am calling from SoapUI I can see this pointcut being executed every time execution(Authentication org.springframework.security.authentication.ProviderManager.authenticate(Authentication)) When I call from postman, it only gets executed the first time postman calls.
It appears that somehow my app is caching the client and saying it does not need re-authenticated when I call from postman, but this is not happening when I call from soapui. What is the difference?
I have tried changing all settings I can see in postman and soapui, but I cannot seems to make any difference in the results. Can someone describe, or point me to a resource that describes what is going on?
Seems to be related to cookies... In postman I found a property, disable cookie jar. If that is enabled i get the same performance as soapui and it always validates. I guess now I need to see how cookies work with spring security.
Related
I am attempting to use the REST api of Jenkins. Jenkins requires a POST request to a URL to delete a job. This results in the following:
I tell my chosen Client to send a POST to the appropriate URL.
The client sends a POST and authorizes itself with username and password.
Jenkins deletes the job.
Jenkins returns a "302 - Found" with the location of folder containing the deleted job.
Client automatically sends a POST to the location.
Jenkins answers with "200 - OK" and the full HTML of the folder page.
This works just fine with Postman (unless I disable "Automatically follow redirects" of course).
Jersey however keeps running into a "404" at step 5 because I blocked anonymous users from viewing the folder in question. (Or a "403" if I blocked anonymous users altogether.)
Note that the authentication works in step 1 because the job has been deleted successfully!
I was under the impression that Jersey should use the given authentication for all requests concerning the client.
Is there a way to actually make this true? I really don't want to forbid redirects just to do every single redirect myself.
To clarify: The problem is that while Jersey follows the redirect, but fails to authenticate itself again, leading to the server rejecting the second request.
Code in question:
HttpAuthenticationFeature auth = HttpAuthenticationFeature.basicBuilder()
.credentials(username, token)
.build();
Client client = ClientBuilder.newBuilder()
.register(auth)
.build();
WebTarget deleteTarget = client.target("http://[Jenkins-IP]/job/RestTestingArea/job/testJob/doDelete")
Response response = deleteTarget.request()
.post(null);
EDIT: The "302-Found" only has 5 headers according to Postman: Date, X-Content-Type-Options ("nosniff"), Location, Content-Length (0) and Server. So neither any cookies nor any tokens that Postman might use and Jersey disregard.
Question loosely related to this one - if I were able to log the second request I might be able to understand what's happening behind the scenes.
EDIT2: I have also determined that the problem is clearly with the authentication. If I allow anonymous users to view the folder in question, the error disappears and the server answers with a 200.
I found the answer with the help of Paul Samsotha and Gautham.
TL;DR: This is intended behavior and you have to set the System property http.strictPostRedirect=true to make it work or perform the second request yourself.
As also described here, HttpURLConnection decided to not implement a redirect as it is defined in the HTTP standard but instead as many browsers implemented it (so in laymans terms, "Do it like everyone else instead of how it is supposed to work"). This leads to the following behavior:
Send POST to URL_1.
Server answers with a "302 - Found" and includes URL_2.
Send GET to URL_2, dropping all the headers.
Server answers with a "404 - Not Found" as the second request does not included correct authentication headers.
The "404" response is the one received by the code, as steps 2 and 3 are "hidden" by the underlying code.
By dropping all headers, the authentication fails. As Jersey uses this class by default, this lead to the behavior I was experiencing.
My website is making post requests to Postman's mock server. I want to be able to see my request to make sure that it is coming across in the way that I expect. I have tried attaching a monitor but that doesn't show me the request anywhere that I am able to find.
Where in the Postman Windows client can I see a request coming in to my Postman mock server?
I contacted Postman support and they say currently what I want to do is not possible. See this link for information: Postman Support Twitter Response
They did say however that if I wanted to just see the request that I am sending that I can use Postman Echo to see what kind of request I am sending.
It is now possible to view logs for requests made to and responses sent from your Postman mock server.
Mock Call Logs - https://blog.postman.com/introducing-postman-mock-call-logs/
You can see request to your mock end points buy doing the following.
Open postman, in the left most menu/column select mock servers
2)Click on Mock Servers and in the second left most column you should see your mock servers
3)Click on the one you want and in the middle screed you should see the logs
enter image description here
Its very easy, this functionality was added way back in 2020.
Just click on the Mock Server and you should be able to see the logs on the right side.
Isn't interceptor a good decision for it?
Is there a way to mock requests when writing automated UI tests in Swift 2.0. As far as I am aware the UI tests should be independent of other functionality. Is there a way to mock the response from server requests in order to test the behaviour of the UI dependant on the response. For example, if the server is down, the UI tests should still run. Quick example, for login, mock if password failed then UI should show alert, however, if the login is successful the next page should be shown.
In its current implementation, this is not directly possible with UI Testing. The only interface the framework has directly to the code is through it's launch arguments/environment.
You can have the app look for a specific key or value in this context and switch up some functionality. For example, if the MOCK_REQUESTS key is set, inject a MockableHTTPClient instead of the real HTTPClient in your networking layer. I wrote about setting the parameters and NSHipster has an article on how to read them.
While not ideal, it is technically possible to accomplish what you are looking for with some legwork.
Here's a tutorial on stubbing network data for UI Testing I put together. It walks you through all of the steps you need to get this up and running.
If you are worried about the idea of mocks making it into a production environment for any reason, you can consider using a 3rd party solution like Charles Proxy.
Using the map local tool you can route calls from a specific endpoint to a local file on your machine. You can past plain text in your local file containing the response you want it to return. Per your example:
Your login hits endpoint yoursite.com/login
in Charles you using the map local tool you can route the calls hitting that endpoint to a file saved on your computer i.e mappedlocal.txt
mappedlocal.txt contains the following text
HTTP/1.1 404 Failed
When Charles is running and you hit this endpoint your response will come back with a 404 error.
You can also use another option in Charles called "map remote" and build an entire mock server which can handle calls and responses as you wish. This may not be exactly what you are looking for, but its an option that may help others, and its one I use myself.
I have a flex app using BlazeDS to talk with a web app using Spring Security. During normal use the user has already logged into the web app before running the flex app, so the browser takes care of passing the JSESSIONID session cookie on the outgoing messages so the web app knows who they're coming from.
However, I'd like to be able to run the flex app from my IDE (IntelliJ IDEA) for debugging, which means there's been no previous login and thus no existing session. I put some code in -- just for the purpose of debugging -- to first send a login message. That works, and the JSESSIONID cookie comes with the response, but I don't know how to attach it to the subsequent BlazeDS remoting calls that the app makes.
Is there some sort of channel configuration that does this, or some other method? And if you're going to point me to the BlazeDS/SpringSecurity preauthentication example, I appreciate the thought, but we already have a fairly involved configuration of Spring Security and I don't want to mess with that.
As an aside, I was a bit disconcerted when I tried to follow a suggestion to call login() on the RemoteObject's ChannelSet, only to find that the ChannelSet was null. I don't see how that can be, since the remoting calls work, using -- I can only assume -- the AMF channel defined in the services-config.xml. Anyway, I don't know whether login() works by sending j_username and j_password to /j_spring_security_check anyway, so it might not have been appropriate; and of course I'd still be left with the subject of this query, which is how to use the session once it's been created.
I don't think it'll help to explain anything, but I'll include some code and config snippets...
The login:
<mx:HTTPService id="loginRequest" url="http://fiddler:8080/app/j_spring_security_check" useProxy="false"
method="POST" result="handleLoginResult(event)">
<mx:request xmlns="">
<j_username>username</j_username>
<j_password>password</j_password>
</mx:request>
</mx:HTTPService>
The RemoteObject:
<mx:RemoteObject id="remoteObject" destination="blazebackend">
<mx:method name="getConfigData" result="handleConfigDataResult(event)" fault="handleFault(event)"/>
<mx:method name="addSession" result="handleAddSessionResult(event)" fault="handleFault(event)"/>
</mx:RemoteObject>
A channel:
<channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
<endpoint url="/{context.root}/app/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
</channel-definition>
TIA.
I'd like to be able to run the flex app from my IDE (IntelliJ IDEA) for debugging
Using Eclipse you can debug inside Eclipse IDE when deployed on a localhost or remote server by configuring the "Url or path to use" when starting debugging.
JESSIONID means that you're using Java EE authentication, the login method of the ChannelSet can be used for a custom and or Basic authentication (that can be or not a Java EE authentication), I think the best for you is to deploy on a localhost, or eventually remove security when debugging.
Whenever a web request is made by Visual Studio to TFS, Fiddler will show a 401 Unauthorized error. Visual Studio will then try again with a proper Authorization Negotiate header in place with which TFS will respond with the proper data and a 200 status code.
How can I get the correct headers to be sent the first time to stop the 401?
This is how the process of Windows Integrated Authentication (NTLM) works. NTLM is a connection based authentication mechanism and actually involves 3 calls to establish the authenticated session.
The TFS API then goes to extra-ordinary lengths to make sure that this handshake is done in the most efficient way possible. It will keep the authenticated connection open for a period of time to avoid this hand-shake where possible. It will also do the initial authentication using a HTTP payload with minimal content and then send the real message if the message you were going to send is over a certain length. It does a bunch of other tricks as well to optimise the connection to TFS.
Basically, I would just leave it alone as it works well.
You will see that a web browser also does this when communicating with a web site. It will always try to give away the minimum amount of detail with the first call. If this fails, it will reveal a little more about you.
This is by design and for a very good reason.
This is how it's always done - request, get the 401 back, then send the authorization. It's part of the authentication protocol for http.