Spring Boot and XMLHttpRequest - spring-security

I am having a hard time understanding how Spring Boot (v1.3.3) handles the X-Requested-With: XMLHttpRequest header. My understanding is that this header tells Spring Boot to return, for requests without an authenticated session, a 401-Unauthorized error rather than a 302-Found with a location to the login page.
I have set up my AngularJS client to send this header for any routing, and then configured an $http interceptor to act on the 401 error by displaying a dialog. Doesn't work for me, with a Spring Boot server with no additional security configuration.
With some investigation with CURL:
It seems that the -H "Accept: application/json" header also needs to be provided.
curl -v -H "X-Requested-With: XMLHttpRequest" localhost:9080/ returns a 302, while curl -v -H "X-Requested-With: XMLHttpRequest" -H "Accept: application/json" localhost:9080/ returns a 401.
Questions: Why is the application/json header required as well? Can I configure it differently (i.e. not require application/json header)? Should I configure it this way, or take another approach? The reason I don't want to require the application/json header is because I am not allowing public access to some resources, such as HTML templates and JS code, and want a 401 returned for these resources as well.
It seems that the JSESSIONID cookie may be affecting the response.
curl -v -H "X-Requested-With: XMLHttpRequest" -H "Accept: application/json" localhost:9080/ returns a 401, while curl -v -H "X-Requested-With: XMLHttpRequest" -H "Accept: application/json" -H "Cookie: JSESSIONID=63EA6E09F64B98938E4495DF9898323A" localhost:9080/' returns a 302.
Questions: Why does the presence of the (valid) JSESSIONID cookie make any difference?
I have looked at the source code for Spring Security and Spring Boot and I just cannot put together the pieces. Any help is much appreciated.

Related

Swagger UI generating wrong Curl command

Swagger UI generating wrong Curl command as pasted below and due to this query string truncating
curl -X GET http://domain:8080/v1/endpoint?access_token=affsfafasfa&type=1 -H "accept: application/json" -H "content-type: application/json"
the correct Curl command should be like this
curl -X GET 'http://domain:8080/v1/endpoint?access_token=affsfafasfa&type=1' -H "accept: application/json" -H "content-type: application/json"
the difference between above two command is quote around http url . So please tell me how to achieve this in swagger ui ?
I guess you found a bug in the new version. The very latest code already contains a fix for it.
Its an bug in swagger ui version 3.0.2 and swagger support team has fixed this bug now https://github.com/swagger-api/swagger-ui/issues/2839

Unknown Format exception with text/plain,text/html; Accept header

The accept header "Accept: text/plain,text/html;" works for sites like http://nginx.org. However when I run it locally against my Rails 4.1 app
curl -v -H "Accept: text/plain,text/html;" localhost:3000/
on a html responding homepage, I get a 500 error page for an ActionController::UnknownFormat execption.
When I curl
curl -v -H "Accept: text/plain,text/html" localhost:3000
everything works fine (notice the missing ;)
How can I also make it work for Accept: text/plain,text/html; case?
Apparently it's malformed according to RFC 7231 and shouldn't work. nginx.org turns back 200 OK even for obviously malformed MIME types.
See also https://github.com/rails/rails/issues/21749

How to use Yahoo IM messaging api? (unable_to_determine_oauth_type)

Recently, I have just created a yahoo application by following the online [yahoo oauth 2.0 guide for developer,][2]
I can get the OAuth 2.0 credential but meet "unable_to_determine_oauth_type" oauth problem while calling yahoo IM related [API][3]. Why?
Here is my steps:
curl -v https://api.login.yahoo.com/oauth2/request_auth -d 'client_id=[CLIENT-ID]&redirect_uri=oob&response_type=code&language=en-us'
it then redirects me to https//login.yahoo.com/oa?.src=oauth2&.partner=&.pd=c%3DmZmAFpe.2e7WuWzcHD2ZPYQ-%26ockey%3Ddj0yJmk9Q1N4cldYYXdKYXhNJmQ9WVdrOWIyOXdXbG95TnpnbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD0yOQ--&.intl=us&.lang=en-us&.done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Frequest_auth%3F%26client_id%3Dd[CLIENT-ID]%26redirect_uri%3Doob%26response_type%3Dcode%26language%3Den-us%26crumb%3D
By following it in browser, I get the code: dpr5bnm
I concat the client id and secret into one string separated by ':' and go to base64 encode it (https://www.base64encode.org)
get the basic credential: ZGoweUptazlRMU40Y2xkWVlYZEtZWG...ldOSGJ6bE5RUzB0Sm5NOVkyOXVjM1Z0WlhKelpXTnlaWFFtZUQweU9RLS06YjY3MmZlZDcwOGFhYmRjNDFiNGRmYmNlZmY3MzU1YmU2MmRhMWRkZQ==
then, call get_token API
curl https//api.login.yahoo.com/oauth2/get_token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic ZGoweUptazlRMU40Y2xkWVlYZEtZ...YldOSGJ6bE5RUzB0Sm5NOVkyOXVjM1Z0WlhKelpXTnlaWFFtZUQweU9RLS06YjY3MmZlZDcwOGFhYmRjNDFiNGRmYmNlZmY3MzU1YmU2MmRhMWRkZQ==" -d "grant_type=authorization_code&redirect_uri=oob&code=dpr5bnm"
get json access token response: {"access_token":"fiTeDQrBnQVB...u5DGLu.M-","token_type":"bearer","expires_in":3600,"refresh_token":"AFaPK...xDSwSZ.Ke4jffDDboSpO6fg2t","xoauth_yahoo_guid":"ZT3Y7L7...5QJ7SAU5Q"}
But when i use the token willing to use session management API to login: (OAuth 2.0 Bearer Authorization)
`curl -v http//developer.messenger.yahooapis.com/v1/session -H "Content-type: application/json;charset=utf-8" -H "Authorization: Bearer B_YnLlibghNNJIW0HlaITp0mkcTFEovpF...oJZuzUvjVDM0ko.QjT4io-"
it show the following error: <yahoo:description>Please provide valid credentials. OAuth oauth_problem="unable_to_determine_oauth_type"</yahoo:description>
So do anyone know why and how to make a yahoo IM message?

curl POST request empty in ZF2 Rest API

I am testing my ZF2 Rest Module that is running on localhost, by sending curl POST requests from the same box.
curl -i -X POST -H "Content-Type: Application/json" -d '{username":"xyz","password":"xyz"}' http://localhost/api/login
In the corresponding controller and action, I have tried returning the POST parameters, but an empty array is returned always
var_dump($this->getRequest()); // returns: array(0){}
var_dump($_POST); // returns: array(0){}
If I switch from POST to GET with
curl -i -G -H "Content-Type: Application/json" -d '{username":"xyz","password":"xyz"}' http://localhost/api/login
it actually seems to work
var_dump($_GET); // returns: array(1) {["{"username":"xyz","password":"xyz"}"]=>string(0) ""}
Why is the POST request failing to pass/extract the parameters?
PHP only populates $_POST for form urlencoded POST data. You've explicitly set the content type to JSON, so the PHP way to access this would be:
file_get_contents("php://input");
In ZF2, I believe you want:
$this->getRequest()->getContent();
and in practice, you'll probably want to run this through json_decode().

How do I make OmniAuth Identity accept JSON post data?

I'm using OmniAuth-Identity for log ins, and logging in using Ajax calls. Attempts to log in passing JSON data don't work.
For instance this works:
curl -i -H "Accept: application/json" -d "auth_key=joe#example.com&password=cheesestix" "http://0.0.0.0:3000/auth/identity/callback"
This doesn't, it returns "invalid credentials"
curl -i -H "Accept: application/json" -H "Content-Type: application/json" -d '{"auth_key":"joe#example.com","password":"cheesestix"}' "http://0.0.0.0:3000/auth/identity/callback"
Is this a known issue? Form encoding my data will be difficult as I'm using AngularJS.
UPDATE:
One of the rails guys fixed it by backporting JSON support into Rack.
gem 'rack', git: 'https://github.com/ssoroka/rack.git', branch: '1.5.2-json-support-backport'
I'm hesitant to post that as an answer becase I don't understand the details of Rack well enough to explain anything. But the relevant diff is here: https://github.com/ssoroka/rack/commit/d8e2e2af6da57805d2f0906ce925ea150def31a0

Resources