I am having a hard time understanding how Spring Boot (v1.3.3) handles the X-Requested-With: XMLHttpRequest header. My understanding is that this header tells Spring Boot to return, for requests without an authenticated session, a 401-Unauthorized error rather than a 302-Found with a location to the login page.
I have set up my AngularJS client to send this header for any routing, and then configured an $http interceptor to act on the 401 error by displaying a dialog. Doesn't work for me, with a Spring Boot server with no additional security configuration.
With some investigation with CURL:
It seems that the -H "Accept: application/json" header also needs to be provided.
curl -v -H "X-Requested-With: XMLHttpRequest" localhost:9080/ returns a 302, while curl -v -H "X-Requested-With: XMLHttpRequest" -H "Accept: application/json" localhost:9080/ returns a 401.
Questions: Why is the application/json header required as well? Can I configure it differently (i.e. not require application/json header)? Should I configure it this way, or take another approach? The reason I don't want to require the application/json header is because I am not allowing public access to some resources, such as HTML templates and JS code, and want a 401 returned for these resources as well.
It seems that the JSESSIONID cookie may be affecting the response.
curl -v -H "X-Requested-With: XMLHttpRequest" -H "Accept: application/json" localhost:9080/ returns a 401, while curl -v -H "X-Requested-With: XMLHttpRequest" -H "Accept: application/json" -H "Cookie: JSESSIONID=63EA6E09F64B98938E4495DF9898323A" localhost:9080/' returns a 302.
Questions: Why does the presence of the (valid) JSESSIONID cookie make any difference?
I have looked at the source code for Spring Security and Spring Boot and I just cannot put together the pieces. Any help is much appreciated.
Related
Swagger UI generating wrong Curl command as pasted below and due to this query string truncating
curl -X GET http://domain:8080/v1/endpoint?access_token=affsfafasfa&type=1 -H "accept: application/json" -H "content-type: application/json"
the correct Curl command should be like this
curl -X GET 'http://domain:8080/v1/endpoint?access_token=affsfafasfa&type=1' -H "accept: application/json" -H "content-type: application/json"
the difference between above two command is quote around http url . So please tell me how to achieve this in swagger ui ?
I guess you found a bug in the new version. The very latest code already contains a fix for it.
Its an bug in swagger ui version 3.0.2 and swagger support team has fixed this bug now https://github.com/swagger-api/swagger-ui/issues/2839
The accept header "Accept: text/plain,text/html;" works for sites like http://nginx.org. However when I run it locally against my Rails 4.1 app
curl -v -H "Accept: text/plain,text/html;" localhost:3000/
on a html responding homepage, I get a 500 error page for an ActionController::UnknownFormat execption.
When I curl
curl -v -H "Accept: text/plain,text/html" localhost:3000
everything works fine (notice the missing ;)
How can I also make it work for Accept: text/plain,text/html; case?
Apparently it's malformed according to RFC 7231 and shouldn't work. nginx.org turns back 200 OK even for obviously malformed MIME types.
See also https://github.com/rails/rails/issues/21749
Recently, I have just created a yahoo application by following the online [yahoo oauth 2.0 guide for developer,][2]
I can get the OAuth 2.0 credential but meet "unable_to_determine_oauth_type" oauth problem while calling yahoo IM related [API][3]. Why?
Here is my steps:
curl -v https://api.login.yahoo.com/oauth2/request_auth -d 'client_id=[CLIENT-ID]&redirect_uri=oob&response_type=code&language=en-us'
it then redirects me to https//login.yahoo.com/oa?.src=oauth2&.partner=&.pd=c%3DmZmAFpe.2e7WuWzcHD2ZPYQ-%26ockey%3Ddj0yJmk9Q1N4cldYYXdKYXhNJmQ9WVdrOWIyOXdXbG95TnpnbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD0yOQ--&.intl=us&.lang=en-us&.done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Frequest_auth%3F%26client_id%3Dd[CLIENT-ID]%26redirect_uri%3Doob%26response_type%3Dcode%26language%3Den-us%26crumb%3D
By following it in browser, I get the code: dpr5bnm
I concat the client id and secret into one string separated by ':' and go to base64 encode it (https://www.base64encode.org)
get the basic credential: ZGoweUptazlRMU40Y2xkWVlYZEtZWG...ldOSGJ6bE5RUzB0Sm5NOVkyOXVjM1Z0WlhKelpXTnlaWFFtZUQweU9RLS06YjY3MmZlZDcwOGFhYmRjNDFiNGRmYmNlZmY3MzU1YmU2MmRhMWRkZQ==
then, call get_token API
curl https//api.login.yahoo.com/oauth2/get_token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic ZGoweUptazlRMU40Y2xkWVlYZEtZ...YldOSGJ6bE5RUzB0Sm5NOVkyOXVjM1Z0WlhKelpXTnlaWFFtZUQweU9RLS06YjY3MmZlZDcwOGFhYmRjNDFiNGRmYmNlZmY3MzU1YmU2MmRhMWRkZQ==" -d "grant_type=authorization_code&redirect_uri=oob&code=dpr5bnm"
get json access token response: {"access_token":"fiTeDQrBnQVB...u5DGLu.M-","token_type":"bearer","expires_in":3600,"refresh_token":"AFaPK...xDSwSZ.Ke4jffDDboSpO6fg2t","xoauth_yahoo_guid":"ZT3Y7L7...5QJ7SAU5Q"}
But when i use the token willing to use session management API to login: (OAuth 2.0 Bearer Authorization)
`curl -v http//developer.messenger.yahooapis.com/v1/session -H "Content-type: application/json;charset=utf-8" -H "Authorization: Bearer B_YnLlibghNNJIW0HlaITp0mkcTFEovpF...oJZuzUvjVDM0ko.QjT4io-"
it show the following error: <yahoo:description>Please provide valid credentials. OAuth oauth_problem="unable_to_determine_oauth_type"</yahoo:description>
So do anyone know why and how to make a yahoo IM message?
I am testing my ZF2 Rest Module that is running on localhost, by sending curl POST requests from the same box.
curl -i -X POST -H "Content-Type: Application/json" -d '{username":"xyz","password":"xyz"}' http://localhost/api/login
In the corresponding controller and action, I have tried returning the POST parameters, but an empty array is returned always
var_dump($this->getRequest()); // returns: array(0){}
var_dump($_POST); // returns: array(0){}
If I switch from POST to GET with
curl -i -G -H "Content-Type: Application/json" -d '{username":"xyz","password":"xyz"}' http://localhost/api/login
it actually seems to work
var_dump($_GET); // returns: array(1) {["{"username":"xyz","password":"xyz"}"]=>string(0) ""}
Why is the POST request failing to pass/extract the parameters?
PHP only populates $_POST for form urlencoded POST data. You've explicitly set the content type to JSON, so the PHP way to access this would be:
file_get_contents("php://input");
In ZF2, I believe you want:
$this->getRequest()->getContent();
and in practice, you'll probably want to run this through json_decode().
I'm using OmniAuth-Identity for log ins, and logging in using Ajax calls. Attempts to log in passing JSON data don't work.
For instance this works:
curl -i -H "Accept: application/json" -d "auth_key=joe#example.com&password=cheesestix" "http://0.0.0.0:3000/auth/identity/callback"
This doesn't, it returns "invalid credentials"
curl -i -H "Accept: application/json" -H "Content-Type: application/json" -d '{"auth_key":"joe#example.com","password":"cheesestix"}' "http://0.0.0.0:3000/auth/identity/callback"
Is this a known issue? Form encoding my data will be difficult as I'm using AngularJS.
UPDATE:
One of the rails guys fixed it by backporting JSON support into Rack.
gem 'rack', git: 'https://github.com/ssoroka/rack.git', branch: '1.5.2-json-support-backport'
I'm hesitant to post that as an answer becase I don't understand the details of Rack well enough to explain anything. But the relevant diff is here: https://github.com/ssoroka/rack/commit/d8e2e2af6da57805d2f0906ce925ea150def31a0