I'm playing with the swagger editor, the pet store example, and the API there contains this message under each endpoint:
This is a cross-origin call.
Make sure the server at petstore.swagger.io accepts POST requests from editor.swagger.io.
OK, so I go to http://petstore.swagger.io , but where exactly do I set the CORS there? I don't see it.
Thanks.
Related
I am attempting to use the REST api of Jenkins. Jenkins requires a POST request to a URL to delete a job. This results in the following:
I tell my chosen Client to send a POST to the appropriate URL.
The client sends a POST and authorizes itself with username and password.
Jenkins deletes the job.
Jenkins returns a "302 - Found" with the location of folder containing the deleted job.
Client automatically sends a POST to the location.
Jenkins answers with "200 - OK" and the full HTML of the folder page.
This works just fine with Postman (unless I disable "Automatically follow redirects" of course).
Jersey however keeps running into a "404" at step 5 because I blocked anonymous users from viewing the folder in question. (Or a "403" if I blocked anonymous users altogether.)
Note that the authentication works in step 1 because the job has been deleted successfully!
I was under the impression that Jersey should use the given authentication for all requests concerning the client.
Is there a way to actually make this true? I really don't want to forbid redirects just to do every single redirect myself.
To clarify: The problem is that while Jersey follows the redirect, but fails to authenticate itself again, leading to the server rejecting the second request.
Code in question:
HttpAuthenticationFeature auth = HttpAuthenticationFeature.basicBuilder()
.credentials(username, token)
.build();
Client client = ClientBuilder.newBuilder()
.register(auth)
.build();
WebTarget deleteTarget = client.target("http://[Jenkins-IP]/job/RestTestingArea/job/testJob/doDelete")
Response response = deleteTarget.request()
.post(null);
EDIT: The "302-Found" only has 5 headers according to Postman: Date, X-Content-Type-Options ("nosniff"), Location, Content-Length (0) and Server. So neither any cookies nor any tokens that Postman might use and Jersey disregard.
Question loosely related to this one - if I were able to log the second request I might be able to understand what's happening behind the scenes.
EDIT2: I have also determined that the problem is clearly with the authentication. If I allow anonymous users to view the folder in question, the error disappears and the server answers with a 200.
I found the answer with the help of Paul Samsotha and Gautham.
TL;DR: This is intended behavior and you have to set the System property http.strictPostRedirect=true to make it work or perform the second request yourself.
As also described here, HttpURLConnection decided to not implement a redirect as it is defined in the HTTP standard but instead as many browsers implemented it (so in laymans terms, "Do it like everyone else instead of how it is supposed to work"). This leads to the following behavior:
Send POST to URL_1.
Server answers with a "302 - Found" and includes URL_2.
Send GET to URL_2, dropping all the headers.
Server answers with a "404 - Not Found" as the second request does not included correct authentication headers.
The "404" response is the one received by the code, as steps 2 and 3 are "hidden" by the underlying code.
By dropping all headers, the authentication fails. As Jersey uses this class by default, this lead to the behavior I was experiencing.
My website is making post requests to Postman's mock server. I want to be able to see my request to make sure that it is coming across in the way that I expect. I have tried attaching a monitor but that doesn't show me the request anywhere that I am able to find.
Where in the Postman Windows client can I see a request coming in to my Postman mock server?
I contacted Postman support and they say currently what I want to do is not possible. See this link for information: Postman Support Twitter Response
They did say however that if I wanted to just see the request that I am sending that I can use Postman Echo to see what kind of request I am sending.
It is now possible to view logs for requests made to and responses sent from your Postman mock server.
Mock Call Logs - https://blog.postman.com/introducing-postman-mock-call-logs/
You can see request to your mock end points buy doing the following.
Open postman, in the left most menu/column select mock servers
2)Click on Mock Servers and in the second left most column you should see your mock servers
3)Click on the one you want and in the middle screed you should see the logs
enter image description here
Its very easy, this functionality was added way back in 2020.
Just click on the Mock Server and you should be able to see the logs on the right side.
Isn't interceptor a good decision for it?
We create web project with RestFull+OAuth.
Its looks good - client sent token for each request in header Authorize.
But for some request we can`t add header.
For example when we print some image or document.
Because we use window.open - at our disposal only GET params.
At now i see one way - for that request add token to UPL as get params(?token=xxxxxxx) and not show url line in child browser window.
But i think its not good way.
Maybe somebody have other idea or practicals of implement it.
putting token in URL is not good way as it will be public in network and any one sniffing on your network will get the token, I think you have to make revers proxy on your server to get the file you want by after checking session attribute to be sure you are authorized for that.
Using fiddler I can intercept an ajax post request and with request composer I can resend the same request, causing the server to respond it normally. It doesnt matter if protocol is http or https (fiddler deciphers HTTPS traffic), with tools like Fiddler it is just possible.
On web applications side is it possible to understand or prevent such requests? How?
No. There's no way to prevent this. URLs are meant to be accessed. If it shouldn't be accessed, don't put it online or require some method of authentication. Some clients may pass an identifiable User-Agent header that can be restricted, and Fiddler probably does as well. However, the whole point of tools like Fiddler is to be able to make any type of custom request, which includes this User-Agent string. So, even if you block the default User-Agent, there's nothing stopping the user of Fiddler from changing the User-Agent to something that won't be blocked.
I am building a rest api in mvc. When consuming the API, I need to be able to get the referring URL that is calling the service. I have tried Request.UrlReferer and it comes back null. How can I get the url that is consuming the service?
Are you sure you don't mean in the consumer you need to know the referer of the client making the REST call?
If this is the case what you need to do is look at the request header and extract from it the Referer.