GET and POST Request in C# - HttpWebRequest

I am making a POST request with the proper cookies in the cookie container and the proper POST data (I have checked it in the IE developer tools) from my code, but I am getting the response string of some other page.
Can anyone tell me what the problem may be? I have wasted a lot of time, so please give me an idea of where I have to start to diagnose this. I am using HttpWebRequest and HttpWebResponse in C#.

Related

What is a __cf_bm cookie?

First off, I apologize if I use any incorrect terminology. I'm familiar with calling internal APIs, but this is a side project and new territory for me.
I've been using the Chrome debugger and PowerShell to write some scripts against the API of a public site. I was able to retrieve the JWT token, however after a few minutes my calls will start to fail with a 403 error. To get around this I've been exporting all the request headers from Chrome and storing those locally for my script to pass whenever my call to the API fails. I narrowed it down to 4 headers that must be present; the one that is most suspect seems to be "cookie".
I then removed all key-value pairs in the cookie header until I found the one that makes it fail. It's named "__cf_bm". A quick Google says it's some kind of Cloudflare bot management data. I don't see any of the data present in the __cf_bm cookie being sent in a response during authentication, I only see it in request headers. Is it not possible to construct this value? Does this essentially prevent me from interacting with the site's API?

Karate API Tests - Post Request failing but works using Jmeter

I am trying to implement testing of POST requests for my APIs using Karate, but I am getting 403 - expected csrf token not found.
However, I am able to perform the POST request using JMeter: log in to the application, perform a GET request, get the XSRF token from the GET request's response headers and pass it in the POST request in the Header Manager in JMeter. That way, I am able to create a new resource using POST. I am not sure why this approach isn't working in Karate.

You must be missing some header. The fastest way you can solve this is by collaborating with someone on the server-side dev team.
Refer to this example in the Karate demos that uses CSRF:

How to run IBM BPM Rest api call from Post man client

I am trying to execute an IBM BPM REST API call from the Postman client.
Ex:
https://ustrial01.bpm.ibmcloud.com/bpm/dev/rest/bpm/wle/v1/user/current?includeInternalMemberships=true&parts=all
I set the Basic Authentication values (username, password).
I am getting status code 200, but in the response I am getting some HTML code.
Can anyone help me with this? Any help is greatly appreciated.

If you are getting a 200 status then why do you need the response? The status code should be good enough for you because 200 means the REST call worked fine.

I'm not familiar with the product you're referring to, but it sounds like you need to specify the media type you want to get back in an Accept header of your request. I suggest you try specifying
Accept: application/json
or (being an IBM product I'm guessing XML might be preferred)
Accept: application/xml

I tried to access the BPM REST API using Chrome's Postman and REST Console plugins.
Based on my experience, sometimes, I don't know why, it looks like Postman will not take the auth details.
But the steps below always worked for me:
1. Log in to the BPM account in Chrome.
2. Open the REST Console plugin; it can access the REST API with GET/PUT all the time.
Hope this helps. Thanks

There are two parts to this answer, the 'long story short' part and the elaborate part.
Long Story Short:
IBM BPM Cloud exposes a variety of REST APIs to interact with its BPM engine and let it be as a service or more commonly known as 'Headless BPM' or 'BPM-as-a-Service'.
These REST API calls are secured by basic authentication, i.e. by username/password.
For Cloud, the username and password used for the REST API are not the same as the user's credentials, which the user will use for logging into IBM BPM Process Portal or the website. For an on-prem solution, they are the same.
For Cloud, a 'functional' username and password has to be requested (a Cloud Admin can create those) and that has to be used in the service call.
For example, if your username/password for logging into BPM Cloud is 'johndoe#gmail.com/Test123' then there will be a functional credential created for this ID (say, 'somefunctionalusernamedjohn123/8jdklajl23').
We can use this credential with every request, but what we should do is use these credentials in the very 1st call to the BPM server, in the response of which there will be a specific 'cookie'. We should save it and re-use it in our subsequent calls until it expires (you'll receive the appropriate HTTP status code if you disable 'follow redirect' in your HTTP client config).
I had to raise a PMR to get this information. https://www.ibm.com/support/knowledgecenter/en/SSFPJS_8.6.0/com.ibm.wbpm.wle.editor.doc/topics/int_ext_services_start_process.html
Sample Java code to start a process:
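// Assumes OkHttp 3.x (okhttp3 package).
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

OkHttpClient client = new OkHttpClient();
// OkHttp rejects put(null): a PUT must carry a body, so send an empty one.
RequestBody emptyBody = RequestBody.create(null, new byte[0]);
Request request = new Request.Builder()
    // The URL must be a single string literal; it was wrapped across lines.
    .url("https://ustrial03.bpm.ibmcloud.com:443/bpm/dev/rest/bpm/wle/v1/process?processAppId=3u092jr02j-fghjkyk.u078992c166c1&bpdId=25.jk8989-539a-4150-b63e-ggui67868gjkgj7&action=start")
    .put(emptyBody)
    .addHeader("Content-Type", "application/x-www-form-urlencoded")
    // Ask for JSON explicitly so the API does not answer with an HTML page.
    .addHeader("Accept", "application/json")
    .addHeader("Connection", "keep-alive")
    // Basic credentials of the functional ID (username:password, base64-encoded).
    .addHeader("Authorization", "Basic YXJrYX242232jklkljljLmNvbTpkZWZjb240QA==")
    .addHeader("Cache-Control", "no-cache")
    .addHeader("Postman-Token", "f46c1525-899-9897-uoh89-bb2b21a57f16")
    .build();
// execute() throws IOException; call it from a method that handles or declares it.
Response response = client.newCall(request).execute();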
Before finding this solution through the PMR, I was desperately looking for a solution or a workaround. I noticed that my REST calls were getting redirected to an authentication page, and I also noticed that it is quite similar to what happens when you try logging into any IBM BPM Process Portal.
Once you log in to IBM BPM Portal using Chrome, observe that it doesn't log you out. So I guessed the answer to be in the cookie and, through trial and error, I picked up the cookie, which is PD-S-SESSIONID (named something like that), and started using it in my service, but obviously it expires in like 30-40 mins. So I went ahead and used Selenium and headless Chrome to do the same thing as what I did manually. Anyway, this hack shouldn't be needed for an on-prem solution or with functional IDs for cloud.
Another very useful API wrapper which I have used in my project is:
https://github.com/egetman/ibm-bpm-rest-client. I had to make some changes to make this work with the trial account and for some other reasons.
And of course, we can't go far without the help of in-built REST API tester by IBM
e.g. https://ustrial03.bpm.ibmcloud.com/bpm/dev/bpmrest-ui/BPMRestAPITester/index.jsp
Thanks!
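The procedure this answer describes (credentials on the first call, then the saved cookie until it is rejected, with redirects not followed and JSON requested via Accept), as an added example that is not part of the original answer. `CookieSessionClient`, `https_send`, `make_fake_server` and the `SESSION` cookie name are hypothetical, and the fake server is constructed so the block runs offline.

```python
import base64
import http.client

def https_send(host, path, headers):
    # http.client never follows redirects, so a 302 to the login page stays visible.
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.msg, resp.read()

class CookieSessionClient:
    def __init__(self, host, user, password, send=https_send):
        self._auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self._host, self._send, self.cookies, self.logins = host, send, {}, 0

    def get(self, path):
        while True:
            used_cookie = bool(self.cookies)
            headers = {"Accept": "application/json"}
            if used_cookie:
                headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
            else:  # first call, or the saved session was rejected: send credentials
                headers["Authorization"] = self._auth
                self.logins += 1
            status, rh, body = self._send(self._host, path, headers)
            for sc in rh.get_all("Set-Cookie", []):
                name, _, value = sc.split(";", 1)[0].strip().partition("=")
                self.cookies[name] = value
            # Success means 200 AND JSON; HTML or a redirect is the login page.
            if status == 200 and "json" in rh.get("Content-Type", ""):
                return body
            self.cookies.clear()
            if not used_cookie:
                raise PermissionError(f"credentials rejected (HTTP {status})")

def make_fake_server(valid_auth, ttl=2):
    # Constructed stand-in for the server: each session cookie is good for `ttl` requests.
    state = {"sid": 0, "left": 0}
    def send(host, path, headers):
        msg = http.client.HTTPMessage()
        if headers.get("Authorization") == valid_auth:
            state.update(sid=state["sid"] + 1, left=ttl)
            msg["Set-Cookie"] = f"SESSION=s{state['sid']}; Path=/; HttpOnly"
        elif headers.get("Cookie") == f"SESSION=s{state['sid']}" and state["left"] > 0:
            state["left"] -= 1
        else:
            return 302, msg, b"<html>login</html>"
        msg["Content-Type"] = "application/json"
        return 200, msg, b'{"user": "demo"}'
    return send
```

The `logins` counter shows how rarely the credentials cross the wire: once per session lifetime rather than once per request.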

Siteminder 403 - possible causes

I'm pretty new to web services etc. and I need to figure out what is causing an HTTP 403 response code.
I am hitting a service that was recently secured using SiteMinder; what I need to find out is what SiteMinder expects when receiving an HTTP GET request. Is there any way I can find this out? I assume that it is authenticating correctly due to the 403.
I'm thinking that the request may be missing some headers or indeed cookies. I'm just finding it hard figuring out what is needed, and it would be great if I could get some guidance on how to at least find out what is expected.
I can hit the service fine through the browser.
T.I.A

You should turn on tracing on the web agent, check the log and see what headers are being sent, and if the 403 is coming from SiteMinder or your web service.

OAuth Invalid signature issue with Digg

So I'm trying to authenticate my app to Digg using OAuth (and I'm totally not an OAuth expert).
I use the Scribe Java library.
I keep on getting the HTTP 401 Authorization Required. Inside the body of the response, it is a 5001 Invalid Signature Error.
I have read this Digg Google Groups Thread
and I didn't really understand. They say I should remove the method from the URL, but when I do this, I get the no Method provided error (or something like that).
Here is the dump of the communication: on Pastebin
Could you please help me find the solution on how to get the request token?
Thank you for your help.

You might want to stop sending the method in the URL as a querystring parameter and do this instead:
request.addBodyParameter("method","oauth.getRequestToken");
Hope that works for you