I tried to access a HTTPS connection by entering the value in browser, it seems to work fine and redirects me to expected page/output. But when I tried the same using the code, I am unable to get the result. I tried of setting the UserAgent as (Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en-GB) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.141 Mobile Safari/534.1+). But no luck. I am getting trusted connection alert, when i click continue i get response code 302.How can i implement secure connection certificate to disable trusted connection alert.
I am used to httpsconnection to open url it returns the response code 302.Again i checked with
if (rc == HttpConnection.HTTP_TEMP_REDIRECT
|| rc == HttpConnection.HTTP_MOVED_TEMP
|| rc == HttpConnection.HTTP_MOVED_PERM) {
String location = conn.getHeaderField("location").trim();
System.out.println("location========"+location);
try {
Url = location;
newhttpConn = (HttpConnection) Connector.open(Url, Connector.READ_WRITE);
newhttpConn.setRequestMethod(HttpConnection.POST);
newhttpConn.setRequestProperty("User-Agent",
System.getProperty("browser.useragent"));
} catch (Exception e) {
System.out.println( e.toString());
}
But no use i am getting same 302 from redirect url.
EDITED:
Also please give some ideas to get the functions equivalent to HTTPClient to be work in HTTPSConnection. How can i get those functionalities. If there is no possibility to use Httpclient in blackberry then how can i utilize Blackberry https connection equivalent to Httpcleint (or) to get the automatic redirect using HTTPS Connection?
When connector.open(url) excutes i am getting like this
SSL:->CH
SSL:<-SH
SSL:<-SC
SSL:<-SHD
TLS:->CKE
SSL:->CCS
TLS:->F
TLS:<-F
in output console then wrong response displayed.
I am getting trusted connection alert, when i click continue i get response code 302.
This is a fully expected behaviour.
302 means the requested resource is on some other URI. In other words server instructs you to execute a redirect. You should investigate connection headers and in the one named "Location" you will find a new URI to continue with. Close/finalize you current connection and start a new one for the just got redirect URI.
UPDATE:
Usually good servers respond with HTTP 302 after a successful POST. This is a known Post/Redirect/Get pattern to prevent users from posting the same data twise on browser page refresh (user may press F5 in a desktop browser). So if the page you are accessing via POST is designed for usual browsers, then this may just mean your POST was successful and you don't need to execute a redirecting request. At least, if you need the response for some result evaluation then don't redirect using a POST, this time use a GET.
Related
I have created an app (backend and frontend) that is mainly used on a Windows intranet. I'm using Kerberos authentication to do SSO so that anyone logged in to Windows domain is automatically authenticated to the server. To do this I set up Kerberos SPN for server and configured browsers etc and is all working fine in the normal scenario. My problem is that I need to continue if the user is not authenticated (ie connects from outside the Windows domain or does not have their browser configured correctly).
In summary there are two scenarios:
if authenticated OK continue with authorization granted for their ID [currently works]
if not authenticated continue with no (public) authorization [does not work]
In the first case the HTTP requests/responses are:
a. frontend: initial HTTP request
b. backend: no auth found so return 401 unauthorized with WWW-Authenticate:Negotiate header
c. frontend: re-sends request with Authorization header -> decoded to get the login ID
In the 2nd case:
a. frontend: initial HTTP request
b. backend: no auth found so return 401 with WWW-Authenticate:Negotiate (and error text in the body)
c. frontend: browser stops (displaying the body of the response as text to the user)
This is the crux of the problem I need to somehow avoid the browser just completely bombing (as at step c above).
Solutions I have tried:
display a message to the user about how to adjust browser settings to allow SSO to work in the body of the 401 response message. This is pretty ugly looking and does not work for connections from outisde the domain
Tried a 301 redirect in stead of 401 unauthorized response, but the browser does not like this.
Tried a redirect using javascript in the 401 response body, but it is not executed.
Have the backend send 401 but with WWW-Authenticate:Negotiate,Basic. But this display an unneeded login/password dialog and still fails if they don't login.
What I really need is an None option, ie: WWW-Authenticate:Negotiate,None then continue with no auth if the subsequent frontend request indicate "None" was used.
Of course, there isn't a "None" option. :(
It seems that this should be a fairly typical scenario but I have been researching this to no avail for 3 days now. Any advice would be greatly appreciated.
If the browser is connecting from outside the intranet then just continue. That is do not send the 401 response at all (no auth). You should be able to tell from the IP address where they connect from.
Another option is to redirect using JS in a page in the 401 body. As mentioned above I think you need to include Content-type: text/html or Content-type: text/javascript.
I have trouble using cy.intercept testing API that not actually exist (after mocking data)
what I mean?
I have url like: .../users/hello.
cy.intercept("POST", "/users/hello", { fixture: "test.json" }).as(
"getTestUser"
);
hello value (in the url) came from mock data (from previous response) which means that it is not actually exist in the DB / server does not know this value.
the final result: I am getting 404 from the server (it not really know this value and throw authentication error )
how can I resolve it? can I intercept a dummy url and set the server side to ignore this url and then return my stub?
tnx
Your intercept is stubbing because you have specified a fixture. The request will never go to the server.
Take a look at the routes at the top of the test
When you specify a fixture, you will not get 404 from the server. The request will never get to the server (assuming you have specified the URL correctly on the intercept).
If you are getting a response from the server, it means the URL in the intercept is not matching correctly.
Take a look at the dev console network tab, check the full URL you are trying to catch.
Perhaps you just need a wildcard in front,
cy.intercept("POST", "**/users/hello", { fixture: "test.json" })
.as("getTestUser")
EDIT: I fixed the problem, see links in the answer.
I'm using the XMLHttpRequest AJAX API to send data from different websites to our server in PythonAnywhere.
Something odd happens: depending on the website, either we send successfully or we get this error
POST https://canecto.pythonanywhere.com/api/ 500 (Internal Server Error)
even though the same code is loaded.
I tried to manually open the request and send data via JavaScript console in Chrome but nothing changes.
Here is how the snippet looks like:
var url = "https://canecto.pythonanywhere.com/api/";
var xmlHttpPost = new XMLHttpRequest();
xmlHttpPost.open("POST", url, true);
xmlHttpPost.setRequestHeader("Content-type", "application/json");
var postData = {
page_url: window.location.href,
time_on_page: activeTime,
cookie: cookie,
/* some variables */
};
xmlHttpPost.onreadystatechange = function() {
if (xmlHttpPost.readyState == 4 && XMLHttpRequest.DONE) {
console.log('');
}
};
/* send data */
xmlHttpPost.send(JSON.stringify(postData));
I read here that the problem should not be the client-side JavaScript.
If I inspect on the server side, for the line requests.get(page_url, headers=HEADER, timeout=10)(where I try to access the page) I get this log:
I read on the Python request library that it may be something related to the SSL verification, but I have very little clue about it. I tried to check other similar questions but I have not found the answer.
Has anybody experienced anything similar and successfully solved it?
To whom it still uses Python < 2.7.9: this answer worked for me. SNI is not supported in Python 2, that means you should follow such answer and these requirements to make requests work with SSL certificate verification.
I have the following setup on my server:
Apache HTTP Server is serving a BackboneJS frontend application
Apache Tomcat is serving a Java based backend (CORS enabled).
Everything is running on a single server that I have full control over.
I'm currently using com.thetransactioncompany.cors.CORSFilter in the Java based backend to enable CORS. Everything seens to be working fine.
My frontend has the following code to redirect the user to the login page in case an un-authenticated REST call occurred:
$.ajaxSetup({
statusCode: {
401: function(){
window.location.replace('/#login');
},
403: function() {
window.location.replace('/#denied');
}
},
cache: false
});
Everything works fine on all major browsers except for IE10.
In IE10, when the non-authenticated users calls the REST serverm the server returns an HTTP 401 (as it should). The XHR object I'm seeing in the IE debugger hoewever seems to have translated this into status = 0. (On chrome you can cleary see that it has status = 401.
This appears to be a bug in IE10 where IE10 is treating HTTP status 401 as a network error. The console shows:
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied
Is there a way to workaround this ?
I can add handling for statusCode 0 in the ajaxSetup but that seems more of a hack.
Is there a way to disable CORS altogether through some kind of Apache / Tomcat configuration ?
Currently my apache configuration is setup using vhosts so that the following public URLs map their corresponding internal hostname / ports.
http://mywebapp.com -> http://myrealservername:8080/ -> /var/www/http
http://myrestapi.com -> http://myrealservername:8088/ -> /usr/local/tomcat/webapps/restapi
Would it be possible / advisable to have Apache
continue serving the static webapp from http://mywebapp.com/restapi
exposing the REST API on http://mywebapp.com/restapi (keeping it "inside" the webapp).
If such a setup were possible I wouldn't need CORS anymore ? It would keep things a lot simpler while increasing browser support ?
I am trying to authenticate to the Jazz server using pure Javascript. I am supposed to be able to do a GET onhttps://myserver:9444/qm/authenticated/j_security_check?j_username=foo&j_password=bar . (same behavior on a POST as well)
This works fine in Ff plugin Poster - if I provide a dummy user-agent header. However, in the JS code I am writing (using dojo.xhrGet), I am getting a 400 - bad request, mostly because the heager is saying Chrome, with a response HTML stating - You have followed a direct link to log in to a Jazz server. This page has been presented to ensure that a malicious website cannot use cleverly crafted content to circumvent security. If you would like to log in to the server, please use the link below.
The problem I have hit is - I am unable to override the user-agent header in teh dojo.xhrGet since it s a protected header and you get a Refused to set unsafe header "user-agent if you try to override it with some value like "api".
How do I get around this catch 22?
You cannot change the User-Agent header for XMLHttpRequest. See this SO question.
If you want to authenticate to a Jazz server, you should use dojo.xhrPost to send a HTTP POST request to the form authentication url.
dojo.xhrPost({
url: '/qm/authenticated/j_security_check',
data: {
j_username: 'foo',
j_password: 'bar'
}
})