My system Browser (IE) is proxy authenticated. I tried to download "www.google.com" using
IWinHttpRequest it fails with status code 407 ( Need Proxy Authentication ) even after setting the user name and password using SetCredentials(...) for "www.google.com". The response text contains "cache access denied". How to solve this?
SetCredentials should be called twice as follows
hr = pIWinHttpRequest->SetCredentials(bstrUserName, bstrPassword, HTTPREQUEST_SETCREDENTIALS_FOR_SERVER);
hr = pIWinHttpRequest->SetCredentials(bstrUserName, bstrPassword, HTTPREQUEST_SETCREDENTIALS_FOR_PROXY);
before called "Send"
Related
I have some code that looks at "Basic Authorization" requests from many different sites.
I want to know if I can make the following assumptions:
A successful response (credentials are correct) will always have response code 200 OK
A failed response (incorrect credentials) will always have response code 401 Unauthorized
Are the above fair assumptions, or is the success/fail conditions configurable per site?
No, there are other possible response codes.
According to the official spec, there can also be the error code 407.
Also, on MDN:
If a (proxy) server receives invalid credentials, it should respond with a 401 Unauthorized or with a 407 Proxy Authentication Required, and the user may send a new request or replace the Authorization header field.
If a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 Forbidden status code. Unlike 401 Unauthorized or 407 Proxy Authentication Required, authentication is impossible for this user and browsers will not propose a new attempt.
In all cases, the server may prefer returning a 404 Not Found status code, to hide the existence of the page to a user without adequate privileges or not correctly authenticated.
Besides that, I'm quite sure that an actual successful attempt will result in status code 200.
I have created an app (backend and frontend) that is mainly used on a Windows intranet. I'm using Kerberos authentication to do SSO so that anyone logged in to Windows domain is automatically authenticated to the server. To do this I set up Kerberos SPN for server and configured browsers etc and is all working fine in the normal scenario. My problem is that I need to continue if the user is not authenticated (ie connects from outside the Windows domain or does not have their browser configured correctly).
In summary there are two scenarios:
if authenticated OK continue with authorization granted for their ID [currently works]
if not authenticated continue with no (public) authorization [does not work]
In the first case the HTTP requests/responses are:
a. frontend: initial HTTP request
b. backend: no auth found so return 401 unauthorized with WWW-Authenticate:Negotiate header
c. frontend: re-sends request with Authorization header -> decoded to get the login ID
In the 2nd case:
a. frontend: initial HTTP request
b. backend: no auth found so return 401 with WWW-Authenticate:Negotiate (and error text in the body)
c. frontend: browser stops (displaying the body of the response as text to the user)
This is the crux of the problem I need to somehow avoid the browser just completely bombing (as at step c above).
Solutions I have tried:
display a message to the user about how to adjust browser settings to allow SSO to work in the body of the 401 response message. This is pretty ugly looking and does not work for connections from outisde the domain
Tried a 301 redirect in stead of 401 unauthorized response, but the browser does not like this.
Tried a redirect using javascript in the 401 response body, but it is not executed.
Have the backend send 401 but with WWW-Authenticate:Negotiate,Basic. But this display an unneeded login/password dialog and still fails if they don't login.
What I really need is an None option, ie: WWW-Authenticate:Negotiate,None then continue with no auth if the subsequent frontend request indicate "None" was used.
Of course, there isn't a "None" option. :(
It seems that this should be a fairly typical scenario but I have been researching this to no avail for 3 days now. Any advice would be greatly appreciated.
If the browser is connecting from outside the intranet then just continue. That is do not send the 401 response at all (no auth). You should be able to tell from the IP address where they connect from.
Another option is to redirect using JS in a page in the 401 body. As mentioned above I think you need to include Content-type: text/html or Content-type: text/javascript.
The response of Authentication grand code for the request which i pass is 200 Ok. But am getting an html response in that. i couldn't find any code. Can You please help me.?
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature&client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXfeeb89&redirect_uri=https://localhost:44330/callback
This is the request which i send. But not receiving the authentication code. But It shows 200 OK.
In the admin tool, check that your integration key is set to use Authorization Code grant, not Implicit grant.
Also check that you've authorized your exact callback URI for your integration key.
If you're not getting any errors from DocuSign, then authenticate yourself and the your browser will then be redirected to your redirect uri, in this case https://localhost:44330/callback
I add username and password in URL, but Jmeter send request to server with square bracket.
username : ABC
password : 123
In sampler I have mentioned like this
https://ABC:123#api.google.com
but after execution it added brackets like this
https://[ABC:123#api.google.com]/path
due to this my API is failing, please help me out
thanks in advance.
Don't add anything but application under test IP or hostname into "Server Name or IP" input, if you want to include your credentials into URL use "Path" field instead:
However if you don't have an explicit requirement stating to send credentials in the URL I would rather recommend providing them using HTTP Authorization Manager as putting the whole URI into "Path" might cause other test elements malfunction, for example HTTP Cookie Manager
So suggested setup would be:
HTTP Request sampler:
HTTP Authorization Manager
More information: How to Use HTTP Basic Authentication in JMeter
All major web applications (Google, Facebook, etc.) return page status 200 ok in case of authentication failure, i.e. wrong login/password pair.
Although by definition, if a resource is not found with request URI - status 404 Not found is returned.
Wikipedia says:
[404 Not Found] Used when the requested resource is not found, whether it doesn't exist or if there was a 401 or 403 that, for security reasons, the service wants to mask
How does the login case differ?
Server code 200 means you get the response . Whether it is your wrong credentials or not. if Your request has not been processed then server returns different error code . But for your case,
Your login request has been processed , connection with database has been established and from that you get you wrong credential message . So code 200 is for your successfully processed request.