What settings must be configured to permit Http cookies to retrieved from the Http request object in a WCF service. I am using basic Http binding. I have set aspNetCompatibilityEnabled = true and allowCookies="true". Please advise. I am certain the cookie is there with the proper domain. I have created an .aspx test page that calls my utility directly and the cookie value is returned, but calling the same code wrapped in a service does not return a value.
Are you using :
HttpContext.Current.Request.Cookies["CookieName"]?
If you are using this then there no problem.
And make sure that there is no spelling mistake.
If you are using form authentication then you have to pass token for authentication.
Related
I have requirement to develop mule flow to access, login, navigate and then submit form (HTTPS Post). I am using HTTP Connector configured as HTTPS with all required configurations like host/port/path/method/TSL etc. Added Query parameters which I tracked from HTTP trace in Firefox. Also set cookies as Header but I am getting A session is required to access this resource. response instead login to application.
Please find below HTTP Connector and configuration
Any suggestion?
You should not need to set cookies explicitly, and also setting them as HTTP headers will not work. First find out the type of authentication required by the service (basic, oauth, other?), then try to configure it in the HTTP connector.
I have a request, which can be used on an endpoint with and without authentication too, but response is different in these cases. I send request to path like /MyService?wsdl. I tried to use HTTP Authorization Manager added it to HTTP Request element with whole url to this service, but it isn't working. I am sure, that username and password are correct. How is it possible to debug authentication process?
HTTP Authorisation Manager respects JMeter's Scoping Rules so make sure it is located either on the same level as HTTP Request sampler or add it as a child of this sampler (in the latter case it will be applied to this sampler only)
Configure it as follows:
Base URL: protocol followed by IP address or hostname of the application under test
Username: your username
Password: your password
Mechanism: BASIC_DIGEST
Assuming everything goes well you should see Authorization header added to your request
See How to Use HTTP Basic Authentication in JMeter article for more details.
Alternative solution is adding HTTP Header Manager and configuring it to send Authorisation header with the value of ${__base64Encode(username:password,)}
This approach assumes having __Base64Encode function installed, you can obtain it as a part of Custom JMeter Functions bundle using JMeter Plugins Manager
I suggest to use Fiddler which is a Web Debugging Proxy to send requests from JMeter through it. You can configure HTTP Request to use a proxy.
Make sure the Authorization: Basic ... header is sent within the request.
The HTTP Authorization Manager should be placed at the root of the thread group. You can then specify the full request path associated to each authorization.
I have a c# application which consumes a webservice through a client proxy. The webservice is setup to use windows authentication (HTTP 401 challange through Active Directory). My user account configured to be authorized to access the webservice.
When I call the webservice through the browser it worked well. The browser is able to do the 401 challange and does not ask for any user id password (as internally the server and client do it through AD controller).
The problem is that when I try to consume the service through the C# application, it throws HTTP request unauthorized error.
I have tried all the below options for the webservice proxy to do windows authentication.
ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation
ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultCredentials as System.Net.NetworkCredential
ClientCredentials.Windows.AllowedImpersonationLevel =System.Security.Principal.TokenImpersonationLevel.Impersonation
Can someone please help on how I can make the webservice call just like how the browser does. I cannot pass user id and password while calling the service.
I figured out myself a workaround.The service call works well (HTTP 401 challange) with HTTPWebRequest with Credentials = CredentialCache.DefaultCredentials. Browser seems to be using the same approach.The problem is while creating a client proxy which is unable to do this 401 challange.
I could not figureout the reason but may be the service does not have enough meta information to establish a proper handshake with a client proxy.
I have a service stack web service with the CorsFeature enabled.
I am calling a service through AngularJS's $http.get method with the setting withCredentials to true:
$http.get(url,{ withCredentials: true})
How do I securely pass the credentials to be used by the rest api?
On the ServiceStack side you must set your CorsFeature plugin to have allowCredentials = true and set a single origin. You can't have an origin of * when using allowCredentials.
withCredentials basically allows your origin domain and the ServiceStack service endpoint to share cookies, and pass the Authorization HTTP header, (when CORS is correctly configured). So ultimately your credentials could be a session cookie or an Authorization HTTP header.
This Mozilla documentation about CORS is good at explaining how the cross domain withCredentials works.
Because the CORS feature and withCredentials only sets up the ability for the domains to share cookies and pass the Authorization header, and doesn't do the authentication - you will need to find a suitable authentication mechanism.
You can either build your own authentication mechanism, or consider implementing the ServiceStack Authentication provider, which you can read about it here. Essentially you would want to do a post to:
POST server:port/auth/credentials?format=json
{
"UserName": "admin",
"Password": "test"
"RememberMe": true
}
The authentication service would pass back a session cookie, and when you use withCredentials in your later requests, the cookie will be included automatically, and thus your request will authenticate.
To address passing the credentials securely, you will want to use HTTPS to avoid exposing the credentials in transit. This means securing the username and password value, as well as the session token value.
Hope this helps.
I'm constructing an application with 2 sides: client (iPhone) and Server (PHP). Communication using https. The mobile phone gets a 4SQ access token. Then, it sends that token to the server, and the server will make 4SQ API calls using it. My question is about how to send this token.
My idea was to include the token in the HTTP Authentication request's header, but after reading about basic/digest authentication, I suspect it isn't the way of doing it. Actually, the calls to 4SQ API are done using a request parameter
oauth_token=ACCESS_TOKEN
instead of putting the token in Authentication header, or any other place. I'm sure there's a good reason for that, but I can't find it.
Then, which option is the best?
Phone sends token to PHP server as request parameter, like 4SQ does
Phone sends token to PHP server in Authentication header (which kind oh authentication is?)
Any other way
Many thanks in advance, and best regards
I think the most secure and reasonable way would be a HTTPS POST. When the token is part of the query string in a HTTPS request, it is also encrypted. But it will appear clear text in the server log, or, when a browser is used, it could also appear in the browser history. Depending on the HTTP helper library, it could also log the HTTPS URL, when, for example, a request fails.
In my eyes, sending the token in the Authentication header would be strange, since it is not used for authentication between the server and the client.