I want to use Apache Camel to call a rest webservice which takes a bearer token as authorization. I am getting 401 unauthorized access if I use the below code--
#Component
public class LoadFileRouteBuilder extends RouteBuilder{
#Override
public void configure() throws Exception {
from("timer:mytimer?repeatCount=1")
.log("Scheduled job!")
.to("direct:httpRoute");
from("direct:httpRoute")
.log("Http Route started")
.setHeader(Exchange.HTTP_METHOD).constant(HttpMethod.GET)
.setHeader(Exchange.CONTENT_TYPE, constant("application/json"))
.setHeader("Authorization").simple("Bearer "+ myToken)
.to("https://my-rest-ws-url")
.log("Response : ${body}");
}
}
I have also tried using process method to set the authorization token exchange.getIn().setHeader("Authorization", "Bearer "+myToken); didn't work either.
Is it the correct way to send bearer token ?
Related
I've created a self hosted Java applicataion and I would like to use Google sign in to log in into. I followed the follwong example:
https://developers.google.com/identity/sign-in/web/
That of course work, but now I'm getting a little confuse on how I can authorize the calls on the server. In the backend I'm using Grizzly+Jersey.
As described on the Google Sig-In documentation, you can use Google API Client Library for Java in order to check the authentication token on server side.
Client side
After a user successfully signs in, get the user's ID token:
function onSignIn(googleUser) {
var idToken = googleUser.getAuthResponse().id_token;
...
}
And send the idToken to the server in every request using the standard HTTP Authorization header.
Server side
You can use a filter to perform authentication and/or authorization.
To bind filters to your REST endpoints, JAX-RS provides the meta-annotation #NameBinding and can be used as following:
#NameBinding
#Retention(RUNTIME)
#Target({TYPE, METHOD})
public #interface Secured { }
The #Secured annotation will be used to decorate a filter class, which implements ContainerRequestFilter, allowing you to handle the request, get and validate the token.
The ContainerRequestContext helps you to extract information from the HTTP request.
The #Provider annotation marks an implementation of an extension interface that should be discoverable by JAX-RS/Jersey runtime during a provider scanning phase.
#Secured
#Provider
#Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {
#Override
public void filter(ContainerRequestContext requestContext) throws IOException {
// Get the token header from the HTTP Authorization request header
String token =
requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
// Check if the token is present
if (token == null || token.isEmpty()) {
throw new NotAuthorizedException("Token must be provided");
}
// Validate the token
validateToken(token);
}
private void validateToken(String token) {
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier
.Builder(new NetHttpTransport(), new GsonFactory())
.setAudience(Arrays.asList(CLIENT_ID))
.build();
GoogleIdToken idToken = verifier.verify(token);
if (idToken != null) {
Payload payload = idToken.getPayload();
System.out.println("User ID: " + payload.getSubject());
} else {
throw new NotAuthorizedException("Invalid token.");
}
}
}
To bind the filter to your endpoints methods or classes, annotate them with the #Secured annotation created above. For the methods and/or classes which are annotated, the filter will be executed.
#Path("/example")
public class MyEndpoint {
#GET
#Path("{id}")
#Produces("application/json")
public Response myUnsecuredMethod(#PathParam("id") Long id) {
// This method is not annotated with #Secured
// The security filter won't be executed before invoking this method
...
}
#DELETE
#Secured
#Path("{id}")
#Produces("application/json")
public Response mySecuredMethod(#PathParam("id") Long id) {
// This method is annotated with #Secured
// The security filter will be executed before invoking this method
...
}
}
In the example above, the security filter will be executed only for mySecuredMethod(Long) because it's annotated with #Secured.
I am using Retrofit below 2.0 in order to make API call.
The endpoint is "http://api.themoviedb.org/3".
The method is
#GET("/discover/movie")
void getMovies(Callback<MoviesResponse> callback);
They want me to add api_key as parameter. You can see the instructions here.
I am creating interceptor and setting it while building the client.
This is the overridden method of the interceptor.
#Override
public void intercept(RequestFacade request) {
request.addHeader("api_key", MY_API_KEY);
}
For some reason I get Unauthorized error.
"Invalid API key: You must be granted a valid key."
The example they are giving is:
http://api.themoviedb.org/3/movie/550?api_key=###
I found what was wrong. I was adding a header while they were asking for parameter.
#Override
public void intercept(RequestFacade request) {
request.addQueryParam(HEADER_NAME, mApiKey);
}
In Restlet 2.3 I am using a ChallengeAuthenticator with ChallengeScheme.HTTP_BASIC to protect application resources. When the server receives an incorrect set of credentials the server correctly returns a 401 Unauthorized response. Also correctly it adds the following header:
WWW-Authenticate → Basic realm="My security Realm"
The problem is when that response goes back to a browser rather than a server (as is the case with the AngularJS application GUI), the browser natively interprets that 401 response and launches an 'Authentication Required' modal.
What I would like to try and achieve is to read the request headers (easily done) and if the X-Requested-With: XMLHttpRequest header is present I would like to suppress the WWW-Authenticate header in the '401' response.
Currently the WWW-Authenticate header is automatically set so my question is how can I override this default header being set and handle it manually?
In your case, you should use a filter to remove the header WWW-Authenticate from the response. This header corresponds to a challenge request in the response.
Here is the content of the filter:
public class SecurityPostProcessingFilter extends Filter {
public SecurityPostProcessingFilter(
Context context, Restlet next) {
super(context, next);
}
#Override
protected void afterHandle(Request request, Response response) {
String requestedWith
= request.getHeaders().getFirstValue("X-Requested-With");
if ("XMLHttpRequest".equals(requestedWith)) {
response.getChallengeRequests().clear();
}
}
}
You need to add it within the createInboundRoot method of your Restlet application, as described below
public class RestletApplication extends Application {
(...)
#Override
public Restlet createInboundRoot() {
Router router = new Router(getContext());
(...)
ChallengeAuthenticator guard = new ChallengeAuthenticator(
null, ChallengeScheme.HTTP_BASIC, "testRealm");
(...)
guard.setNext(router);
Filter filter = new SecurityPostProcessingFilter(
getContext(), guard);
return filter;
}
}
This will remove the header WWW-Authenticate from the response when the value of the header X-Requested-From is equals to XMLHttpRequest in the request.
FYI, there is a page on the Restlet web site that describes the mapping between HTTP headers and the Restlet API: http://restlet.com/technical-resources/restlet-framework/guide/2.2/core/http-headers-mapping.
Hope it helps you,
Thierry
Another way is to override the ChallengeAuthenticator#challenge method.
By default it set the response status and add a challengeRequest:
ChallengeAuthenticator guard = new ChallengeAuthenticator(getContext(), ChallengeScheme.HTTP_BASIC, "realm") {
public void challenge(org.restlet.Response response, boolean stale) {
String requestedFrom = response.getRequest().getHeaders().getFirstValue("X-Requested-With");
if (!"XMLHttpRequest".equals(requestedFrom)) {
super.challenge(response, stale);
} else {
response.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
}
};
};
I need to authentication SOAP header and give the response accordingly in my web service. The authentication header will verify the userId and password information.
If authenticated, then SOAP body of the request will be processed, else Invalid Authentication message will be returned
Below is my controller
package com.ws.controller;
#Endpoint
public class MyWSEndpoint
#Autowired(required=true)
private WSService service;
#PayloadRoot(localPart = "myWSRequest", namespace = Constants.TARGET_NAMESPACE)
public #ResponsePayload MyWSResponse getInfo(#RequestPayload MyWSRequest request) throws Exception
{
MyWSResponse response = new MyWSResponse();
response=service.getResponse();
return response;
}
}
i'm using Spring + SOAP
Please advise if i do right or better approach to solve.
Any working samples or projects will be much appreciated
I'm trying to use oauth in a redmine 2.4.2 with the redmine_oauth_provider plugin (https://github.com/a-ono/redmine_oauth_provider).
I have configure a new client in redmine and get then the consumer key and consumer secret.
I try then to make an example using the scribe library (used by jenkins to make the oauth work).
But I can't get the request token, redmine send me back a 401 with body Invalid OAuth Request.
Here is the Service I wrote
package org.scribe.builder.api;
import org.scribe.model.Token;
public class RedmineApi extends DefaultApi10a {
protected final String redmineUrl;
public RedmineApi(String redmineUrl) {
redmineUrl = redmineUrl.trim();
if (!redmineUrl.endsWith("/")) {
redmineUrl += "/";
}
this.redmineUrl = redmineUrl;
}
#Override
public String getAccessTokenEndpoint() {
return redmineUrl + "access_token";
}
#Override
public String getAuthorizationUrl(Token requestToken) {
return redmineUrl + "authorize?oauth_token=" + requestToken.getToken();
}
#Override
public String getRequestTokenEndpoint() {
return redmineUrl + "request_token";
}
}
And the client test
OAuthService service = new ServiceBuilder()
.provider(new RedmineApi("https://nuiton.org/oauth"))
.apiKey("XXX")
.apiSecret("XXX")
.debug()
.build();
Token requestToken = service.getRequestToken();
At runtime I got
using Http Header signature
sending request...
response status code: 401
Exception in thread "main" org.scribe.exceptions.OAuthException: Response body is incorrect. Can't extract token and secret from this: 'Invalid OAuth Request'
And on the redmine side I got
Started POST "/oauth/request_token" for 78.216.18.159 at Wed Feb 05 22:30:13 +0100 2014
Processing by OauthController#request_token as HTML
Current user: anonymous
Rendered text template (0.0ms)
Filter chain halted as # <OAuth::Controllers::ApplicationControllerMethods::Filter:0xf533d024 #options={:interactive=>false, :strategies=>:two_legged}, #strategies=[:two_legged]> rendered or redirected
Completed 401 Unauthorized in 3.5ms (Views: 0.6ms | ActiveRecord: 0.6ms)
Any help will be much appreciated.