I am facing an issue on my project. I have to send a POST request to a vendor's API. But I am getting the response login is required.
The vendor has not exposed the Login API , but has given the login url. It wants us to authenticate on the browser and then send the POST request from our Java code.
Can anyone please help us that if it is possible to this?
I have tried to launch the login url from my Java code. Then I authenticate it. But since I have authenticated in Browser's process so I am not able to send the POST request from my Java code.
Ideally you should make a GET request using the login url (a REST call from the Java code and not via a browser process) which would return you a valid access token or something similar, using which (ideally on the header), you should make the POST request which would allow the vendor's API to authenticate your request.
You would need to provide sample code and what you have tried for me to help you further, but I hope you get the idea.
Related
I'm learning Web services. I have created an Rest API on local machine in eclipse. And the url looks like this http://localhost.com/Web/Test/Client
What It does is when I call this url as POST method with username and parameters in url's body, I get one token which I'm using somewhere else. Upto here its working fine. I pass username and password and I get a token once my API's code verifies the credentials coming in url's body.
So after that I read about security of Rest API so that no body could access my credentials which are coming with url. It says it needs to be converted into HTTPS from HTTP.
But I could not understand more how and where this security needs to be configured in my code. Do I need to write any code to achieve this or any settings are required ? I'm totally blank here.
Can anyone please help me to understand this and tell me what needs to be done to get HTTPS for my url ?
What you need to do here is create a self signed certificate and configure channel security. I highly recommend you to use spring security framework to get this thing done. This article will help you.
To require HTTPS for the login page modify your security configuration by adding the following:
http.requiresChannel()
.antMatchers("/login*").requiresSecure();
I have a web application that when user click on the a link it will generate security information and log on to an external application if the security information is authenticated.
At this point from security concern I don't want to expose the URL and request information on the web page, so instead I am seeking solutions to handle the process behind the scene
I know Apache Components can easily send post request within POJO, jersey client can do as well through web service. However the requirement here is also including to let browser automatically redirect to the 3rd app's front page if the login process succeeded.
My question is what could be the proper solution to handle the login process and go to the external application from web as well.
Say you have:
publicapp.com
secretapp.com
Set up an API in publicapp.com to POST the initial request to itself. When the user submits the initial login form it goes to say publicapp.com/login. This endpoint will pre-process the information then send a server to server request to secretapp.com/login.
If secretapp.com/login accepts the information it responds to publicapp.com with a success and publicapp.com redirects the client to secretapp.com/home, with a short term auth token encoded in a JWT. secretapp.com, swaps the short term token for a full auth token.
In the above scenario, the actual login endpoint is never made public. secretapp.com should also have IP whitelisting to only accepts login attempts from publicapp.com. You can also do a lot of filtering on publicapp.com to eliminate malicious requests without bothering secretapp.com.
I get code from this direct url with my client id and redirect uri;
https://foursquare.com/oauth2/authenticateclient_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
But I can't do it with the rest service. I have to embed this service in my java application and then get access token. I can use that different option,if there is another way you know to get access token.Can you help me?
The Foursquare docs walk through the process in great detail. There are 2 options:
Web Applications Code Flow
Web Applications Token Flow
Both these options will require you to setup an app through the Foursquare Developer site. You'll need to setup a redirect URL for Foursquare to redirect back to. This is usually a publically accessible URL, but a locahost URL also works for testing purposes.
The first, the Code Flow, follows a standard OAuth process:
Direct users (generally done through a link or button) to
https://foursquare.com/oauth2/authenticate?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI`
If the user accepts, they will be redirected back to
https://YOUR_REGISTERED_REDIRECT_URI/?code=CODE
Your server should exchange the code it got in step 2 for an access token. Make a request for
https://foursquare.com/oauth2/access_token?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=authorization_code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&code=CODE
The response will be JSON
{ access_token: ACCESS_TOKEN }
This access token is what you're looking for.
The second method, the token flow is slightly easier:
Redirect users who wish to authenticate to
https://foursquare.com/oauth2/authenticate?client_id=CLIENT_ID&response_type=token&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
If a user accepts, they will be redirected back to
https://YOUR_REGISTERED_REDIRECT_URI/#access_token=ACCESS_TOKEN
This access_token query param is what you're looking for.
Go to your "App Settings" page on the developer console of Foursquare.com
Set the "Redirect URL" under "Web Addresses" to https://www.google.com
Paste and enter the following url in your web browser (replace YOUR_CLIENT_ID with your actual client id):
https://foursquare.com/oauth2/authenticate?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=https://www.google.com
This should redirect you to a google page requesting permission to make the connection.
Accept and then look at the url of your web browser (take note at the CODE part of the url to use in step 5)
It should look like https://www.google.com/?code=CODE
Copy the code value from the previous step.
Paste and enter the following into your web browser (replace placeholders with actual values):
https://foursquare.com/oauth2/access_token?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=authorization_code&redirect_uri=https://www.google.com&code=CODE.
When you paste the link , This should lead you to a page that gives you your access token.
Credit : IBM course intructor.
I am attempting to log into a website using Java's HttpURLConnection. I have figured out how to use a POST request to post to the website and log in, but I have no way of knowing if the login was successful or not.
Looking at some tutorials, I discerned that reloading the page usually works. The problem with this specific implementation is that upon entering credentials, the website opens a pop up window, with the same URL as the parent site.
This can be solved either of two ways. Looking at Chrome's Developer Tools, I realized that the POST request returns whether the login was successful, as seen here
Is it possible to get the popup window or look for the response to the POST request? I'd rather use native java is possible.
Reload will work, if you'll keep the same HTTP session. Actually the website cannot open an popup - the web browser does it according to the login response. You should do the same - that is to check the response. Luckily you don't have to parse the response content, try to check the response code. For login the HTTP 200 may stand for successful login and HTTP 401 for failure.
I should get information from a website by DOM (a random value of an hidden input) and execute a post of username and password in my app (a login).
If I use two separated connection the random value change and not log me in.
Someone knows how I can do this in one connection? Help me please!
You should provide your login information in headers, there is a standard way of doing so called HTTP BASIC authentication. Read more about it here:
http://en.wikipedia.org/wiki/Basic_access_authentication
You can follow this SO post to understand how you can send an http request with BAISC authentication header using JAVA:
Http Basic Authentication in Java using HttpClient?
Your request can be authenticated using the mentioned header. And you can send any other information as request parameter. Using this way you need not to send two requests to get the DOM info as your authentication info will be in header.