I am new to WSO2 API Manager (APIM) using version 1.9.1. I am referring to link : https://docs.wso2.com/display/AM170/Token+API, in this link they've given curl command
curl -k -d "grant_type=password&username=<username>&password=
<password>&scope=<scope1> <scope2>" -H "Authorization: Basic
SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh,
Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
Now I am trying to understand above curl command in order to create Junit to map all these headers and body values to my Spring RestTemplate API's. I understand all parameters, but I don't understand below
Authorization: Basic
SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh
Could you please explain what is the use of it? What we called long hex string by name?
You have to decode above string(SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh) and decoded string is IZsIi6HDbB5e8VKdZAnUi_fZ3f8a:Gm0bJ6oWV8fC5OQLLlC6jslACW8a
Normally these strings are combined with colon(clientId:clientSecret) and encoded with base64. IZsIi6HDbB5e8VKdZAnUi_fZ3f8a is the client ID and Gm0bJ6oWV8fC5OQLLlC6jslACW8a is the client secret.
Usage of it:-
You are trying to take the access token using above curl command. when you use above grant type, you have to provide client id and client secret to get access token.
As far as i understood (by reading the same doc) that is base64 encoded string
And it also says that it "Combine the consumer key and consumer secret keys in the format consumer-key:consumer-secret and encode the combined string using base64."
You can get more info regarding this on http://base64encode.org and What is base 64 encoding used for?
Related
I have a server, written on Java, which is currently running on a
http://localhost:8080
Source code is hidden from me, but I know that all endpoints are handled by Java HttpExchange class, for example endpoint:
http://localhost:8080/generate/init
will be handled like that:
public void init(HttpExchange httpex) throws IOException {
...
}
The next thing I know is that incoming POST requests are handled like that:
byte post_data = (byte) httpex.getRequestBody().read();
My question is, that when I do from a command-line:
echo -e '\x03' | curl -X POST -i --data-binary #- http://localhost:8080/generate/init
What will be the value of post_data?
As I understand curl will send '\x03' exactly as it is:
\x03
And Java HttpExchange method getRequestBody() will return InputStream of it, where read() will translate that InputStream into int. As much as I know, Java doesn't interpret HEX as '\x03', instead it uses Unicode '\u0003'. Therefore I'm afraid of sending wrong data into my server.
If I'm wrong about curl --data-binary, please correct me! I just wish
to be sure, that I pass number "3" by POST request and server
interprets it as number 3, but in bytes ((byte) 3)
I uploaded encrypted object using server-side encryption with customer-provided keys (SSE-C).
Is it possible to download an object using pre-signed URL in AWS S3?
I tried like this
GeneratePresignedUrlRequest generatePresignedUrlRequest1 = new GeneratePresignedUrlRequest("bucketname", "objectpath")
.withMethod(HttpMethod.GET)
.withSSECustomerKey(new SSECustomerKey("base64mykey"))
.withExpiration(new Date( System.currentTimeMillis() + (60 * 60 * 1000)));
The link is generated but when accessing it in the browser I'm getting this error The request signature we calculated does not match the signature you provided. Check your key and signing method. Is there a solution for this?
SSE-C with pre-signed URLs may not work the way you expect.
The input to the request-signing algorithm includes all headers that begin with x-amz-*. This is significant for a reason that will become clearer in a moment.
The signature-generating code needs to know what these values will be when you actually make the request, and that is the only thing .withSSECustomerKey() does -- provides information that the signing algorithm needs so that the signature matches the actual request you eventually send.
The encryption key isn't actually embedded in the pre-signed URL. It needs to be supplied a second time, when the request is actually made.
When using server-side encryption with customer-provided encryption keys (SSE-C), you must provide encryption key information using the following request headers.
x-amz-server-side-encryption-customer-algorithm Use this header to specify the encryption algorithm. The header value must be AES256.
x-amz-server-side-encryption-customer-key Use this header to provide the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
x-amz-server-side-encryption-customer-key-MD5 Use this header to provide the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure that the encryption key was transmitted without error.
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
So you can use the pre-signed URL from a server using an HTTP client library (by injecting these headers with the request) or you could use it from the browser from Javascript, similarly, or with tools like Postman and Curl, but you can't use it as a clickable or pastable hyperlink, because a URL doesn't provide a way to specify HTTP headers. And, of course, it seems like a bad idea to use it from browser-side JS, too, since that reveals the encryption key in clear text... so if you are planning to download an object stored with SSE-C, that's only appropriate in a secure environment, anyway, because of the need to handle the key in the clear.
Ok but with a curl lime this:
curl -v -T ${S3_UPLOAD_FILE} https://$S3_BUCKET.s3.amazonaws.com/${S3_DESTINATION_FILE} -H "Date: ${S3_DATE}" -H "Authorization: AWS ${S3_KEY}:${S3_SIGNATURE}" -H "Content-Type: ${S3_CONTENT_TYPE}" -H "Content-MD5: ${S3_MD5SUM}" -H "x-amz-server-side-encryption-customer-algorithm:${S3_SSEC_ALGORITHM}" -H "x-amz-server-side-encryption-customer-key:${S3_ENCRYPTION_KEY}" -H "x-amz-server-side-encryption-customer-key-MD5:${S3_ENCRYPTION_MD5}"
I can upload a file ro an s3 bucket with sse-c key. Wath about download?
I want to get the current user's data from spotify.
The documentation says I have to use this command:
curl -X GET "https://api.spotify.com/v1/me" -H "Authorization: Bearer
{your access token}"
I successfully get the token string from Spotify.
My question is: How should I transform this CURL command to java?
You need language bindings and an HTTP client. A lot of this work has been done already in the Android client made by Kaaes.
In your very specific case, you'd use the getMe method as documented here. This returns a UserPrivate object, which contains birthdate, product, email, country, as well as the fields available in the UserPublic object, like display_name.
Full documentation
Using Jersey (Java):
Manager manager = client.resource(baseUrl + "/manager").header("Api-Key", apiKey).get(Manager.class);
What is wrong with the way I'm formatting my request? The developers say that the secret apiKey should be under "Api-Key". I get UnknownHostException when I try this (I know for a fact that my baseUrl/host is correct.
Are you sure that the API-Key is a header value instead of a part of the URL string?
Test your URL strings with curl first to make sure things work as expected. Many APIs look for something like this
curl www.test.com/manager?Api-Key=THE_API_KEY
I'm using the client's browser to submit HTTP request.
For report generation the securityToken is submitted as POST, for report download the same token needs to be submitted by the user browser, this time using GET.
What encoding would you recommend for the securityToken which actually represents encrypted data.
I've tried BASE64 but this fails because the standard can include the "+" character which gets translated in HTTP GET to ' ' (blank space).
Then I tried URL Encoding, but this fails because for HTTP POST stuff such as %3d are transmitted without translation but when browser does HTTP GET with the data %3d is converted to '='.
What encoding would you recommend, to allow safe transmission over HTTP POST & GET without data being misinterpreted.
The environment is Java, Tomcat.
Thank you,
Maxim.
Hex string.
Apache commons-codec has a Hex class that provides this functionality.
It will look like this:
http://youraddress.com/context/servlet?param=ac7432be432b21
Well, you can keep the Base64 and use this solution:
Code for decoding/encoding a modified base64 URL