I am making two HTTP GET requests to my (server) webservice in Java from a PHP website I am developing currently. I use the same function for making the GET requests. Server rejects one request & returns null as response while it accepts the other one & returns the correct response. Both these GET requests when tried from Google Chrome's extension POSTMAN returns correct response.
Why is server acting so weird like this?? For the request that server rejected, it says No 'Access-Control-Allow-Origin' header is present on the requested resource. Why is it so??? So, this means for the request that the server accepted, this particular header is present. I am confused.
The Access-Control-Allow-Origin is some kind of security-header sent by the server to prevent your server being called by random other servers but all processing of these headers is left to the client side. This means that your client-library (your webbrowser for example) checks if the domain currently visited is present in the Access-Control-Allow-Origin-Header. POSTMAN bypasses these checks (since it cannot currently visit any domain) and therefore always returns the response.
What you should check to prevent this issue from happening is that you always include the client-side-domain in Access-Control-Allow-Origin (or simply use * to allow all origins). Make sure to also include it in OPTIONS requests since they are often sent prior to POST or PUT requests.
If your requests are just failing on a certain HTTP-Method make sure to also set the Access-Control-Allow-Methods-Header to include all required HTTP-Methods (or simply use *)
Since POSTMAN always accepts your request it’s a good tool to check if these headers are included in the response. If not, simply add them and you should be fine.
Related
I am running an SpringBoot application and I have a controller which defines Rest Api and accepts a request by a list of ids. Normally it works fine but if number of ids gets bigger, then I receive http 503. Interesting thing is that I cannot see any logs that my request was received by controller as well. Therefore I am not able to understand what is happening. Do you have any idea what can be worth to check ?
503 is a error code, which means service or url or controller, that you are requested is not running/available, make sure your jar file is running and also make sure the url you requested is valid. since service is not available you cant see any logs or error messages. because your controller dint receive any request yet.
The 503 error indicate that the server is not ready to handle the request.
There are some limitations for transferring data through URL , basically the length of the URL
In general the limit was 2047 chars and it is different for different browsers
503 means Service Unavailable.
I think something is wrong with your request.
You can try to add a custom OncePerRequestFilter and log your HTTP Request.
When testing with the jsonplaceholder.typicode.com site java code does not need to set any headers. Reading the json from a URLConnection works fine. However other http endpoints will return a 403 Forbidden unless a HttpURLConnection is used and the User-Agent request property is set.
Is there a way other than trial and error to figure out the required headers for a given http endpoint?
There's nothing in the HTTP protocol that allows you to observe what headers a particular server is expecting. You send a request, and the server sends a response, that's all. (A nice server may, of course, choose to embed a helpful error message in its response.)
So the literal answer to your question is: no, there's no way to determine this beyond trial and error (unless you have access to documentation and/or source code).
The server sending JSON to the API is a Tomcat server in the Gradle packages (it is built in Java).
I am having trouble's making an API call with Angular. I know my API is working because I can view it on "Postman."
var app = angular.module("todo", []);
app.controller("AppCtrl", function($http){
$http.get("192.168.5.100:8080/aggregators/datafile")
.success(function(data){
console.log(data)
})
})
When I run it I get the following error:
XMLHttpRequest cannot load %3192.168.5.100:8080/aggregators/datafile. Cross origin requests are only supported for HTTP.
The problem you're running into is that you can't make cross origin requests from the browser without CORS or using JSONP.
Postman operates outside of the context of the browser (as if you had issued a cURL request, if you're familiar with cURL).
This is for security reasons.
So, how do you implement JSONP? It really depends on the server, but in general, your resource would look for a GET request that had a pre-determined querystring parameter (normally callback for simplicity):
http://192.168.5.100:8080/aggregators/datafile?callback=mycallback
How do you make a JSONP call?
The server wraps the JSON in that callback, causing it to look something like the following:
mycallback({json:object});
This Stack Overflow answer goes into more detail.
The callback is the function the browser should hit when the request is executed, and that's what allows for cross-domain requests.
Now, on to CORS.
CORS is a system for allowing the browser to communicate with the server to determine whether or not it should accept a cross domain request. It's a bit complicated, but in general it involves settings up certain Headers on your API Server; and then executing an Ajax request in a particular fashion (for JQuery, use the withCredentials property for $.ajax). The server checks where the request is from, and if it's a valid source, it let's the browser know and the browser allows the request (I'm being simplistic).
MDN has a thorough explanation of CORS that is worth reading.
I have a jquery plugin and I'm using jsonp for crossdomain call to a jsp file.
I want to strict the jsp return values only to specific websites in our database.
To achieve this I need to somehow get the ip or url of the website the jsonp call triggered and not the client/user ip. I've tried the referer value in the http header but this will not work with IE and I guess this is not the best solution either.
How can I securely now who is calling my jsp file with my plugin, from his website?
Thanks in advance.
The simplest answer would be to issue each website a unique key or other identifier that they include in their request. You parse this identifier and flex your response appropriately.
However with a request originating from the client browser, you would have to be careful and would have to evaluate what you mean by how "securely" you need the request to be handled. (since the untrusted client would be making the request it would be a simple task to harvest and reuse such an identifier)...
Referrer (if present) could be used as a double check, but as you pointed out, this is unreliable and coming from an untrusted client computer, this portion of the request could be faked as well.
If we could assume some server side processing by the website owners, you could have them implement a proxy for the jsonp call (which would ensure such a token would never fall into the hands of the browser)... but we'd have to know if such a safeguard would really be worth it or not :)
I'm writing a server side app in Java using the HttpCore library.
I have an HttpRequest and I'm trying to get the postdata sent from a form. The problem is- when I use request.getEntity() it returns a null object, even though when I look through HTTPFox on what kind of request I'm sending the post data is clearly there.
What am I doing wrong?
There seems to be some confusion. You are sending requests from a browser to the server. The server is likely using the servlet API. There you handle requests using the doPost(..) method of an HttpServlet. You have an HttpServletRequest from which you can get the parameters - request.getParameter("paramName")
HttpCore on the other hand is used to make requests, not to handle requests. It is used as an http client (in the role of the browser).