I need to get username and password from HttpServletRequest to process the basic authentication. What I have is CXF endpoint and the basic auth interceptor. The HttpServletRequest I get like this:
public void handleMessage(Message message)
throws Fault {
HttpServletRequest request = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
}
When I tried to debug the code and I see that:
request.getAuthType() is null
request.getRemoteUser() is null
The username and password I am sending with the request from Soap UI. So the question is how am I able to get the username and password from the request?
EDIT
Header looks like this:
POST http://localhost:8011/GradIrelandUserRegistration HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Authorization: Basic UGF1bGl1czpQYXVsaXVzMTIz
Content-Length: 3170
Host: localhost:8011
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
They say that Authorization is basic, but then why call request.getAuthType() is returning null?
I was able to figure it out my self. In Soap UI I needed to change the Authentication type to:
Preemptive
and then use:
AuthorizationPolicy policy = (AuthorizationPolicy) message.get(AuthorizationPolicy.class.getName());
From the policy object now I am able to get the username and password.
This may be helpful to you
.
I'm bit new in SOAP data parsing so, if not working then let me know brief problem.
.
Also Check this J-Query Plugin for parsing SOAP services with the database. check this Stack Overflow
Related
Is there an API to fetch the device code via Auth0 Java API, we use the following snippet in Go, the question is if there is a standard API or should we make a HTTP request call
url := "https://dev-foo.us.auth0.com/oauth/device/code"
payload := strings.NewReader("client_id=RO6N7mr&scope=openid&audience=https://dev-foo.us.auth0.com/api/v2/")
req, _ := http.NewRequest("POST", url, payload)
The documentation tells you that you need to send a POST request like the following:
POST https://YOUR_DOMAIN/oauth/device/code
Content-Type:
application/x-www-form-urlencoded
client_id=YOUR_CLIENT_ID&scope=SCOPE&audience=API_IDENTIFIER
and the response would look like
HTTP/1.1 200 OK
Content-Type: application/json
{
"device_code":"GmRh...k9eS",
"user_code":"WDJB-MJHT",
"verification_uri":"https://YOUR_DOMAIN/device",
"verification_uri_complete":"https://YOUR_DOMAIN/device?user_code=WDJB-MJHT",
"expires_in":900, //in seconds
"interval":5
}
I have a Spring MVC REST endpoint which I successfully configured to be secured by Kerberos as recommended. On successful authentication everything works. The problem is when it comes to custom 401 error page.
I have it configured as (I'm spring-boot 1.3.5) as follows:
#Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
return container -> container.addErrorPages(new ErrorPage(HttpStatus.UNAUTHORIZED, "/error/401.html"));
}
This works nicely which I can confirm by switching to e.g. Basic auth and providing wrong credentials.
When back with Kerberos - if I access my secured endpoint with kinit in place everything works and in curl I see the detailed requests:
curl -v -u : --negotiate http://my-enpoint:8080/
> GET / HTTP/1.1
> Host: ...:8080
> User-Agent: curl/7.43.0
> Accept: */*
< HTTP/1.1 401 Unauthorized
< ...
< WWW-Authenticate: Negotiate
> GET / HTTP/1.1
> Host: ...:8080
> Authorization: Negotiate YIIH7 ...
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< ...
Now if I do kdestroy and do the curl again:
curl -v -u : --negotiate http://my-enpoint:8080/
> GET / HTTP/1.1
> Host:...8080
> User-Agent: curl/7.43.0
> Accept: */*
< HTTP/1.1 401 Unauthorized
< ...
< WWW-Authenticate: Negotiate
... and that's it. In this case spring returns 401 as expected response which is part of the handshake and therefore no error page is sent.
And here comes my two questions:
How can I return the 401 error page when the thing dies in the middle of the handshake?
How could spring possibly fallback to any other authentication as fallback (form, basic) if it tries to negotiate but there is no response from the client at all?
So back with my investigation ...
This behaviour I observed is expected. The clients (browser, curl) doesn't continue with authentication if they can't authenticate. The key to provide custom page is the SpnegoEntrypoint. It allows to specify forwardUrl in it and it's javadoc says:
Instantiates a new spnego entry point. This constructor enables
security configuration to use SPNEGO in combination with login form as
fallback for clients that do not support this kind of authentication.
The point is the forward url any resource which will be included in the first 401 response. You can include any page, not just form login. In my case I'm including custom 401 error page because I don't do any authentication fallback.
#Bean
public SpnegoEntryPoint spnegoEntryPoint() {
return new SpnegoEntryPoint("/error/401.html");
}
And then the communication looks like client sends GET and get's back 401 response with my custom error page in body. If the client is able to negotiate it ignores the response body completely and resubmits the request with appropriate token. If it can't authenticate it displays whatever it gets back - the custom error page.
As a response to your first question:
I had the same use case, but chose an alternative solution in which I extended the SpnegoEntryPoint with one that added a small JSON body to the response to be consumed by REST clients:
public class JsonSpnegoEntryPoint extends SpnegoEntryPoint {
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException ex)
throws IOException, ServletException {
response.getWriter().write("{\"message\": \"Spnego negotiate, expecting to be called with negotiate-flags set\"}");
super.commence(request, response, ex);
}
}
Using ADAL libs for java I managed to get Access,Refresh and ID Tokens using my office365 credentials.
Now my intention is using REST Web APIs, my intention is to create an entity, as a proof of concept. Based on my experience with other venders and REST APIs, once you have a valid token, you just add it as a Authorization header like:
Authorization=Bearer 709709JHKLJHKJLhHKHKJHKH...etc
Is something similar to this in Dynamic CRM 2016?
Here here is nice info about composing a POST http request, but I am missing the Authorization part... Any idea guys?
Here is a valid GET request to pull back accounts.
GET https://<CRM DOMAIN>.com/api/data/v8.1/accounts HTTP/1.1
Authorization: Bearer:<TOKEN GOES HERE>
Host: <CRM DOMAIN>.com
And here is a valid POST
POST https://<CRM DOMAIN>.com/api/data/v8.1/accounts HTTP/1.1
Content-Type: application/json; charset=utf-8
Accept: application/json
Authorization: Bearer:<TOKEN GOES HERE>
Host: <CRM DOMAIN>.com
Content-Length: 224
{
"name": "Sample Account",
"creditonhold": false,
"address1_latitude": 47.639583,
"description": "This is the description of the sample account",
"revenue": 5000000,
"accountcategorycode": 1
}
I am able to set content type using cxf library but I don't know how to set Authorization header. Whenever I set user name and password then it set Authorization header and encode whole value and add Basic. I don't want to do this. I want to add Authorization header with plain string which ever I provide. Please help me to solve out this problem.
AMPServices services = new AMPServices();
CoreXmlPort coreXmlPort = services.getAMPSoapService();
Client client = ClientProxy.getClient(coreXmlPort);
HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
HTTPClientPolicy httpClientPolicy=httpConduit.getClient();
String contentType=httpClientPolicy.getContentType();
contentType="application/soap+xml; type=vnd.iShip.AMP.SOAP; charset=UTF-8";
httpClientPolicy.setContentType(contentType);
AuthorizationPolicy authorizationPolicy = new AuthorizationPolicy();
authorizationPolicy.setUserName("username");
authorizationPolicy.setPassword("password");
httpConduit.setAuthorization(authorizationPolicy);
It generates following request xml.
POST https://api.iship.com/Root/Enterprises/Pitney%20Bowes/Progistics; HTTP/1.1
Content-Type: application/soap+xml; type=vnd.iShip.AMP.SOAP; charset=UTF-8
Accept: */*
Authorization: Basic aXNoaXAgcGIvd3NkZXZlbDowNzZhNjFjYTM5MDcxODAxODVjNWRkMjM2YTdkMzZhNGQ1ODg5OWFj
User-Agent: Apache CXF 3.1.0
Cache-Control: no-cache
Pragma: no-cache
Host: api.iship.com
Connection: keep-alive
Content-Length: 246
But I want this type of request
POST https://api.iship.com/Root/Enterprises/Pitney%20Bowes/Progistics; HTTP/1.1
Content-Type: application/soap+xml; type=vnd.iShip.AMP.SOAP; charset=UTF-8
Accept: */*
Authorization: username;password
User-Agent: Apache CXF 3.1.0
Cache-Control: no-cache
Pragma: no-cache
Host: api.iship.com
Connection: keep-alive
Content-Length: 246
But I was not able to do it. Please help me to solve out this problem.
Thanks,
Awadhendra
I think you are trying to call is a RestFul Service, so that's why the server side always response with a different content type than you expected (json instead of soap/xml). Is your url endpoint based on http protocol? If yes, do you need send additional parameters to this url?
The issue here is that the client you are using to interact with Webservice expecting XML based Soap Messages , while the service is serving JSON as a return media.
Either convert your client to use the JSON format and communicate using that, or alternatively use the XML based endpoint , consult with webservice provider for that.
im using a generated axis client to consume a service that requires headers
when using SOAPUI, i add the headers and the request looks like this
POST https://fttoo/service/v3.2/SOAP HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Authorization: Bearer 123
Content-Length: 270
Host: my host
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
when trying to set the headers with code i'm doing the following
proxy = (SessionServiceImplServiceSoapBindingStub)locator.getSessionService();
proxy._setProperty("Authorization", "Bearer 123");
this is not working well and i get Error 401, when inspecting the proxy object i see that a property called cachedProperties has the value of {Authorization=Bearer 123}
I've also tried proxy._setProperty(HTTPConstants.HEADER_AUTHORIZATION, "Bearer 123");
and also inside the stub, in the _call object....
given the fact that axis 1 is very old i generated a new web client using CXF instead of Axis, this way i was able to use cxf api to place the headers