Caused by: com.azure.storage.blob.models.BlobStorageException: If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call.
If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call.
Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII.
Status code 403, "AuthorizationFailureThis request is not authorized to perform this operation.
I have tried uploading a document to azure blob.
I have resolved this issue by adding my client IP Address in Firewalls and Virtual Networks.
If you are facing a similar problem you might not have access for reading or writing in the Azure blob.
All you need to do is open the Azure Resource group -> Storage account -> In the Security + networking section you have an option called Networking -> In the Firewall section you can see an option called Add your client IP address, you can check that check box and save your changes.
That's it you'll get access to read or write the blob storage after that.
Related
While reading this HTTP POST between Postman and EventHub, I was directed to this:
https://learn.microsoft.com/en-us/rest/api/eventhub/generate-sas-token#java
I don't know what resourceUri, keyName, and key to use. Do I use the full URL for the eventHub?
Maybe somebody here could clarify where to get these three parameters.
But I don't know what resourceUri, keyName, and key to use. Do I use the full url for the eventHub?
You can get these three parameters from the azure portal as shown in the below screenshot:
--> Goto your EventHub Namespace -->shared access policies--> Select default shared access policy(RootManageSharedAccessKey)-->copy Connection string–primary key.
These are the parameters we need to pass to that method for generating the SAS token.
Endpoint=sb://mmxxxxxxxdows.net/;
SharedAccessKeyName=RootManageSharedAccessKey;
SharedAccessKey=K4Qxxxxxxxxxxxx9o=
I'm trying to make a request to the Walmart API here.
https://walmart.io/docs/affiliate/product-lookup
Here are the steps I'm following.
I create my application here on Walmart and uploaded my public key. I created my keys following these instructions on Mac.
https://walmart.io/key-tutorial
I followed this code to generate my signature.
https://walmart.io/docs/affiliate/onboarding-guide
I plug in all these values into the API explorer, but I keep getting the same error.
Is there an extra step I'm missing?
The 401 Unauthorized is an HTTP status code error that represents the request sent by the client to the server lacks valid authentication
Seems like one of the mandatory header params is missing while consuming api.
Request to please kindly cross check whether all of the mandatory header params are there as part of request.
We should have these below mentioned mandatory header params as part of the request.
One or more header params might be missing in the req.
WM_CONSUMER.ID
WM_SEC.KEY_VERSION
WM_CONSUMER.INTIMESTAMP
WM_SEC.AUTH_SIGNATURE
we need all of the header params and we can generate using below mentioned links.
Generating Auth Signature (WM_CONSUMER.INTIMESTAMP, WM_SEC.AUTH_SIGNATURE)
We can generate Auth Signature by using below mentioned link.
We will have to run below mentioned sample code to generate Auth Signature as seen below. This is going to generate timestamp and valid Auth Signature to consume APIs.
Time Stamp will be valid for couple of mins only. If it expires, we will have to regenerate the same
https://www.walmart.io/docs/affiliate/onboarding-guide
Generating consumer ID (WM_CONSUMER_ID)
Request to please kindly follow below steps to generate consumer ID
Create an account on Walmart IO platform - https://walmart.io by clicking on the user icon just before the search box.
Login to the account and accept "Terms of Use"
Click on "Create Your Application" to create a new application and fill in appropriate details.
Use this tutorial to generate two sets of public/private keys - https://walmart.io/key-tutorial
One set will be used for production.
Other set will be used for stage.
Upload both public keys using - https://walmart.io/key-upload?app_name=<your app name>
Consumer ID will be generated for both sets for prod and stage which can be seen on the dashboard - https://walmart.io/dashboard.
Regards,
Firdos
IOSupport
Small question regarding a Spring Boot 2.4.2 app, where I need to retrieve a password stored inside Vault, containing special/Chinese character please.
Setup:
A Hashicorp Vault instance which is storing our passwords. So far so good, for most of the passwords, it is storing them safely, and we can retrieve them, very happy.
Once the password is retrieved by the app, it is used to make an http request to some third party API. The third party API gives us the password via other channel and we store it inside Vault (question is not here)
We retrieve the password via this way, with the Spring Vault library.
#Value("${password.from.vault}")
private String passwordFromVault;
And use it this way to make the http call
webClient.mutate().baseUrl("https://third-party").build().get().uri("/uri").header("X-the-password", passwordFromVault ).[...]
When the password inside Vault is plain English letter, this is working fine.
Now, for some of the passwords we see them with special Chinese character
$ vault kv get secret/creds
====== Data ======
Key Value
--- -----
password.from.vault password-新年快乐-password
Unfortunately, this seems to cause issues.
The API call started to fail, and after a quick debug session, the third party assured us they see this from their logs
X-the-password: password-????-password
Basically claiming, we are not sending the correct password (the one with special/Chinese character)
I have tried this thinking it was an encoding issue, but not working neither
final String pleaseHelp = new String(passwordFromVault.getBytes(StandardCharsets.ISO_8859_1), StandardCharsets.UTF_8);
webClient.mutate().baseUrl("https://third-party").build().get().uri("/uri").header("X-the-password", pleaseHelp ).[...]
Question, How can I retrieve and send the request so the third party API gets the correct password containing special characters please?
Thank you
If those escaped ascii characters (for instance 新年快乐), if they are inserted from the web UI, are automatically inserted as 新年快乐.
In order to get them at run time, they should be inserted with the vault cli, as \u5317\u4eac for instance
A common SO question, but no specific solid answers.
My setup:
I have a website running on Classic ASP with backed DB. Unfortunately, no SSL Certs are available
I have an Android application that will send a Google Volley to request data from the site using a bespoke but simple API
Currently:
I am still in testing, privately, so currently I just access the site as such:
On the app, the user enters a UserId and Password once.
User navigates to a Fragment which is associated with a specific ASP Page which will return some data
A Volley is sent to /mysite.com/_api/apage.asp?m=md5hashhereabcdefghijk
The server searches user records for a matching hash (built on UserID+SALT+pass). On matching record, it uses the found userid as the User's ID
apage.asp does some sql queries and returns a JSON object
app receives this JSON response and parses.
The problem:
Anyone packet sniffing, or MITM, would be able to plainly see the URLs being accessed (and server responses) and be able to replicate the query via their browser. This is what I'm trying to stop. Any SALTs or secret keys in the app would be easily seen by decompiling the APK.
Issues:
I've read all sorts of different solutions, but none of which really fit my environment. I can't use ASP session variables (RESTful being stateless), I cant use HTTPS(SSL/TLS) as there are no Certs on the Server. I can't use an App-based password as this can be decompiled and easily seen.
I appreciate that you will never get something 100% secure, but can only make people disinterested in hacking a system, or not make it worth while.
Proposed solution:
I want some feedback/thoughts on the following proposed method:
Each request will have its own handshake to authenticate the app
This will go as such:
User opens app for the first time and enters UserID/Password. This will remain with the app until it is uninstalled (or logged out), but I intend to keep the user's app logged in
User navigates in the app to a Fragment that corresponds with a specific page on the server
Volley is sent with :
UserAgent HTTP header 'some value'
generate the same authentication hash for (userid+salt+pass)
encrypt this hash with a public key
one query string /apage.asp?q=abcdefghijk.... sent to server
server decrypts using its private key
server checks this hash as I do currently.
page returns plaintext JSON values (not encrypted)
The same problem happens here whereby a MITM or sniffer could replicate the URL and get the same information back
A Second Proposed Solution:
Would it be better with every request actually starting with a whole handshake?
App sends volley to server requesting a handshake (HELO)
Server gross error check with UserAgent HTTP Header
Server logs the timestamp and IP of the request and generates a unique random code
App receives this code and builds a new hash using that unique code as a Salt
App sends second volley to /apage.asp?m=MD5(UserID+UniqueCode+Password)
Server Gross error check with originating IP, timestamp+-tolerance (30 seconds between the two requests?), UserAgent Request Header.
APage.asp uses this hash to authenticate the request, providing previous steps have successfully passed.
APage.asp returns a JSON object, as requested.
Server flags the log of originating IP/timestamp as EXPIRED, or, just remove the record.
This initial step would make it a lot harder for a sniffer or MITM to replicate the URL calls, as A) Each request would have a randomly returned code B) each code/hash combo can only be used once.
The only thing I can think of is someone decompiles the App, and sees the method of handshake, so could try to replicate this. However, the username/password hash would never match as that is the only thing they cannot get from the hash (as it is salted with the random code)
Thoughts? Could it be improved with some RSA public/private key cryptography? Could I generate my querystring apage.asp?m=abcdeghi..., Generate an MD5 Hash of that, append onto the end, then encrypt before sending?
Many thanks in advance
I want to modify the content of a file stored in the Google Cloud Storage bucket and serve it to the user. The delivery content will change based on the User profile.
By the following ways I am trying to achieve it.
User will request for a particular hash key, this key is mapped to a cloud storage url. The contents are read, modified and served to the User when the hash key is used in the url. Say /serve/hash-key.
User will not know the cloud storage url, nor will have a direct access to the content of the file.
Java servlet is mapped in the server-side to process the User request. To process all /serve/* queries.
User can do the request either through the current tab or through a new tab.
The problem what I am facing is when the request is processed in the Java Servlet, App Engine User details could not be fetched using OAuthServiceFactory class. OAuthRequestException is thrown when getCurrentUser Api is called.
Is there a possible way to achieve this or address the error?