I have a problem with sending API request via postman or Java lib "io.restassured".
When I do the same action on UI the request returns correct response, but when I try the same thing via postman or java code I get:
401 Bad request Your browser sent an invalid
request.
The java code
public static void main(String[] args) {
String requestUrl = "exampleBaseUrl/app/reports/api/rest/v1/graphs?context=shipper&reports_type=freights";
Response response = RestAssured.given().relaxedHTTPSValidation().header("x-csrf-token", "18ea65e740eb0ddddadf0ef435d92564").
when().
get(requestUrl);
}
I assume something is wrong with the authentication, because in dev tools i can see a Get request for CSRF_token, and it looks like this:
the endpoint for the token:
/login?get_csrf_token
and for this request I get following response:
{"csrf_token":"18ea65e740eb0ddddadf0ef435d92564"}
I am not sure how to solve this, I have also tried to get the token via java code by sending a get request to the token's endpoint /login?get_csrf_token
and this one gets my a HTML response with empty username and password input.
Error 401 means your request isn't authorized.
For authorization, usually while logging in you are given a token, which you will have to keep in your cache/local-memory and whenever you communicate with the server you have to add that in your request header (for your own introduction to the server)
It seems like in your case you can get a token from /login?get_csrf_token after logging in. Note that you don't need authorization for a login service.
Now, after getting token from the server, how to add it as a request header? See REST Assured Documentation
Related
Currently writing an automation test to log a user in that has Tableau credentials and call a Tableau endpoint. However, each time I do this, I receive a 403 with a NOT_AUTHORISED message. I've done the exact same call on Postman using the same credentials and I get a 200 on there fine. I ran through this issue with one of our devs and we tried experiment with different ways of calling the same endpoint using REST assured (changing cookies and headers etc), but it's either a 403 or a 401.
The function that calls the endpoint is below:
return given().cookie(cookie).contentType(ContentType.JSON).get("tableau/projects");
The cookie value is a string that contains the access_token, refresh_token, and the tableau_token, and is formatted like below:
"access_token=BLAHBLAHBLAH; refresh_token=BLAHBLAHBLAH; tableau_token=BLAHBLAHBLAH"
I am completely stuck with this one.
Most of the cases I've encountered is using "Bearer token", you just put access_token to header to Authentication (solve 401 error).
.header("Authorization", "Bearer BLAHBLAHBLAH")
But for 403 error, it means you're authenticated, but not allowed to access this resource, you could use the account that has privileges.
JAVA RESTASSURED APITESTNG CUCUMBER
when I send get request using path variable and query param, I get a token in the response body and I will not get proper response until I add that token as a query param and send another get request.
So How can I perform that?
Given Cucumber Feature File
Given API has the following filed <"fieldName">
When API sends a "GET" request to "TranscationAPI"
Then API will receive the response code as 200
And the body will have following field
Should I change it to something like this?
Given API has the following filed <"fieldName">
When API sends a "GET" request to "TranscationAPI"
Then API will receive token as ""
When API sends again "GET" request to "TranscationAPI"
Then API will receive the response code as 200
And the body will have following field
Or I can use handle this through a different method.
Background is the great place to obtain token - see https://cucumber.io/docs/gherkin/reference/#background
It's possible by Java multithreading mechanism - https://www.tutorialspoint.com/java/java_multithreading.htm
This is my first encounter with a JWT token and I'd like to know how is this token returned to the client after it's first created.
Should it come in the Authorization : Bearer header ?
Usually, it's the client that passes the token in Authorization : Bearer header on each request.
I'd like to know how does the server pass this token to the client after user has authenticated and the token gets created. Also in the same header? In a different header?
In my situation, the server will be generating the token not as a response but as part of the request.
For example:-
A user will login to a portal, then click on a link to an authorized application. The JWT containing user claims will be passed to the authorized application as part of the request.
What is the best approach here? GET or POST? Header (which)? Query string? POST body?
Thank you!
there is no standard for how to return JWT token to the client, however, check this URL, it answers your question
https://github.com/dwyl/hapi-auth-jwt2/issues/82#issuecomment-129873082
putting the JWT token in the Authorization header gives us flexibility to send an actual response in a web application. For a REST-only App/API you are free to send the JWT as the response body or a cookie. What matters is how the client stores the JWT and sends it back to the Server, which is done in the Authorization header (or Cookie or URL Token if you prefer) 👍
As for this existing in the "wild", I have not seen an example of the server sending an Authorisation header to the client, but there is nothing in the spec to suggest this is an anti-pattern.
see: http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html
If you want to stick to the guidelines you would do follow this example: http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#ExAccTokResp
One may be interested to know that the OAuth 2.0 standard specifies the response body for that purpose:
5.1. Successful Response
The authorization server issues an access token and optional refresh
token, and constructs the response by adding the following parameters
to the entity-body of the HTTP response with a 200 (OK) status code:
access_token
REQUIRED. The access token issued by the authorization server.
[...]
So I've been trying to create token based authentication in Java EE lately and I tried to sent token via HTTP Header, but failed so many times.
My question : If I have for example #POST response method and I set header via return response statement
return Response.ok(entity).header(HttpHeader.AUTHORIZATION, authToken).build()
Then I invoke other method that was binded to ContainerRequestFilter and in this filter I try to access header via ContainerRequestContext.getHeaderString(HttpHeaders.AUTHORIZATION) then should it work?
Will I get the value from that header that was set in response method? If not then what should I do to get value of this header in filter method?
The Authorization header(or any other header) must be included by the client in each request
Your client should get the token from the server response, keep it in a secure storage and set the Authorization header when performs a request. Then, with RequestContextFilter your server will be able to recover it
So after reading lots about BasicAuth, OAuth, JWT... etc. i came up with this question.
I have a client where some ppl can log in (Authentication is done). When ppl want to do an api call they use the clients GUI and the client is sending some requests to the a webservice endpoint.
host/resources/{id}
//id=path, res=post
public Response updateResourceById(String id, Resource res) {
....
So a typical update call could be
POST host/resources/1234 -d={ some json for a resource }
Now i don't want every user to have all rights for every reosurce, so i would
need to add some info about the user who is doing a request.
For this i was thinking to use some JSON Token with some payload (or any user info at all). But i was wondering how to send this token correctly in a RESTful API.
My first idea would be to change the code to something like this:
//id=path, token=post
public Response updateResourceById(String id, Token token) {
...
The endpoint would not change only the POST data.
Would this be correct or are there other approaches?
Edit: Also possible would be sending the Token via HTTP Header.
Sending credentials in HTTP
In HTTP, the credentials should be sent in the standard HTTP Authorization header.
Have a look at the RFC 7235, the current reference for authentication in HTTP 1.1:
4.2. Authorization
The Authorization header field allows a user agent to authenticate
itself with an origin server -- usually, but not necessarily, after
receiving a 401 (Unauthorized) response. Its value consists of
credentials containing the authentication information of the user
agent for the realm of the resource being requested.
Authorization = credentials
[...]
Please note that the name of this HTTP header is unfortunate because it carries authentication data instead of authorization. Anyways, this is the standard header for sending credentials.
In a token based authentication, the tokens are credentials. In this approach, hard credentials such as username and password are exchanged for a token that is sent in each request to identify a user.
It never hurts to say that you should use HTTPS when sending sensitive data, such as credentials, over the wire. HTTPS will protect your application against the man-in-the-middle attack.
Reading the authentication token in JAX-RS
You can read the Authorization header in a JAX-RS application as following and then check if the token is valid:
#GET
public Response myMethod(#HeaderParam("Authorization") String token) {
...
}
However, a better approach would be using a ContainerRequestFilter, keeping your endpoints leans and focused on the business logic. For more information on token based authentication and on how to use a ContainerRequestFilter, have a look at this question.