I am building a website using Angular 5 as frontend, and JAX-RS with Jersey as backend. The website requires the user to login using their email and password, which is sent to the API with POST. I then want the client to receive a cookie, but this is where I'm having trouble. The API sends a response with a cookie (I can see the cookie when I test it in Postman), but in Google Chrome it looks like no cookie is received, and no header is named 'Set-Cookie'.
My method that sends the cookie from the backend:
#GET
#Path("cookie")
public Response getCookies(){
NewCookie cookie1 = new NewCookie("cookie1", "test");
return Response.ok().cookie(cookie1)
.build();
}
I'm using a CORS-filter where I set AllowCredentials to true. What have I missed?
Related
I am trying to implement Keycloak as an IAM, the Problem that I have is, that I need to authenticate the user (already working) but also authorize him. The authorization should be accomplished through keycloak directly, but the security information (like roles, etc.) is available over an REST interface externally.
The way it is working now goes as followed:
authentication request (default)
"authorization" request → keycloak server (with extra form param)
keycloak server → CustomProtocolMapper (calls external REST interface and adds claims to Token)
Token → frontend client
This worked until I used a refresh token to refresh the ID Token. The Cookie that is used to authenticate the user is not sent to the keycloak server, because of security reasons (Cookie labeled as "Secure" but connection over HTTP). To fix this I upgrade my keycloak server to use HTTPS/TLS and now i am getting errors because the "HttpRequest" is no longer available. Any ideas on how to get the Request Body of an HTTPS Request inside a CustomProtocolMapper? I know that the Authenticator Providers has access to it, but i dont know/ didnt find anyway to add claims to the Token inside it.
#Override
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession,
ClientSessionContext clientContext) {
String contextParamName = mappingModel.getConfig().get(CONTEXT_PARAMETER);
// worked with http
HttpRequest request = keycloakSession.getContext().getContextObject(HttpRequest.class);
String contextId = request.getFormParameters().getFirst("activeContext");
LOGGER.warn("activeContext: " + contextId);
}
Thanks in advance,
best regards
I am implementing a client to Zillow GetDeepSearchResults Api (https://www.zillow.com/howto/api/GetDeepSearchResults.htm) using jax-rs. However I get a captcha verification request as response
I am able to get the captcha properly validated by the end user localhost:8080/Myapp/. But after the validation, I am redirected to the server root (localhost:8080)?
I got the captcha response as a string.
public String getLocation(String address) {
return client
.target(REST_URI)
.path(String.valueOf(address))
.request(MediaType.TEXT_XML)
.get(String.class);
}
I then displayed the captcha
<h:outputText value="#{mainBean.details}" escape="false"></h:outputText>
But after the validation, I am redirected to the server root (localhost:8080)?
How do I catch the response from the API after the validation. I need to get the XML that is returned.
I have a problem with sending API request via postman or Java lib "io.restassured".
When I do the same action on UI the request returns correct response, but when I try the same thing via postman or java code I get:
401 Bad request Your browser sent an invalid
request.
The java code
public static void main(String[] args) {
String requestUrl = "exampleBaseUrl/app/reports/api/rest/v1/graphs?context=shipper&reports_type=freights";
Response response = RestAssured.given().relaxedHTTPSValidation().header("x-csrf-token", "18ea65e740eb0ddddadf0ef435d92564").
when().
get(requestUrl);
}
I assume something is wrong with the authentication, because in dev tools i can see a Get request for CSRF_token, and it looks like this:
the endpoint for the token:
/login?get_csrf_token
and for this request I get following response:
{"csrf_token":"18ea65e740eb0ddddadf0ef435d92564"}
I am not sure how to solve this, I have also tried to get the token via java code by sending a get request to the token's endpoint /login?get_csrf_token
and this one gets my a HTML response with empty username and password input.
Error 401 means your request isn't authorized.
For authorization, usually while logging in you are given a token, which you will have to keep in your cache/local-memory and whenever you communicate with the server you have to add that in your request header (for your own introduction to the server)
It seems like in your case you can get a token from /login?get_csrf_token after logging in. Note that you don't need authorization for a login service.
Now, after getting token from the server, how to add it as a request header? See REST Assured Documentation
This is my first encounter with a JWT token and I'd like to know how is this token returned to the client after it's first created.
Should it come in the Authorization : Bearer header ?
Usually, it's the client that passes the token in Authorization : Bearer header on each request.
I'd like to know how does the server pass this token to the client after user has authenticated and the token gets created. Also in the same header? In a different header?
In my situation, the server will be generating the token not as a response but as part of the request.
For example:-
A user will login to a portal, then click on a link to an authorized application. The JWT containing user claims will be passed to the authorized application as part of the request.
What is the best approach here? GET or POST? Header (which)? Query string? POST body?
Thank you!
there is no standard for how to return JWT token to the client, however, check this URL, it answers your question
https://github.com/dwyl/hapi-auth-jwt2/issues/82#issuecomment-129873082
putting the JWT token in the Authorization header gives us flexibility to send an actual response in a web application. For a REST-only App/API you are free to send the JWT as the response body or a cookie. What matters is how the client stores the JWT and sends it back to the Server, which is done in the Authorization header (or Cookie or URL Token if you prefer) 👍
As for this existing in the "wild", I have not seen an example of the server sending an Authorisation header to the client, but there is nothing in the spec to suggest this is an anti-pattern.
see: http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html
If you want to stick to the guidelines you would do follow this example: http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#ExAccTokResp
One may be interested to know that the OAuth 2.0 standard specifies the response body for that purpose:
5.1. Successful Response
The authorization server issues an access token and optional refresh
token, and constructs the response by adding the following parameters
to the entity-body of the HTTP response with a 200 (OK) status code:
access_token
REQUIRED. The access token issued by the authorization server.
[...]
im are running two different servers on same instance with different port numbers, one is node(front-end) and another is tomcat(back-end).
Example:
http://localhost:4021 is node server (Angular2 web app),
http://localhost:8090 is tomcat server (Java)
Im able to get data from 8090 before login no issues with that, but when i login 2 cookies will be set into the browser through backend. Whenever we make any request for any data these 2 cookies has to be sent by the browser every time to the server in request headers but they are not being sent.
I tried by sending "withCredentials: true" in request options which did not worked.
let headersDefult = new Headers({'Content-Type':'application/json;charset=UTF-8'});
let requestOptions = new RequestOptions({ headers: headersDefult, withCredentials: true });
httpPOST(link, payload): Observable<any> {
let url = 'http://localhost:8090/';
let self = this;
return this.http.post(url, payload, requestOptions)
.map(this.extractData)
.catch(this.handleError);
}