I'm trying to implemente a request method, but I can't figure out how to sent the X-XSRF-TOKEN to my webservice.
In the webservice, the token is configured to be X-XSRF-TOKEN
<beans:bean id="csrfTokenRepository"
class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
<beans:property name="headerName" value="X-XSRF-TOKEN" />
</beans:bean>
I have it in my android App
public class WSConfig {
private static String urlBase = "http://192.168.25.226:8080/webapi/";
private static HttpHeaders httpHeaders;
private static RestTemplate restTemplate = new RestTemplate();
private static HttpEntity<String> httpEntity = new HttpEntity(getXSRF());
private static ResponseEntity<String> response;
public static HttpHeaders getXSRF() {
try {
HttpEntity<String> responseEntity = restTemplate.exchange(urlBase, HttpMethod.GET, null, String.class);
CookieManager cookieManager = new CookieManager();
List<String> cookieHeader = responseEntity.getHeaders().get("Set-Cookie");
httpHeaders = new HttpHeaders();
httpHeaders.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
if (cookieHeader != null) {
for (String cookie : cookieHeader) {
String[] tokens = TextUtils.split(cookie, "=");
if (tokens[0].equals("XSRF-TOKEN")) {
String[] tokenValue = TextUtils.split(tokens[1],";");
httpHeaders.add("X-XSRF-TOKEN", tokenValue[0]);
}
if (tokens[0].equals("JSESSIONID")) {
String[] tokenValue = TextUtils.split(tokens[1],";");
httpHeaders.add("Cookie", "JSSESSIONID="+tokenValue[0]);
}
}
}
} finally {
return httpHeaders;
}
}
public static HttpEntity<String> makeRequest(String uri, HttpMethod method) {
try {
restTemplate.setErrorHandler(new DefaultResponseErrorHandler(){
protected boolean hasError(HttpStatus statusCode) {
return false;
}});
System.out.println(httpEntity.getHeaders());
response = restTemplate.exchange(urlBase + "registrar", HttpMethod.POST, null, String.class);
System.out.println(response.getHeaders());
System.out.println(response.getBody());
} catch (HttpStatusCodeException e) {
e.printStackTrace();
}
return null;
}
}
In my LogCat, I got these results from the System.outs
System.out.println(httpEntity.getHeaders());
{Accept=[application/json], Cookie=[JSSESSIONID=D0D537D4C38D2D69B01BF4F98B540763], X-XSRF-TOKEN=[8c21c671-bba4-4624-ada1-ff1e9e8f2e22]}
System.out.println(response.getHeaders());
{Server=[Apache-Coyote/1.1], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-XSS-Protection=[1; mode=block], X-Frame-Options=[DENY], X-Content-Type-Options=[nosniff], Set-Cookie=[JSESSIONID=7DBA84F6218BC9A8328A97587FC6293A; Path=/webapi/; HttpOnly], Content-Type=[text/html;charset=utf-8], Content-Language=[en], Content-Length=[1073], Date=[Thu, 20 Aug 2015 00:53:46 GMT], X-Android-Sent-Millis=[1440032027763], X-Android-Received-Millis=[1440032027805], X-Android-Response-Source=[NETWORK 403]}
And, the error
System.out.println(response.getBody());
HTTP Status 403 - Expected CSRF token not found. Has your session expired?
I can't figure what I have to do, I'm sending the header correctly, but can't make the post.
UPDATED
I'm think that this error have relation with JSESSIONID, instead of XSRF-TOKEN, someway after my first GET ( to get the XSRF ) the session is getting expired.
SOLUTION
As I said, this error is relationed with JSESSIONID.
When I split the JSESSIONID cookie it is losing something that need to make the cookie alive (the path, maybe?)
So, instead of add the cookie like this
httpHeaders.add("Cookie", "JSSESSIONID="+tokenValue[0]);
I've attached it this way
httpHeaders.add("Cookie", cookie);
Making it, I make sure that all content be attached to the new header.
The final method.
public static HttpHeaders getXSRF() {
try {
HttpEntity<String> responseEntity = restTemplate.exchange(urlBase, HttpMethod.GET, null, String.class);
CookieManager cookieManager = new CookieManager();
List<String> cookieHeader = responseEntity.getHeaders().get("Set-Cookie");
httpHeaders = new HttpHeaders();
httpHeaders.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
if (cookieHeader != null) {
for (String cookie : cookieHeader) {
String[] tokens = TextUtils.split(cookie, "=");
if (tokens[0].equals("XSRF-TOKEN")) {
String[] tokenValue = TextUtils.split(tokens[1],";");
httpHeaders.add("X-XSRF-TOKEN", tokenValue[0]);
}
if (tokens[0].equals("JSESSIONID"))
httpHeaders.add("Cookie", cookie);
}
}
} finally {
return httpHeaders;
}
}
Related
I'm trying to make a request to the Third-party API, but I'm running into some issues using OkHTTP.
I'm using AWS4Signer to sign the request. I'm able to generate the credentials for the same.
Request<Void> requestAws = new DefaultRequest<Void>("sts");
requestAws.setHttpMethod(HttpMethodName.POST);
requestAws.setEndpoint(URI.create("third pary api call which uses https"));
requestAws.addHeader("x-amz-security-token", sessionCredentials.getSessionToken());
requestAws.addHeader("Content-Type", "application/json");
//sign the request
AWS4Signer signer = new AWS4Signer();
signer.setServiceName(Constant.SERVICE_NAME);
signer.setRegionName(Constant.AWS_REGION);
signer.sign(requestAws, new AWSCredentials() {
#Override
public String getAWSSecretKey() {
return sessionCredentials.getAccessKeyId();
}
#Override
public String getAWSAccessKeyId() {
return sessionCredentials.getSecretAccessKey();
}
});
Map<String, String> headers = requestAws.getHeaders();
String x_date = null;
String x_token = null;
String authorization = null;
String x_content = null;
//get and assign values
for (Map.Entry<String, String> entry : headers.entrySet()) {
if (entry.getKey().equals("x-amz-security-token")) {
x_token = entry.getValue();
}
if (entry.getKey().equals("X-Amz-Date")) {
x_date = entry.getValue();
}
if (entry.getKey().equals("Authorization")) {
authorization = entry.getValue();
}
}
logger.info("Headers body response: " + JsonUtils.jsonize(headers));
String json = objectMapper.writeValueAsString(emailRequestBody);
postHandler.post(x_date, x_token, authorization, json);
Below is the request code of okHTTP
String post(String x_date, String x_token, String authorization, String json) throws IOException {
RequestBody body = RequestBody.create(json, JSON);
Request request = new Request.Builder()
.url("https url is here")
.addHeader("Content-Type", "application/json")
.addHeader("X-Amz-Date", x_date)
.addHeader("x-amz-security-token", x_token)
.addHeader("Authorization", authorization)
.post(body)
.build();
try (Response response = client.newCall(request).execute()) {
return response.body().string();
}
}
Below is how the request looks like with headers:
Request{method=POST, url=https://cbc.com/api/send/email, headers=[Content-Type:application/json, X-Amz-Date:20220125T111056Z, x-amz-security-token:FwoGZXIvYXdzEHUaDF6/kQ0g7Mog7W1f7CK0ATG5xhFIXP34wRjziAkJKhw9vE5cbADBOpji7uqtLp5GLGLay+e9O2deFRB4eSpUMOOThDCEQg1tum43iX4a+8Kikuc3fv5gDjbMrdLJYAK3piYVbOAET8BAXdDdkPZVG+nNu31cEWZe9HC60svIj0m95YZ9Xx5rBIDm0AVWtj4JRCmonNm1ymCNRB4GTjhEzgnxlkqEYfdUivFdlORq/IlIssUzzV04fkr0kiqDiE9GrmU51ijAtb+PBjIt9MWbM8+x4z+y+IV4JFjuK4zrVW3Iaw4xUG/C+mpcCrZrunh+8fWgVTR6In1r, Authorization:AWS4-HMAC-SHA256 Credential=medS2y7xvISbOf7ke3IWthyCMV5koeTDD5r3gkxJ/20220125/us-west-2/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token, Signature=d862c9ed8175770244e17fd3cb216c2a92138183ad427ed67fc5f284a1a75266]}
Below is the response:
Response{protocol=h2, code=403, message=, url=https://cbc.com/api/send/email}
Why the response is returning 403? Can someone help me what I missed? Thank you for your time.
In my method I initially used RestTemplate postForObject method to post request to an endpoint. Now I have to add default OAuth token and pass it as Post request. Is there any way I can pass both request as well as Default Header as part of POST request by using postForObject?
Initiall I used below postForObject
String result = restTemplate.postForObject(url, request, String.class);
I am looking for something like below
restTemplate.exchange(url,HttpMethod.POST,getEntity(),String.class );
Here is my code
private final String url;
private final MarkBuild header;
public DataImpl(#Qualifier(OAuth) MarkBuild header,RestTemplate restTemplate) {
this.restTemplate= restTemplate;
this.header = header;
}
public void postJson(Set<String> results){
try {
Map<String, String> requestBody = new HashMap<>();
requestBody.put("news", "data");
JSONObject jsonObject = new JSONObject(requestBody);
HttpEntity<String> request = new HttpEntity<String>(jsonObject.toString(), null);
String result = restTemplate.postForObject(url, request, String.class);
}
}
Below is getHttpEntity which I want to pass with Post request
private HttpEntity getHttpEntity(Set <String>results) {
return new HttpEntity<>( null, getHttpHeaders() );
}
private HttpHeaders getHttpHeaders() {
return header.build();
}
}
Is there any way I can pass both request as well as Default Header as
part of POST request by using postForObject?
Yes, there is a way to do that, I can give a basic example:
HttpHeaders lHttpHeaders = new HttpHeaders();
lHttpHeaders.setContentType( MediaType.APPLICATION_JSON );//or whatever it's in your case
String payload="<PAYLOAD HERE>"
try
{
String lResponseJson = mRestTemplate.postForObject( url, new HttpEntity<Object>( payload, lHttpHeaders ), String.class);
return lResponseJson;
}
catch( Exception lExcp )
{
logger.error( lExcp.getMessage(), lExcp );
}
Let me know if this doesn't work!!
I have a webservice which gets data from other webservice and return back to the browser.
I want to hide internal client errors
Want to throw 404, 400 etc which
are returned from the webservice in the below method.
How to resolve this problem in a neat way?
Option 1 or Option 2 is clean way?
Option 1
public <T> Optional<T> get(String url, Class<T> responseType) {
String fullUrl = url;
LOG.info("Retrieving data from url: "+fullUrl);
try {
HttpHeaders headers = new HttpHeaders();
headers.setAccept(ImmutableList.of(MediaType.APPLICATION_JSON));
headers.add("Authorization", "Basic " + httpAuthCredentials);
HttpEntity<String> request = new HttpEntity<>(headers);
ResponseEntity<T> exchange = restTemplate.exchange(fullUrl, HttpMethod.GET, request, responseType);
if(exchange !=null)
return Optional.of(exchange.getBody());
} catch (HttpClientErrorException e) {
LOG.error("Client Exception ", e);
throw new HttpClientError("Client Exception: "+e.getStatusCode());
}
return Optional.empty();
}
(or)
Option 2
public <T> Optional<T> get(String url, Class<T> responseType) {
String fullUrl = url;
LOG.info("Retrieving data from url: "+fullUrl);
try {
HttpHeaders headers = new HttpHeaders();
headers.setAccept(ImmutableList.of(MediaType.APPLICATION_JSON));
headers.add("Authorization", "Basic " + httpAuthCredentials);
HttpEntity<String> request = new HttpEntity<>(headers);
ResponseEntity<T> exchange = restTemplate.exchange(fullUrl, HttpMethod.GET, request, responseType);
if(exchange !=null)
return Optional.of(exchange.getBody());
throw new RestClientResponseException("", 400, "", null, null, null);
} catch (HttpStatusCodeException e) {
LOG.error("HttpStatusCodeException ", e);
throw new RestClientResponseException(e.getMessage(), e.getStatusCode().value(), e.getStatusText(), e.getResponseHeaders(), e.getResponseBodyAsByteArray(), Charset.defaultCharset());
}
return Optional.empty();
}
I have written a sample ResponseErrorHandler for you,
public class RestTemplateClientErrorHandler implements ResponseErrorHandler {
private static final Logger logger = LoggerFactory.getLogger(RestTemplateClientErrorHandler.class);
#Override
public boolean hasError(ClientHttpResponse clientHttpResponse) throws IOException {
return RestUtil.isError(clientHttpResponse.getStatusCode());
}
#Override
public void handleError(ClientHttpResponse clientHttpResponse) throws IOException {
String responseBody = "";
if(clientHttpResponse != null && clientHttpResponse.getBody() != null){
responseBody = IOUtils.toString(clientHttpResponse.getBody());
}
switch(clientHttpResponse.getRawStatusCode()){
case 404:
logger.error("Entity not found. Message: {}. Status: {} ",responseBody,clientHttpResponse.getStatusCode());
throw new RestClientResponseException(responseBody);
case 400:
logger.error("Bad request for entity. Message: {}. Status: {}",responseBody, clientHttpResponse.getStatusCode());
throw new RestClientResponseException(StringUtils.EMPTY, 400,StringUtils.EMPTY, StringUtils.EMPTY, StringUtils.EMPTY, StringUtils.EMPTY);
default:
logger.error("Unexpected HTTP status: {} received when trying to delete entity in device repository.", clientHttpResponse.getStatusCode());
throw new RestClientResponseException(responseBody);
}
}
public static class RestUtil {
private RestUtil() {
throw new IllegalAccessError("Utility class");
}
public static boolean isError(HttpStatus status) {
HttpStatus.Series series = status.series();
return HttpStatus.Series.CLIENT_ERROR.equals(series)
|| HttpStatus.Series.SERVER_ERROR.equals(series);
}
}
}
Note : This is common ResponseErrorHandler for your restTemplate and it will catch all the exceptions thrown by restTemplate you don't require try,catch block in each method and you don't need to catch "HttpStatusCodeException" or any other exception.
Please use the below code to register this ErrorHandler.
RestTemplate restTemplate = new RestTemplate();
restTemplate.setErrorHandler(new RestTemplateClientErrorHandler());
You can also find examples here.
You can refactor your client class like this,
public <T> Optional<T> get(String url, Class<T> responseType) {
String fullUrl = url;
LOG.info("Retrieving data from url: "+fullUrl);
HttpHeaders headers = new HttpHeaders();
headers.setAccept(ImmutableList.of(MediaType.APPLICATION_JSON));
headers.add("Authorization", "Basic " + httpAuthCredentials);
HttpEntity<String> request = new HttpEntity<>(headers);
ResponseEntity<T> exchange = restTemplate.exchange(fullUrl, HttpMethod.GET, request, responseType);
if(exchange !=null)
return Optional.of(exchange.getBody());
return Optional.empty();
}
So your method not looking beautiful now ? Suggestions welcome.
Im having an issue where I have a good oauth token with bearer type but whenever I try to make an api call it throws me a 403 Forbidden message. The call is to just get the posts from a sub reddit page(i.e. https://www.reddit.com/r/gaming.json) but with the oauth base url. Not sure if I'm missing header I need or something. Someone please help.
ServiceGenerator:
public class ServiceGenerator {
private static final String OAUTH_BASE_URL = "https://oauth.reddit.com/";
private static final String CLIENT_ID = "XXXXXXX";
private static OkHttpClient.Builder httpClient;
private static Retrofit.Builder builder;
public static <S> S createService(Class<S> serviceClass, final Context context) {
httpClient = new OkHttpClient.Builder();
builder = new Retrofit.Builder()
.baseUrl(OAUTH_BASE_URL)
.addConverterFactory(GsonConverterFactory.create());
final String token_type = PreferenceManager.getDefaultSharedPreferences(context).getString("token_type", "");
final String refresh_token = PreferenceManager.getDefaultSharedPreferences(context).getString("refresh_token", "");
final String access_token = PreferenceManager.getDefaultSharedPreferences(context).getString("access_token", "");
if(!access_token.equals("")) {
httpClient.addInterceptor(new Interceptor() {
#Override
public Response intercept(Chain chain) throws IOException {
Request request = chain.request();
Response response = chain.proceed(request);
Log.d(TAG, "Intercepting request: " + request.url());
if(response.header("No-Authentication") == null){
response = response.newBuilder()
.addHeader("User-Agent", "my user agent")
.addHeader("Authorization", token_type + " " + access_token)
.build();
}
return response;
}
});
httpClient.authenticator(new Authenticator() {
#Override
public Request authenticate(Route route, Response response) throws IOException {
if(responseCount(response) >= 2) {
// If both the original call and the call with refreshed token failed,
// it will probably keep failing, so don't try again.
return null;
}
Log.d(TAG, "Refreshing Token");
String credentials = CLIENT_ID + ":";
String encodedCredentials = Base64.encodeToString(credentials.getBytes(), Base64.NO_WRAP);
// We need a new client, since we don't want to make another call using our client with access token
RedditService tokenClient = createService(RedditService.class);
Call<AccessToken> call = tokenClient.refreshToken("Basic " + encodedCredentials, "refresh_token", refresh_token);
try {
retrofit2.Response<AccessToken> tokenResponse = call.execute();
if(tokenResponse.code() == 200) {
AccessToken newToken = tokenResponse.body();
SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
prefs.edit().putBoolean("logged_in", true).apply();
prefs.edit().putString("token_type", newToken.token_type).apply();
prefs.edit().putString("access_token", newToken.access_token).apply();
prefs.edit().putString("refresh_token", newToken.refresh_token).apply();
return response.request().newBuilder()
.header("Authorization", newToken.token_type + " " + newToken.access_token)
.build();
} else {
return null;
}
} catch(IOException e) {
return null;
}
}
});
}
OkHttpClient client = httpClient.build();
Retrofit retrofit = builder.client(client).build();
return retrofit.create(serviceClass);
}
private static int responseCount(Response response) {
int result = 1;
while ((response = response.priorResponse()) != null) {
result++;
}
return result;
}
}
Client (tried with and without .json):
public interface RedditService {
#FormUrlEncoded
#POST("api/v1/access_token")
#Headers("No-Authentication: true")
Call<AccessToken> getLoginToken(#Header("Authorization") String authorization,
#Field("grant_type") String grant_type,
#Field("code") String code,
#Field("redirect_uri") String redirect_uri);
#FormUrlEncoded
#POST("api/v1/access_token")
#Headers("No-Authentication: true")
Call<AccessToken> refreshToken(#Header("Authorization") String authorization,
#Field("grant_type") String grant_type,
#Field("refresh_token") String redirect_uri);
#GET("/r/{subreddit}/{sort}")
Call<Page> getSubredditPage(#Path("subreddit") String subreddit,
#Path("sort") String sort,
#Query("after") String after);
}
EDIT:
Here's the headers that are being sent along with the request
Content-Type: text/html
Cache-Control: no-cache
Transfer-Encoding: chunked
Accept-Ranges: bytes
Date: Fri, 25 Nov 2016 20:58:55 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-ord1733-ORD
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1480107535.759884,VS0,VE19
Set-Cookie: loid=omeUS2oZLIDWukuAYK; Domain=reddit.com; Max-Age=63071999; Path=/; secure
Set-Cookie: loidcreated=1480107535000; Domain=reddit.com; Max-Age=63071999; Path=/; secure
Server: snooserv
Authorization: bearer XXXXXXXXXXXXXXX
User-Agent: my-user-agent
I'm building a rest API using Spring security Oauth2 to secure it.
The following curl command runs succesfully and I get the token:
curl -X POST -vu clientapp:123456 http://localhost:8080/dms-application-0.0.1-SNAPSHOT/oauth/token -H "Accept: application/json" -d "password=spring&username=roy&grant_type=password&scope=read%20write&client_secret=123456&client_id=clientapp"
The following test to get the token also runs succesfully:
#Test
public void getAccessToken() throws Exception {
String authorization = "Basic " + new String(Base64Utils.encode("clientapp:123456".getBytes()));
String contentType = MediaType.APPLICATION_JSON + ";charset=UTF-8";
// #formatter:off
String content = mvc
.perform(
post("/oauth/token")
.header("Authorization", authorization)
.contentType(
MediaType.APPLICATION_FORM_URLENCODED)
.param("username", "roy")
.param("password", "spring")
.param("grant_type", "password")
.param("scope", "read write")
.param("client_id", "clientapp")
.param("client_secret", "123456"))
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$.access_token", is(notNullValue())))
.andExpect(jsonPath("$.token_type", is(equalTo("bearer"))))
.andExpect(jsonPath("$.refresh_token", is(notNullValue())))
.andExpect(jsonPath("$.expires_in", is(greaterThan(4000))))
.andExpect(jsonPath("$.scope", is(equalTo("read write"))))
.andReturn().getResponse().getContentAsString();
// #formatter:on
String token= content.substring(17, 53);
}
However, when calling the rest end point externally from a webapp using Spring RestTemplate gives me a http error 400.
Below the code:
#RequestMapping(value = "/authentication", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
#ResponseBody
public ResponseEntity authenticate(#RequestBody CredentialsDto credentials) {
try {
String email = credentials.getEmail();
String password = credentials.getPassword();
String tokenUrl = "http://" + env.getProperty("server.host") + ":8080" + "/dms-application-0.0.1-SNAPSHOT" + "/oauth/token";
// create request body
JSONObject request = new JSONObject();
request.put("username", "roy");
request.put("password", "spring");
request.put("grant_type","password");
request.put("scope","read write");
request.put("client_secret","123456");
request.put("client_id","clientapp");
// set headers
HttpHeaders headers = new HttpHeaders();
String authorization = "Basic " + new String(Base64Utils.encode("clientapp:123456".getBytes()));
String contentType = MediaType.APPLICATION_FORM_URLENCODED.toString();
headers.set("Authorization",authorization);
headers.set("Accept","application/json");
headers.set("Content-Type",contentType);
HttpEntity<String> entity = new HttpEntity<String>(request.toString(), headers);
// send request and parse result
ResponseEntity<String> loginResponse = restClient.exchange(tokenUrl, HttpMethod.POST, entity, String.class);
// restClient.postForEntity(tokenUrl,entity,String.class,)
if (loginResponse.getStatusCode() == HttpStatus.OK) {
//JSONObject userJson = new JSONObject(loginResponse.getBody());
String response = loginResponse.getBody();
return ResponseEntity.ok(response);
} else if (loginResponse.getStatusCode() == HttpStatus.UNAUTHORIZED) {
// nono... bad credentials
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
} catch (Exception e) {
e.printStackTrace();
return new ResponseEntity(HttpStatus.INTERNAL_SERVER_ERROR);
}
return null;
}
And the error I get:
"Missing grant type"
Any ideas of what can be wrong or any other ways to do it? Because I'm completely stuck on this.
Thank you
Try to do it like this:
MultiValueMap<String, String> map = new LinkedMultiValueMap<String, String>();
map.add("username", "roy");
map.add("password", "spring");
map.add("grant_type", "password");
map.add("scope", "read write");
map.add("client_secret","123456");
map.add("client_id","clientapp");
HttpEntity request = new HttpEntity(map, headers);
One more thing, when you ask for a token make sure not to send a json request, but with this header:
headers.add("Content-Type", "application/x-www-form-urlencoded");