I am trying to stream content of a URL that is secure. The URL is accessible only after you login with username or password. When you are not logged in, you will be redirected to login.jsp. How can I stream such a URL? Is there a way to maintain session? I want to stream and store that content in file system. I cannot even provide password using Apache httpClient authentication because the passwords are one-way encrypted.
Thanks in advance
By setting the Cookie as David Conrad suggested, I got it working using the following code sample.
urlConnection.setRequestProperty("Cookie", "JSESSIONID=" + request.getSession().getId() + "; rememberMe=false")
Related
I have developed Rest API basic authentication, I am able to get the JSON response only when I test using Advanced Rest Client plugin(for Chrome), But how to access the JSON response by passing username and password in URL? How can others consume my rest API? Do I need to give any login popup? How can I achieve this? Any help would be highly appreciated.
your method should be POST and you need to create a encripted token for every login, and you need to active that token up to user logged out or anything else, you can store that token in browser cache, when user logged out then remove that token as well. for every user action you need to verify that token. you can generate token using MD5 also.
i think it may help you.
It doesn't show any of the fields as filled in nor does it try to fill them in. Do you know what other solutions I could use? Right now I am doing
public static void main(String[] args){
WebDriver driver = new FirefoxDriver();
String user = "kek";
String pass = "trekek";
String url = "http://www."+ user + ":" + pass + "#xyz.org/auth.html";
System.out.println(url);
driver.get(url);
}
The format of the URL with the username and password appears to be wrong. You have a www in front of the credentials, try changing it to something like:
String url = "http://"+ user + ":" + pass + "#www.xyz.org/auth.html";
It doesn't show any of the fields as filled in nor does it try to fill them in.
And neither should it! When you use a URL like that, the HTTP specs say that the client sends the server a GET request with some credentials embedded in the URL. What the server does with this depends on how you have implemented the server.
Now you could in theory implement your server to send back a login page with details prepopulated, but I wouldn't.
Putting user details in a URL is insecure. They will show up in server-side logs.
It is horribly insecure if you use an HTTP URL, 'cos that means that the URL will be transmitted in the clear over the network. It is easy for a hacker to snoop an unencrypted connection.
This is not functionality that most users would normally use. (Nor would we want them to; see above!)
This is not the way that a sane person would want to implement (or use) a RESTful API.
Solutions?
If you are implementing Selenium tests for an existing server, then you need to drive the server's login sequence the way it was designed to work. Send the request that triggers the server to give you a login page. Simulate filling in the fields and clicking "login". Extract the session cookies from the response.
If you control the server (i.e. you can change it), you could design an alternative web API for programmatic authentication; i.e. where your Selenium tests don't need to simulate the filling in and submission of a login form. But PLEASE do it securely. User names and passwords should only be transmitted over HTTPS.
http://twitter4j.org/en/code-examples.html - How to provide a Twitter PIN statically during OAuth authentication, the code example talks about providing a PIN if its already available.
Our application is a standalone java application and would prefer to pass credentials via a property file without any human intervention.
Twitter will provide you the PIN code.
In the example, Twitter4J supposes that somebody will copy the URL it gave (with requestToken.getAuthorizationURL() at line 10) in a web browser and will authorize the application via the browser. After that, the user is supposed to write in the example program the PIN code displayed in its browser.
There are two big drawbacks for you in this example :
Human intervention
Which code will you give to your example program if Twitter do not give you a PIN code (and it will happen if the callback URL of your Twitter application is not "oob") ?
You will have to simulate the human intervention to get the PIN code. Unfortunately, Twitter4J does not seem to get methods to do this (I do not see such method in the Javadoc) so you will have to code yourself the following process :
Retrieve the HTML code of the web page at requestToken.getAuthorizationURL().
This HTML page contains a form whose some parameters will be posted with the username (or email) and the user's password to get the PIN code. These parameters are called "oauth_token" (the temporary OAuth token that you already have), "deny" (a tag used if you do not want to authorize the application) and "authenticity_token". All of them are in <input> HTML tags. Pick them.
Simulate the posting of the form. For this you will have to use the POST oauth/authorize endpoint. The URL is https://api.twitter.com/oauth/authorize?oauth_token=<your OAuth Token>. The request has to be authenticated following the Twitter process for Authenticating requests. This is the content of what you will post : "authenticity_token=<the form's "authenticity_token" parameter>&session[username_or_email]=<user's name or email>&session[password]=<the user's password in clear>". If you don't authorize the app, append "&deny=<the form's "deny" parameter>" in the body message. There will not be any problem for you since you have got the credentials (session[xxx] parameters) in a property file and you picked the other parameters in the form (cf 2.).
The Twitter API will give you back an web page. If the authorization was successful, the PIN will be inside. However, be careful. The PIN takes different names depending on the callback URL. If the callback URL is "oob", the PIN code is called OAuth PIN. It is a 4-digit number somewhere in a <div id="oauth_pin"> HTML tag. Otherwise, it is called OAuth Verifier. It is contained in a URL located in a <div class="happy notice callback"> HTML tag. In this URL, the PIN is the oauth_verifier of the request string. It looks like an OAuth token.
Don't hesitate to have a look at the HTML code of the web pages of the 2nd and the 4th step of my process. It is very useful to understand the process.
I spent some time today trying to figure out how to authenticate without user intervention using Twitter4j Library. I came up with the following:
ConfigurationBuilder conf = new ConfigurationBuilder();
conf.setOAuthConsumerKey(CONSUMER_KEY);
conf.setOAuthConsumerSecret(CONSUMER_KEY_SECRET);
conf.setOAuthAccessToken(TOKEN);
conf.setOAuthAccessTokenSecret(TOKEN_SECRET);
Twitter twitter = new TwitterFactory(conf.build()).getInstance();
By using ConfigurationBuilder, I'm now able to authenticate automatically. Of course you need to set values for CONSUMER AND TOKEN keys accordingly. Here's how I verified it:
User user = twitter.verifyCredentials();
System.out.println("Successfully verified credentials of " + user.getScreenName());
Hope this helps!
What I do manually:
I open the URL: http://localhost:8080/webadmin/index.html enter login and password.
And click button wich is really do http get request: http://localhost:8080/rest/platform/domain/list
What I do in java:
String addr = "http://localhost:8080/rest/platform/domain/list?_dc=1325843792402"; //"http://localhost:8080/webadmin/index.html";
URL url = new URL(addr);
HttpURLConnection httpCon = (HttpURLConnection) url.openConnection();
httpCon.setDoOutput(true);
httpCon.setDoInput(true);
httpCon.setUseCaches(false);
httpCon.setAllowUserInteraction(false);
httpCon.setRequestMethod("GET");
OutputStreamWriter out = new OutputStreamWriter(httpCon.getOutputStream());
System.out.println(httpCon.getResponseCode());
System.out.println(httpCon.getResponseMessage());
out.close();
And get response: 401 Unauthorized.
Understandable why: I should create an authorised connection by entering a login and a password. But how I can do this?
On authentication using form fields in a web page, what happens is the following:
You access a login page. The server marks your session using one of the following methods:
Session cookie, present in the HTTP Response headers. You should store this cookie and resend it afterwards.
Redirect to a new URL in which the session is marked (http://localhost:8080/?sessionKey=3292n9fafjwagwao2903j2fswioanw)
(sometimes) hidden HTML form or Javascript variable which contains the session key and which is POST'ed on every click of a link.
Let us suppose the server uses cookies. You then do a POST request containing:
The cookie you received.
Your username and password in the POST data
The server now marks your session as "logged in" and may even give you a new or extra session identifier.
You then access a secured resource, providing a session identifier proving you are logged in.
You can follow this process very nicely using the Google Chrome Developer Network view (press CTRL+SHIFT+J, go to Network.
How do you translate this to Java code?
Do initial request to login page. Recover session cookie from HTTP headers.
Do a POST to the login form destination. Include the session cookie in the HTTP request header and the username/password in the POST data. Recover the session cookie from HTTP headers.
Now access the protected resource. Include the session cookies in the HTTP request header.
Of course, there are other ways of authenticating users at the webserver level (HTTP BASIC authentication, NTLM...), as explained by other answers here. The above method only works for HTML FORM-based authentication (as used by Facebook, Dropbox, ... and almost all major websites out there)
That depends on the authentication scheme. There are several possibilities, including
Basic access authentication
Digest access authentication
NTLM
Microsoft's HTTP Negotiate/SPNEGO
The server will tell you the correct scheme in its 401 answer. Look for the WWW-Authenticate HTTP header in the answer.
For doing HTTP authentication in Java, see this tutorial which contains a lot of useful information.
I wants to know that How can i Manage Session if the client browser has disabled cookie feature..
If I wants to implement it in simple JSP - Servlet, then how can I do that ?
Thanks in advance...
Without cookies, you have two options. The first is passing a sessionId through Urls. This requires a lot of work on the server because every url you send back must have a sessionId appended to it (usually in the form of a query string parameter). For example:
/path/to/page
becomes
/path/to/page?sessionid=ASDFG-ASDFG-ASDFG-ASDFG-ASDFG
The other option you have would be to combine what information you have via http into a "unique" key and create your own session bucket. By combining the Http UserAgent, RemoteIp and RemoteXfip you can get close to uniquely identifying a user, but there is no guarantees that this key is 100% unique.
In the JSP side, you can use JSTL's <c:url> for this.
link
Easy as that. It will automagically append the jsessionid when cookies are disabled.
In the Servlet side you need HttpServletResponse#encodeURL() or -usually the preferred one inside Servlets- HttpServletResponse#encodeRedirectURL() for this.
response.sendRedirect(response.encodeRedirectURL("page.jsp"));
url rewriting
http://www.developertutorials.com/tutorials/java/implement-session-tracking-050611/page5.html
Each URL must be encoded using response.encodeURL("page.jsp")
This will add the Session ID onto the end of each URL so cookies do not have to be enabled.
Note that you will have to do this manually for every single URL in order for it to work.
See this link for more info.