I am using SOAP UI for testing the web services. In the Authentication tab, I have entered the username and password and domain name.
Sample:
WSDL URL: http://localhost:8080/soap/helloTest?wsdl
Username:hello
pass:helloworld
domain: http://mysysfullname:8080
I have given the correct credentials. I also replaced domain as http://localhost:8080.
Even then I am getting invalid credentials only. The username and password are correct and they are not my windows credentials.
Can some one help how to give the credentials.
Adding Raw Request
POST http://localhost:8080/soap/helloTest HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:8080
Content-Length: 1004
Thanks.
It also depends on the WSS-PasswordType
verify that also.
Try setting SOAP-UI to use Preemptive Authorisation Type.
As per SOAP-ui documentation:
Send Authentication headers with each request without first receiving an authentication challenge. This is a potential security hazard but will improve performance since only one request will be required for authenticated endpoints instead of two.
Related
I have created a web service using dropwizard.
Through this, I am able to create resources, wherein I have created an entity for indexing the document, search request, getting doc by id.
By hitting the API in postman I get the desired result.
For developing the web application I built the front end using ember.js.
But when I send a request to my application I am getting CORS policy exception.
When I am sending request through postman to http://localhost:9090 (9090 is the port number of my ApplicationConnector) then it is responding to the request.
Now when I send request from origin http://localhost:4200 (4200is the default port number for ember.js) to http://localhost:9090 it is giving error :
Access to XMLHttpRequest at http://localhost:9090/{indexName}/{id} >from origin http://localhost:4200 has been blocked by CORS policy: Response to preflight request doesn't pass access control check:
No 'Access->Control-Allow-Origin' header is present on the requested resource.
So can someone please explain how to resolve this issue and if there is any other way apart from enabling CORS in Dropwizard ?
You need to enable CORS in Dropwizard or serve both the frontend and the API from the same host (hostname and port). Otherwise it's forbidden by CORS security feature, which is enabled by default in all major browsers. Postman does not care about CORS.
Could post request with URL parameters be csrf hacked?
If server side has only "Consumes application/json" protection.
Using HTTPS.
If u have appropriate link, pls, share it.
"Some applications will check that the Content-Type HTTP header is "application/json", so it will prevent a CSRF attack. A better security would be to use an authenticity token, this will protect HTTP requests even if the data type is not JSON."
Thx, Adithya!
Summary : I am working on embedding Power BI reports in a ISV application and when i try to call api endpoint to get embedding details of the report it responds with 400 Bad Request . I am directly calling Power BI APIs without use of SDK as microsoft hasn't officially released PowerBI SDK for Java based application . Also , for debugging I used another .net application which uses PowerBI SDK to make the same API call against same workspace and it works without issues.
All other API endpoints like 'list all workspaces','get workspace details',' list all dashboards' in a workspace ' and even 'list all reports in workspace' respond as requested without issues, but the API endpoint listed here :
Power BI get report embedding details using 'workspace_id' and 'report_id'
responds with 400 Bad request with seemingly right credentials and request.
Interfacing Application Context :
The ISV application is built on Spring boot framework(Java) and Angular 2 framework .
Currently,I couldn't find official Microsoft Power BI SDK for Java based application , because of which i am directly referencing APIs from the Power BI API reference doc
ISV application has all necessary permissions to access the APIs listed here :
https://learn.microsoft.com/en-us/power-bi/developer/power-bi-permissions
The application is able to generate token,make authenticated request and get response from power bi for all other api endpoints which are used in the application .
Issue and Debugging
Debugging :
This is the request that PowerBI .NET SDK makes and which works against get report API :
GET https://api.powerbi.com/v1.0/myorg/groups/d864b33b-74dd-4683-9cfd-91c712039147/reports/d618f04d-0b9d-483b-8f9c-cb1210d14595 HTTP/1.1
Authorization: Bearer auth-token
User-Agent: FxVersion/4.7.2117.0 Windows_7_Enterprise/6.1.7601 Microsoft.PowerBI.Api.V2.PowerBIClient/2.0.2.17225
Host: api.powerbi.com
This is the request that my application makes directly referencing API endpoint which returns 400 :
GET https://api.powerbi.com/v1.0/myorg/groups/d864b33b-74dd-4683-9cfd-91c712039147/reports/d618f04d-0b9d-483b-8f9c-cb1210d14595 HTTP/1.1
cache-control: no-cache
Postman-Token: some-token
Authorization: Bearer auth-token
User-Agent: PostmanRuntime/7.1.1
Accept: /
Host: api.powerbi.com
This is due to Accept HTTP header. Microsoft`s REST Method does not support it.
Try:
curl -XGET
"https://api.powerbi.com/v1.0/myorg/groups/{groupId}/reports/{reportId}" -i -H
"Authorization: Bearer {token}" -H "Accept:"
-H "Accept:" will disable this HTTP header. (By default curl sends Accept: * / *)
I want to implement XOAuth 2.0 for my web application in Java.
My application asks for username and password from the user. Now using these credentials I want to authenticate the user through Gmail.
Please suggest libraries, and also how to implement it??
I am new to authentication using Gmail. Need some suggestions.
as I know the purpose of the OAuth 2.0 is to prevent leak of the user's credentials into 3rd party applications.
The abstract flow shows how client (3rd party app) should use the access_token (retrieved with one of the grant types) to access resource.
The specification also defines the basic HTTPS calls to use for example in case of an authorization code grant type (I think this flow best suits for you). This has 2 request, one for the code (user agent redirection is used to send the code to the 3rd party app) and one for the access_token.
Authorization code request&response
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz
Token request&response:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
So you do not need to ask a user for the GMail credentials.
Here you can find a spring-security example for an OAuth 2.0 compliant application.
I hope I could help.
I am trying to reverse engineer a web app (which uses flash object to communicate with server). I have grabbed the network traffic via fiddler i.e., Browsed the app using IE and captured network traffic in Fiddler. This first time i am doing something this so i might be asking very basic questions :(
Now, I have those events/requests in Fiddler but I am having hard time understanding them (besides basic HTTP requests). So I am going to post the traffic flow and then its respective traffic here and at the end the questions
FLOW ON IE
Entered the url website.com/app/app-subdomain/web-app
An HTML page is displayed with user & password request
After login, an HTML page is displayed with Flash object in it (the original app)
IN FIDDLER
(requests in order)
The first thing i see is request to URL:www.website.com:443 which results in 200 status. Fiddler shows there are no cookies or whatsoever. Only the "Clients" are there
The second request i see is to URL:app/app-subdomain/web-app. However, here is the part where i am confused at. In fiddler request body, I see a cookie. which is something like this
GET https://www.website.com/app/app-subdomain/web-app HTTP/1.1
Accept: text/html, application/xhtml+xml, \*/\*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.website.com
Cookie:
NAME-WEB-SESSION=akcxxxpxkxfaxdxccajkjumxax;
hl=us;
dxxxxcxx=0;
NAMESSO=fdxdfxdfdxcfabxxxcxxcdbfexxxxfxfxxxefxecxxaxxxxxxefxxxxxxxxfxaxx;
XSRF-TOKEN=vXXnjhHE-ptnvmYfKfQVxscHyrGrfbwxyxkGzfWZGoU
So far, the thing which is confusing me, is who generated this cookie ? so lets say i am using Apache HTTPClient, would this cookie be generated by it or do I have to ? If i have to, then how to generate the values of those key-value cookie ?
You didn't specify what the first request was exactly, but more than likely this was just a HTTP CONNECT tunnel through which secure traffic flows. You should NEVER see a cookie on a CONNECT tunnel. Have you cleared your browser's cookies and cache? If not, the cookie you saw was likely set on a previous visit to the site and stored in the client's cookie jar. If you have cleared the cache and cookies, that implies that something on the client (e.g. Flash) generated the cookie via some other, non-standard, process.