I have written a servlet Filter in which I am trying to get the value of custom header=samlRequest, From rest client/postman chrome plugin i am getting the value of samlRequest, but using ajax call i have provide samlRequest key and its value but in java i am getting the only key samlRequest in "Access-Control-Request-Headers", how to get value of samlRequest.
$.ajax({
url: "http://indlin500.corp.test.com:31000/test/Portal/index.html",
type: "GET",
headers: { 'samlRequest': 'eJzVWVlz4roSfs6/oJhHJvECBkMRTsk2+2ow68stY8u2wBuWjQ2//srsyUlmJufOramTSjm41f '},
beforeSend: function(xhr){xhr.setRequestHeader('samlRequest', 'eJzVWVlz4roSfs6/oJhHJvECBkMRTsk2+2ow68stY8u2wBuWjQ2//srsyUlmJufOramTSjm41f ');},
success: function() { alert('Success!' + authHeader); }
});
FirewalledRequest[
weblogic.servlet.internal.ServletRequestImpl#4f839843[ OPTIONS
/testsOSS/Portal/index.html HTTP/1.1 Connection: keep-alive
Access-Control-Request-Method: GET Origin: http://10.19.121.17:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Access-Control-Request-Headers: authorization, samlrequest,
x-partnerkey Accept: / DNT: 1 Referer:
http://10.19.121.17:7001/authentication-uxf-login-0.0.1-SNAPSHOT/customLoginPage.html Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8
]]
Using chrome rest client plugin I am getting samlRequest in the header with value i have provided.
FirewalledRequest[
weblogic.servlet.internal.ServletRequestImpl#24d746a[ GET
/testOSS/Portal/index.html HTTP/1.1 Connection: keep-alive
Cache-Control: no-cache samlRequest: eJzVWVlz4roSfs6/oJhHJvECBkMRTsk2+2ow68stY8u2wBuWjQ2//srsyUlmJufOramTSjm41f User-Agent: Mozilla/5.0
(Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/55.0.2883.87 Safari/537.36 Postman-Token:
ce7765d0-94b5-a1e1-d6ba-2abada3dfdd6 Accept: / DNT: 1
Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8
]]
When you make a cross-origin request from browser, the browser makes a preflight request before the actual request. It is an OPTIONS request, unlike the intended GET request.
Try adding a CORS filter before the actual filter which will reply OK for any OPTIONS request. A sample code can be found here :
https://amodernstory.com/2014/12/27/using-cors-headers-with-java-example/
by the way, you don't need to set header in request twice. You can remove the beforeSend block from the ajax request.
Related
I am trying to send a post request using Javascript, but the problem is that I do not seem to be able to add custom headers to the request.
The request that I want to send:
OPTIONS /startScan?domain=asite.com&user=38 HTTP/2
Host: MYHOST
Accept: */*
Access-Control-Request-Method: POST
Authorization: A_TOKEN
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
note that MYHOST and A_TOKEN are in my case other values, but replaced them for security reasons.
The request that I send:
OPTIONS /startScan?domain=asite.comm&user=38 HTTP/2
Host: MYHOST
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,content-type
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
The code that I use to send this:
var data = JSON.stringify({
"domain": "asite.com",
"user": 38
});
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function() {
if(this.readyState === 4) {
console.log(this.responseText);
}
});
xhr.open("POST", "MYHOST/startScan?domain=asite.com&user=38");
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("Authorization", "A_TOKEN");
xhr.send(data);
The problem:
The problem now is that I am not able to add a custom header to this request. Instead of adding a header that is called Authorization I add a Access-Request-Control-Header which has authorization as value. I have tried using jQuery, XHR (as you can see) and Fetch, but no success with all of them.
Can anyone help me?
I have a react application connecting to a Spring Boot backend application, I use JWT to authorize the user at the backend. I am using fetch to make the calls between the front and backend.
Whenever I try to set the headers of the call all the headers get removed including the Cookie (which contains the JWT). I need to set the headers to specify the content-type of the request.
- Call when I do not set the headers (causing 415)
fetch code:
return fetch(`${urlApiGateway}${url}`, {
method: "POST",
body: body,
credentials: "include",
})
Call:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl-NL;q=0.8,nl;q=0.7
Connection: keep-alive
Content-Length: 13
content-type: text/plain;charset=UTF-8
Cookie: Authorization=Bearer_eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjYXNwZXIubS50b3JlbjJAZ21haWwuY29tIiwiZXhwIjoxNjI1NDg2MzAzLCJpYXQiOjE2MjUzOTk5MDMsInVzZXIiOnsiaWQiOjIsIm5hbWUiOiJjYXNwZXIiLCJlbWFpbCI6ImNhc3Blci5tLnRvcmVuMkBnbWFpbC5jb20iLCJwYXNzd29yZCI6IiIsInBlcm1pc3Npb25zIjoiQURNSU4ifX0.JdW1M7d8HB71yvP7dupomN-bgD_484HHbxmfnOOmvqM
Host: localhost:8080
Origin: http://localhost:3000
Referer: http://localhost:3000/
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
sec-ch-ua-mobile: ?0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
As you can see the headers are present like 'content-type' and 'Cookie'.
- Call when I do set the headers to prevent 415
fetch code:
return fetch(`${urlApiGateway}${url}`, {
method: "POST",
body: body,
headers: { "Content-Type": "application/json" },
credentials: "include",
})
Call:
It seems to be making 4 call, 2 with the previous fetch settings which where the same (no headers set).
2 of the calls look like this
Provisional headers are shown
content-type: application/json
Referer: http://localhost:3000/
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
and 2 look like this
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl-NL;q=0.8,nl;q=0.7
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: localhost:8080
Origin: http://localhost:3000
Referer: http://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Where, as you can see, the headers are gone including the Cookie and content-type.
- Spring boot cors
#Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins(allowOrigin, "http://localhost:3000")
.allowCredentials(true)
.allowedHeaders("*")
.allowedMethods("GET", "POST", "OPTIONS");
}
I hope someone can help :)
You must pass Authorization Bearer token as header. Try this:
let yourAuthToken = .... // get bearer token from where you store it
return fetch(`${urlApiGateway}${url}`, {
method: "POST",
body: body,
headers: {
'Authorization' : 'Bearer ' + yourAuthToken
}
})
It hadn't anything to do with the js code, it was my cors settings on the backend side. My authorization filter was also being applied to the OPTIONS request which caused a cors error (no http ok status), after changing this it was fixed.
Thank you to all who tried to help me.
I have tried some times and looking for the best result in some similar questions but I have not got any rational result, I have got response with postman and js AJAX but not with axios. my header request is as bellow:
:authority: www.sample.com
:method: POST
path: /api/v1/contact
:scheme: https
accept: application/json, text/plain
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fa;q=0.8
content-length: 549
content-type: application/x-www-form-urlencoded
origin: http://localhost:3000
referer: http://localhost:3000/contact-us
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/83.0.4103.61 Safari/537.36
any idea? thanks a lot.
I've caught this packet sent from my browser to X site when I login:
POST http:/page_to_login HTTP/1.1
Host: host_name
Connection: keep-alive
Content-Length: 63
Accept: application/json, text/javascript, /; q=0.01
Origin: http:/host_name.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://name_host.com
Accept-Encoding: gzip, deflate
Accept-Language: en,it-IT;q=0.8,it;q=0.6,en-US;q=0.4
Cookie: __gads=ID=ba4aa3e1f26167ce:T=1420379969:S=ALNI_Max051cucDaIPAjfr_u43Jz3tF-eQ; mlUserID=qoqCnShSTTHg; ebNewBandWidth_.name_host.com=2137%3A1424452854024; ff11_lastvisit=1424960092; ff11_lastactivity=0; __adnt_intro=1; __utma=85431950.643346397.1420379964.1425039982.1425049087.44; __utmb=85431950.10.10.1425049087; __utmc=85431950; __utmz=85431950.1425032713.42.10.utmcsr=dotnethell.it|utmccn=(referral)|utmcmd=referral|utmcct=/forum/messages.aspx; sly_cook_fc=17313 18 0_; comp_drogat-premier-leagueLeghe2015Quad=0=87834; _ga=GA1.2.643346397.1420379964; _gat=1; rta_nxtml=
And this is how the password and username have sent to the server:
{"u":"my_username","p":"my_password","aliaslega":"","check":"u1-L12"}
How can I encapsulate this information and create js/php functions to automatically login to X site?
i have an iframe with src set to (let say) domainA.com and parent url is domainB.com, from this iframe i make an ajax call to domainA.com/ajax.asp, this works in chrome and firefox, but not with safari and IE. bellow are complete header request for chrome and safari.
REQUEST HEADER (Chrome)
POST /Ajax.asp HTTP/1.1
Host: domainA.com
Connection: keep-alive
Content-Length: 29
Accept: */*
Origin: http://test.takeoutmenuz.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://domainA.com/menu.asp?userid=1025
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6
Cookie: userid=1025; ASPSESSIONIDAQCQASBD=IDGHMLJDBHOKJFBIKMCNDHDA; ZZZZZ=here
REQUEST HEADER (Safari)
POST /Ajax.asp HTTP/1.1
Host: domainA.com
Connection: keep-alive
Content-Length: 29
Accept: */*
Origin: http://test.takeoutmenuz.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://domainA.com/menu.asp?userid=1025
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6
as you see, there is no Cookie header in safari, based on explanation from this page the problem is that Cookie stuff (if i not mistaken). how to make it work without Cookie, should i do something on response header in Ajax.asp or do something in ajax script (i already add withCredential field to it)?