http authorization issue

#1

Postby bartbaas » Wed Nov 02, 2022 11:18 am

Good morning,

We seem to have an issue with http authorization on a REST webservice using resource fields for setting username and password.
Can we get the logging to display the header that is being sent?

The logging states:
FINE: Request:
POST https://<..url..>
Content-Type:application/json

{ <..payload..> }
Nov 02, 2022 11:43:08 AM org.apache.http.impl.auth.HttpAuthenticator generateAuthResponse
WARNING: NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
Nov 02, 2022 11:43:08 AM com.ebasetech.ufs.utility.LogHelper debug
FINE: Response:
HTTP/1.0 401 <html><head><title>Error</title></head><body>Unauthorized</body></html>
<..>
Nov 02, 2022 11:43:08 AM com.ebasetech.ufs.utility.LogHelper debug
FINE: Finished calling endpoint: <default>

We are using Basic Authentication and set the two variables in the rest security configuration.
This seems to be working ok in our test environment, but not in this integration environment.
Also, we can get a good answer when using curl, and by setting the header explicitly in VerjIO, so I'm thinking we're not building a good header somehow.

Maybe it is a configuration issue with respect to the org.apache.http.impl.auth.HttpAuthenticator library, but I wouldn't know where to look.

Re: http authorization issue

#2

Postby bartbaas » Wed Nov 02, 2022 11:19 am

The VerjIO version is 5.11.2 by the way

Re: http authorization issue

#3

Postby Steve » Fri Nov 04, 2022 11:39 am

Hi Bart,

I debugged the Basic Authentication on the REST resource and I could see that the &&<fieldname> is being substituted for the field value in the username and password fields for the Basic Authentication endpoint security.

Verj.io uses Apache HttpClient and you should be able to add a logger to the log42.xml inside:

UserData/Server/apps/ebase/app/ebaseConf/log4j.xml

Add the following Logger to the <Loggers> element. There should be a commented-out example.

<Logger name="org.apache.http" level="ALL" additivity="false">
    <AppenderRef ref="Console" />
    <AppenderRef ref="File" />
</Logger>

You will need to restart the Verj.io server after adding the Logger. The output should be in the stdout (it may be the stderr) logs inside the UserData/Server/tomcat/logs directory.

Thanks

Steve

Re: http authorization issue

#4

Postby bartbaas » Mon Nov 07, 2022 9:07 am

Thnx Steve, we'll give that a go, perhaps we will learn something new.

Re: http authorization issue

#5

Postby bartbaas » Wed Nov 09, 2022 9:56 am

Not sure where to find this extra logging, but what we did find: It seems that on this particular webservice, Verjio seems to negotiate the login method before sending the authorization header.

Can you confirm this is the case?

From our logging:
WARNING: NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
Nov 09, 2022 10:42:29 AM com.ebasetech.ufs.utility.LogHelper debug
FINE: Response:
HTTP/1.0 401 <html><head><title>Error</title></head><body>Unauthorized</body></html>
Strict-Transport-Security:max-age=15552000; includeSubDomains; preload&Cache-Control:no-cache, no-store, must-revalidate&Server:JBoss-EAP/7&WWW-Authenticate:Negotiate&Connection:keep-alive&......

Re: http authorization issue

#6

Postby Steve » Fri Nov 11, 2022 1:31 pm

Hi Bart,

I believe that Apache HTTP Client does negotiate first.

It might be easier to just set the Authorization Http Header manually using a mapped resource field. Using the server side JavaScript, you could do something like this:

....
importPackage(java.util); // makes java.util.Base64 available to the script

// set http auth header (user and pwd hold the credentials)
fields.auth.value = "Basic " + Base64.getEncoder().encodeToString(new java.lang.String(user + ":" + pwd).getBytes());

In the REST resource you can add a request header:

Name: Authorization
Value: &&auth

Map the resource field "auth" to the form field "auth".

I think this will work for you.

Thanks

Steve
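
The checks discussed in this thread, as an added example in plain Node.js (not code from the thread, Verj.io or Apache HttpClient): it builds and decodes a Basic Authorization value, lists the schemes a 401 response offers in WWW-Authenticate, and masks credentials in header-level debug log lines. The function names, credentials and log line are constructed, and the rule that a challenge-driven client only answers with an offered scheme is an assumption about the client's behaviour.

```javascript
// Added example: plain Node.js, not Verj.io API. Credentials and log lines are constructed.

// Build a Basic Authorization value (RFC 7617), encoding the pair as UTF-8.
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  return "Basic " + Buffer.from(`${user}:${password}`, "utf8").toString("base64");
}

// Decode a Basic value, to compare what two clients (e.g. curl and the server) send.
function decodeBasicAuth(value) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(value.trim());
  if (!m) return null;
  const text = Buffer.from(m[1], "base64").toString("utf8");
  const i = text.indexOf(":"); // only the first ':' separates user and password
  return i < 0 ? null : { user: text.slice(0, i), password: text.slice(i + 1) };
}

// List the schemes offered in one or more WWW-Authenticate header values.
function offeredSchemes(values) {
  const schemes = [];
  for (const value of values) {
    // Blank out quoted strings so commas inside realm="..." do not split challenges.
    const unquoted = value.replace(/"(?:[^"\\]|\\.)*"/g, '""');
    for (const part of unquoted.split(",")) {
      // A scheme is a leading token not followed by '=' (that would be a parameter).
      const m = /^\s*([A-Za-z][A-Za-z0-9-]*)\s*(=?)/.exec(part);
      if (m && m[2] !== "=") schemes.push(m[1].toLowerCase());
    }
  }
  return schemes;
}

// Assumption: a challenge-driven client only answers with a scheme the server offered,
// unless the Authorization header is set up front (preemptive).
function basicWouldBeSent(values, preemptive) {
  return preemptive || offeredSchemes(values).includes("basic");
}

// Mask credentials before header-level debug logs are stored or shared.
function redactAuthorization(logLine) {
  return logLine.replace(/((?:Proxy-)?Authorization:\s*\S+\s+)\S+/gi, "$1<redacted>");
}

// "Negotiate" is the WWW-Authenticate value from the 401 response quoted in the thread.
console.log(offeredSchemes(["Negotiate"]), basicWouldBeSent(["Negotiate"], false));
const line = "http-outgoing-0 >> Authorization: " + basicAuthHeader("svc-user", "p:ss");
console.log(redactAuthorization(line));
```

With the org.apache.http logger at level ALL, request headers including Authorization are written to the log files, so the masking step applies before those logs are shared.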