Seems like http.get is forbidden since I don't send the cookie value with the request. If I just surf to the link I will get the response, since the browser send the cookie. How I do the same in typescrip code with angular 2?
Looking at this link:
https://angular.io/docs/ts/latest/api/http/index/RequestOptions-class.html
You can specify RequestOptions (such as header values) with your get request. I presume you could use that to send the cookie in the way you need. There's not much else for information in your question, so I think that's as close as I can get.
Http spec:
https://angular.io/docs/ts/latest/api/http/index/Http-class.html
Related
I have a problem with the x-csrf-token validation with regard to a HTTPS-Post-Request. The request comes from a Lambda function triggered by an Amazon Alexa skill and is sent to a XSO Data file running on the SAP Cloud Platform in an SAP HANA Database. I use Javascript/Node.js.
A valid token is set in the request header (see code in the first picture below) but the response header shows for the x-csrf-token "required" (see code in the second picture below). So there is an error with the validation. The same post request with POSTMAN works correctly, but when I try it via a JS File as a Lambda function (in the first picture) there it comes this error with HTTP status code 403 (see code in the second picture below). The POST request itself does work, but the token validation not. GET requests work fine.
Does anybody know a possible solution?
Thank you very much!
1.picture: request
2.picture: response
Please try to get the csrf token first before setting it to the request body. CSRF token changes from device to device as well as the timeframe. I also had a similar issue, and upon implementing the above solution, it started working perfectly.
I am writing this as a separate answer as I had an issue in Spring Boot RestTemplate call. I could arrive at a solution after going through this article.
SAP CSRF Issue
Basically the "set-cookie" header is instructing the browser to set the "Cookie" header. All one has to do (apart from x-csrf-token) is to replace the comma in the string of the cookie with a semicolon. Then set the header "Cookie" to this replaced value;
We have exposed a HTTP endpoint with POST method. To make a successful call the clients has to make the POST call with a request body and other required parameters.
When we hit the endpoint directly in the browser the response says 200 OK. Its a GET call. there is no implementation for GET.
The question is - an endpoint which supports only POST should throw an error while hitting directly on the browser with a GET ?
What should be the best error. Do we have to handle this in GET saying GET is not appropriate method on this end point?
Or is it correct to leave the GET response as 200 OK - to make the clients feel the end point is up and running?
If you're asking about what an HTTP server SHOULD do... the answer is: it has to implement GET and HEAD. See RFC 7231.
I've been stuck on this for a few hours with no luck, so I figured that I would ask here.
I have a service with a bunch of endpoints, most of which accept GET and POST http methods. In that case, my service simply specifies Access-Control-Allow-Origin to be * in the response headers, in the event that one of my apps is on a different domain/port and wants to use the service.
I have one endpoint that uses the DELETE http method, and I can't seem to get it to work. When I call this endpoint from my client app, I get this message in my console:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
I've been reading up on CORS for the past couple hours and have tried a few different things, all of which have not worked. I (think I) at least understand that when I'm using http methods other than GET and POST, the browser sends a pre-flighted request with OPTIONS as the http method.
What is the best way to handle this? Is there a way to disable this pre-flighted request? I specify in my client app that the http method to call this endpoint is DELETE. Should I be putting something specifying headers in my AJAX function that calls this endpoint (I'm using straight JavaScript)?
If I can't figure out a way around this, I'm just going to change my endpoint to use a GET or POST method, but I wanted to find a way to handle this issue before I took the easy way out.
I (think I) at least understand that when I'm using http methods other than GET and POST, the browser sends a pre-flighted request with OPTIONS as the http method.
Yes
Is there a way to disable this pre-flighted request?
No there isn’t. It’s initiated by browsers automatically, with no way to disable it from your JS. As long as you’re sending that DELETE request cross-origin in your JS, browsers will do that preflight.
Should I be putting something specifying headers in my AJAX function that calls this endpoint?
Given the “No 'Access-Control-Allow-Origin' header is present on the requested resource” message you’re getting, no changes you make in your client code will make any difference.
The place where more headers need to be sent to deal with this is instead on the server side.
If I can't figure out a way around this, I'm just going to change my endpoint to use a GET or POST method
You might want to experiment with trying that first. It seems even if you make that change you’re still gonna get that “No 'Access-Control-Allow-Origin' header is present on the requested resource”.
The SO question "No 'Access-Control-Allow-Origin' header is present on the requested resource" is a good place to read up on this to get a better idea of what’s happening.
If I do:
Response response = webTarget.request().get();
URI redirectUri = response.getLocation();
response.getLocation() will be null if Jersey does not need to follow a redirect or automatically follows a redirect.
Only for manual, non automatic redirects will response.getLocation() be non-null.
How do I tell if the Jersey Response followed an automatic redirect? How do I get that URL?
If this is only for debugging purposes, you could register the LoggingFilter with your client which should give you the request / response cycles.
webTarget.register(new LoggingFilter())
If you need to know this in production I think you'll have to handle the redirects yourself. I might be wrong, but I can't see a way to get request history from the client (unless you tracked it yourself of course).
Hope this helps.
Will
I have a question about REST. I´m creating a service, in which the client sends HTTP request with Basic authorization (Header Authorization: Basic user:password). I want the server to control user credentials, and if they are correct, it would send 200 OK, otherwise 401 Unauthorized. If the credentials are OK, I want to send back also user´s ID. My question is, what would be the best way to send that? My options are: headers, or json in the body of the response. Thanks you in advance.
Personally, I would send it back in the body. I don't think there are any standard headers suitable for that type of information, unless you are setting it in a cookie.