java - Using Jersey to get a CSRF token through REST and use it in a login -

-

using jersey 2.19, how csrf token server uses spring security 3 , make successful login? have 2 projects, client uses rest, , server created using jhipster.

first, i'm making request http://localhost:8080 , i'm getting response headers:

cache-control:no-cache, no-store, max-age=0, must-revalidate content-language:en content-length:17229 content-type:text/html;charset=utf-8 date:tue, 21 jul 2015 19:24:40 gmt expires:0 last-modified:thu, 02 jul 2015 17:07:31 gmt pragma:no-cache server:apache-coyote/1.1 set-cookie:csrf-token=0902449b-bac7-43e8-bf24-9ec2c1faa48b; path=/ x-application-context:application:dev:8081 x-content-type-options:nosniff x-xss-protection:1; mode=block

i extract set-cookie header , csrf token there. i'm making post request way:

http://localhost:8080/api/authentication?j_username=user&j_password=user&submit=login

with request headers:

content-type: application/x-www-form-urlencoded x-csrf-token: <extracted token>

using chrome's plugin postman, can make correct post request login, jersey, i'm unable send correctly csrf token (i 403 response).

this response:

{"timestamp":1437507680089,"status":403,"error":"forbidden","message":"expected csrf token not found. has session expired?","path":"/api/authentication"}

this jersey code:

webtarget hosttarget = getclient().target("http://localhost:8080");  response r = hosttarget.request().get(); string header = r.getheaderstring("set-cookie"); string csrf = null;  list<httpcookie> cookies = httpcookie.parse(header);  (httpcookie c : cookies) {     if("csrf-token".equals(c.getname())){         csrf = c.getvalue();         break;     } }  webtarget logintarget = hosttarget.path("/api/authentication"); logintarget = logintarget.queryparam("j_username", username)     .queryparam("j_password", password)     .queryparam("submit", "login");  builder req = logintarget.request(mediatype.application_json_type); if (csrf != null) {     req = req.header("x-csrf-token", csrf); }  response cr = req.post(entity.entity(null,         mediatype.application_form_urlencoded_type));  system.out.println("response: " + cr.readentity(string.class));

thanks time.

after trial , error, found solution. important take in count cookies (as indicated roman vottner) rest configuration communicate spring security. important cookie must present jsessionid , header x-csrf-token (or whatever header name configured in server), capture them in initial request , send them again.

i've decided send cookies server in way.

webtarget hosttarget = getclient().target("http://localhost:8080");  response r = hosttarget.request().get(); string headercookies = r.getheaderstring("set-cookie");  map<string, newcookie> cookies = r.getcookies(); string csrf = cookies.get("csrf-token").getvalue();  webtarget logintarget = hosttarget.path("/api/authentication"); logintarget = logintarget.queryparam("j_username", username)     .queryparam("j_password", password)     .queryparam("submit", "login");  builder req = logintarget.request(mediatype.application_json_type); req = req.header("cookie", headercookies);  if (csrf != null) {     req = req.header("x-csrf-token", csrf); }  response cr = req.post(entity.entity(null,         mediatype.application_form_urlencoded_type));  //the response empty (in case) status code 200 system.out.println("response: " + cr.readentity(string.class));

Comments

Post a Comment

Popular posts from this blog

c - Bitwise operation with (signed) enum value -

-
i using enumerator values flags: typedef enum { = 0x00, b = 0x01u, // u has no influence, expected c = 0x02u, // u has no influence, expected ... } enum_name; volatile unsigned char* reg = someaddress; *reg |= b; according misra-c:2004 bitwise operations shall not done signed type. unfortunately, compiler iar use signed int (or short or char) underlying type of enums, , option can find relates size, not signedness ("--enum-is-int"). according iar c/c++ development guide arm , pages 169 , 211, can define type of enum s if enable iar language extensions ( -e command-line option, or project > options > c/c++ compiler > language > allow iar extensions in ide). in particular, should define "sentinel" value, make sure compiler chooses correct type. prefers signed types, , uses smallest possible integer type, sentinel should largest positive integer corresponding unsigned integer type can describe. example, typedef enum
Read more

xslt - Unnest parent nodes by child node -

-
in xml there items 0-n attributes , item should copied each attribute new item 1 attribute. given xml this: <?xml version="1.0" encoding="utf-8" ?> <items> <item> <name>a</name> <attributes> <attribute> <key>attribute1</key> <value>1</value> </attribute> </attributes> </item> <item> <name>b</name> </item> <item> <name>c</name> <attributes> <attribute> <key>attribute1</key> <value>5</value> </attribute> <attribute> <key>attribute2</key> <value>2</value> </attribute> <attribute> <key>attri
Read more

YouTubePlayerFragment cannot be cast to android.support.v4.app.Fragment -

-
im stuck on 3 days , have tried have come across after lots of searching ,this post last resort, im trying open youtubeplayerfragment using navigation drawer youtubeplayerfragment cannot cast android.support.v4.app.fragment problem edit question : have updated code have used youtubeplayersupportfragment instead of youtubeplayerfragment ,i error in displayview method (case 4: fragment = new youtube(); break;) in main activity saying cannot convert youtube fragment , cannot logcat since cant run it edit question 2: code updated again have runtime problem ,heres logcat 07-22 22:15:09.782: e/androidruntime(20603): fatal exception: main 07-22 22:15:09.782: e/androidruntime(20603): process: net.frankandwalters, pid: 20603 07-22 22:15:09.782: e/androidruntime(20603): java.lang.nullpointerexception: attempt invoke virtual method 'void com.google.android.youtube.player.youtubeplayerview.a()' on null object reference 07-22 22:15:09.782: e/androidruntime(20603): @ com.goog
Read more