I have a website hosted in IIS that uses NTLM authentication. I can access the site without explicitly providing my credentials. The site itself has functionality that makes ajax calls to API endpoints hosted in an HTTP.sys Windows Service.
The ajax calls are configured like this:
const ajaxGet = (url) => $.ajax({
cache: false,
type: "GET",
url: `${url}`,
xhrFields: {
withCredentials: true
}
});
Everything works, but the browser (Chrome) always asks me to enter my credentials at least once when it calls the endpoint for the first time.
Is there a way to automatically use the NTLM credentials provided by IIS authentication instead of having to manually enter them?
Related
I write a signup webpage with nodejs, and in this webpage, I use ajax to call the function signup like this
$.ajax({
method: "POST",
url: "/signup",
data: { tel: tel, password: password}
})
And in app.js, the signup function like this
.post('/signup', async (ctx) => {
//do something
})
And now everyone can call the signup function with the url http://domain/signup without visiting the signup webpage, I think it's a mistake, I only want the local program can call this function, how can I fix this?
Typically it's either API Keys for doling out general access, or IP-based restrictions at either the application or network level.
API Keys are a token that identifies and authenticates an endpoint. You can also use it to track usage and/or ban abuse. For example, see Google Maps' documentation about using their API. Then all API calls have that key:
https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap
This allows the server to parse the key, check against it's key database or whatever, and allow access. You'll need to use HTTPS for this if it's over any public network.
IP or other network restrictions are easier to setup and best when you have a 1:1 relationship with your API. That is, your application alone accesses this API, and you control all the servers, etc.
I have NodeJS service which is protected and exposed using a load balancer. Need to call the drill Query.JSON API which is projected using j_secuirty_check.
Existing logic:
First hit the j_security_check URL with the credentials and receive the cookie.
Hit the query.JSON URL with the received cookie in the above step.
Code Snippet:
var options1 = {
url: 'http://<HOSTNAME>:8047/query.json',
method: 'POST',
json: JSON.parse('{ "queryType":"SQL", "query": "show schemas"}'),
headers : {
cookie : setcookie
}
};
The above method is working without the load balancer.
Example:
backend service running on http://localhost:3000
Drill URL: http://<SOMEIP:PORT>/query.JSON
Issue:
The second request is redirecting to login page thought we set cookie received in the previous step.
Example:
backend service running on https://<LOADBALANCER_URL>
Drill URL: http://<SOMEIP:PORT>/query.JSON
Is this because of https & http protocols or diff domain?
Please share your suggestion.
In case of load balancer the request might be going to another Drillbit WebServer which doesn't issued the cookie in first step. In which case it will not work, your load balancer should have some concept of sticky session or send the request from a client to same WebServer every time.
Introduction
I have a hyperledger env running in secure mode by following this link https://hyperledger.github.io/composer/integrating/enabling-rest-authentication.html
and it works fine if I authenticate as specified in the document (hitting http://mydomain:3000/auth/github directly from the browser) and then access the Rest API from the http://mydomain:3000/explorer and could authorize as various participants (i.e, issuing identity and adding them to the wallet and setting one as default at a time) and could see the assets as per the .acl file.
Issue
But I started facing problems when I started integrating the Rest API's from my web application rather directly from the browser. As a first step from my web app, I called the http://mydomain:3000/auth/github to authenticate and then started calling the other APIs (transaction/list, etc.) but I do always get
Error 401: 'Authorization Required'
What i have tried
Gave my web application URL as the 'Redirect URL' in the env variable for the hyperledger. And upon successful authentication (calling http://mydomain:3000/auth/github) it successfully redirected to my webapp home page but afterwards accessing the Rest API's (from web app) again throws 'Authorization Required' error.
Environment variaable as below:
export COMPOSER_PROVIDERS='{
"github": {
"provider": "github",
"module": "passport-github",
"clientID": "CLIENT_ID",
"clientSecret": "CLIENT_SECRET",
"authPath": "/auth/github",
"callbackURL": "/auth/github/callback",
"successRedirect": "http://localhost:8080/home.html",
"failureRedirect": "/"
}
}'
Incorporated passport-github2 mechanism in my web application (i.e, registered my app with the oauth of github) and upon successful login to my web application; called the http://mydomain:3000/auth/github to authenticate to the blockchain and it did not work out as well.
I have a few questions:
Is it feasible to call the secured hyperledger Rest API's from another web application?
If Yes, how to do it? I don't find that information in the hyperledger composer documentation.
Have been trying this for a week now and have no answers. Any help would be greatly appreciated. Please let me know if anything is unclear. Thanks.
I commented about this problem on one of the existing hyperledger github issues(below link) & I want to share the solution that solved this problem for me.
https://github.com/hyperledger/composer/issues/142
Solution: as mentioned by user sstone1
Since the REST server is on a different port number to your web application, you need to specify an additional option to your HTTP client to pass the cookies to the REST server. Using the Angular HTTP client, you add the withCredentials flag, for example:
via Angular:
this.http.get('http://mydomain:3000/api/MyAsset', { withCredentials: true })
via JQuery AJAX:
$.ajax({
url: 'http://mydomain:3000/api/MyAsset',
xhrFields: {
withCredentials: true
},
headers: {
...
}
})
I need an event that is being fired whenever something changes on my google sites site.
There is an XML feed with all the latest changes. I am planning on polling this feed with Zapier and when something changes Zapier will make a http request to a url that I provide so I get my event.
This works fine as long as the site is public, but in my case it is not.
So I think about building a proxy for the feed that google provides. The proxy will call the feed with the proper authentication and pass the contents. Zapier will call the proxy with a Zapier friendly authentication mechanism.
I figured that I need to call the google feed with a service account. So how do I do that with node.js?
I have been looking here:
https://developers.google.com/google-apps/sites/docs/1.0/developers_guide_protocol#ActivityFeed
Figured it out!
I have made a proxy with basic authentication that is accessed via https. This proxy will pass through the activity feed of the Google site that I am interested in.
I built the proxy in node.js with the googleapis module. Here is a piece of the code I use:
var jwtClient = new googleapis.auth.JWT(
client_id_email,
__dirname + 'key.pem',
null, ['https://sites.google.com/feeds/'],
'user#domain.org'
);
jwtClient.authorize(function(err, token) {
if (err) return next(err);
return rest({
path: 'https://sites.google.com/feeds/activity/{domainName}/{siteName}',
headers: {
"GData-Version": "1.4",
Authorization: token.token_type + ' ' + token.access_token
},
params: {
domainName: 'domain.org',
siteName: 'site',
},
}).done(function(result) {
res.set(result.headers);
res.send(result.entity);
}, next);
});
The username (user#domain.org) in the example is a user that the service account impersonates. This user must have acces to the site.
I put the service account key in a file name 'key.pem' in this example.
Now you must allow accesd to the service account for the domain you want to access. You do this on the admin site of the domain (admin.google.com).
Go to security
Go to advanced settings
Go to API client access
There you have to add the client_id of the service client
And now... it works :-) !!! \o/
I have two websites on Azure Web Sites, and I'm using a CNAME to use them with my own domain name.
Let's call the two sites site1.example.com and site2.example.com.
I'm using ASP.NET MVC 4 and SimpleMembership. I want the user to be able to log in on site1.example.com, and for that logged-in state to be accepted by site2.example.com.
Here's what I've done so far:
Both site1 and site2 are pointing at the same membership database (connection string set the same for both in web.config, and InitializeSimpleMembershipAttribute set to look at that connection string)
I have set the cookie domain to .example.com (in web.config, system.web authentication section)
I have manually set the machineKey in the config for system.web to the same thing for both sites
However, if I log in on site1, then I am not logged in on site2. I can see that the .ASPXAUTH cookie is correctly set on .example.com, so it is visible to both.
So, what am I missing?
If you are using AJAX requests to login (like via Web API), try to include
xhrFields: { withCredentials: true }
something like
$.ajax({ method: 'POST',
url: 'yourloginurl.com/api/login',
xhrFields: { withCredentials: true },
success: function (data) { ... } });
After set the domain on httpCookie.
I spend a day to found this solution and this solve my problem.