I have a service running on Navision accessed by url http://navision_ip/NAV/WS/COMPANY/Codeunit/Web_Service
I also have login / password for service.
When I try to open link with Chrome, after entering credentials, I get wsdl.
I also see that Chrome passes Authorization: Negotiate header.
Other browsers return 401 / 400 instead of wsdl and doesn't show the wsdl.
How do I get wsdl in PHP?
You should set the authentication to NTLM = true in the CustomSettings.config file.
I found this blog post very useful:
http://blogs.msdn.com/b/freddyk/archive/2010/01/19/connecting-to-nav-web-services-from.aspx
and for php:
http://blogs.msdn.com/b/freddyk/archive/2010/01/19/connecting-to-nav-web-services-from-php.aspxhttp://blogs.msdn.com/b/freddyk/archive/2010/01/19/connecting-to-nav-web-services-from-php.aspx
Related
I am Currently Working on SSO Project. Like Google, we have accounts.domain.com as SSO Server. And we have three applications hosted on three different servers(application1.com,application2.com,,application3.com,).
Whenever the user wants to log in from those three applications then the user will be redirected to the SSO Server. If the login credential supplied by the user is correct means the SSO Server generates a JWT access token. Now the Generated token have to be attached to the user requested application response header and then the user will be redirected to the requested application along with the "Authorization: Bearer $token".
I am currently facing problem in attaching the generated token to the response header. I am currently using Slim 3 framework along with lcobucci/jwt for JWT token.
My Code :
$username = "Test";
$newResponse = $response->withHeader('Authorization' , "Bearer $token");
return $newResponse->withRedirect("http://application1.com/$username", 301);
When I debug the Response header in accounts.domain.com the Authorization header seems to be set. But on another end (application1.com) not receiving the Authorization Header.
Screenshots
Initial Request from application1.com
SSO Domain Redirect to grab the Cookie
Validate the Session by the Grabbed Cookie and attach the Auth Header attached
Authentication Success but no Authorization Headers Received
My Doubt is whether the problem is because of server configuration(apache2) in .htaccess file (or) my implementation itself is wrong.
Guide me to fix this error.
Environment Details :
Server : Apache 2
Framework : Slim 3
JWT : lcobucci/jwt package
A redirection in the HTTP protocol doesn't support adding any headers to the target location. It's basically just a header in itself and only allows for a URL.
It looks something like this:
HTTP/1.1 307 Temporary Redirect
Location: http://application1.com
When you are adding your Authorization header you are only sending that header back to the client:
HTTP/1.1 307 Temporary Redirect
Location: http://application1.com
Authorization: ...
When you are sending a response redirect and also set some header like Authorization, the browser will not forward this header to the site it is now redirecting to. If you are absolutely bent on passing some parameter to the site the browser will redirect to, you will have to pass that parameter as an URL query parameter.
I am developing an Oauth 2 authentication server and I have a problem with endpoint redirection.
Here is what the RFC says that I try to follow scrupulously:
3.1.2.1. Endpoint Request Confidentiality
The redirection endpoint SHOULD require the use of TLS as described
in Section 1.6 when the requested response type is "code" or "token",
or when the redirection request will result in the transmission of
sensitive credentials over an open network.
https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2.1
Here is my question:
I know if the current request uses HTTPS with the $_SERVER ['HTTPS'] superglobal, but how do I determine if the url I'm going to redirect is using TLS
?
header("Location: $redirectUri");
Do I only rely on the protocol (https: // at the beginning of the URL)? On headers returned by a CURL request made before redirection (check the presence of the Strict-Transport-Security header) ? If not how should I do it?
PS: Normally it is not necessary but in case. Here is the complete code:
https://github.com/alexandre-le-borgne/oauth-server/blob/master/src/OAuth2/Endpoints/AuthorizationEndpoint.php#L185
My conclusion is that it is enough to check the presence of the https at the beginning of the URL.
I'm using this php wrapper, successfully getting a code from pinterest using the link generated according to the docs:
$loginurl = $pinterest->auth->getLoginUrl($callback_url, array('read_public'));
Then when I run this:
$token = $pinterest->auth->getOAuthToken($_GET['code']);
It works fine on my local server, but when I try to run it on our Dreamhost server, I get:
Pinterest error (code: 403) with message: Forbidden
I looked through the error documentation Pinterest supplies, but I can't find anything relating to 403 errors when retrieving oauth tokens.
The only two places I've seen mention of 403 errors when requesting oauth tokens from Pinterest's API have concluded that Pinterest is blocking the ips or the user agent string.
I've tried manually overriding the user agent string to no avail.
I've tried contacting Pinterest to find out if there is anything I'm missing and they directed me here.
Make sure the Dreamhost server is using an HTTPS URL e.g. is using TLS. That could be the reason why you get a 403.
Normally when a publicly-accessible directory requires basic HTTP authentication, the value of $_SERVER['HTTP_AUTHORIZATION'] and/or $_SERVER['REMOTE_USER'] (or $_SERVER['PHP_AUTH_USER'], etc) will be set and accessible to PHP once a valid username/password combination have been provided to the server.
For example, if http://www.example.com/members requires basic authentication, and a user successfully authenticates using the credentials myusername and mypassword by manually typing http://myusername:mypassword#www.example.com/members into their browser, the value of $_SERVER['HTTP_AUTHORIZATION'] would be something like:
Basic bXl1c2VybmFtZTpteXBhc3N3b3Jk
... and the value of $_SERVER['REMOTE_USER'] would simply be:
myusername
However if authentication is not required in the same directory, but the URL is still visited with the username/password inside of it, the values of the username/password don't seem to be set anywhere (running PHP 5.3.10 as CGI/FastCGI on Apache/2.2.22).
From within PHP (and/or .htaccess if necessary), when no authentication is required, is there a way to retrieve the values of the username (and/or password) that have been provided by a visitor who manually added them to the URL?
TLDR; As far as I can see that information is never sent to server so I claim it's not possible.
The way http authentication works if you have it set is that server sends a request for user/pass if it's not already set, and browser then adds that information in encoded form to a Authorization header and sends it to the server along with the request.
As specified in RFC 2617, describing Basic and Digest authentication mechanisms For basic authentication, server sends HTTP 401 Not Authorized status and WWW-Authenticate header fields to request this information. (RFC 2617, Access Authentication Framework)
With tests one can see that if authentication is never configured on the server to be required, server won't request authentication information from browser, and browser won't add user/pass information into the request. RFC does not mandate browser (user agent) to not pass that information, but says instead
A user agent that wishes to authenticate itself with an origin
server--usually, but not necessarily, after receiving a 401
(Unauthorized)--MAY do so by including an Authorization header field
with the request.
In practice, if you watch the sent headers you can see that if this information is requested by the server, it's sent in encoded form using Authorization header like specified by the RFC. However, if you're not using any authentication the request you send just doesn't seem to contain that information in any form. I've confirmed this with IE, Firefox and Chrome browsers myself.
If you want to test this yourself for your setup, this can be done for example using netcat like this:
First, run netcat on your server:
nc -l 8888
Then issue a request from your browser to http://testvalue:testvalue#yourdomain:8888/
As a result, observe from netcat output all the information that get sent to server, something like this:
GET / HTTP/1.1
Host: yourdomain:8888
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
There is no information about user or password anywhere. I claim that unless the server requests it, it won't be there.
The addition of user and password in a url using http(s)://user:pass#site.com has been disabled by at least Internet Explorer for several years now, as far as i know.
https://support.microsoft.com/en-us/kb/834489
So I am not sure if what you are trying to reach is even usefull. I think the browsers dont even pass that part of the url on anymore.
I am trying to use file_get_contents.I have made sure that allow_url_fopen is enabled in php.ini. As of now it is telling me:
[function.file-get-contents]: failed to open stream: HTTP request failed! HTTP/1.1 401 Unauthorized
All I'm doing is the following, which I can access through browser without a problem.
$url=('http://site/#api/users/=john_smith#site.com/properties');
$xmlString=file_get_contents($url);
I believe this is an authentication issue but not sure how I can supply the proper credentials from within the script itself. Any ideas would be greatly appreciated.
In your url try:
http://user:password#site/
(append whatever the rest of the URL for your API should be)
Just put the user info into the URL:
$url = 'http://user:password#domain.tld/foo/bar/whatever';
The 401 Unauthorized status code means that you should have authenticated, but that you haven't, or that you have authenticated with the wrong credentials. It is most commonly used when using HTTP authentication, which is authentication built into the HTTP protocol, and therefore is universal, not only for HTML documents, but for anything transfered over the HTTP protocol.
To authenticate with HTTP authentication, simply add username:password# before the hostname in the URL. For instance:
http://foobar:mysupersecretpassword#example.com/passwordprotected/
This would request the /passwordprotected/ directory from example.com with the username foobar and the password mysupersecretpassword.
It's not any worse than that. :)