I have implemented mod_auth_mellon in my apache httpd 2.4 webserver. I configured Mellon to authenticate when I try to access my oracle JET application.
So far all is good, when I go to http://example.com, I am redirected to my sso login page and after entering my credentials I am sent back to https://example.com.
My problem is that once I return to my application at https://example.com, I need to be able to access the Mellon-nameid attribute so I can retrieve user privilleges from a database talbe based on email address.
According to all the docs I have read, mod_auth_mellon stores the mellonUser attribute in the apache environment, and/or the response headers.
Also according to what I have read, there is no way in my JET application to access the apache environment variables, and so far I haven't found a way to examine the response headers to get the mellonUser from there either.
Is there an alternate way to access the MellonUser attribute? Can it be stored in teh Mellon cookie, or maybe put on the url as a query parameter?
Also any methods for accessing the headers would be appreciated as well.
Just posting here, even though it's an old thread.
So when you use Apache Mellon, you can supply the nameID in a header value. If you are using apache as a proxy, (I.E you successfully authenticated, now go through the proxy), the web server can access the nameID as an attribute. You can also pass whatever other SAML attributes you want (Assuming you already know how to do this, i'll leave this part out).
Now the problem is, that header value is something the web app (Backend) sees BEHIND the proxy. Javascript is ran client side, in the user's actual browser. So in this scenario it would not be able to see this value unless you tell the backend to send it forward.
As an example, if you setup Apache SAML and then have it proxy to a PHP app, and you have a page that simply dumps the headers:
<?php
foreach (getallheaders() as $name => $value) {
echo "$name: $value\n";
}
?>
OR:
<?php
var_dump($_SERVER);
?>
VIOLA, you can see the nameid and whatever other attributes! However, go to your web console, and poke around, or check out your headers... these will be different because you are getting headers from pre-proxy, while the webapp gets headers from the post-proxy.
So what can you do? In my php example, since PHP will parse first, you can grab the variable from the backend, and echo it into a script that will be ran after this is all done.
<script>
username = "<?php echo $YourHeaderNameID; ?>";
</script>
However, there is some danger to this as well. Client side Javascript and be easily modified. So if your username "johnsmith", and you wanted to change the website username to "joeschmoe", that would be trivial. You should probably have the backend provide whatever user information you require, and then use javascript to style, rearrange, do whatever with.
i'm facing the current problem: Since i'm under VPN, when i open a browser, a browser popup appears and ask me for the user and password credentials:
I need to open a browser in robot framework (firefox or chrome is the same) with a logged proxy.
I know that is possible to open a firefox instance with a proxy by using SeleniumLibrary Create Webdriver:
${proxy}= Evaluate selenium.webdriver.Proxy() modules=selenium, selenium.webdriver
${proxy.http_proxy}= Set Variable localhost:8888
Create Webdriver Firefox proxy=${proxy}
The problem is that it seems not possible to pass the credentials (user and password) for the proxy login.
Also, like most of the people suggest, i know that is possible to open the browser logged in with the proxy by using the url formatted like (in past i've also used that on different projects):
https://proxy_user:proxy_password#url_to_reach.com
but for some reason it doesn't work, i still have the browser popup asking me the credentials.
I've also tried by using Input Text Into Alert but it doesn't fill the alert fields:
Input Text Into Alert text=username action=LEAVE
I've also thought that maybe it is possible to do by using some preferencies with chrome or a profile with firefox but i've found nothing about this. Any other method by javascript?
Anyone can help? Thanks a lot
In my web based application login form is window popup ,so that its not possible to automate using selenium webdriver , i have tried using robot class but didn't get the result, can any one suggest a solution for it.
if its authentication then you can try sending username password in URL. Also take a look at AutoIT for such cases.
EDIT: It depends on the type of authentication like HTTP / HTTPS so on and so-forth
One example can be this: https://serverfault.com/questions/371907/can-you-pass-user-pass-for-http-basic-authentication-in-url-parameters/371918
What is the best way to check if a URL is valid in c?
i am launching url using windows api (ShellExecute) and it always launches default web browser, whether url is right or wrong.
I'm not concerned about establishing a connection, just validity. Is there a method for this?
You may want to use PathIsURL function from the Windows API.
There are two application servers and a switch. When i access application by using application server ip it works fine. However if i use switch ip in my url Bad request error throws up only for firefox and chrome for a few links only.
Here is a detailed explanation & solution for this problem from ibm.
Problem(Abstract)
Request to HTTP Server fails with Response code 400.
Symptom
Response from the browser could be shown like this:
Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
HTTP Server Error.log shows the following message:
"request failed: error reading the headers"
Cause
This is normally caused by having a very large Cookie, so a request header field exceeded the limit set for Web Server.
Diagnosing the problem
To assist with diagnose of the problem you can add the following to the LogFormat directive in the httpd.conf:
error-note: %{error-notes}n
Resolving the problem
For server side:
Increase the value for the directive LimitRequestFieldSize in the httpd.conf:
LimitRequestFieldSize 12288 or 16384
For How to set the LimitRequestFieldSize, check Increase the value of LimitRequestFieldSize in Apache
For client side:
Clear the cache of your web browser should be fine.
If you use Apache httpd web server in version above 2.2.15-60, then it could be also because of underscore _ in hostname.
https://ma.ttias.be/apache-httpd-2-2-15-60-underscores-hostnames-now-blocked/
I just deleted my stored cookies, site data, and cache from my browser...
It worked. I'm using firefox...
Make sure you url encode all of the query params in your url.
In my case there was a space ' ' in my url, and I was making an API call using curl, and my api server was giving this error.
Means the following url
http://somedomain.com?key=some value with space
should be
http://somedomain.com/?key=some%20value%20with%20space
THIS IS CAUSED BY TOO MANY COOKIES!
To SOLVE - Chrome: go into 'developer mode' -> ctrl + shift + i
On top you will see console, network and LITTLE BUTTON THAT LOOKS LIKE ARROWS >>> click on that for APPLICATION
On Left, under STORAGE, find COOKIES.
There will be little DOWN ARROW indicating a drop down, click on this.
now you will see the website something like: www.investing.com
RIGHT CLICK IT and select Clear
Reload.
Works!
Alternatively, clear cookies and cache in a traditional way, and it will work too.
In my case is a cookie-related issue, I had many cookies with extremely big values, and that was causing the problem.
You can replicate this issue here on stackoverflow.com, just open the console and type this:
[ ...Array(5) ].forEach((i, idx) => {
document.cookie = `stackoverflow_cookie${idx}=${'a'.repeat(4000)}`;
});
What is that?
I am creating 5 cookies with a string of length or value of 4000 bytes; then reload the page and you will see the same issue.
I tried it on google.com and you'll get the error but they automatically clear the cookies for you, which is a nice fallback to start fresh.
I was testing my application with special characters & was observing the same error. After some research, turns out the % symbol was the cause. I had to modify it to the encoded representation %25. Its all fine now, thanks to the below post
https://superuser.com/questions/759959/why-does-the-percent-sign-in-a-url-cause-an-http-400-bad-request-error
I'm a bit late to the party, but bumped in to this issue whilst working with the openidc auth module.
I ended up noticing that cookies were not being cleared properly, and I had at least 10 mod_auth_openidc_state_... cookies, all of which would be sent by my browser whenever I made a request.
If this sounds familiar to you, double check your cookies!
in my case:
in header
Content-Typespacespace
or
Content-Typetab
with two space or tab
when i remove it then it worked.
in my magento2 website ,show exactly the same error when click a product,
my solution is to go to edit the value of Search Engine Optimization - URL Key of this product,
make sure that there are only alphabet,number and - in URL Key,
such as 100-washed-cotton-duvet-cover-set,
deleting all other special characters ,such as % .
I got Bad Request, Your browser sent a request that this server could not understand
when I tried to download a file to the target machine using curl.
I solved it by instead using scp to copy the file from the source machine to the
target machine.
If you are getting this error on the WordPress website, check the below solution.
Corrupted Browser Cache & Cookies: Delete your Cookies and clear your cache
Restart your server
For GET Request make sure that passing parameters are url encoded.
if you are using php you can use urlencode function
If you have this same problem and none of the other solutions worked, please check again the url.
In my case it was a space in the end, when it was added to the Cronjob, someone also copied a blank space by accident.
check your data types are correct or not.
for ex: if you send the file, you need to consider to send the full object of the file