Ok so I've read multiple articles on my topic but none seem to help. I'm trying to accomplish the same thing this guy wanted in this article here.
I used the example stated in the answer (https://{yourserver}/defaultcollection/_apis/git/repositories?api-version=1.0 ) in an angular http get request but I'm getting a 401 error saying the credentials i supplied were not valid.
I then downloaded curl and supplied the following command "curl -u username:password http://{myserver}/defaultcollection/_apis/git/repositories?api-version=1.0" and the result came back the same, html saying i do not have valid credentials. Can someone point me in the right direction so I can pull the projects root branch and childrens branches and data along with it?
Essentially I am searching for a way to pull data from the server and display it on my web app. I'll need branches names and history for each branch and child branch.
Update
So I'm now able cURL into this service using the --ntlm switch that Richard recommended. Now to actually get my app connected to the service I found that I could pass windows credentials using:
withCredentials:true
It no longer gives me a 401 error. Instead I am not getting a new error stating:
XMLHttpRequest cannot load http://{servername}/{defaultcollection}/_apis/projects?api-version=1.0. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
What are my next steps to get this working?
Solution
I took what Richard suggested and created my own asp.net web api to communicate with tfs. I was able to modify the web.config file to allow CORS. I added the following lines to the system.webServer section of the file.
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
Doing this has resolved the error message I was receiving and creating a simple api to get specific information was not too hard to do. Thanks for all the help.
In your curl command add --ntlm as an option.
The command should be as follows:
curl -u username:password --ntlm http://{myserver}/defaultcollection/_apis/git/repositories?api-version=1.0
Be aware that the API doesn't currently support CORS. This means you can make API calls from your own server side code without a problem, but you can't make the calls directly from a browser. There's a UserVoice suggestion to enable this that you can vote for.
Related
I am getting this error when my payment gateway is redirecting user to my react application. Same code works on firebase hosting and doesn't give the error. Redirection url is a POST request
I tried various solutions from Asp.NET Web API - 405 - HTTP verb used to access this page is not allowed - how to set handler mappings
removed WebDav
Assuming there is no CORS issue here.
The issue is the call back to your site is a Post request along with data. Client application's index.html hosted inside IIS is not able to understand how to handle a post request to a html page. You will have to specifically make an entry in Handler Mapping section of IIS configurations.
Inside Request Restrictions add the HTTP Methods you want it for or allow all verbs if it is a specific case.
Or you can directly put it in your web.config with what all verbs you want to allow, as in below snippet
<add name="html" path="*.html" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="None" />
On the Request Filtering page, switch to the "HTTP Verbs" tab - if you see that "POST" has "Allowed" set to False, this is the cause. Remove this entry or changing it to explicitly be allowed will fix the issue.
I have a nodejs express server running on app engine.
If i make a GET request to https://astral-pursuit-252600.appspot.com/users in the browser it works fine to say unauthorized (401).
If I do the same GET request in postman it returns 400 bad request.
Is there any obvious reason why this is occurring?
This is a known issue with postman. This tool sends certain headers by default that you cannot remove. App Engine does not like them for some reason. I had to use the Insomnia tool instead which does not include default headers.
The first thing that I can think about is that, in order to do an API call, you need to use an API key in your request. You should create one, after that you need to obtain an access token. Your requests should be send to an address like https://astral-pursuit-252600.appspot.com/users?key=YOUR_API_KEY and include in your request a header to contain the access token. Something like this : --header 'authorization: Bearer YOUR_ACCESS_TOKEN'.
In order to do that I do not think you need to change manually each request, but you need to change some POSTMAN settings. You can find here a guide with exactly what setting should be changed for this use case.
You can see more details about this topic and a more detailed guide for doing an API calls here.
In case this was not the issue, could you please provide me your POSTMAN settings? I am pretty sure this is about the way POSTMAN does the requests anyway.
I'm testing an application on Google App Engine.
I use the Flexible environment with a custom python runtime.
In my application I need a "session.id" header on HTTP requests.
My web application code extracts the value of session.id and validates it, if it's invalid or missing the web application returns HTTP 401.
When I issue a HTTP POST to my GAE web application using curl and setting the header, e.g.:
curl -v -X POST --data "echo" -H "session.id: someweirdandlargestring" https://*****.appspot.com/echo
it seems GAE proxy removes the "session.id" header, then the web app returns 401. If I send "session.id" as a Cookie everything works fine and the server returns 200. I've debugged the application and the header does not reach the web application.
I've read the docs (https://cloud.google.com/appengine/docs/flexible/python/how-requests-are-handled) and they describe headers that are expected to be removed or added from requests before they reach our actual server. But they say:
For security purposes, some headers are sanitized or amended by intermediate proxies before they reach the application.
What makes believe me GAE is removing the HTTP header I've set.
My questions:
Is this an expected behavior from GAE?
What would you suggest to fix it? In order words: how to make my header entry to reach the web server application code?
Note that using a cookie is not an option in short term.
As #viz has suggested I've tested a header name without the dot. It works.
If I use, let's say, "sessionid", then the header reaches the server.
GAE web servers are discarding malformed http headers.
The best I've found about HTTP header conventions are on NGINX docs http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers:
Valid names are composed of English letters, digits, hyphens, and possibly underscores
If this can help, please let me bring this September 21 update, as I bumped intot he same issue for PHP7, which GAE was seemingly discarding my "api_secret" header for (not really RFC-ish, it is?). I deployed a little debugging tool which dumped the headers, and carried on experiments.
Outcome:
headers are forced to camel case;
apisecret became Apisecret;
api-secret became Api-Secret;
api.secret was discarded;
I finally chose X-Api-Secret, to be in line with RFC2047 recommendation for user-defined headers.
I access a server that I can change in any way. It is only available to me.
GETS / POSTS work in curl, but I get an error in my angular web app
I read a ton of posts about this, and after nothing seemed to work, I installed the CORS extension to Chrome, added *://*/*, and I have to turn it on anytime I'm trying to access the server. But it works.
Most of the posts say this is because the server does not allow access from outside sources. So I did some more digging and found the W3 CORS enabled site, that specifies a filter must be added.
However, when I get the error, I can open the network panel and see that the response came back exactly as I was expecting, so why did I get an error?
This makes it seem like Chrome is not allowing access.
Why must the server be changed to allow this?
Does this mean anyone with this chrome extension can access my server?
It seems like it should be possible to configure a header in my $http.get that would allow this, but everyone keeps saying its the server...
Cross domain calls are not allowed by default. When the browser makes a call to a website or Web-API sitting on a different domain than the domain opened on the browser, it includes a HTTP header "Origin" in the request. The server looks at this header and if it's white-listed it includes the header Access-Control_Allow_Origin in the response. All this happens in a pre-flight request using HTTP Options method before the actual GET/POST call. So for the CORS to work the server has to allow the client domain, so the browser can make further calls.
I'm trying to setup an dataimport-scheduler for solr, everything's working and the deltaimport url is called every 30 minutes, the only problem is I'm using jetty and activated authentication in jetty.xml so the dataimport_scheduler gets:
<index update process> Response message Unauthorized
(saw in log file), How can I solve this?
The DataImportScheduler needs to have access to your solr/dataimport url via http. The error you see in the log file is because of the authentication you added. As far as I know the DataImportScheduler doesn't support authentication out of the box, but it should be easy to add it to the code.
Unfortunately it doesn't use http-client, which would have made things a bit easier and flexible I guess, but you can have a look at this answer to find out how to add http basic authentication to http calls made through the HttpURLConnection class.