I have the following C# code that is attempting to make an https request to a specific url. If I change the URL to point to the QAS server, which is not https then all works fine. I have tried numerous combinations of settings, but nothing that I do seems to get this to work correctly. You can see several of the different combinations of things that I have done in the comments.
var request = (HttpWebRequest)WebRequest.Create(nextUrl);
request.AllowAutoRedirect = false;
request.UseDefaultCredentials = true;
request.KeepAlive = false;
//request.PreAuthenticate = true;
//request.Credentials = CredentialCache.DefaultNetworkCredentials;
//request.Credentials = new NetworkCredential("name", "pass", "domain");
ServicePointManager.ServerCertificateValidationCallback = AcceptAllCertifications;
HttpWebResponse response;
using (response = (HttpWebResponse)request.GetResponse())
{
//Do Something
}
Your code for the certificate callback looks incorrect, it should look:
ServicePointManager.ServerCertificateValidationCallback =
new RemoteCertificateValidationCallback(AcceptAllCertifications);
I'm assuming you have the proper method signature for the AcceptAllCertifications. Also the class you're utilizing if nextUrl is http it will default to unsecure, if it is https it will default to secure.
Related
We use a third party service which - when accessed via a browser - it yields this error :
OK - we should call them and probably tell them to fix this at their side.
But -
Question:
Looking at this simple C# code - Why don't I see any exception about this warning , or in other words - How can I make C# to reflect this warning or unsafe access ?
NB I already know that I can use a more advanced webrequest class using other class - But it doesn't matter for this question. (imho).
void Main()
{
Console.WriteLine(CreatePost("https://------", "dummy")); // No exception/warning here
}
private string CreatePost(string uri, string data)
{
HttpWebRequest request = (HttpWebRequest)
WebRequest.Create(uri); request.KeepAlive = false;
request.ProtocolVersion = HttpVersion.Version10;
request.Method = "POST";
byte[] postBytes = Encoding.GetEncoding("UTF-8").GetBytes(data);
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = postBytes.Length;
Stream requestStream = request.GetRequestStream();
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
// now send it
requestStream.Write(postBytes, 0, postBytes.Length);
requestStream.Close();
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
return new StreamReader(response.GetResponseStream(), Encoding.GetEncoding("UTF-8")).ReadToEnd();
}
Also - I know that browser url address is using GET (unlike the C# post verb) - but I don't think that they've redirected this action to a silenced warning)
You don't see any warning when accessing it via C# because Google Chrome is checking how the SSL is set up and putting the warning in the way to try and protect you (and users of said service). When you access it from C#, it never touches Chrome and so you don't get the warning.
You'll get a similar warning in a few other browsers, but it's not part of the response to the request you're making - just the browser trying to keep you safe.
You could manually check the signature algorithm in your code, and throw an exception if it's not what you deem "secure".
Edit: you can check the signature algorithm by adding a custom validation callback to ServicePointManager, something like this:
ServicePointManager.ServerCertificateValidationCallback =
new RemoteCertificateValidationCallback(
(sender, certificate, chain, errors) => {
var insecureAlgorithms = new List<String> { "SHA1" };
var sslCertificate = (X509Certificate2) certificate;
var signingAlgorithm = sslCertificate.SignatureAlgorithm;
if (insecureAlgorithms.Contains(signingAlgorithm.FriendlyName))
{
return false;
}
// do some other checks here...
return true;
}
);
We are using web service with basic authentication.
It all worked all fine, till owners of web service implemented balancing service.
Which is simply redirects requests to different instances of web service.
The problem is that after being redirected basic authentication fails.
There is "request authentication credentials was not passed" exception.
Additional info:
We have to create request manually.
var req = (HttpWebRequest)WebRequest.CreateDefault(new Uri(Settings.Default.HpsmServiceAddress));
req.Headers.Add("Authorization", "Basic aaaaaaaaaaa");
req.PreAuthenticate = true;
req.AuthenticationLevel = AuthenticationLevel.MutualAuthRequested;
req.UserAgent = "Apache-HttpClient/4.1.1 (java 1.5)";
req.KeepAlive = false;
ServicePointManager.Expect100Continue = false;
req.ContentType = "text/xml; charset=utf-8";
req.Method = "POST";
req.Accept = "gzip,deflate";
req.Headers.Add("SOAPAction", actionName);
byte[] buffer = Encoding.UTF8.GetBytes(envelop);
Stream stm = req.GetRequestStream();
stm.Write(buffer, 0, buffer.Length);
stm.Close();
WebResponse response = req.GetResponse();
string strResponse = new StreamReader(response.GetResponseStream()).ReadToEnd();
response.Dispose();
We are redirected with HTTP 307 redirect
Follow the MSDN for HttpWebRequest.AllowAutoRedirect Property i found this :
The Authorization header is cleared on auto-redirects and
HttpWebRequest automatically tries to re-authenticate to the
redirected location. In practice, this means that an application can't
put custom authentication information into the Authorization header if
it is possible to encounter redirection. Instead, the application must
implement and register a custom authentication module. The
System.Net.AuthenticationManager and related class are used to
implement a custom authentication module. The
AuthenticationManager.Register method registers a custom
authentication module.
Solution is to write a custom Authentication Module.
Here what i've found about it :
http://msdn.microsoft.com/en-us/library/system.net.authenticationmanager.aspx
And here the AllowAutoRedirect properties page :
http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.allowautoredirect.aspx
UPDATE
Can you try to use CredentialCache instead of add header to webrequest ?
CredentialCache myCache = new CredentialCache();
myCache.Add(
new Uri("http://www.contoso.com/"),"Basic",new NetworkCredential(UserName,SecurelyStoredPassword));
req.Credentials = myCache;
Indeed, CredentialCache is working correctly. However, if you would like to add multiple basic auth credentials (for example if there is redirection that you are aware of) you can use following function that I have made:
private void SetNetworkCredential(Uri uriPrefix, string authType, NetworkCredential credential)
{
if (request.Credentials == null)
{
request.Credentials = new CredentialCache();
}
if (request.Credentials.GetCredential(uriPrefix, authType) == null)
{
(request.Credentials as CredentialCache).Add(uriPrefix, authType, credential);
}
}
I hope it will help somebody in the future.
I am trying to do a https GET to JustOneDB it works if I do it from the curl utility. But its NOT working from C#.
I get (400) Bad Request
I searched around and disabled security and all that but its still not working. Any ideas?
Has anyone done this w/ rest and JustOneDB?
This works along w/ all the other rest examples:
curl -k -XGET 'https://username:password#77.92.68.105:31415/justonedb/database/database name'
This DON'T work: I Dummied the string to remove my passcode.
public ActionResult JustOneDb()
{
///////////
HttpWebRequest request = null;
HttpWebResponse response = null;
try
{
String Xml;
//curl -k -XGET 'https://zn0lvkpdhdxb70l2_DUMMY_urshn5e7i41lb3fiwuh#77.92.68.105:31415/justonedb/database/n10lvkpdhdxei0l2uja'
string url = #"https://zn0lvkpdhdxb70_DUMMY_urshn5e7i41lb3fiwuh#77.92.68.105:31415/justonedb/database/n10lvkpdhdxei0l2uja";
request = (HttpWebRequest)WebRequest.Create(url);
request.Method = "GET";
request.Credentials = CredentialCache.DefaultCredentials;
// Ignore Certificate validation failures (aka untrusted certificate + certificate chains)
ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);
// Get response
using (response = (HttpWebResponse)request.GetResponse())
{
// Get the response stream
StreamReader reader = new StreamReader(response.GetResponseStream());
Xml = reader.ReadToEnd();
}
return Content(Xml);
}
catch (Exception ee)
{
return Content(ee.ToString());
}
//////////////
ViewBag.fn = "*.xml";
return View();
}
Results:
System.Net.WebException: The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.GetResponse()
at Mvc3Razor.Controllers.MyXmlController.JustOneDb() ...
TIA
FxM :{
Instead of passing the username password in the url, you should create the correct credentials with "username" and "password". You might also want to consider using something like RestSharp instead of the raw WebRequest.
There was a mismatch with the certificate, which has been fixed. It is still self-signed, but now the hostname matches. We will be changing to use a fully signed certificate soon, but in the mean time please let me know if it works with just the self-signed override.
Ok, I copied the code, and the problem is that the HttpWebRequest library is not adding the authentication header in the original request. The solution is to insert the header manually, so if you add the following two lines after the 'request.Method = "GET" line (and remove the username/password from the URL string):
string authInfo = "zn0lvkpdhdxb70l2_DUMMY_urshn5e7i41lb3fiwuh";
request.Headers["Authorization"] = "Basic " + Convert.ToBase64String(Encoding.Default.GetBytes(authInfo));
It should work correctly.
I am trying to write code that will authenticate to the website wallbase.cc. I've looked at what it does using Firfebug/Chrome Developer tools and it seems fairly easy:
Post "usrname=$USER&pass=$PASS&nopass_email=Type+in+your+e-mail+and+press+enter&nopass=0" to the webpage "http://wallbase.cc/user/login", store the returned cookies and use them on all future requests.
Here is my code:
private CookieContainer _cookies = new CookieContainer();
//......
HttpPost("http://wallbase.cc/user/login", string.Format("usrname={0}&pass={1}&nopass_email=Type+in+your+e-mail+and+press+enter&nopass=0", Username, assword));
//......
private string HttpPost(string url, string parameters)
{
try
{
System.Net.WebRequest req = System.Net.WebRequest.Create(url);
//Add these, as we're doing a POST
req.ContentType = "application/x-www-form-urlencoded";
req.Method = "POST";
((HttpWebRequest)req).Referer = "http://wallbase.cc/home/";
((HttpWebRequest)req).CookieContainer = _cookies;
//We need to count how many bytes we're sending. Post'ed Faked Forms should be name=value&
byte[] bytes = System.Text.Encoding.ASCII.GetBytes(parameters);
req.ContentLength = bytes.Length;
System.IO.Stream os = req.GetRequestStream();
os.Write(bytes, 0, bytes.Length); //Push it out there
os.Close();
//get response
using (System.Net.WebResponse resp = req.GetResponse())
{
if (resp == null) return null;
using (Stream st = resp.GetResponseStream())
{
System.IO.StreamReader sr = new System.IO.StreamReader(st);
return sr.ReadToEnd().Trim();
}
}
}
catch (Exception)
{
return null;
}
}
After calling HttpPost with my login parameters I would expect all future calls using this same method to be authenticated (assuming a valid username/password). I do get a session cookie in my cookie collection but for some reason I'm not authenticated. I get a session cookie in my cookie collection regardless of which page I visit so I tried loading the home page first to get the initial session cookie and then logging in but there was no change.
To my knowledge this Python version works: https://github.com/sevensins/Wallbase-Downloader/blob/master/wallbase.sh (line 336)
Any ideas on how to get authentication working?
Update #1
When using a correct user/password pair the response automatically redirects to the referrer but when an incorrect user/pass pair is received it does not redirect and returns a bad user/pass pair. Based on this it seems as though authentication is happening, but maybe not all the key pieces of information are being saved??
Update #2
I am using .NET 3.5. When I tried the above code in .NET 4, with the added line of System.Net.ServicePointManager.Expect100Continue = false (which was in my code, just not shown here) it works, no changes necessary. The problem seems to stem directly from some pre-.Net 4 issue.
This is based on code from one of my projects, as well as code found from various answers here on stackoverflow.
First we need to set up a Cookie aware WebClient that is going to use HTML 1.0.
public class CookieAwareWebClient : WebClient
{
private CookieContainer cookie = new CookieContainer();
protected override WebRequest GetWebRequest(Uri address)
{
HttpWebRequest request = (HttpWebRequest)base.GetWebRequest(address);
request.ProtocolVersion = HttpVersion.Version10;
if (request is HttpWebRequest)
{
(request as HttpWebRequest).CookieContainer = cookie;
}
return request;
}
}
Next we set up the code that handles the Authentication and then finally loads the response.
var client = new CookieAwareWebClient();
client.UseDefaultCredentials = true;
client.BaseAddress = #"http://wallbase.cc";
var loginData = new NameValueCollection();
loginData.Add("usrname", "test");
loginData.Add("pass", "123");
loginData.Add("nopass_email", "Type in your e-mail and press enter");
loginData.Add("nopass", "0");
var result = client.UploadValues(#"http://wallbase.cc/user/login", "POST", loginData);
string response = System.Text.Encoding.UTF8.GetString(result);
We can try this out using the HTML Visualizer inbuilt into Visual Studio while staying in debug mode and use that to confirm that we were able to authenticate and load the Home page while staying authenticated.
The key here is to set up a CookieContainer and use HTTP 1.0, instead of 1.1. I am not entirely sure why forcing it to use 1.0 allows you to authenticate and load the page successfully, but part of the solution is based on this answer.
https://stackoverflow.com/a/10916014/408182
I used Fiddler to make sure that the response sent by the C# Client was the same as with my web browser Chrome. It also allows me to confirm if the C# client is being redirect correctly. In this case we can see that with HTML 1.0 we are getting the HTTP/1.0 302 Found and then redirects us to the home page as intended. If we switch back to HTML 1.1 we will get an HTTP/1.1 417 Expectation Failed message instead.
There is some information on this error message available in this stackoverflow thread.
HTTP POST Returns Error: 417 "Expectation Failed."
Edit: Hack/Fix for .NET 3.5
I have spent a lot of time trying to figure out the difference between 3.5 and 4.0, but I seriously have no clue. It looks like 3.5 is creating a new cookie after the authentication and the only way I found around this was to authenticate the user twice.
I also had to make some changes on the WebClient based on information from this post.
http://dot-net-expertise.blogspot.fr/2009/10/cookiecontainer-domain-handling-bug-fix.html
public class CookieAwareWebClient : WebClient
{
public CookieContainer cookies = new CookieContainer();
protected override WebRequest GetWebRequest(Uri address)
{
var request = base.GetWebRequest(address);
var httpRequest = request as HttpWebRequest;
if (httpRequest != null)
{
httpRequest.ProtocolVersion = HttpVersion.Version10;
httpRequest.CookieContainer = cookies;
var table = (Hashtable)cookies.GetType().InvokeMember("m_domainTable", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.GetField | System.Reflection.BindingFlags.Instance, null, cookies, new object[] { });
var keys = new ArrayList(table.Keys);
foreach (var key in keys)
{
var newKey = (key as string).Substring(1);
table[newKey] = table[key];
}
}
return request;
}
}
var client = new CookieAwareWebClient();
var loginData = new NameValueCollection();
loginData.Add("usrname", "test");
loginData.Add("pass", "123");
loginData.Add("nopass_email", "Type in your e-mail and press enter");
loginData.Add("nopass", "0");
// Hack: Authenticate the user twice!
client.UploadValues(#"http://wallbase.cc/user/login", "POST", loginData);
var result = client.UploadValues(#"http://wallbase.cc/user/login", "POST", loginData);
string response = System.Text.Encoding.UTF8.GetString(result);
You may need to add the following:
//get response
using (System.Net.WebResponse resp = req.GetResponse())
{
foreach (Cookie c in resp.Cookies)
_cookies.Add(c);
// Do other stuff with response....
}
Another thing that you might have to do is, if the server responds with a 302 (redirect) the .Net web request will automatically follow it and in the process you might lose the cookie you're after. You can turn off this behavior with the following code:
req.AllowAutoRedirect = false;
The Python you reference uses a different referrer (http://wallbase.cc/start/). It is also followed by another post to (http://wallbase.cc/user/adult_confirm/1). Try the other referrer and followup with this POST.
I think you are authenticating correctly, but that the site needs more info/assertions from you before proceeding.
Users are authenticating to a REST WCF Service (my own). The credentials are sent through AJAX with Javascript and JSON format. The service reply with a OK and little info (redirect url) to the client, when authenticated.
Now, There are a new method provided for external authentication, and I have to create a compact code snippet that are easy to paste & run inside a asp.net code file method.
A typical wcf request could end up like this,
http://testuri.org/WebService/AuthenticationService.svc/ExtLogin?cId=197&aId=someName&password=!!pwd
My code snippet so far,
protected void bn_Click(object sender, EventArgs e)
{
WebHttpBinding webHttpBinding = new WebHttpBinding();
EndpointAddress endpointAddress = new EndpointAddress(url);
ContractDescription cd =
ContractDescription.GetContract(typeof(IAuthenticationService));
ServiceEndpoint sep = new ServiceEndpoint(cd);
sep.Behaviors.Add(new WebHttpBehavior());
sep.Address = endpointAddress;
sep.Binding = webHttpBinding;
var resp = new ChannelFactory<IAuthenticationService>(sepREST).CreateChannel();
LoginResult result = resp.ExtLogin(cId, aId, hashPwd);
Response.Redirect(result.RedirectUri);
// I.e. http://testuri.org/Profile.aspx (Require authenticated to visit)
}
I recieve correct authenticated reply in the resp/result objects. So, the communication are fine. When redirecting to the actual website, I'm not authenticated. I can't locate the problem? If I take the URI above (with valid credentials) and paste into my Webbrowser URL, and then manually type the uri, i'm authenticated.
I've spent a day searched the net for this, without success.
There are a LOT of info but none seem to apply.
What am I missing?
I also tried another approach but the same problem persist.
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uriWithParameters);
CookieContainer cookieContainer = new CookieContainer();
request.CookieContainer = cookieContainer;
request.ContentType = "application/json";
request.Accept = "application/json";
request.Method = "GET";
string result;
using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
using (Stream stream = response.GetResponseStream())
using (StreamReader reader = new StreamReader(stream, Encoding.UTF8))
result = reader.ReadToEnd();
JavaScriptSerializer jsonDeserializer = new JavaScriptSerializer();
LoginResult contact = jsonDeserializer.Deserialize<LoginResult>(result);
Response.Redirect(result.RedirectUri);
I'm not sure about this answer, but will offer it anyway as nobody else has posted:
I think it's because the request that has been authenticated is the request sent via code.
When you redirect it's a totally different request - so is still not authenticated.
All authentication techniques require some way of maintaining the authenticated state across 'stateless' requests = session cookies or some kind of authentication token.
Whatever token you get back from the call to the authentication service needs to be available to your website requests as well - dumping the token from the request into a cookie might be an option.
Can you see (in something like Fiddler) an auth token being sent as part of the request to 'RedirectUrl'?