I have a webpage which is windows forms authenticated ,and i want to download a copy of this page's HTML in to my server, when user request this page. I have tried something like this
using (WebClient client = new WebClient())
{
string htmlCode = client.DownloadString("http://aksphases:200/lynliste.aspx");
}
which doesn't gives me correct result because of the URL I had passes to system creates new session.And in that case i need to authenticate this web-request,which I can't do.Only way to authenticate this webpage is that user log in manually(I know ways to authenticate werequests by code,but I can't try that here for some special reasons). Is there any other way for me to download current page's HTML which is running in in browser with out authenticating the URL.
You could send the current forms authentication cookie along with the request:
using (WebClient client = new WebClient())
{
client.Headers[HttpRequestHeader.Cookie] =
System.Web.HttpContext.Current.Request.Headers["Cookie"];
string htmlCode = client.DownloadString("http://aksphases:200/lynliste.aspx");
}
This way we are basically transferring the current HTTP request cookies to the remote HTTP call.
If the web server does not allow anonymous access then there is no way around - you must authenticate yourself with the web site.
However, contrary to your belief that log on operation has to be done manually, it can be done via code also. In case of windows authentication, pass credentials via Credentials property. For Forms authentication, you need to POST log-on credentials to login page and then use the authentication cookie from the response in subsequent request (Use tool such fiddler to inspect request/responses from browser to replicate same within your code).
Related
I want to access NiFi and do some actions through external web application created in C# using proxy user request. For that,
I have created C# web application and hosted as secure connection(https).
I need to access NiFi components using its REST API service without authorization token. Added C# web application certificate into NiFi truststore and added certificate name as user (CN=machineName) in NiFi. Also, added "proxy user request" policy for the newly added user.
In C# web application, added "X-ProxiedEntitiesChain = <username>" in header while requesting NiFi API. But it returns "unknown user" error in response. Please find the sample code below,
var httpWebReq=(HttpWebRequest)WebRequest.Create("https://testhost:8080/nifi-api/access");
httpWebReq.Headers["X-ProxiedEntitiesChain"] = "<username>";
httpWebReq.Method = "GET";
var response = (HttpWebResponse)httpWebReq.GetResponse();
var responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();
return responseString;
Based on the available information the most likely problem is that you are not using a properly authorized user.
Check that you are using the proper username, and confirm that it is actually authorized for access.
(And of course make sure you don't just pass the string "username")
I am writing an app that will talk with Salesforce. Salesforce provides access to APIs via OAuth. I've been attempting to go through the OAuth authentication process described here. Currently, I'm attempting to authorize my app. I have the following code.
// Ask Salesforce for a request token
var request = (HttpWebRequest)(WebRequest.Create(String.Format("https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id={0}&redirect_uri=http://localhost:5004/home/AuthCallback", CONSUMER_KEY)));
request.Method = "POST";
request.ContentType = "application/json";
// Retrieve the request token from the response
var response = (HttpWebResponse)(request.GetResponse());
using (StreamReader reader = new StreamReader(response.GetResponseStream()))
{
string accessCodeData = accessCodeReader.ReadToEnd();
}
This code is triggered when a user clicks a button in my ASP.NET MVC view. When executed, this code calls to Salesforce. I see a request in fiddler. The request header looks like this:
POST /services/oauth2/authorize?response_type=code&client_id={consumerKey}&redirect_uri=http://localhost:5004/home/AuthCallback HTTP/1.1
I am in fact passing my consumer key, I'm just removing it from the example. Regardless, this request returns a 302, with a body size of 0. I might be misunderstanding something. However, I was expecting to get a request token. I was then going to use the request token to get the access token.
What am I doing wrong?
You are misusing the API.
Take a closer look at the sequence diagram at their page (under Obtaining an Access Token): in the auhorization_code flow you are supposed to redirect the browser to their page so that the user sees the login page, provides his/her credentials and you get the token back. Instead, you are trying to POST there using a web request from your server.
This particular flow belongs then to the passive flows group, this group is intended to be used in browser apps, your server redirects the browser to their server and you basically get the response to the uri passed in the redirect_uri parameter and this should point back to your application at your server.
There are other flows, of them one is suited for non-browser apps, it is called resource owner password flow. In this flow it is your application that hosts the login UI and you send the username/password to the authorization server and you get the token back. It is to be read in their docs however whether this flow is supported.
Read more here: http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
Take a look how I handle the OAuth2 flow to Google, using the DotNetOpenAuth library. This is a direct solution, applying it to any other provider should be straightforward.
http://www.wiktorzychla.com/2014/11/simple-oauth2-federated-authentication.html
I am trying to download content of a page and convert it to a PDF using HiQPdf, however the page I am trying to access requires login permissions. When I run the code to try and download the content it displays the login page saying you do not have authentication to access this page.
Is it possible to send authentication with HiQPfd?
I was thinking of sending a parameter which lets you view the data temporally but any user could abuse this to view other users data
htmlToPdfConverter.Authentication.Username = "username";
htmlToPdfConverter.Authentication.Password = "password";
I was thinking that I could have the page accept two parameters, username and password and if they are authenticated, give access to the page.
Check out the FAQ: http://www.hiqpdf.com/FAQs.aspx
Once a user is authenticated, Forms Authentication maintains an authentication ticket in a cookie or in the URL so that an authenticated user does not need to supply credentials with each request. When you are already authenticated and you want to convert a page of the same application you can simply set the authentication cookie before converting the web page. The converter can be set to send the authentication cookie to the web server. A simple code to create a HTML to PDF converter object, set the forms authentication cookie and convert an URL to a memory buffer is given below:
HtmlToPdf htmlToPdfConverter = new HtmlToPdf();
htmlToPdfConverter.HttpCookies.AddCookie(
FormsAuthentication.FormsCookieName,
Request.Cookies[FormsAuthentication.FormsCookieName].Value
);
I have a ASP.NET Web API server application and Javascript frontend.
The way Im implementing authentication is by using a Token that is sent and received in the HTTP Response Headers.
When the users log into the application, my server will send back to the client a JSON object with a session Token. The javascript client then stores that in a browser cookie.
Every call that the javascript client makes to the server, the token is sent in to a custom header so the server can decrypt that and validate it in the database so it know if its a valid session.
Everything works great here, If I need to secure that part then adding a SSL will help.
Now, there are calls in the app that I need to use an IFrame so I set the src property to the web api method I need to call.
It's not possible to add a custom HTTP Header when using IFrame, just a simple URL into src property
Of course using this there is no way to send a custom header so what I did was to append a parameter into the scr url like this:
<iframe scr="/api/report/GenerateReport?sessionUid=" + getCookie('sessionuid') ></iframe>
This is my web api method that receives the sessionUid as a parameter.
[HttpGet]
public HttpResponseMessage GenerateReport(string sessionUid) {
// validates session
bool validSession = common.ValidateSession(sessionUid);
if (validSession) {
// do some stuff here
}
}
My question is... how can I secure my token, because if someone steals the sessionuid he then can call all the HttpGet methods that receives sessionUid as a parameter?
Any clue?
If your website is not using SSL, then you cannot 100% secure the communication between your website and user's browser.
Attackers usually hijack you whole HTTP package, including HTTP headers, put session in HTTP header is not enough for security.
The answer to your specific question is to encrypt the querystring parameters.
Similar to the CSV file which can be downloaded from http://download.finance.yahoo.com/d/quotes.csv?s=RHT . How can I downloada file which requires authentication?
I can simply use
My.Computer.Network.DownloadFile("http://download.finance.yahoo.com/d/quotes.csv?s=RHT,MSFT,NOVL&f=sl1c1d1&e=.csv", "h:\s.csv")
To download the file which is available in public. I tried setting the username and password as per the MSDN documentation but all I get is the HTML content of the login page.
If the site uses Cookie based authentication, you'll need to post the login details to the server, collect the cookies, then pass them up on the request for the file.
That's not as easy as it sounds...
There's an example here
http://blogs.msdn.com/dgorti/archive/2005/08/16/452347.aspx
Phil
It all depends on whether or not the web site will interpret your username/password when you provide it in your HTTP request. Some sites/protocols will, and others won't.
Here's an article that shows how you can download with the WebRequest class.
Downloading Files with the WebRequest and WebResponse Classes
All you need in addition to this article is adding your username/password to the WebRequest. You can do it like this:
// Create a request for the specified remote file name
WebRequest request = WebRequest.Create(remoteFilename);
if (request != null)
{
string username = "your username";
string password = "your password";
request.Credentials = new System.Net.NetworkCredential(username, password);
...
}
Unfortunately, if using this method doesn't work, then Yahoo's finance page doesn't allow providing a username/password automatically, and you'd have to login "the old fashioned way" to be able to download your file.
It sounds like the site you are working with is using forms authentication. Unless you have access to a version that uses realm authentication you will probably need to use HttpWebRequest and fake POST request to the site while you have a CookieContainer so you can retain the token. Then you would be able to include that token in a get request to download the CSV file.