I am trying to perform some SSL certificate checking that isn't done in the default AFSecurityPolicy (even with various flags set).
I have subclassed AFSecurityPolicy and am returning NO from evaluateServerTrust:forDomain: for testing purposes. I have verified that my class is being called.
AFNetworking's NSURLConnectionDelegate is in the class AFURLConnectionOperation. In the delegate callback, after I return NO, it is calling
[[challenge sender] cancelAuthenticationChallenge:challenge];
The HTTP request completes and I am getting the expected data from the server.
I would expect the HTTP request to not be made after the authentication challenge is cancelled.
Related
We are using the following stack :
Kotlin 1.6.0 running on JVM 11
com.netflix.graphql.dgs:graphql-dgs-spring-boot-starter 5.0.4
com.netflix.graphql.dgs:graphql-dgs-subscriptions-websockets 5.0.4
com.netflix.graphql.dgs:graphql-dgs-subscriptions-websockets-autoconfigure 5.0.4
org.springframework.boot:spring-boot-starter-security 2.6.7
org.springframework.boot:spring-boot-starter-oauth2-resource-server 2.6.7
We are authenticating using the Google Identity Platform from the client side and passing the resulting Bearer token to the DGS API.
The pure HTTP requests (DgsQuery, DgsMutation) are able to extract the processed/validated token without an issue - and we are able to determine the userId from this.
Expected Results
When calling a subscription graph call we are expecting to extract the same details from the processed Bearer token - so we can then utilise the User Identification within the business logic.
Actual Results
The SecurityContextHolder returns an authorization value that is null. And passing in an invalid token still correctly returns subscribed results, suggesting that the subscription endpoint is not being hooked into the JWT authentication at all.
Question
What would be the recommended approach in providing the same authentication behavior and availability of Security Context to Subscriptions as is available to both DGSQuery and DGSMutation annotated functions?
From research - I understand that this needs to be performed in the initial handshake and then saved to the session.
Worth mentioning - that when calling the server from the GraphiQL UI - therefore using the newest protocol - the authentication occurs and the Security Context is populated with the correct information. However, this then fails with "Trying to execute subscription on /graphql. Use /subscriptions instead!" - which is to be expected with the incompatible client/server versions.
Protocol: A standard to define a method of exchanging data over a network.
If a browser wants to communicate with a server, it has to create an HTTP request and send that HTTP request to the server to convey its request of resources and options. The server receives the request and process it and do the needful and create an HTTP response to send to the browser. The browser has to follow the HTTP specification in creating the HTTP request. The server also has to follow the HTTP specification in creating the HTTP response. This is how the communication between the browser and the server happens in a standard way to avoid conflicts by following the HTTP protocol.
Json Wire Protocol: A client has an object that has to be sent to a server. The client converts this object into a JSON object and sends it to the server. The server parses the JSON object and converts it back to object for use. The server converts the response object into a JSON object and sends it back to the client. The client then converts the JSON object to object for use.
Why the later is called as Json Wire Protocol?
You are pretty correct both about Protocol and JsonWireProtocol. At this point it is worth to mention that, earlier all implementations of WebDriver that communicated with the browser, or a RemoteWebDriver server shall use a common wire protocol. This wire protocol defines a RESTful web service using JSON over HTTP.
JSON Wire Protocol is an abstract specification of how automation behavior like clicking or typing or whatever you actually want to do with your automation script is mapped to selenium or appium or HTTP requests and response. The protocol will assume that the WebDriver API has been "flattened", but there is an expectation that client implementations will take a more Object-Oriented approach, as demonstrated in the existing Java API. The wire protocol is implemented in request/response pairs of "commands" and "responses".
What is JSON Wire protocol?
JSON (JavaScript Object Notation) is a lightweight format for data exchange between client and server. Applications use JSON objects to send and receive data between each other in the web world. JSON data structure is industry standard and can be used for sending and receiving data as Key & Value pair. Some people say its a very nice alternative for XML. We can save JSON files as .json extension.
How JSON looks like?
A simple json file looks like below and there are many online editors which can be used to edit and verify JSON structure.
{
"Student":{
"FirstName":"Pawan",
"LastName":"Garia",
"IdNumber":"12345",
"City" : "New Delhi",
"EmailID" : "email#gmail.com" }
}
Why JSON Wire Protocol was used in first place?
To implement a client-server architecture which can give us the following benefits.
You write test in any programming language.
You can perform or run test on cloud services like SauceLabs, BrowserStack or Selenium Grid setup.
You are not bound to run test only on the local machine.
Different Drivers(FirefoxDriver, ChromeDriver) can be crated for browsers and separate implementation by using the same standards.
So client-server implementation requires a standard set of the specification beforehand so that Server and Client should be in sync with each other in term of what is coming and going on request and response. It’s something like a language of communication with each other. So we need some common specification to solve this kind of requirement and the solution was HTTP.
Why HTTP is the solution?
HTTP is a standard for web and can be a good base for the specification. Every programming language has a good HTTP libraries which can be used for creating client and server for request and response calls.
How JSON Wire protocol worked with HTTP?
HTTP request and response are generally made of GET and POST requests which is out of scope for this discussion.
Current status
From Selenium perspective, JSON Wire Protocol is obsolete now and the WebDriver W3C Living Document is the new implementation.
WebDriver Communication
The WebDriver protocol is organised into commands. Each HTTP request with a method and template defined in the specification represents a single command and hence each command produces a single HTTP response. In response to a command, the remote end will run a series of actions known as remote end steps. These provide the sequences of actions that a remote end takes when it receives a particular command.
Command Processing
The remote end is an HTTP server reading requests from the client and writing responses typically over a TCP socket. In the specification the communication is modeled as the data transmission between a particular local end and remote end with a connection to which the remote end may write bytes and read bytes. The exact details of how this connection works and how it is established is a bigger topic and out of scope for this question. After a connection has been established, the remote end must read bytes from the connection until a complete HTTP request can be constructed from the data. If it is not possible to construct a complete HTTP request, the remote end must either close the connection, return an HTTP response with status code 500, or return an error with error code unknown error.
Outro
Difference between JsonWireProtocol mechanisms and the new standards in W3C Living Document when using Selenium
I was checking the files in the controllers of web module in both OpenERP-7.0 and OpenERP-6.1. Then I found that 6.1 uses jsonrequest (#openerpweb.jsonrequest) 7.0 uses httprequest (#openerpweb.httprequest). What is the difference between the two ?
I didn't look at OpenERP v7 but OpenERP v6.1 uses both - HttpRequest and JsonRequest. I suppose it's the same for OpenERP v7...
Both of them are about communication between client and server. HttpRequest communicates trough the well known GET and POST methods. That means the following:
The client send a request encoded in the url (GET method) or in the http body (POST method)
The server returns an object corresponding to the request. Could be an html page, PNG image, CSS file, JavaScript, XML encoded data or whatever.
JsonRequest is an implementation of another protocol for client/server communication - JSON-RPC 2.0. You may want lo look here for more information. It's a remote procedure call (RPC) protocol which means that it allows the client to initiate the execution of some method on the server passing some arguments to this method. In response the client gets some data as a result of the method invocation.
EDIT - some more words about the decorators #openerpweb.jsonrequest and #openerpweb.httprequest
Some methods are decorated with the #openerpweb.jsonrequest decorator, other methods - with the #openerpweb.httprequest. This means nothing else but that the first group of methods will be available for execution trough the JSON RPC protocol and the second group will be accessible trough the pure HTTP protocol.
Now, what is the difference? And do we need both jsonrequest and httprequest? Let simplify it like this: JSON is more suitable for executing methods on the server and obtain results. HTTP is simpler and easier to use when all we what is to access some resource on the server.
Let's 'decorate' this with some examples for clarity. Take a look at the following method of the web.controllers.main.Export class:
#openerpweb.jsonrequest
def formats(self, req):
""" Returns all valid export formats
:returns: for each export format, a pair of identifier and printable name
:rtype: [(str, str)]
"""
...
This method accepts some arguments and returns a list (Python list object) containing all known export formats. It will be called in a programmatic way in some python code on the client side.
On the other side are the 'http' methods - like the method css() of the web.controllers.main.Web class:
#openerpweb.httprequest
def css(self, req, mods=None):
....
All this method does is to return a CSS file to the client. It's a simple action like accessing an image, a HTML web page or whatever other resource on the server. The resource we are returning here is nothing complicated as a Python list as in the previous example. We don't need a special format to encode it additionally. So we don't need additional data encoding format as JSON and remote procedure call protocol as JSON RPC.
As can be seen in AngularJS's source, any $http.post request that returns an HTTP code in the 200-299 range will trigger the success() callback even if the response contains invalid data (like for example invalid JSON).
I'm specifically setting my call's responseType: 'json' and even then the success callback is fired when something else comes back. This is especially annoying in the development server where PHP's display_errors setting is turned on. When something goes wrong server-side and PHP outputs an error message the AngularJS app doesn't detect this and continues happily.
Is there a way to prevent this? I mean, to make the AngularJS app fire the error() callback when the response data is invalid JSON?
Thanks
so your PHP server responds with a 200 error code even on an error? Not knowing PHP, this feels like a server configuration problem to me. I'd expect a 500 error with a payload. That being said, there are two things that I can think of offhand.
$http includes transformResponse handlers you can set up to inspect the response for problems.
$http also includes the concept of "interceptors" which allow you to pick up the response payload and do something with it. You could use an interceptor to "reject" the response.
More information on transformResponse and "interceptors" in the $http documentation:
http://docs.angularjs.org/api/ng.$http
I'am using Mule 3.3.0 CE and I would have a custom behaviour when an exception is thrown in an http outbound endpoint (i.e when I get a Connection Refused Exception or Connection Timeout Exception). Let's assume that I have this scenario: a SOAP Component and a Http Outbound Endpoint that realize together a cxf service client and let's assume that I can't use any exception strategy.
I would write an Interceptor which intercept the http exception (i.e Connection Refused) and in which I can write a custon behaviour (i.e send the message in a queue).
I need of an interceptor that intercept che http exception and no a SOAP Fault (that could be intercepted with a SOAPFaultInterceptor).
How can I realize this model?
Thank you all for any help
I found the solution. I used a custom interceptor ( component) just before the Http component and I extended the AbstractEnvelopeInterceptor that gives to me the possibility to work before, after and during the component is processing the message.
With this perspective, I implemented the last method. This method's sign contains a boolean value that is setted is an exception occurred. In this way I can leverage this method to handle any kind of exceptions that is related to Http Component.