Re: [twsocket] Basic HTTP Authentication over SSL

2014-02-24 Thread Wayne Phipps
Just to bring things up to date, the suggestion by Arno almost worked.

I was able to trace through the unit and found the part which actually sent
the Header and watched it go line by line along with the basic auth.

From there I realised that there was something wrong with the values and
simply Base64 encoded the token value, so that the function I actually ended
up with was as follows:

procedure TForm1.SslHttpCli1BeforeHeaderSend(Sender: TObject;
  const Method: String; Headers: TStrings);
begin
  // Basic credentials are Base64(user-id ':' password); here the token is
  // the user-id and the password is empty, hence the trailing ':'
  if Method = 'GET' then
    Headers.Add('Authorization: Basic ' + EncodeStr(encBase64, sToken + ':'));
end;

I spotted a function which gave me the idea to try Base64 encoding. Oddly
enough the sToken returned is already base64 encoded but re-encoding it
worked.


I've also found what I believe is the reason that basic authentication is
never passed to the server.

In the function PrepareBasicAuth, the main body of the function is never
executed because "if (FStatusCode = 401) and (FDoAuthor.Count > 0)" is
never true.
It turns out that the API never returns a 'WWW-Authenticate' header so that
FDoAuthor.Add is never called, consequently FDoAuthor.Count is always
zero.

I don't however see why it needs to wait for a 'WWW-Authenticate' header
when we could have already sent the Auth Header when doing the GET.
Shouldn't the auth just be sent if the properties have been set?
Isn't that part of the idea behind Basic, as opposed to Digest, which requires
an extra roundtrip to exchange the nonce value?

Any thoughts/feedback much appreciated.


Kind Regards, Wayne




-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
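
Added example, not part of the original thread and not ICS code; it is written in Python rather than Delphi so it runs stand-alone. It shows the server-side view of the three attempts discussed above: the token pasted raw after "Basic ", the token sent as user-id with an empty password (what curl --user TOKEN: builds), and a client that only authenticates after a challenge. The function names, the sample token and the response headers are constructed, and challenge_driven_sends_auth is only a model of the condition quoted in the message.

```python
import base64

def basic_header(user_id, password=""):
    """Client side: 'Basic ' + base64(user-id ":" password), what curl --user builds."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header_value):
    """Server side: return (user_id, password), or None for malformed credentials."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:
        return None
    user_id, colon, password = decoded.partition(":")
    if not colon:  # no ":" separator, so this is not user-id:password
        return None
    return user_id, password

def challenge_driven_sends_auth(status_code, response_headers):
    """Model (assumption) of the check quoted in the message: credentials are
    only prepared after a 401 that carried a WWW-Authenticate challenge."""
    challenged = any(k.lower() == "www-authenticate" for k in response_headers)
    return status_code == 401 and challenged

# Constructed sample token; like sToken it is itself Base64 text.
TOKEN = "c2FtcGxlLXRva2VuLTAwMDE="

RAW_ATTEMPT = "Basic " + TOKEN        # token pasted straight after "Basic "
FIXED_ATTEMPT = basic_header(TOKEN)   # token as user-id, empty password

def demo():
    """Return what the server-side parser makes of each client attempt."""
    return {
        "raw": parse_basic(RAW_ATTEMPT),
        "fixed": parse_basic(FIXED_ATTEMPT),
        # Constructed response: a 401 with a JSON body and no challenge header.
        "auth_after_bare_401": challenge_driven_sends_auth(
            401, {"Content-Type": "application/json"}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

The raw attempt fails because the server Base64-decodes the token itself and finds no ":" separator, which is why re-encoding an already Base64-looking token is the correct step rather than an oddity.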


Re: [twsocket] Basic HTTP Authentication over SSL

2014-02-18 Thread Wayne Phipps
OK, I've tried that now but it's unfortunately made no difference.

Just for info, I've set two breakpoints. One on the function
THttpCli.PrepareBasicAuth and the second on the procedure
THttpCli.StartAuthBasic which I rightly or wrongly expected to be called.

The breakpoint at StartBasicAuth never gets hit whilst the PrepareBasicAuth
never makes it past "if (FStatusCode = 401) and (FDoAuthor.Count > 0) and"

I did notice the following comment in the class file which made me smile:
{ ServerAuth and ProxyAuth properties are still experimental. They are
likely to change in the future. If you use them now, be prepared to update
your code later }

In the meanwhile, I'll continue to investigate.

Kind Regards, Wayne







Re: [twsocket] Basic HTTP Authentication over SSL

2014-02-18 Thread Wayne Phipps
Not yet, I didn't spot that function but that sounds like a good plan.

Thanks Arno, I'll give that a go.

Kind Regards, Wayne


Re: [twsocket] Basic HTTP Authentication over SSL

2014-02-18 Thread Arno Garrels
On Tuesday, February 18, 2014 2:01 PM [GMT+1=CET],
Wayne Phipps wrote:

> Now we've come to implement the interface in Delphi, we've hit a
> hurdle. 
> 
> 
> 
> The process should be as follows:
> 
> 1)  Use HTTP POST to pass username and password parameters to
> login URL 
> 
> 2)  A token string is returned if login was successful
> 
> 3)  The token is then used as Basic Authentication using HTTP GET
> to retrieve JSON from different API URL

Have you tried to add the basic authenticate header line manually at 
runtime, something like:

procedure THttpTestForm.HttpCli1BeforeHeaderSend(Sender: TObject;
  const Method: string; Headers: TStrings);
begin
  if Method = 'GET' then
    Headers.Add('Authorization: Basic ' + TokenString);
end;

-- 
Arno



Re: [twsocket] Basic HTTP Authentication over SSL

2014-02-18 Thread Angus Robertson - Magenta Systems Ltd
The process should be as follows:
1)  Use HTTP POST to pass username and password parameters to login URL
2)  A token string is returned if login was successful
3)  The token is then used as Basic Authentication using HTTP GET to
retrieve JSON from different API URL

Step 1 and 2 are normal and simple, step 3 is unusual, basic authentication is
rarely used to pass tokens, they are normally sent as parameters with the
request or handled as cookies.  

You really need a proper log in your code so you can see exactly what commands
are sent, and the responses received.  Look at the Browser demo, which supports
authentication and cookies.  

Angus



Re: [twsocket] Basic HTTP Authentication over SSL

2014-02-18 Thread Wayne Phipps
I thought I'd just clarify we're actually using v7.23

The result returned is:
StatusCode= 401
{"responseCode":401,"responseMessage":"Unauthorized"}

Any suggestions welcome.






[twsocket] Basic HTTP Authentication over SSL

2014-02-18 Thread Wayne Phipps
We are trying to integrate to a HTTP JSON API using Delphi 7.

Before we started, we tested the remote API using an online service
http://www.hurl.it/ to better understand the requirements.

Now we've come to implement the interface in Delphi, we've hit a hurdle.

The process should be as follows:

1)  Use HTTP POST to pass username and password parameters to login URL

2)  A token string is returned if login was successful

3)  The token is then used as Basic Authentication using HTTP GET to
retrieve JSON from different API URL

We can complete this whole process using hurl.it but only steps 1 & 2 in
Delphi using the OverByte ICS TSslHttpCli component (I believe v9).

Step 3 in Delphi fails with a 401 Unauthorized error basically not getting
our token as auth.

We can even copy the token retrieved using Delphi in step 1 & 2 and paste
it as basic auth on hurl.it where step 3 runs without error.

A code example is as follows:



procedure TForm1.getOrders(tokenString: string);
var
  params  : TStringStream;
  response: TStringStream;
begin
  memo1.Lines.Append( tokenString );

  //  create our parameter list
  params := TStringStream.Create('');
  //  create our response stream
  response := TStringStream.Create('');
  try
    //params.WriteString ( '&username=' + tokenString);
    params.Position := 0; //  this also works params.Seek(0, soFromBeginning );

    //  set our properties
    SslHttpCli1.ServerAuth := httpAuthBasic;
    SslHttpCli1.Username := tokenString;

    SslHttpCli1.SendStream := params;
    SslHttpCli1.RcvdStream := response;

    SslHttpCli1.URL := 'https://secure.bla.com/api/v2.0/bla/blabla';
    try
      SslHttpCli1.Get;
    except
      ShowMessage ('GET Failed !');
      ShowMessage ('StatusCode   = ' + IntToStr(SslHttpCli1.StatusCode));
      ShowMessage ('ReasonPhrase = ' + SslHttpCli1.ReasonPhrase);
      Exit;
    end;

    //  display the response
    memo1.Lines.Append( response.DataString );
    SslHttpCli1.Close;
  finally
    //  free both streams even when the GET fails and we Exit
    params.Free;
    response.Free;
  end;
end;



If I look at the working request using Fiddler, it looks like this should
be a simple process. The Request View in Fiddler shows the following RAW
data:



POST http://www.hurl.it/execute_request HTTP/1.1
Host: www.hurl.it
Connection: keep-alive
Content-Length: 290
Accept: */*
Origin: http://www.hurl.it
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
DNT: 1
Referer: http://www.hurl.it/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,en-GB;q=0.6
Cookie: _ga=GA1.2.798759816.1392716338

follow_redirects=&method=GET&url=https%3A%2F%2Fsecure.bla.com%2Fapi%2Fv2.0%2Fbla%2Fblabla*&username=YmhcOMy4HTVF3WIP9guWYKrMobQKnapLNS5BnE8Y*&password=&digest_username=&digest_password=&consumer_key=&consumer_secret=&access_token=&token_secret=&signature_type=query&body=



For some strange reason, we've not been able to pass the token back to the
API.

Apparently, the following would be the equivalent using curl:

curl -X GET -I --user YmhcOMy4HTVF3WIP9guWYKrMobQKnapLNS5BnE8Y: https://secure.bla.com/api/v2.0/bla/blabla

I've tried setting the ServerAuth type to basic and passing the token as a
username parameter but without success.

Any idea how to achieve this seemingly simple process? Basically, it's
making no sense to me.

Kind Regards,

Wayne Phipps