B4J Question Set HTTP Request Header with HttpUtils2

[JMB]

Hi there,

I am trying to secure a Web Service which currently has no security on it by using Basic HTTP Authentication and am a little bit confused as to how I would call the service in B4J.

I was reading the thread in the B4A section of the forum about setting headers, as per the title of this post.

Could I ask for a more complete example of how to set the headers for Basic HTTP Authentication? I am a little confused between using:

job1.GetRequest.SetHeader()

and setting the username and password via Job.username and Job.password. If I do it that way, how do I then set the header?

Thank you for your help.

Jonathan

 

[Erel]

If the server implements the standard basic authentication or digest authentication methods then you should set Job.Username and Password. No need to set any header.

 

[JMB]

Thanks Erel.

Does the HttpJob Library therefore take care of all the encoding required for transmitting the username and password as base64 encoded?

Jonathan

 

[JMB]

I have tried using this and don't seem to be getting anywhere.

Here is my code

job1.Username = "admin"
job1.Password = "admin@123"
job1.PostString("http://www.***/authenticate1.php","")

When I call the page through a browser, it asks for the username and password as one would expect and logs in when the correct information is passed.

Using the same username and password in the code returns an Unauthorized error.

Any help would be gratefully appreciated.

Jonathan

 

[JMB]

My code on the php page looks like this:

<?php

// Status flag:
$LoginSuccessful = false;

// Check username and password:
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){

    $Username = $_SERVER['PHP_AUTH_USER'];
    $Password = $_SERVER['PHP_AUTH_PW'];

    if ($Username == 'admin' && $Password == 'admin@123'){
        $LoginSuccessful = true;
    }
}

// Login passed successful?
if (!$LoginSuccessful){

    /*
    ** The user gets here if:
    **
    ** 1. The user entered incorrect login data (three times)
    **     --> User will see the error message from below
    **
    ** 2. Or the user requested the page for the first time
    **     --> Then the 401 headers apply and the "login box" will
    **         be shown
    */

    // The text inside the realm section will be visible for the
    // user in the login box
    header('WWW-Authenticate: Basic realm="Secret page"');
    header('HTTP/1.0 401 Unauthorized');

    print "Login failed!\n";

}
else {

    // The user entered the correct login data, put
    // your confidential data in here:

    print 'you reached the secret page!';
}

Is there something that I should be doing that I am missing in the PHP code?

JB

 

[EnriqueGonzalez]

for my particular case i solved using this code:

    Dim userPwd As String = "user:password"
  
    Dim su As StringUtils
    Dim byt() As Byte = userPwd.GetBytes("UTF8")
    Dim suUserPwd As String = su.EncodeBase64(byt)
  
    http.Download("http://IPToServer/firstPage/SecondPage")
    http.GetRequest.SetHeader("Authorization:","Basic "&suUserPwd)

Some insight:
-HTTP Autorization:
https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side

-Instead of Post i used Download that according to documentation is equal to a get.
-setHeader should be AFTER and not BEFORE the download call (it should be too for POST)
https://www.b4x.com/android/forum/threads/set-http-request-header-with-httputils2.39413/#content

 

[JMB]

Thank you Enrique. Your input is much appreciated.

I am still having no success.

Here is the code based on what you posted.

    Dim userPwd As String = "user:password"
    Dim su As StringUtils
    Dim byt() As Byte = userPwd.GetBytes("UTF8")
    Dim suUserPwd As String = su.EncodeBase64(byt)
    job1.Download("http://IPToServer//authenticate2.php")
    job1.GetRequest.SetHeader("Authorization:","Basic " & suUserPwd)

and the code in the authenticate2.php file is

<?php

// Status flag:
$LoginSuccessful = false;

// Check username and password:
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){

    $Username = $_SERVER['PHP_AUTH_USER'];
    $Password = $_SERVER['PHP_AUTH_PW'];

    if ($Username == 'user' && $Password == 'password'){
        $LoginSuccessful = true;
    }
}

// Login passed successful?
if (!$LoginSuccessful){
    header('WWW-Authenticate: Basic realm="Secret page"');
    header('HTTP/1.0 401 Unauthorized');

    print "Login failed!\n";

}
else {

    print 'You reached the secret page!';
}

and it still won't work.

I also tried

    job1.Username = "user"
    job1.Password = "password"
    job1.PostString("http://IPOfServer/authenticate2.php","")

And that doesn't work either.

No idea what I am doing wrong, as I managed to get Erel's site working using:

    job2.Username = "xxx"
    job2.Password = "xxx"
    job2.PostString("http://www.b4x.com/android/vv18/print.php", "a=b")

 

[EnriqueGonzalez]

Could you add into your php code this lines ?

<?phpforeach (getallheaders() as $name => $value) {
echo "$name: $value\n";
}?>

And verify that the headers are actually going into your php page? There are some cases where Apache server filters the headers

http://stackoverflow.com/questions/...m-and-authorization-headers/17490827#17490827

 

[JMB]

This is what I get back...

Waiting for debugger to connect...
Program started.
User-Agent: okhttp/3.5.0
Accept-Encoding: gzip
Connection: close
Host: www.********.co.uk
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Login failed!
JobName = Job1, Success = false
Error: Unauthorized

 

[EnriqueGonzalez]

and for the other side? i mean the php side, what are the values that Echo is logging?

My inquiry is that even when you already have the user and password send to the server your php code is not visualizing it.

 

[JMB]

Thanks for your continued help with this.

I contacted my Host provider as there appear to be problems with passing authorisation information with servers that are CGI/FastCGI enabled.

They set up a script on my host as follows:

<?php$_h = getallheaders();print_r($_h);print_r($_SERVER);?>

I got this back from them after running that code:

[REDIRECT_STATUS] => 200 
[REDIRECT_HANDLER] => hs-php55-script 
[REDIRECT_HTTP_AUTHORIZATION] =>

And his comment was this:

"You can see the HTTP_AUTHORIZATION / AUTHORIZATION header is passed in $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] due to the nature of FastCGI PHP required under shared hosting."

Does that mean that a different header has to be passed to the page?

JMB

 

[JMB]

I am communicating with my host provider to try and figure out why username and password don't seem to be getting to my authentication page

Even sending them using a simple PHP script doesn't work.

Weird.

 

[JMB]

Ok, I have managed to sort this out. It was due to the fact that REDIRECT_HTTP_AUTHORIZATION is being used on the host. This is connected to shared hosting with FastCGI PHP.

Here is the code that finally gave success:

<?php

if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) {
  
    list($name, $password) = explode(':', base64_decode($matches[1]));
    $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
    $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}

// Status flag:
$LoginSuccessful = false;

// Check username and password:
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){
    $Username = $_SERVER['PHP_AUTH_USER'];
    $Password = $_SERVER['PHP_AUTH_PW'];

    if ($Username == 'user' && $Password == 'pass'){
        $LoginSuccessful = true;
    }
}

// Login passed successful?
if (!$LoginSuccessful){

    header('WWW-Authenticate: Basic realm="Secret page"');
    header('HTTP/1.0 401 Unauthorized');

    print "Login unsuccessful";
}
else {

     // Correct login data received
    print 'Login successful';
}
?>

and here is a test php script to check that it works:

<?php

$username  = "user";
$password = "pass";

$url = "http://www.*******/authenticate.php";

$context = stream_context_create(array(
    'http' => array(
        'header'  => "Authorization: Basic " . base64_encode("$username:$password")
    )
));
$data = file_get_contents($url, false, $context);
print_r($data);
?>

Hope this helps someone.

Thanks very much for your help, Enrique.

JMB