-
-
Notifications
You must be signed in to change notification settings - Fork 403
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add view resolver for JSON response by web controllers. #1074
base: master
Are you sure you want to change the base?
Conversation
e18b09c
to
61debd6
Compare
Hello @emerout, curl --location 'http://localhost:8180/steve/manager/signin' I always get back 403 :( |
Hello @erbg, Authentication is a bit tricky because of the CSRF token and the JSESSIONID cookie. Here is the steps: Make a first GET to the signin URL, without any
Then make the signin call, with the CSRF token and session cookie:
Response is a 302 with You can then make some call with the JSESSIONID (the last one, which was in the response to the actual POST signin):
I admit this auth process is not straightforward. There is a way to disable csrf protection in @Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
final String prefix = CONFIG.getSpringManagerMapping();
return http
.csrf().disable() // disable CSRF protection
.authorizeHttpRequests(
req -> req.antMatchers(prefix + "/**").hasRole("ADMIN")
)
// ... I would not advice to do so if steve is exposed to internet. |
hey @emerout thanks. i appreciate your valuable work. this is interesting from a technical perspective! however, the interaction with steve is weird since it was never designed for this use case. as an example, to send some data one needs to do things like this:
i wonder whether this is manageable with more complex flows (i.e. input data). i think bending the implementation just to make it machine-interactable can create some brittle situations. i guess having something instead of nothing is better, but i am hesitant about making this part of the master. if you are okay with it, i want to leave the PR open for anyone interested to cherry pick your solution. |
This pull request permits to invoke the web app controllers and ask to respond with a JSON body instead of a JSP page.
You just need to add
Accept: application/json
header to the http request. Request POST form is like JSP :Content-Type: x-www-form-urlencoded
.Samples below are for occpTags, but should work in the same way with other controllers.
Steve is configured in
profile = dev
mode. Prod mode works the same:JSESSIONID
into the response headerSample request inserting a new tag :
In case of a duplicate tag, we have the following response:
Sample request retrieving tags:
In case of malformed request (redacted):