how to use login credentials for spring app in postman?
hey guys. can smb help me out? i cant use login and password auth in postman for my spring app. i have this websecurityconfig:
if i disable permitAll, then i select basic auth in postman, enter my username us3rnam3 and pa55word, but in the response i still get login page html. but if i have permitAll disabled and go to my endpoint with browser, i get login page, enter credentials and everything works fine.
if i enable permitAll, then everything is fine in postman and browser too.
can smb explain what im doing wrong? thanks
its not my code, but thanks ill fix it
if im using login and pass in the browser, why cant postman use it too?
ok, but i want to do it
if u dont know how to help, then dont waste our time and just say it
thats not what i asked
im not using bearer token lol
im not using any token lol
im using login and password
whats ur problem
ChatGPT response?


thats not what i asked
that's what u asked
can't login in Postman
when disabled permitAll
yes
and idk how to send proper request with postman
all the answers on google are talking about some kind of token, when im not using it
thats why i asked here
csrf token right?
no idea. csrf token, bearer token, cookie
while im just sending my username and password
but in your code you have disabled csrf token check
idk what it is and why should i do smth about it. sorry
I asked Peter maybe he can sort it out
Hm, csrf is disabled afaik.
also permit all means you give permissions regardless of the authentication right?
Is a session-cookie set due to the requests?
No he didn't set any
@bambyzas Could you please check if the servers response (no matter if successful or not) return a cookie to the postman?
Should look like "Set-Cookie: xxxx"
Yes, well at least to the spring-security-layer, there might be some other magic in the app directly.
idk man. here it says theres no cookie (whatever that means), but in cookies section theres a cookie


Ok, we have a session cookie. Thanks.
You posted code. In the code a permitAll is disabled through comment markers //. Is it the permitAll you are enabling/disabling?
i dont understand whats the deal with permitAll all of you are talking about. but yeah. i just disable/enable this .antMatchers("/communicationTests").permitAll()
Ok, now I understand the problem. Let me think...
i just dont understand how to make a proper auth req with postman
thats it
Long story short, do you like to enable the deprecated BasicAuth mechanism for authentication?
um, idk tbh. i want to use the same mechanism my browser successfully uses
Usually if you can set session-cookies you should avoid basicAuth. Unfortunately this will make the postman-test more complicated.
again, why cant i just send my username and password like my browser does?
why do i have to go through all this unnecessary stuff? :/
cookies, tokens, etc
Your browser does two requests.
1. Authentication
2. /communicationTests
This means your postman must send two requests too.
ohhh
Both requests are connected by the jsession-cookie.
now its starting to make sense
Unfortunately there are many authentication methods. BasicAuth is older than the Cookie technology.
okay. but how do i know what auth meth is used?
You said the app is working fine in the browser. Since you are not using basic-auth in the browser, you are definitively using the jsession-cookie! The jsession-cookie has a unique identifier in the browser-tab, the jsession-cookie-code, and the Webapp remembers that this jsession-cookie-code has been authenticated. This is why your authentication survives the second request.
In postman you need to have two requests. The first request is the request to /login sending the correct credentials. Then the first request in postman will give you a jsession-cookie having the jsession-cookie-code. You need to use that code in the second request as the session-cookie (I think postman has a special field for the cookie).
To copy the jsession-cookie-code from the browser (using the inspection-tools by the F12 key) to use it in postman Might Work! But spring might notice that the Agent of the Browser is "Chrome" but the Agent of Postman is "Postman". Spring might reject the second request from a different client.
okay. but in the headers i dont have a cookie

You are showing the response-headers. You need to submit the jsession-cookie-code in the request-headers.
im telling u that i dont receive the cookie, and ur telling me that i need to submit it
Ah ok, I thought you already have an authenticated cookie-code.
My bad.
But the header is there!
Unfortunately Postman does not list it.
Postman mentions the header in the tab "Cookies".
But trust me, the cookie is a header.
u r talking about this one, right?

Yes. This is the jsession-cookie-code.
ah ok
This jsession-cookie is not authenticated.
wait, so i need to do smth before doing second req?
Yes, you need to send the credentials using postman. Then you will get a jsession-cookie that is authenticated.
or can i start filling the needed fields for my 2nd req?
oh, so i can start constructing my 2nd req
Your screenshot is your second request.
i still get the same error

This is a different error. Right, this error says "Your credentials are wrong."
"You are not authenticated" != "Your credentials are wrong."
i know, but these creds work in browser
Please show the post-body of your postman-login-attempt.
show the credentials

check form-data
and raw
wdym i didnt send any creds?

This is basic-auth. As I said, basic-auth is disabled. You need to authenticate using jsession-cookie.
im doing it

Auth Type needs to be changed is what he said
Please show the contents of


Spring will completely ignore the basic-auth for security reasons.
Ok, you do send no login and no password to the jsession-cookie.
Basic auth is ignored because it is old, unsafe, obsolete and deprecated
got it
it should look like this

👍🏻
thanks, ffs it finally works

You ROCK!
thank Peter Rader
No thank you mate!
We are not done yet!
i guess ill need to take notes on this stuff, because i was losing my mind over this. thanks for ur patience guys
really? is there smth more to it?
Step 1 is finished. Now you have your authenticated jsession-cookie-code. You need to use that code in the request-Header "Cookie" for the second post-request against /communicationTest.
but when ill be hitting /communicationTest, ill just need to send cookie, or do i need to include the creds? as i understand it, now i kinda "established the connection" so i dont need to send creds, right?
The jsession-cookie-code is your credential from now on!
Sometimes those jsession-cookies are too old and will not be valid because the server thinks the user has left his PC to go home and forgot to logout.
Absolutely, you have established the authenticated connection using the jsession-cookie-code.
As I said, you need to send a post-request-header having the name "Cookie" and the value of the code to the /communicationTest url.
almost empty req, right? only Cookie header with its val? no body and nothing set in Authorization section

ah, crap, POST isnt supported haha
GET works
thanks
Lets celebrate!
You guys rock!
thanks for explaining everything step by step
You could however read this for more detail: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies?retiredLocale=de
I do not know either. I read what you wrote and everything you wrote is correct. Maybe I reflect the emotions better. I tried to act like a wingman, contribute and support to his anger. Feel him deep inside 😛