
I can't understand what I'm doing wrong when trying to log in to IBM Rational Quality Manager from RESTClient. Someone may find this question simple, but I stumbled onto it yesterday and haven't been able to solve it in two days. Everything works perfectly if I use the curl.exe tool, logging in to the IBM Rational Quality Manager server application with FORM-based authentication:

REM cookie jar and credentials used by the two curl calls below
set COOKIES=cookies.txt
set USER=jts
set PASSWORD=jts
REM no quotes here: cmd would store them as part of the value and they would end up inside the URL
set HOST=https://jazz.server.com:9443/qm
REM 1) first visit to a protected URL: the server issues the session cookies, -c saves them
curl -k -c %COOKIES% "%HOST%/authenticated/identity"
REM 2) form login: credentials sent as the POST body (-d), cookies sent and updated (-b/-c), redirects followed (-L)
curl -k -L -b %COOKIES% -c %COOKIES% -d j_username=%USER% -d j_password=%PASSWORD% "%HOST%/authenticated/j_security_check"

As you can see, I get a good result, with the JSESSIONID parameter returned among the cookies:

# Netscape HTTP Cookie File 
# https://curl.haxx.se/docs/http-cookies.html 
# This file was generated by libcurl! Edit at your own risk. 

#HttpOnly_jazz.server.com FALSE / TRUE 0 LtpaToken2 0VkNWt7dIquUiEJJ4XlPqEgsIKW/PJD2x4ckihZTCC6Iofo+KGtXYUuWhwk8wLnQZCxA0SP9/lgkWte/sH3/3k1HFFbM7UX07pFbh/MxVBcGtzY9Yr2YC6T3jZClxVDOU2R6fQk1SAu8/6Mia9LgrBnqsvauldoChU0ZFEDhI/ogHbyUKsOhM8gZNx8kJrkUCj0NPOci07UjKgILCorDZoiw5uYAIyC07ZBS6CY3juxkwgkYXwRCbyhpZY6dEeQg+CE97OwFhQCO7KesrflVF6xGRmEiz7f5DDG7oscqM72HJ9SF4zSMgKBko38l60ba 
#HttpOnly_jazz.server.com FALSE / TRUE 0 JSESSIONID 0000bzfBh88AbZ6yGgn-IVAccGA:34261533-f9f3-43a1-a58d-95e3dfca7322 
#HttpOnly_jazz.server.com FALSE /qm/authenticated/ TRUE 0 X-com-ibm-team-foundation-auth-loop-avoidance false 

However, if I use RESTClient, I make the first GET request:

Method:  GET
URI:  https://jazz.server.com:9443/qm/authenticated/identity 

The returned headers are:

Status Code: 200 OK 
Cache-Control: no-cache="set-cookie, set-cookie2" 
Content-Encoding: gzip 
Content-Language: en-US 
Content-Length: 1028 
Content-Type: text/html; charset=UTF-8 
Date: Mon, 18 Sep 2017 17:33:06 GMT 
Expires: Thu, 01 Dec 1994 16:00:00 GMT 
Set-Cookie: JazzFormAuth=Form; Path=/qm; Secure 
X-Powered-By: Servlet/3.0 
X-com-ibm-team-repository-web-auth-msg: authrequired 

Next, I make the second POST request:

Method:  POST
URI:  https://jazz.server.com:9443/qm/authenticated/j_security_check?j_username=jts&j_password=jts 

The returned headers are:

Status Code: 400 Bad Request 
Connection: Close 
Content-Language: en-US 
Content-Length: 757 
Content-Type: text/html;UTF-8 
Date: Mon, 18 Sep 2017 18:35:02 GMT 
X-Powered-By: Servlet/3.0 

Can someone tell me what the difference is here? Why doesn't it work? Many thanks in advance for any help! I'm really stuck right now!

Answer


I ran into the same problem you have. Sadly, setting up a cookie store is not enough; you have to extract the jsession value manually and send it as a cross-site request forgery header. I'll post an extract of a PowerShell script that does exactly this; it should be understandable and portable to other scripting environments. I've reduced it to 3 basic steps:

# settings used below (values taken from the question; adjust for your server)
$server   = "https://jazz.server.com:9443/qm/"   # note the trailing slash
$cookies  = "cookies.txt"                         # curl cookie jar (Netscape format)
$username = "jts"
$password = "jts"

# fetch required cookies with a "failed" attempt at reaching a location 
# that requires auth 
./curl.exe -v -k -L ` 
    --cookie $cookies ` 
    --cookie-jar $cookies ` 
    "${server}authenticated/identity" 

# now that we have the cookies, we can send our login information with proper 
# cookies and credentials (sent as the POST body via --data) 
./curl.exe -v -k -L ` 
    --cookie $cookies ` 
    --cookie-jar $cookies ` 
    --data j_username=$username ` 
    --data j_password=$password ` 
    "${server}j_security_check" 

# get the cookie value that we need to pass as a special header 
# (the JSESSIONID line in the cookie jar: "... JSESSIONID <value>") 
$pattern = "JSESSIONID\s+([^\s]+)" 
$cookieValue = Select-String -Path $cookies -Pattern $pattern | 
    %{ $_.matches } | 
    %{ $_.groups[1].value } | 
    Select-Object -Unique 

# we now have the cookies and also the jsessionid that we need. 
./curl.exe -v -k -L ` 
    --cookie $cookies ` 
    --cookie-jar $cookies ` 
    --header X-Jazz-CSRF-Prevent:$cookieValue ` 
    -- other stuff to complete the call. 

Notice the second-to-last line, where the X-Jazz-CSRF-Prevent header is set to the JSESSIONID. This is the key point that gets lost when trying to imitate browser interaction from a typical command-line environment.
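As an added example (not code from the question or the answer), the same three steps with Python's standard library only: get the cookies, post the credentials in the form body as curl's -d does, then reuse the JSESSIONID as the X-Jazz-CSRF-Prevent header. The server URL, the account and the cookie-file sample are assumptions constructed for illustration; unlike the curl commands above it keeps TLS verification on.

```python
# Added example, not the question's or the answer's code: the same three-step
# form login with only the standard library.  URL, account and sample are assumed.
from http.cookiejar import CookieJar
from urllib.parse import urlencode
from urllib.request import HTTPCookieProcessor, Request, build_opener

CSRF_HEADER = "X-Jazz-CSRF-Prevent"

# Constructed sample in curl's Netscape cookie-file format (tab separated);
# the JSESSIONID is the one from the question, LtpaToken2 is a placeholder.
SAMPLE_COOKIE_FILE = (
    "# Netscape HTTP Cookie File\n"
    "#HttpOnly_jazz.server.com\tFALSE\t/\tTRUE\t0\tLtpaToken2\tLTPA-PLACEHOLDER\n"
    "#HttpOnly_jazz.server.com\tFALSE\t/\tTRUE\t0\tJSESSIONID\t"
    "0000bzfBh88AbZ6yGgn-IVAccGA:34261533-f9f3-43a1-a58d-95e3dfca7322\n"
)

def jsessionid_from_cookie_file(text):
    """Step 3 of the answer (the Select-String line) by hand: pull JSESSIONID
    out of a curl cookie jar.  '#HttpOnly_' lines are cookies curl marks as
    HttpOnly, not comments, so only plain '#' lines are skipped."""
    for line in text.splitlines():
        if line.startswith("#") and not line.startswith("#HttpOnly_"):
            continue
        fields = line.split()  # domain, flag, path, secure, expiry, name, value
        if len(fields) >= 7 and fields[5] == "JSESSIONID":
            return fields[6]
    return None

def csrf_headers(jsessionid):
    """Header that, per the answer, every request after login must carry."""
    return {CSRF_HEADER: jsessionid} if jsessionid else {}

def _jsessionid(jar):
    return next((c.value for c in jar if c.name == "JSESSIONID"), None)

def login(base, username, password):
    """base is e.g. 'https://jazz.server.com:9443/qm' (no trailing slash).
    Returns (opener, headers) to use for all later calls.  TLS verification
    stays on (no equivalent of curl -k): trust the server's CA instead."""
    jar = CookieJar()
    opener = build_opener(HTTPCookieProcessor(jar))  # like curl -b/-c
    # 1) 'failed' visit to a protected URL so the server issues JazzFormAuth
    with opener.open(f"{base}/authenticated/identity") as resp:
        if resp.headers.get("X-com-ibm-team-repository-web-auth-msg") != "authrequired":
            return opener, csrf_headers(_jsessionid(jar))  # already logged in
    # 2) credentials go in the POST body (what curl -d sends), not the URL query
    body = urlencode({"j_username": username, "j_password": password}).encode()
    opener.open(Request(f"{base}/authenticated/j_security_check", data=body)).close()
    return opener, csrf_headers(_jsessionid(jar))
```

After `opener, headers = login(...)`, pass `headers` to every `Request` made through that opener; the cookie jar and the CSRF header together are what the browser sends implicitly.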
