Ошибка java 401

I am trying to crawl a website using a java program.
Until last night it was working perfect, but now the server returns error code 401.

HOWEVER, I can still see the pages that I want through my web browsers.
So, I don’t know what is wrong? If the server add my IP to black list, so why can I see the URLs through the web browsers? If not, what else can cause 401 error?

Two more points:
There is no username and password for this site and authentication is based on my IP.

Also, I tried to change my user agent, and now I get Error 503.

You have a java app.
It throws a 401 or 403 error.
It makes you crazy.
But: you’re not alone. Try this troubleshooting blog.
Here, you find debugging hints and friends.
Together, we’re reproducing the error in a hands-on sample scenario, we add some configuration and create a debugger class to get an idea about what could cause the error.
Short description can be found in the Quick Guide at the end of this blog post.
Involved technologies:
SAP Business Technology Platform, Cloud Foundry Environment, XSUAA, Java Spring Boot.

Quicklinks:
Quick Guide
Sample Code

Content

1. Introduction
2. Sample Application
3. Run Error Scenarios
4. Run Troubleshooting Scenarios
5. Optional: More Info
6. Clean up
Appendix 1: Sample Code
Appendix 2: application.yml

1. Introduction

We have a Java Spring Boot application, which exposes a REST endpoint.
It is protected using Spring Security, with OAuth 2 (via XSUAA binding) and it requires a certain scope to be present in the incoming JWT token.
We call the REST endpoint from anywhere and the request fails with HTTP status code 401 or 403.
We’re getting crazy because we don’t know the reason of the error.
To troubleshoot the error, we need more information.
Now we feel the pain of useful frameworks: they simplify our life, as long as everything works as expected. But if things start going wrong, it is hard to debug.
Fortunately, in the SAP Community, it is easy to find friends…and information.

One important information would be the JWT token itself, which could be invalid or incomplete.
However, since the request is already rejected by Spring Security, our endpoint implementation isn’t invoked at all, so we cannot have a look at the JWT token.
In the sample code below, we’re demonstrating a way how to hock into the Spring framework, before the request is rejected, and thus get the opportunity to analyze the JWT token.

Second useful information would be to view the internal error messages and traces which are logged by Spring or SAP security libraries, but are not written to the Cloud Foundry log, for security reasons.
In the sample code below, we’re showing how to configure Spring to write the traces to the log.

As you’ve probably been browsing the internet in search for help (and friends), you must have reached this blog post with an existing error-throwing java app.
Nevertheless, to make the tutorial complete such that it can be executed by everybody, we start with creating a  simple RESTful application and simple web app.
We simulate the errors and then fix it after analyzing the root cause.

1.1. Prerequisites

To follow this tutorial, we need

  • Access to SAP Business Technology Platform (SAP BTP) and permission to create instances and to deploy applications.
  • Basic Java and Spring Boot skills, Eclipse IDE and Maven installed.
  • Some basic understanding of OAuth and JWT token.
  • The tutorial is using the Cloud Foundry command line client, but all tasks can be done in the cockpit as well.

1.2. Preparation

To follow this tutorial, we create a root folder which will contain our 2 applications:
Java (created later) and web app (approuter).
In addition, we create the deployment descriptor (manifest.yml) and security descriptor (xs-security.json).

C:trouble
approuter
package.json
xs-app.json
manifest.yml
xs-security.json

The final project structure can be found in appendix1.

1.3. Create Instance of XSUAA Service

The XSUAA instance is used to protect our application and to handle user login (together with approuter).
But also, it is responsible to create the authorization artifacts, as defined by below config parameters:
xs-security.json

{
    "xsappname": "backendxsappname",
    "tenant-mode": "dedicated",
    "scopes": [{
            "name": "$XSAPPNAME.scopeforbackend"
        }
    ],
    "role-templates": [{
            "name": "BackendRole",
            "scope-references": ["$XSAPPNAME.scopeforbackend"]
        }
    ],
    "role-collections": [{
        "name": "BackendRoles",
        "role-template-references": [ "$XSAPPNAME.BackendRole" ]
      }
    ]    
}

The command for creating the instance of xsuaa:
cf cs xsuaa application backendXsuaa -c xs-security.json

After service creation we can check the cockpit for the newly created roles and role collection.

2. Create Application

If you already have an application, you can of course skip this chapter.

2.1. Create Spring Boot Project

To create a new Maven project, you can use any basic spring boot archetype and adapt it afterwards, or use the spring toolset in Eclipse.
Below description is based on an easy website starter, not the preferred way, but reproducible by anybody.

2.1.1. Generate Starter Project

Open: https://start.spring.io
Choose “Maven Project”, “Java”, “Spring Boot version 2.7.0”.
Group: com.example
Artifact: backendapp
Name: backendapp
Description: backendapp
Package name: com.example.backendapp
Packaging: Jar
Java: 8
Choose “Add Dependencies” and then select “Spring Web”.
Click “Generate”.

A backendapp.zip file is generated and saved in the “Downloads” folder of our Windows system.
We extract it to c:trouble, our root folder, which will contain the extracted project folder backendapp.
The final project structure can be found in appendix1.

2.1.2. Import Project

We import “trouble” into eclipse, via main menu -> File > Open Projects from File System, then browse to the extracted folder c:trouble.
We need to do the following changes:

2.1.3. Adapt pom file

We add the dependency to the security libraries:

pom.xml

    <dependency>
        <groupId>com.sap.cloud.security.xsuaa</groupId>
        <artifactId>xsuaa-spring-boot-starter</artifactId>
        <version>2.12.2</version>
    </dependency>

The <dependencies> section now looks as follows:

	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>com.sap.cloud.security.xsuaa</groupId>
			<artifactId>xsuaa-spring-boot-starter</artifactId>
			<version>2.12.2</version>
		</dependency>
	</dependencies>

Yes, I’ve removed the “test” dependencies and deleted the “test” folder, to run little faster.

2.1.4. Spring Boot Application

The class BackendApplication.java is generated by the Spring Initializer and is marked with the annotation @SpringBootApplication
We find it in our project and are happy with it like it is.

2.1.5. REST Controller

Our application is required to expose a REST endpoint, to be called via HTTP.

Create Java Class
In our package com.example.backendapp we create a new Java Class with name “BackendController.java”.

Define REST endpoint
We expose a simple REST endpoint with name “/endpoint” which does nothing than respond with a silly message when invoked.
Apologies, the focus of this tutorial is in the security configuration.
We need to mark the class as REST controller with an annotation, then define a method marked as endpoint for HTTP “GET” requests:

BackendController.java

@RestController
public class BackendController {

   @GetMapping("/endpoint")
      public String getEndpoint(@AuthenticationPrincipal Token token) {
    	 return "Endpoint successfully invoked";

2.1.6. Security Configuration

Authentication and authorization handling for requests to our endpoint is expressed in Java code.

Create Java Class
We create another java class in our package and we name it e.g. “BackendSecurity.java”.
Here, we basically specify that the endpoint with name “/endpoint” requires that the calling user is authenticated and has the Role “BackendRole” (which contains the scope “scopeforbackend” as defined in our security descriptor).
That’s simple, but can sometimes make life difficult.

BackendSecurity.java

@Configuration
public class BackendSecurity {

   @Autowired
   XsuaaServiceConfiguration xsuaaBinding;
	
   @Bean
   public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
      http
      .authorizeRequests().antMatchers("/endpoint").hasAuthority("scopeforbackend")
      .and()
      .oauth2ResourceServer().jwt().jwtAuthenticationConverter(getJwtAuthenticationConverter());
      return http.build();
   }

   Converter<Jwt, AbstractAuthenticationToken> getJwtAuthenticationConverter() {
      TokenAuthenticationConverter converter = new TokenAuthenticationConverter(xsuaaBinding);
      converter.setLocalScopeAsAuthorities(true);
      return converter;
   }	
}

Why do we need an “AuthenticationConverter”?
We have to remember that in SAP BTP, XSUAA based, we define scopes with a prefix, to make them unique ($XSAPPNAME.scopeforbackend).
That prefix is generated during deployment, so we cannot simply write it in the code statically.
The “TokenAuthenticationConverter” retrieves the generated prefix in the binding and removes it, such that we can write just the scope name (scopeforbackend) in our filter code.

Summary
We’ve generated a Spring Boot app, we’ve defined a REST endpoint and we’ve configured authentication and authorization restriction, such that users accessing that endpoint are required to have a certain role.

2.2. Web App

Next we create a simple frontend app that calls the backend app.
The frontend app is so simple that it even doesn’t contain any user interface.
We only create an approuter, to simulate a real web app.
We even don’t create the approuter, we only start it and configure it.
The configuration is as follows:
We define a route.
Whenever an end-user invokes that route, he is faced with a login screen.
After successful logon, the XSUAA server issues a JWT token and the user is forwarded to our protected REST endpoint, as configured in the target destination.
Not only the user is forwarded: even the JWT token is forwarded (we configure it in the destination, see below).
This JWT token will reach our endpoint only if all security restrictions (as configured above) are met.
It feels (almost) like a real web app, doesn’t it?

xs-app.json

{
   "authenticationMethod": "route",
   "routes": [
      {
        "source": "^/tobackend/(.*)$",
        "target": "$1",
        "destination": "destination_backend",
        "authenticationType": "xsuaa"
      }
   ]
}

The full app content can be found in appendix1.

2.3. Deploy

Before we can deploy our 2 apps, we need to define the deployment descriptor:
manifest.yml

applications:
- name: backendapp
  routes:
    - route: backendapp.cfapps.sap.hana.ondemand.com
  services:
    - backendXsuaa
- name: backendrouter
  routes:
  - route: backendrouter.cfapps.sap.hana.ondemand.com
  env:
    destinations: >
      [
        {
          "name":"destination_backend",
          "url":"https://backendapp.cfapps.sap.hana.ondemand.com",
          "forwardAuthToken": true
        }
      ]
  services:
    - backendXsuaa
. . .    

The full file content can be found in appendix1.

We can see, 2 apps are defined and both are bound to the same instance of XSUAA.
The destination for approuter is defined as environment variable, to make the tutorial shorter. In productive landscape, we would create real destination configuration in the cockpit.

Before deploy, we need to build the project, so we jump into c:troublebackendapp and run
mvn clean package

Then we can jump to c:trouble and run cf push

After deploy, we don’t configure security settings for our user, as we want to simulate the error scenario.

3. Run Error Scenarios

Remember what we are doing:
We have an application scenario running in SAP BTP, which itself doesn’t contain an error, but it throws an error when it is called.
We want to learn how to troubleshoot such scenario.
So first we need to troublemake the 2 typical error cases: HTTP Status 401 and 403.

3.1. Troublemaking 1: 401

As we know, HTTP status codes starting with a 4 indicate client errors.
Means, the endpoint has not been properly invoked.
Good about that: there doesn’t seem to be a bug in our java code.
Bad about it: we need to find out why it fails.

The 401 text is specified as “Unauthorized”, which we would interpret as “required role not available”, but in fact, 401 means “Not authenticated”. So the server refuses the access to the requested resource, which is our REST endpoint.

To simulate the 401-error-scenario, we simply invoke our REST endpoint directly, not via approuter, with a  browser, hence without authentication.
In my example, the URL is:
https://backendapp.cfapps.sap.hana.ondemand.com/endpoint

In the browser we get error and the developer tools show 401.
To troubleshoot the error, we check the Cloud Foundry logs with
cf logs backendapp –recent
however, there’s no useful information there.

3.2. Troublemaking 2: 403

To simulate the 403-error-scenario, we invoke the approuter URL
E.g.:
https://backendrouter.cfapps.sap.hana.ondemand.com/tobackend/endpoint
This leads to display of a login page.
After entering our user credentials, we get an error message, as expected, and in the dev tools we can see status 403.

The error text is defined as “Forbidden” which means, the user is authenticated, the server accepts the user login, however, the application refuses the request because of missing authorization, the user is in fact “Unauthorized”.

To troubleshoot the error, we check the Cloud Foundry logs, however, there’s no useful information there.

To finally simulate the scenario: we wonder why it is failing….

4. Run Troubleshooting Scenarios

This is the interesting part (= less boring part) of the blog post:
How to find helpful error messages or traces in the Cloud Foundry log.

4.1. Troubleshooting 1: Configure Logging Level

First attempt of troubleshooting is to view the logs, what we’ve already done.
so now we need to configure the frameworks, Spring and security libraries, such that detailed traces are written to the Cloud Foundry logs.

4.1.1. Logging level

There are several ways of changing the configuration: manifest, set-env, application.yml, application.properties.
In our example, we choose the file C:troublebackendappsrcmainresourcesapplication.properties which was generated by the Spring Initializer.
Suggested configuration:

logging.level.org.springframework.web=DEBUG
logging.level.org.springframework=DEBUG
logging.level.org.springframework.security=TRACE
logging.level.com.sap.cloud.security=TRACE

We’re interested in the traces written by Spring Security and SAP security library.
This will produce huge amount of text in the console, including tiny amount of helpful text.

Note:
Same settings for application.yml format can be found in the appendix2.

4.1.2. Spring Security Debug

One more nice logging option is to tell Spring Security to write debug info.
To do so, we open our security config class and add the following annotation:

@Configuration
@EnableWebSecurity(debug = true)
public class BackendSecurity {
. . . 

4.1.3. Test

After build and deploy, we try both troublemaking URLs:
https://backendapp.cfapps.sap.hana.ondemand.com/endpoint
https://backendrouter.cfapps.sap.hana.ondemand.com/tobackend/endpoint
We can seethe overwhelming log output.

4.2. Troubleshooting 2: Create Filter Class

The second troubleshooting suggestion is my preferred one:
It is slower (I’m slow anyways) but more effective and flexible and powerful.
And more fun.

We create a little hook implementation and configure it to be called by the Spring framework prior to the Spring security code.
This gives us the chance to view and analyze the incoming request, before it is aborted.

Before we start with implementation, we need to find out where to place the hook.
So we have a look at the log output.
Quite at the beginning, we can find the debug information written by Spring Security Debug.
We need to view the Security filter chain.
View it…

We take a note of the first entry.
In my example, it is the DisableEncodeUrlFilter.
Here’s the link to the documentation where filters are listed. However, for the following mechanism to work, we need to point to a filter which is really used in our request, so better view the debugger, as it shows the reality.

Now we modify the security configuration of our app, in class BackendSecurity.java.
Here, what we’ve been doing was to add our authorization configuration to http requests, and return a Spring SecurityFilterChain.
The API allows us to specify an additional Filter, and add it in between other existing filters:

addFilterBefore(<myFilter>, <existingFilter>.class)  

So now we only need to create our own filter and insert it into the chain before the Spring security filters.
Our own filter will then be invoked, before the Spring filter would reject eh erroneous request.

To make the tutorial a bit simpler, we create a new class as inner class of the BackendSecurity class.
It is a bean that extends org.springframework.web.filter.GenericFilterBean and overrides the doFilter() method:

public class JwtTroubleFilter extends GenericFilterBean{
	
	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
		HttpServletRequest httpServletRequest = (HttpServletRequest) request;

		String authHeader = httpServletRequest.getHeader("Authorization");		
		if(authHeader == null) {
			System.out.println("===> [TROUBLE] ERROR Authorization header not found");		
			return;
		}
			
		JwtDecoder jwtDecoder = new XsuaaJwtDecoderBuilder(xsuaaBinding).withoutXsuaaAudienceValidator().build();
		String jwtEncoded = authHeader.substring(7);
		Jwt jwtDecoded = jwtDecoder.decode(jwtEncoded);

		System.out.println("===> [TROUBLE] This incoming JWT is sent to my app: " + jwtEncoded);		
		System.out.println("===> [TROUBLE] The incoming JWT decoded: " + jwtDecoded.getClaims().toString());		
		System.out.println("===> [TROUBLE] The incoming JWT is compared to the XSUAA binding of my app.");		
		System.out.println("===> [TROUBLE] The incoming JWT must have my apps clientid in the aud.");		

		System.out.println("===> [TROUBLE] JWT aud:     " + jwtDecoded.getAudience());
		System.out.println("===> [TROUBLE] XSUAA cliId: " + xsuaaBinding.getClientId());

		System.out.println("===> [TROUBLE] JWT sub:     " + jwtDecoded.getSubject());
		System.out.println("===> [TROUBLE] JWT iss:   " + jwtDecoded.getIssuer());
		System.out.println("===> [TROUBLE] XSUAA url: " + xsuaaBinding.getUaaUrl());			
		System.out.println("===> [TROUBLE] JWT scopes: " + String.valueOf(jwtDecoded.getClaimAsStringList(TokenClaims.XSUAA.SCOPES)));
		
		chain.doFilter(request, response);
	}
}

After creating the class, we need to register it with the HttpSecurity builder:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
	http
	.addFilterBefore(new JwtTroubleFilter(), DisableEncodeUrlFilter.class)  
	.authorizeRequests().antMatchers("/endpoint").hasAuthority("scopeforbackend")

That’s all.

We can build and deploy and test our new security filter.

Troublemaking 1: The HTTP 401 Error

After calling the direct URL:
https://backendapp.cfapps.sap.hana.ondemand.com/endpoint
we can easily see the reason of the error in the logs:

Our TroubleFilter has written that the auth header is missing, thus user is not authenticated, no JWT is sent.

Solution:
Use the approuter URL, or manually fetch a JWT token and send it to the endpoint, as it requires authentication via OAuth 2.0

Troublemaking 2: The HTTP 403 Error

After calling the approuter endpoint at
https://backendrouter.cfapps.sap.hana.ondemand.com/tobackend/endpoint
we get the 403 error.
This means, we’re already one step further: user is authenticated, thus accepted by the server.
Now we only need to find out, why the user is not authorized.
In the log we can see helpful info around the JWT token, which is now being sent, but somehow doesn’t seem to be sufficient:

We can see that the clientid is contained in the aud claim.
We can see that the identity zone is ok
We can see the scopes: almost empty.
AHA !!
Almost empty!
Ahhhhhhhhhhh……
(we’re simulating our surprise and relief)
Now we understand: we’ve forgotten to assign the required role to our user…!
Therefore, the required scope (scopeforbackend) is not contained in the “scope” claim of the JWT token.

Solution:
We go to SAP BTP Cockpit->our subaccount->Role Collections->BackendRoles->Edit
Add our user.
Save.

Finally, we open the approuter again, but in different browser (incognito mode), to enforce new user login, such that the role assignment is realized.
As a result, the request is successful and in the log we can see that the required scope is present in the JWT.

5. Optional: More Info

If might be helpful in some cases to use the following snippet to print the full URL that was called:

private void printRequestUrl(HttpServletRequest httpServletRequest) {
	StringBuilder requestURL = new StringBuilder(httpServletRequest.getRequestURL().toString());
	String queryString = httpServletRequest.getQueryString();
	String url;
	if (queryString == null) {
		url = requestURL.toString();
	} else {
		url = requestURL.append('?').append(queryString).toString();
	}
			
	System.out.println("===> [TROUBLE] Incoming request: " + httpServletRequest.getMethod() + " " + url);
	System.out.println("===> [TROUBLE] Incoming request user-agent: " + httpServletRequest.getHeader("user-agent"));
}

6. Cleanup

Once we’ve found the problem, we should change back the log configurations and disable or delete the TroubleFilter.
Alternatively, delete the apps and services, subaccounts and clouds.

cf d -r -f backendrouter
cf d -r -f backendapp
cf ds -f backendXsuaa

Summary

We’ve learned about 2 options for troubleshooting Java Spring applications:

  1. Configure logging levels for the involved components and enable Spring debug option
  2. Implement a hook class that is called before Spring Security would abort the request.

These 2 options don’t solve the problem itself, but enable us to see more logging messages and thus to understand the error.
More options are described in the SAP Help Portal here and here.

Quick Guide

To set logging level for spring application, we can enter the following lines to the application.properties file:

logging.level.org.springframework.web=DEBUG
logging.level.org.springframework=DEBUG
logging.level.org.springframework.security=TRACE
logging.level.com.sap.cloud.security=TRACE

To enable Spring Security debug logs, we add the following annotation to our SecurityConfiguration class

@EnableWebSecurity(debug = true)

To implement a java class that is invoked before Spring Security would reject the request, we proceed as follows:
Find out the list of used Spring Security filters, by enabling Spring debug option and checking the log.
Implement a Filter Bean class that accesses the Authorization header and prints the relevant content of the JWT token.
Register this class in the filter chain before the Spring Security Filters.
See the code snippet in the appendix1

Links

SAP Help Portal:
Authorization Entities documentation.
Reference for xs.security.json parameters.
Application Router main entry and npm.

Monitoring and Troubleshooting
Enable and Provide Application Logs

HTTP Status Codes:
MDN Web Docs (Mozilla Developer Network)
IANA (Internet Assigned Numbers Authority)
HTTP specification (RFC 2616)

OAuth 2.0
Understanding of OAuth for dummies like me.

Appendix 1: Sample Code

For your convenience, see here the structure of the root project containing the 2 applications

xs-security.json

{
    "xsappname": "backendxsappname",
    "tenant-mode": "dedicated",
    "scopes": [{
            "name": "$XSAPPNAME.scopeforbackend"
        }
    ],
    "role-templates": [{
            "name": "BackendRole",
            "scope-references": ["$XSAPPNAME.scopeforbackend"]
        }
    ],
    "role-collections": [{
        "name": "BackendRoles",
        "role-template-references": [ "$XSAPPNAME.BackendRole" ]
      }
    ]    
}

manifest.yml

---
applications:
- name: backendapp
  memory: 1024M
  routes:
    - route: backendapp.cfapps.sap.hana.ondemand.com
  path: backendapp/target/backendapp-0.0.1-SNAPSHOT.jar
  services:
    - backendXsuaa
- name: backendrouter
  path: approuter
  memory: 128M
  routes:
  - route: backendrouter.cfapps.sap.hana.ondemand.com
  env:
    destinations: >
      [
        {
          "name":"destination_backend",
          "url":"https://backendapp.cfapps.sap.hana.ondemand.com",
          "forwardAuthToken": true
        }
      ]
  services:
    - backendXsuaa
    

backendapp

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.7.3</version>
		<relativePath /> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.example</groupId>
	<artifactId>backendapp</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>backendapp</name>
	<description>Service App exposing REST endpoint</description>
	<properties>
		<java.version>1.8</java.version>
	</properties>
	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>com.sap.cloud.security.xsuaa</groupId>
			<artifactId>xsuaa-spring-boot-starter</artifactId>
			<version>2.12.2</version>
		</dependency>

	</dependencies>
	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>

BackendappApplication.java

package com.example.backendapp;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class BackendappApplication {

	public static void main(String[] args) {
		SpringApplication.run(BackendappApplication.class, args);
	}

}

BackendController.java

package com.example.backendapp;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.token.Token;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class BackendController {

	@GetMapping("/endpoint")
    public String getEndpoint(@AuthenticationPrincipal Token token) {
    	return "Endpoint successfully invoked";
    }	
}

BackendSecurity.java

package com.example.backendapp;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.DisableEncodeUrlFilter;
import org.springframework.web.filter.GenericFilterBean;

import com.sap.cloud.security.token.TokenClaims;
import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import com.sap.cloud.security.xsuaa.token.TokenAuthenticationConverter;
import com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoderBuilder;

@Configuration
@EnableWebSecurity(debug = true)
public class BackendSecurity {

	@Autowired
	XsuaaServiceConfiguration xsuaaBinding;
	
	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.addFilterBefore(new JwtTroubleFilter(), DisableEncodeUrlFilter.class)  
			.authorizeRequests().antMatchers("/endpoint").hasAuthority("scopeforbackend")
			.and()
			.oauth2ResourceServer().jwt().jwtAuthenticationConverter(getJwtAuthenticationConverter());
	
		return http.build();
	}

	Converter<Jwt, AbstractAuthenticationToken> getJwtAuthenticationConverter() {
		TokenAuthenticationConverter converter = new TokenAuthenticationConverter(xsuaaBinding);
		converter.setLocalScopeAsAuthorities(true);
		return converter;
	}

	public class JwtTroubleFilter extends GenericFilterBean{
		
		@Override
		public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
			HttpServletRequest httpServletRequest = (HttpServletRequest) request;

			String authHeader = httpServletRequest.getHeader("Authorization");		
			if(authHeader == null) {
				System.out.println("===> [TROUBLE] ERROR Authorization header not found");		
				return;
			}
				
			JwtDecoder jwtDecoder = new XsuaaJwtDecoderBuilder(xsuaaBinding).withoutXsuaaAudienceValidator().build();
			String jwtEncoded = authHeader.substring(7);
			Jwt jwtDecoded = jwtDecoder.decode(jwtEncoded);

			System.out.println("===> [TROUBLE] This incoming JWT is sent to my app: " + jwtEncoded);		
			System.out.println("===> [TROUBLE] The incoming JWT decoded: " + jwtDecoded.getClaims().toString());		
			System.out.println("===> [TROUBLE] The incoming JWT is compared to the XSUAA binding of my app.");		
			System.out.println("===> [TROUBLE] The incoming JWT must have my apps clientid in the aud.");		

			System.out.println("===> [TROUBLE] JWT aud:     " + jwtDecoded.getAudience());
			System.out.println("===> [TROUBLE] XSUAA cliId: " + xsuaaBinding.getClientId());

			System.out.println("===> [TROUBLE] JWT sub:     " + jwtDecoded.getSubject());
			System.out.println("===> [TROUBLE] JWT iss:   " + jwtDecoded.getIssuer());
			System.out.println("===> [TROUBLE] XSUAA url: " + xsuaaBinding.getUaaUrl());			
			System.out.println("===> [TROUBLE] JWT scopes: " + String.valueOf(jwtDecoded.getClaimAsStringList(TokenClaims.XSUAA.SCOPES)));
			
			chain.doFilter(request, response);
		}
	}
	
}

application.properties

logging.level.org.springframework.web=DEBUG
logging.level.org.springframework.security=TRACE
logging.level.org.springframework=DEBUG
logging.level.com.sap.cloud.security=TRACE

Approuter

package.json

{
    "name": "approuter",
    "dependencies": {
        "@sap/approuter": "^10.4.3"
    },
    "scripts": {
        "start": "node node_modules/@sap/approuter/approuter.js"
    }
}

xs-app.json

{
   "authenticationMethod": "route",
   "routes": [
      {
        "source": "^/tobackend/(.*)$",
        "target": "$1",
        "destination": "destination_backend",
        "authenticationType": "xsuaa"
      }
   ]
}

Appendix 2: application.yml

application.yml

---
logging.level:
  com.sap: DEBUG                      
  org.springframework: ERROR          
  org.springframework.security: DEBUG  
  org.springframework.web: DEBUG      

401 == Unauthorized, which means your username/password combo are incorrect

you need a space after «Basic» in the Authorization header

Related videos on Youtube

Spring Boot Whitelabel error page

05 : 28

Spring Boot Whitelabel error page

What is a 401 Error and How Do You Fix It?

06 : 59

What is a 401 Error and How Do You Fix It?

HTTP Status Code 401: What Is a 401 Error "Unauthorized" Response Code?

03 : 48

HTTP Status Code 401: What Is a 401 Error «Unauthorized» Response Code?

What is 401 Error and How to Fix it

04 : 11

What is 401 Error and How to Fix it

ThemeIsle: WordPress Tutorials & Reviews

REST API with Spring Boot - Return Custom HTTP Status Code from RESTful Web Service Endpoint

04 : 59

REST API with Spring Boot — Return Custom HTTP Status Code from RESTful Web Service Endpoint

Spring Boot Custom Error Pages Examples (HTTP 403, 404, 500...)

32 : 09

Spring Boot Custom Error Pages Examples (HTTP 403, 404, 500…)

Sending Proper 401 Unauthorized Response | JWT authentication | Spring boot tutorial [Hindi]

09 : 05

Sending Proper 401 Unauthorized Response | JWT authentication | Spring boot tutorial [Hindi]

What is 401 Unauthorized error | Root cause and solution of  Unauthorized  issue | Common http code

07 : 23

What is 401 Unauthorized error | Root cause and solution of Unauthorized issue | Common http code

Comments

  • Hi I write java program to do a http post request by Http Basic Authentication
    but it always shows error 401. My username and password is right can login the website. I don’t know where wrong?

     import java.io.BufferedReader;
     import java.io.DataOutputStream;
     import java.io.InputStreamReader;
     import java.net.HttpURLConnection;
     import java.net.URL;
     import sun.misc.*;
    
     import javax.net.ssl.HttpsURLConnection;
     import org.apache.commons.codec.*;
    
     @SuppressWarnings("unused")
     public class hello {
    
    /**
     * @param args
     */
    private final String USER_AGENT = "Mozilla/5.0";
    public static void main(String[] args) throws Exception {
        // TODO Auto-generated method stub
        hello http = new hello();
    
    
        //System.out.println("Testing 1 - Send Http GET request");
        //http.sendGet();
    
        System.out.println("nTesting 2 - Send Http POST request");
        http.sendPost();
    }
    
    @SuppressWarnings("unused")
    private void sendPost() throws Exception {
    
        String url = "https://mds.datacite.org/doi";
        URL obj = new URL(url);
        HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();
        String userPassword= "username:password";
        String encoding = new String(org.apache.commons.codec.binary.Base64.encodeBase64(org.apache.commons.codec.binary.StringUtils.getBytesUtf8(userPassword)));
        System.out.println(encoding);
    
    
        //add reuqest header
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "text/plain");
        con.setRequestProperty("charset", "UTF-8");
        con.setRequestProperty("Authorization","Basic"+encoding);
    
    
        String urlParameters = "doi=xxxxxx&url=http://xxxxx/dataset/1xxx099";
    
        // Send post request
        con.setDoOutput(true);
        DataOutputStream wr = new DataOutputStream(con.getOutputStream());
        wr.writeBytes(urlParameters);
        wr.flush();
        wr.close();
    
        int responseCode = con.getResponseCode();
        System.out.println("nSending 'POST' request to URL : " + url);
        System.out.println("Post parameters : " + urlParameters);
        System.out.println("Response Code : " + responseCode);
    
        BufferedReader in = new BufferedReader(
                new InputStreamReader(con.getInputStream()));
        String inputLine;
        StringBuffer response = new StringBuffer();
    
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
        in.close();
    
        //print result
        System.out.println(response.toString());
    
    }
    

Recents

So I’m trying to post to a URL (which I can’t show, because it’s sensitive information), but I keep getting a 401 error, which means unauthorized. And I have credentials, but I don’t know how to set them. I have a username, password, and a role.

public class GSONPost {

public static void main(String[] args) {

    Person personObj = new Person();
    personObj.setOrganization("ACC");
    personObj.setFirstName("Harry");
    personObj.setLastName("Smith");
    personObj.setPhone1(null);
    personObj.setPhone2(null);
    personObj.setEmail(null);
    personObj.setState("AZ");
    personObj.setLeadDate(null); // Fix Later
    personObj.setCompany("Dan's Mortage");
    personObj.setCompanyContactName("Indiana Jones");
    personObj.setOutsideRep("Joel Martin");

    Person personObj2 = new Person();
    personObj2.setOrganization("ACC");
    personObj2.setFirstName("Richard");
    personObj2.setLastName("Nixon");
    personObj2.setPhone1(null);
    personObj2.setPhone2(null);
    personObj2.setEmail(null);
    personObj2.setState(null);
    personObj2.setLeadDate(null); // Fix Later
    personObj2.setCompany("Dan's Mortage");
    personObj2.setCompanyContactName("Indiana Jones");
    personObj2.setOutsideRep("Joel Martin");

    List<Person> personArrayList = new ArrayList<Person>();
    personArrayList.add(personObj);
    personArrayList.add(personObj2);

    PersonList personList = new PersonList();
    personList.setPersonList(personArrayList);

    Gson gson = new GsonBuilder().setPrettyPrinting().create();

    String json = gson.toJson(personList);

    try {
        // write converted json data to a file named "PersonList.json"
        FileWriter writer = new FileWriter("C:\Users\Dylan\JsonFiles\PersonList.json");
        writer.write(json);
        writer.close();

    } catch (IOException e) {
        e.printStackTrace();
    }

    try

    {


        DefaultHttpClient httpClient = new DefaultHttpClient();
        HttpPost postRequest = new HttpPost(
                "https://myurl/addlist");

        StringEntity input = new StringEntity(json);
        input.setContentType("application/json");
        postRequest.setEntity(input);

        HttpResponse response = httpClient.execute(postRequest);

        BufferedReader br = new BufferedReader(new InputStreamReader((response.getEntity().getContent())));

        String output;
        System.out.println("Output from Server .... n");
        while ((output = br.readLine()) != null) {
            System.out.println(output);
        }

        httpClient.getConnectionManager().shutdown();

    } catch (MalformedURLException e) {

        e.printStackTrace();

    } catch (IOException e1) {

        e1.printStackTrace();

    }
}
}

If anyone can show me a way where I could set my credentials, so that I won’t get a 401 error, or if you guys can see anything else that’s causing the issue and could let me know, that would be great. Thanks in advance.

Я пытаюсь аутентифицировать https-url, но я получаю исключение. Ниже приведен код.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class Authenticate {

    /**
     * @param args
     */
    public void authenticateUrl() {

        HostnameVerifier hv = new HostnameVerifier() {

            @Override
            public boolean verify(String urlHostName, SSLSession session) {
                System.out.println("Warning: URL Host: " + urlHostName
                        + " vs. " + session.getPeerHost());
                return true;
            }
        };
        // Now you are telling the JRE to trust any https server.
        // If you know the URL that you are connecting to then this should
        // not be a problem
        try {
            trustAllHttpsCertificates();
        } catch (Exception e) {
            System.out.println("Trustall" + e.getStackTrace());
        }
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
        StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
        try {
            URL url = new URL(
                    "www.stackoverflow.com");

            // Popup Window to request username/password password
            // MyAuthenticator ma = new MyAuthenticator();
            String userPassword = "user" + ":" + "pass";

            // Encode String
            String encoding = URLEncoder.encode(userPassword, "UTF-8");

            // or
            // String encoding = Base64Converter.encode
            // (userPassword.getBytes());

            // Need to work with URLConnection to set request property
            URLConnection uc = url.openConnection();

            uc.setRequestProperty("Authorization", "UTF-8" + encoding);
            InputStream content = (InputStream) uc.getInputStream();
            BufferedReader in = new BufferedReader(new InputStreamReader(
                    content));
            String line;
            while ((line = in.readLine()) != null) {
                pw.println(line);
            }
        } catch (MalformedURLException e) {
            e.printStackTrace();
            pw.println("Invalid URL");
        } catch (IOException e) {
            e.printStackTrace();
            pw.println("Error reading URL");
        } catch (Exception e) {
            e.printStackTrace();
        }
        sw.toString();
    }

    public static void main(String[] args) {
        // TODO Auto-generated method stub
        Authenticate au = new Authenticate();
        au.authenticateUrl();
    }

    // Just add these two functions in your program

    public static class TempTrustedManager implements
            javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public boolean isServerTrusted(
                java.security.cert.X509Certificate[] certs) {
            return true;
        }

        public boolean isClientTrusted(
                java.security.cert.X509Certificate[] certs) {
            return true;
        }

        public void checkServerTrusted(
                java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }

        public void checkClientTrusted(
                java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }
    }

    private static void trustAllHttpsCertificates() throws Exception {

        // Create a trust manager that does not validate certificate chains:

        javax.net.ssl.TrustManager[] trustAllCerts =

        new javax.net.ssl.TrustManager[1];

        javax.net.ssl.TrustManager tm = new TempTrustedManager();

        trustAllCerts[0] = tm;

        javax.net.ssl.SSLContext sc =

        javax.net.ssl.SSLContext.getInstance("SSL");

        sc.init(null, trustAllCerts, null);

        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(

        sc.getSocketFactory());

    }
}

Исключение:

java.io.IOException: Server returned HTTP response code: 401 for URL: 
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at Authenticate.authenticateUrl(Authenticate.java:62)
    at Authenticate.main(Authenticate.java:84)

Пожалуйста, кто-нибудь может предложить, как решить эту проблему.

01 июль 2012, в 21:25

Поделиться

Источник

3 ответа

Код ошибки 401 означает «Несанкционированный». Я считаю, что ваш код неправильно кодирует заголовок аутентификации. Предполагая, что сервер ожидает базовой аутентификации доступа, код должен выглядеть следующим образом:

String credentials = "ptt" + ":" + "ptt123";
String encoding = Base64Converter.encode(credentials.getBytes("UTF-8"));
URLConnection uc = url.openConnection();
uc.setRequestProperty("Authorization", String.format("Basic %s", encoding));

Подробное описание схем аутентификации HTTP и дайджеста доступно в RFC 2617

Jcs
01 июль 2012, в 19:54

Поделиться

Еще один простой способ — использовать Аутентификатор.

Из документов

Класс Аутентификатор представляет объект, который знает, как получить аутентификацию для сетевого подключения. Обычно он будет делать это, запрашивая у пользователя информацию.

URL url = null;
try {
    url = new URL("YOUR_URL");
    Authenticator.setDefault(new Authenticator() {
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication("YOUR_USERNAME","YOUR_PASSWORD".toCharArray());
        }
    });
}catch (MalformedURLException ex) {
        e = new WebServiceException(ex);
}

Abdullah Khan
16 май 2016, в 10:05

Поделиться

Здесь вы можете обращаться с кодом ошибки 401.
Использование HTTPURLCONNECTION
вот мой код, пожалуйста, проверьте, что вы можете помочь этому

URL Url = new URL(<your url string>);
HttpURLConnection connection = (HttpURLConnection) Url.openConnection();
connection.setRequestProperty(<your request header);
connection.setRequestMethod("GET");
connection.setDoInput(true);
connection.connect();

int responseCode = connection.getResponseCode();

if (responseCode == 200) 
    { InputStream is = connection.getInputStream();
      if (is != null) 
         { BufferedReader rd = new BufferedReader(new InputStreamReader(is));
                        response = rd.readLine();
                    }
} else { InputStream is = connection.getErrorStream();

          BufferedReader rd = new BufferedReader(new InputStreamReader(is));

      response = rd.readLine();

} if (response != null)
        AppLog.e("Response-->", response);

Arpan24x7
25 март 2016, в 14:48

Поделиться

Ещё вопросы

  • 1Как расширить компонент Button и разрешить событие пробела
  • 0Как взять СУММУ всех СЧЕТОВ?
  • 0Phalcon datetime в модели запроса об ошибке
  • 0SQLSTATE [HY000]: общая ошибка: 1364 Поле ‘name’ не имеет значения по умолчанию laravel 5.5
  • 1Добавление маркеров в Leaflet.js
  • 0пакет udp не получен в QThread
  • 1Выполнить программу на Python из командной строки без файла скрипта
  • 0TMXTiledMap показывает пустой экран
  • 1Одна горячая кодировка на уровне персонажа
  • 0Magmi — проблема с загрузкой более одного изображения media_gallery
  • 0Идентификатор кнопки Rails и события нажатия кнопки
  • 0Редактировать в состоянии выбрать поле с группировкой в настройках
  • 1C # Reflection: В чем разница между FieldInfo.SetValue () и FieldInfo.SetValueDirect ()?
  • 0Codeigniter возвращает false из моделей
  • 1преобразовать гггг-дд-мм в гггг-мм-дд в Python
  • 0c ++ вектор векторов размера следующего столбца
  • 1Сортировка многомерного массива в JavaScript?
  • 1Представление Flask создает DataFrame, но по-прежнему вызывает «UnboundLocalError: локальная переменная« df », на которую ссылаются до назначения»
  • 1Отключить асинхронную загрузку Google Analytics
  • 0Размер текстового поля Yii timepicker
  • 0Слияние сложных массивов
  • 0Fancybox Закрыть Не работает
  • 0JQuery проблема с выпадающим меню
  • 0cpp удаляет старый указатель и повторно инициализирует его
  • 1Как рассчитать взвешенное сходство с scipy.spatial.distance.cosine?
  • 1Разобрать строку составного запроса в Python
  • 0использование перенаправления htaccess приводит к некоторому странному поведению
  • 1Генерация случайного изображения JPG из консольного приложения
  • 0Как мне запустить этот скрипт в MYSQL?
  • 1Как проверить, если одна дата за другой в Java?
  • 0Winsock send () проблема с однобайтовой передачей
  • 0Выпадающее меню CSS3 при наведении на размер
  • 0Регулярное выражение для соответствия всем между <>, которое находится в квадратных скобках
  • 0Угловая маршрутизация мини контролера до пункта маршрута
  • 1Как связать существующее приложение Angular 2 с Nodejs Server?
  • 0angularjs уменьшит картинку с мобильного телефона
  • 0RewriteRule работает на http, но ломается на https
  • 0Создать приложение Android AR с помощью плагина Unity-ARKit
  • 1Алгоритм: создание шестиугольников с подушкой
  • 0Angular.js 401 Неразрешенный код статуса
  • 1Ember простой поддельный сервис не отображается на странице
  • 1скомпилировать файл Java в Eclipse
  • 0динамическое window.find не работает с jQuery
  • 0найти элемент по названию в сортируемом — jquery
  • 1Негативное правило для EJB WS
  • 0Проблемы с загрузкой формы PHP
  • 0Выберите primary_keys, которые соответствуют условиям из внешнего ключа другой таблицы
  • 1Почему мой массив не усредняет все числа?
  • 0Как читать файл .txt символ за символом без <iostream>?
  • 0ngRepeat не работает в colorbox

Сообщество Overcoder

Понравилась статья? Поделить с друзьями:
  • Ошибка java 110
  • Ошибка jam4211 kyocera 2040
  • Ошибка jam4209 kyocera 2040
  • Ошибка jam4201 kyocera 2035
  • Ошибка jam0501 kyocera m2040dn