Atanas Roussev - Senior Java Developer, UI Engineer, Web Developer Resume - Vancouver » REST Client

a 3D feel

atanas — Mon, 03 May 2010 02:49:23 +0000

REST client HTTP4e version 3 released – code generation for Ruby, C#, Flex, ActionScript, jQuery, Java, Prototype, Cocoa

atanas — Sat, 27 Mar 2010 07:13:29 +0000

Great news. HTTP4e was released few weeks ago. Today I found some time to post it.

New features:

Introducing @file abilities to load external payload to body by simply passing @/file/path
Export HTTP sessions report as HTML
Export and import HTTP4e replay script
Importing raw HTTP packets
Importing http packets directly from Firefox’s Live HTTPHeaders
Enhancing tabs
Fixing Pretty view XML formatting
JMeterone click script generation
PHP, Flex/ActionScript, Cocoa/Objective-C, Ruby, Pythonone click script generation
C#, Visual Basic.NETone click script generation
JavaScript, Prototype, jQuery one click script generation
Apache HTTP Components 4.x one click code generation

Stay tuned for more news and examples.

HTTP4e REST Client on MyRadRails Ruby IDE

atanas — Sat, 06 Mar 2010 02:56:21 +0000

I was playing with Ruby and tried HTTP4e on MyRadRails and it worked as a charm.

This is what I call write once run anywhere. Great job Eclipse!

REST Authentication

atanas — Mon, 15 Feb 2010 08:54:30 +0000

Recently I had to explain how would I design a REST Authentication. My humble thoughts:

Using Basic or Digest is naive.

1. Basic token is a plain Base64 text. To make it worst, you need to send the username and password each time as part of the HTTP packet so any MitM attacker will be able to translate it.

2. The security aspect could be resolved by using Basic over SSL. Yet SSL has it’s performance drawbacks. And in your requirements SSL may not be an option.

3. Using the Digest as being secure, resolves 1 and 2, yet it has disadvantages as:
- The nonce is optional. Skipping the nonce MD5(username:nonce:password) could end up with Digest algorithm of MD5(username:password) which is not secure for simple passwords. Any computer today would be able to reverse engineer a simple password MD5 hash using available dictionaries.
- The Digest is optional. A MitM could tamper the packet and browser could fall back to Basic.

4. Digest and Basic when invoked within a browser environment has the annoying feature of opening a native popup with username/password.

5. Basic/Digest don’t expire. As long as you stole a Basic/Digest security token you can continue with the replay attack.

6. No prevention for tampering. Digest algorithm includes hashing the URI:Method:andBody yet, those algorithms are once again recommendations only and optional.

My prefer approach would be a

Custom Authentication Token a la Amazon

Amazon REST Authentication did a great job of providing a secure REST Authentication. Let’s dissect their token:

Example AWS Call:

GET /photos/puppy.jpg HTTP/1.1
Host: johnsmith.s3.amazonaws.com
Date: Mon, 26 Mar 2007 19:37:58 +0000
Authorization: AWS 0PN5J17HBGZHT7JJ3X82:frJIUN8DYpKDtOLCwo//yllqDzg=

where Authorization algorithm header is:

Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature;

and signature:

Signature = Base64( HMAC-SHA1( UTF-8-Encoding-Of( YourSecretAccessKeyID, StringToSign ) ) );

and more:

StringToSign = HTTP-Verb + "\n" +
	Content-MD5 + "\n" +
	Content-Type + "\n" +
	Date + "\n" +
	CanonicalizedAmzHeaders +
	CanonicalizedResource;

CanonicalizedResource = [ "/" + Bucket ] +
	 +
	[ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"];

CanonicalizedAmzHeaders =

Explaining:

CanonicalizedAmzHeaders: Some special AWS business headers. Skipping..
CanonicalizedResource: a string concatenating elements from HTTP packet being sent – URI, parameters, Method etc. Reason? Preventing HTTP packet tampering. Assuming an attacker stole the Authentication token, then stolen token could be used only within the current REST call as vital elements of the packet are being injected as part of AWS token.
StringToSign and Content-MD5 etc.. – more tampering prevention and obfuscation.
Signature: One way hash encryption of the whole amalgam above.

More thoughts:

The token will contain a time stamp so it will expiry on inactivity.
The token could optionally contain business sensitive data too. userID or any businessID’s.

Lastly, depending on requirements, you may want to consider using OAuth too.

Have a crafty and secure fun!

The RESTful HTTP4e client with BASIC and DIGEST Authentication

atanas — Wed, 14 Oct 2009 06:56:39 +0000

Great news. HTTP4e adds BASIC and DIGEST Authentication support. Bellow is the Configuration Dialog on Ubuntu:

HTTP4e on Linux and Mac OS X

atanas — Sun, 11 Oct 2009 06:48:42 +0000

Another exciting news for HTTP4e. Fonts on Linux and Mac OS X have been finally fixed.

HTTP4e on Mac OS X Leopard:

HTTP4e on Ubuntu:

HTTP4e supports UTF8 Unicode

atanas — Sun, 11 Oct 2009 06:15:04 +0000

A good news for the Bulgarian community. HTTP4e supports unicode which means all those young kids can start start phishing on … drum rolls … unicode

Joke aside, have a look on the screenshots. Chinese and Cyrillic characters right on your favorite RESTful client. Cutie, eh?

Basic Authentication with HTTP4e

atanas — Sun, 11 Oct 2009 05:54:22 +0000

Many people are complaining about HTTP4e don’t supporting Authentication. Yet, a bit of knowledge about Basic Authentication would help them realize that performing authenticated request is nothing more than passing an additional “authentication” header.

Opening Wikipedia at http://en.wikipedia.org/wiki/Basic_access_authentication
the following sequence of packet negotiation is being passed across the wire:

Request One:

GET /private/index.html HTTP/1.0
Host: localhost

HTTP/1.0 401 Authorization Required
Server: HTTPd/1.0
Date: Sat, 27 Nov 2004 10:18:15 GMT
WWW-Authenticate: Basic realm="Secure Area"
Content-Type: text/html
Content-Length: 311

blah blah ...

Request Two:

GET /private/index.html HTTP/1.0
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

HTTP/1.0 200 OK
Server: HTTPd/1.0
Date: Sat, 27 Nov 2004 10:19:07 GMT
Content-Type: text/html
Content-Length: 10476

What does this tell us? Request one is trying to retrieve a resource on server localhost. Receiving a response back with 401 Authorization Required, the client makes second attempt (Request Two) passing this time some magic header and the server seems to like it by giving back 200 OK. The magic header is “Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==”. The formula of the encoded string is nothing else, but Basic64 encoded text, so any online Base64 tool will decode the text to its human readable “username:password” value.

Back to the original post. How does this relate to HTTP4e? Well the tool doesn’t have the GUI utility to plug this header to the request sending. Yet, this doesn’t mean it doesn’t support Base Authentication. All you need to do is pass that magic header into your requests. So if you construct an HTTP call against server www.abc.com protected by Base authentication with username:password, pass this additional header to to that call.

Authorization: Basic

Thanks for reading this far.

Caching Tutorial and why “Pragma: no-cache” doesn’t work

atanas — Thu, 24 Sep 2009 04:31:54 +0000

Many of you probably sill think that the META headers are the solution for No-Caching.

I came across this excellent tutorial by Mark Nottingham http://www.mnot.net/cache_docs/. It explains why ”Pragma: no-cache” doesn’t work and why you should use the Cache Control HTTP Headers instead.

Last-Modified
If-Modified-Since
ETag
If-None-Match
Cache-Control: max-age=3600, must-revalidate

Eclipse HTTP REST Client Tips and Tricks

atanas — Fri, 10 Jul 2009 08:00:41 +0000

The HTTP4e hidden features list is published. The tool has so many hidden features, such as auto complete, panel expand, proxy configuration, etc. Yet folks are totally unaware of them. My bad. It’s interesting how publishing a single list could take a year!