Hello all
Hoping for any suggestions. I have been asked to look into scripting API calls to Nexpose. Authentication ... (code just thrown together in a few minutes so please forgive)
Anyway, this VBS script allows me to authenticate and return a session ID .. no issues
Dim stringXML : stringXML = "<?xml version=""1.0"" encoding=""UTF-8""?><LoginRequest sync-id=""123"" user-id=""<LOGIN ID>"" password=""<PWD>"" />"
Dim httpRequest : Set httpRequest = CreateObject("MSXML2.ServerXMLHTTP.6.0")
httpRequest.Open "POST", "https://<LOCAL NEXPOSE SERVER>.com:3780/api/1.1/xml", FALSE
httpRequest.SetRequestHeader "Content-Type", "text/xml"
httpRequest.Send stringXML
If httpRequest.status = 200 Then
wscript.echo httpRequest.responseText
Else
wscript.echo "CRAP"
End If
wscript.quit
However, when I try to replicate within WB, it fails to authenticate
stringXML = '<?xml version="1.0" encoding="UTF-8"?><LoginRequest sync-id="123" user-id="<LOGIN ID>" password="<PWD>" />'
oHTTP = CreateObject("MSXML2.ServerXMLHTTP.6.0")
oHttp.open("POST","https://<LOCAL NEXPOSE SERVER>.com:3780/api/1.1/xml",@FALSE)
oHttp.SetRequestHeader("Content-Type", "text/xml")
oHttp.Send(stringxml)
If oHttp.Status == 200
message("Nexpose Test",oHTTP.responseText)
Else
message("Nexpose Test","Returned Status of " : oHTTP.Status)
End if
exit
I get a status code of 200, but the ResponseText (attached) says "Authorization required for API Access"
Any ideas on what I missed? Running latest WinBatch BTW
Thanks all
The first question is what are "<LOGIN ID>" and "<PWD>"? Are they just placeholders for whatever your actual id and password or do they have some special meaning to your API?
placeholders, sorry. actual Nexpose server, Login ID and password in both scripts
This may be far-fetched but I read about a user writing a request from Excel and mentioned that instead of using MSXML2.ServerXMLHTTP.6.0 he used MSXML2.XMLHTTP.6.0 - which seemed to work better as the site used cookies. May not apply here but real easy to test.
I tried MSXML2.XMLHTTP.6.0 but the script dies at "oHttp.Send(stringxml)" with a COM/CLR Exception
Assuming that you are not doing something with substitution in your actual script and that you are executing the script from an admin account, the only thing that comes to mind is UAC. Have no idea why it would make a difference but your VB script is most likely running with the restricted admin token and your WinBatch script is most likely executing with an elevated admin token. It is a very long shot but you could try changing your script's file extension from ".wbt" to ".wbt_if" and then try running the ".wbt_if" version. If it works then, as far-fetched as it may seem, UAC is the cause.
I found out a different way. I appreciate everyone's thoughts and ideas.
Thanks again everyone
It would have been interesting to have discovered why your WinBatch script was not working correctly. Oh well. The only other thing I could think of is that for some unknown reason the COM Automation object represented by the "MSXML2.ServerXMLHTTP.6.0" moniker is sending a different default user agent when called from WinBatch than when called from VB. I have no idea if or why that would happen but I do know that using this object with HTTPS protocol URLs can have a user agent problem. Of course, this particular problem can be corrected by changing the user agent in the header before connecting to the HTTP server.
If I had RTFM, I would have noticed one can encode userid and pwd in Base64, then use basic authorization in the header; it goes in w/o a hitch. Plus I moved to Nexpose API version 3.
#DefineFunction udfEncodeBase64(str)
hexstr = ChrStringToHex(str)
hBin = BinaryAlloc(StrByteCount( hexstr, 1 ))
BinaryPokeHex(hBin, 0, hexstr)
BinaryOleType(hBin, 103, 0,0,0)
objXML = ObjectCreate('MSXML2.DOMDocument')
objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.nodeTypedValue = hBin
EncodeBase64 = objNode.Text
objNode = 0
objXML = 0
Return EncodeBase64
#EndFunction
text = '<USERID>:<Password>'
token = udfEncodeBase64(text)
url = "https://nexpose.xxxxx.com:3780/api/3/sites"
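oHttp = CreateObject("WinHTTP.WinHTTPRequest.5.1")
oHttp.open("GET",url,@FALSE)
oHttp.SetRequestHeader("Authorization", "Basic %token%")
oHttp.SetRequestHeader("Content-Type", "application/json")
oHttp.SetRequestHeader("cache-control","no-cache")
; Option 0 = UserAgentString
oHttp.Option(0) = "http_requester/0.1"
; Option 4 = SslErrorIgnoreFlags; 13056 (0x3300) ignores all server certificate errors
oHttp.Option(4) = 13056
; Option 6 = EnableRedirects (turned off here)
oHttp.Option(6) = @FALSE
; Option 12 = EnableHttpsToHttpRedirects
ohttp.Option(12) = @TRUE
oHttp.send()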
Live and learn I guess. Again, thanks all
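An added example, not part of the original posts and written in Python rather than WinBatch: it builds the same Basic header for GET /api/3/sites, shows that the credentials can be read straight back out of it, and decodes which certificate errors the value 13056 set through Option(4) tells WinHTTP to ignore. The host name, account and password are constructed placeholders, and the function names are this example's own.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit

# WinHTTP SslErrorIgnoreFlags bits (the option set through Option(4) in the post).
SSL_IGNORE_FLAGS = {
    0x0100: "unknown CA",
    0x0200: "wrong certificate usage",
    0x1000: "host name (CN) mismatch",
    0x2000: "expired or not-yet-valid certificate",
}

def ignored_cert_errors(value):
    """List the certificate errors a SslErrorIgnoreFlags value suppresses."""
    return [name for bit, name in SSL_IGNORE_FLAGS.items() if value & bit]

def basic_auth_header(user, password):
    """Build the Authorization value: 'Basic ' + base64(user ':' password)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (it delimits the password)")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic_auth(header):
    """Recover the credentials; Base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password

def build_sites_request(base_url, user, password):
    """Prepare GET /api/3/sites; refuse plain HTTP so the header stays inside TLS."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("Basic credentials require an https:// URL")
    req = urllib.request.Request(base_url.rstrip("/") + "/api/3/sites", method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/json")
    return req

def strict_tls_context():
    """Default context: certificate chain and host name are both verified."""
    return ssl.create_default_context()

# Constructed placeholders. Sending would be:
#   urllib.request.urlopen(req, context=strict_tls_context(), timeout=30)
req = build_sites_request("https://nexpose.example.com:3780", "svc_report", "p:ss w0rd")
```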
Thanks for the information. I suspect I and perhaps others will find it useful down the road.
I agree with Tony and apologize for my rabbit hole. One question: did moving to the newer Nexpose API require
oHttp.SetRequestHeader("Content-Type", "application/json")
instead of
oHttp.SetRequestHeader("Content-Type", "text/xml")
This type of programming is new to me. People found I could code and suddenly I am getting side requests to access OnSpring, Nexpose and BitSight. So learning on the fly.
No, Nexpose didn't to my knowledge. I googled for VB example of Base64 and translated
So, for a GET, changing oHttp.SetRequestHeader("Content-Type", "application/json") to oHttp.SetRequestHeader("Content-Type", "text/xml") does not seem to matter for Nexpose. Results are the same and in same format (JSON).
Now a POST, not sure yet as I haven't gotten that far