Hello Community,
I am trying to write a folder-level JS script in Acrobat Pro that makes an HTTP POST request to a server. It requires the value of the SSO token as a header in the request. When I made the request using Postman by adding a header in the request as key="Cookie" and value="SSO=....;", it successfully hit the server and returned a response. On the other hand, when I tried to do it using the code below, it doesn't seem to hit the server and gets a redirection. I am not able to figure out what the issue is. Any help regarding this would be greatly appreciated.
Thanks.
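// Folder-level script: wrap the privileged call in a trusted function.
ajax = app.trustedFunction(function(furl) {
    app.beginPriv();
    Net.HTTP.request({
        cVerb: "POST",
        cURL: furl,
        // SSO token sent as a Cookie request header (value elided)
        aHeaders: [ { name: "Cookie", value: "SSO=....;" } ],
        oHandler: callbackfn
    });
    app.endPriv();
});
// Handler object; its response method receives the server's reply.
callbackfn = {
    response: function(...) {
        ...
    }
};
ajax("https://...");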
Are you sure that the request from Acrobat has all of the required headers? Is the empty body a problem?
Have you been able to successfully post to a site that does not require cookies?
No, the empty body is not the problem because through Postman I am able to successfully make the request using an empty body. Also, I have been able to successfully post to a URL that does not require cookies.
For the 'all required headers' thing, would I need to pass all the headers that are appearing in the request headers under Postman, including "User-Agent", "Cache-Control", etc.?
Not all of the cookies are necessary, but some are, such as content-type. I don't know exactly what's needed, but browsers add a lot to an HTTP request, and afaik the net.http request only adds the content length. So I'd suggest you put it all in, and also check for any kind of handshaking.
But TestScreen is correct that this seems like a security problem. Usually, there is some kind of authorization process for getting onto a secure site. These days everything is REST. I'd talk to the site developers to find out the proper way to do this.
Using Wireshark, I analyzed what was getting passed along with the request and found out that the much-needed "Cookie" is not getting passed along with the request. All other headers can be passed but not the cookie. So, why is this? Is this due to some security policy of Acrobat? How can we resolve this issue? Thanks.
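Added example, not part of any post in this thread: the capture comparison described above can be made repeatable by diffing the header block of a working request against the failing one, with credential values redacted before the result is shared. Both captures are constructed sample data; the host, client names and cookie names are placeholders.

```javascript
// Constructed sample captures (placeholders, not taken from the thread).
const WORKING = ['POST /api/endpoint HTTP/1.1', 'Host: server.example',
  'User-Agent: WorkingClient/1.0', 'Cache-Control: no-cache',
  'Cookie: SSO=PLACEHOLDER; other=1', 'Content-Length: 0', '', ''].join('\r\n');
const FAILING = ['POST /api/endpoint HTTP/1.1', 'Host: server.example',
  'User-Agent: FailingClient/1.0', 'Content-Length: 0', '', ''].join('\r\n');

// Parse the header block of a raw request into a Map keyed by the
// lower-cased header name (header names are case-insensitive).
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const headers = new Map();
  for (const line of head.split(/\r?\n/).slice(1)) { // skip the request line
    const i = line.indexOf(':');
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers.set(name, headers.has(name) ? headers.get(name) + ', ' + value : value);
  }
  return headers;
}

// Keep credential values out of anything pasted into a ticket or forum post.
function redact(name, value) {
  if (name === 'cookie') {
    return value.split(';').map(p => p.trim()).filter(Boolean)
      .map(p => p.split('=')[0] + '=<redacted>').join('; ');
  }
  if (name === 'authorization') return value.split(' ')[0] + ' <redacted>';
  return value;
}

// Report headers the working request has that the failing one lacks,
// and headers present in both whose values differ.
function diffHeaders(workingRaw, failingRaw) {
  const w = parseHeaders(workingRaw);
  const f = parseHeaders(failingRaw);
  const missing = [];
  const changed = [];
  for (const [name, value] of w) {
    if (!f.has(name)) missing.push({ name, value: redact(name, value) });
    else if (f.get(name) !== value) {
      changed.push({ name, working: redact(name, value), failing: redact(name, f.get(name)) });
    }
  }
  return { missing, changed };
}

console.log(JSON.stringify(diffHeaders(WORKING, FAILING), null, 2));
```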
I've used cookies without this issue. Doesn't mean there isn't some kind of security issue. Try adding the request domain to the trusted list. Also make sure the header format is correct.
"Adding the request to the trusted list"
When you say this, I guess you mean the "trusted sites" shown in the screenshot below, the path to which is Preferences > Security (advanced) > View Windows trusted sites > Trusted sites > Sites.
I added the endpoint URL there and it still did not work.
As for the correct header format thing, I am adding in the format as in the code above. I think this format is correct since I am able to pass other headers using this.
I mean the Acrobat Enhanced Security Preferences. Look in the Acrobat "Preferences". These settings determine how Acrobat interacts with external documents/locations when it comes to security issues.
I tried playing with the settings in the 'Preferences' you described above. But still, it is not working 😞
What do you mean “gets a redirection”?
I mean it doesn't hit the intended URL because of something, and the URL is made such that the incomplete request gets a redirection to some other URL (like a login page).
So you are trying to get to a page that needs login. And it hits the server but the server doesn’t pass it on. The whole idea of bypassing login with cookies is very suspect. Your front end probably does some security tests like cookie origin, cross domain checks or whatever. Maybe it sends challenge/response. We can’t know and external inspection can’t find out. If one could just copy cookies to bypass login the internet would be a very unsafe place. You need to liaise with your server developers to find a secure route for whatever thing you must do.
Hi, I understand what you are saying, but the organization I am developing it for does it this way only. I can't challenge this way of bypassing login using cookies.
Could anyone help with more input as to why Acrobat is behaving strangely with the cookie?
Is there a cross domain issue?
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html