
Getting 401 - Unauthorized error using sample java application

propelgrowth07
Regular Participant


I have downloaded and compiled the java sample application provided through Constant Contact.  When I run it and attempt to "Get Lists" I'm getting an Unauthorized 401 error.  I'm confused as to why this is because I am using the api key provided to me through constant contact and the username and password I used to get the api key in the first place.  Is there a different "Site Owner User Name" and password I should be using?  Are there any other common causes of this error that could be causing it?  Any help would be greatly appreciated.


Thank You,

Mark Wolters

7 REPLIES 7
DaveBerard
Moderator

Hi Mark,

I'm sorry for the confusion with the Java Sample Application.  That was created prior to our changing Authentication models from Digest to Basic Authentication over SSL.  The Application is not configured to use the correct Authentication type and is not configured to make the requests over HTTPS.

We have created updated samples for the most commonly used languages we've found, PHP and .NET.  It is unlikely that we will provide an updated Java sample application, however the changes should be fairly simple to update it to Basic Authentication over HTTPS.  Here is a link to our guide for updating Authentication.

Dave Berard
Senior Product Manager, Constant Contact
propelgrowth07
Regular Participant

Dave,


Thanks so much for your quick reply, it was very helpful.  Unfortunately whereas before I was getting the following message along with a 401 error:


WARNING: Unable to respond to any of these challenges: {basic=BASIC realm="api.constantcontact.com" oauth=OAuth realm="api.constantcontact.com"}


Now I am still receiving the 401 error but with only a problem with OAuth, i.e.:


WARNING: Unable to respond to any of these challenges: {oauth=OAuth realm="api.constantcontact.com"}


I'll dig around and see if there's anything helpful in the forums regarding this already but if there's a simple solution that you can point me towards that'd be great!

Thanks,

Mark Wolters

DaveBerard
Moderator

Hi Mark,

OAuth is no longer available due to a security hole in the protocol itself.  The hole has since been patched, however we have not investigated the impact to our customers in re-enabling it.  The only protocol you should need is Basic over HTTPS.

Dave Berard
Senior Product Manager, Constant Contact
propelgrowth07
Regular Participant

Once again thank you Dave, I appreciate the help.  My problem here is that I'm far from a security expert, so maybe I'm not understanding where the decision to use oauth is being made...there is nothing in the code to enable oauth, the only authentication I'm using now is basic.  But when I attempt to access http://api.constantcontact.com/ws/customers/propelgrowth07/lists I get the 401 - Unauthorized error.  The reference to oauth is being made in the Tomcat log, here's a cut'n'paste of everything from the startup message on:


INFO: Server startup in 2258 ms

log4j:WARN No appenders could be found for logger (com.propel.constantcontact.webservices.ListServlet).

log4j:WARN Please initialize the log4j system properly.

Aug 14, 2009 11:49:41 AM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge

WARNING: Unable to respond to any of these challenges: {oauth=OAuth realm="api.constantcontact.com"}

Aug 14, 2009 12:02:42 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge

WARNING: Unable to respond to any of these challenges: {oauth=OAuth realm="api.constantcontact.com"}


So then my question is why is the WWWAuthChallenge being processed wanting the client app to use oauth?  Again, apologies for my lack of knowledge on the subject, but is the use of oauth set somewhere on the server?  If so, how do I change that to not expect the client app to use oauth?


Again thanks for all the help,


Mark Wolters

DaveBerard
Moderator

I think I see the problem.  Java is probably attempting to use multiple Authentication types because of the 401 response.  The real cause is the request URI.  All requests must be made to an HTTPS URI.

Incorrect: http://api.constantcontact.com/ws/customers/propelgrowth07/lists

Correct: https://api.constantcontact.com/ws/customers/propelgrowth07/lists

Simply changing the request URI (No XML changes need to be made) should fix your issues.

Dave Berard
Senior Product Manager, Constant Contact
propelgrowth07
Regular Participant

Dave,


Changing http to https goes against the instructions for using Basic authentication in the description of how to modify your app to use Basic...in any event I attempted it and when I tried to connect I get the same 401 failure and the "Unable to respond to any of these challenges: " for Basic and Oauth.  Is it possible there's something wrong with my key?  Is there any way someone at CC can verify that the URL is accessible using Basic authentication? 

DaveBerard
Moderator

I think there may be some confusion on the API requirements for Basic Authentication.  Here is an excerpt from the documentation:

Use HTTPS instead of HTTP - For URI's you use to call any API, use HTTPS instead of HTTP.  However, in the XML body you send in, DO NOT change HTTP to HTTPS (see example below).

Notice that it is required for the request URI to be HTTPS.  All XHML URIs should stay HTTP as they are used for IDs or for 3rd party documents which do not have HTTPS versions.  All accounts are available via HTTPS.  If you are worried your key is not valid, I would recommend testing using a REST Client.  These tools will allow you to test your URIs and XML and make sure that you are using correct information.  Once you've set this up, it is much easier to develop an application as you've taken a set of variables out of the equation.

Dave Berard
Senior Product Manager, Constant Contact
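
The requirement discussed in this thread (Basic authentication, request URI on HTTPS only) can be enforced in client code, as in the following added example, which is not part of the original posts or of Constant Contact's sample application. It uses only the JDK's `HttpURLConnection`; the class name and the credential values are hypothetical placeholders, since the thread does not state how the API key and login are combined into the user name.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicOverHttps {

    // RFC 7617 header value: "Basic " + base64(user-id ":" password).
    static String basicHeader(String user, String password) {
        if (user.indexOf(':') >= 0) {
            throw new IllegalArgumentException("user-id must not contain ':'");
        }
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Prepares a GET carrying credentials; refuses any request URI that is not HTTPS,
    // so the base64-encoded (not encrypted) password never crosses the wire in clear text.
    static HttpURLConnection prepare(String requestUri, String user, String password)
            throws IOException {
        URI uri = URI.create(requestUri);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("refusing to send credentials over " + uri.getScheme());
        }
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection(); // no network I/O yet
        conn.setRequestMethod("GET");
        conn.setInstanceFollowRedirects(false); // never replay the header to a redirect target
        // Sent preemptively, so the client does not have to pick among WWW-Authenticate challenges.
        conn.setRequestProperty("Authorization", basicHeader(user, password));
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // Placeholders (assumption): the thread does not state how the API key and login form the user-id.
        String user = "EXAMPLE_USER_ID", password = "EXAMPLE_PASSWORD";
        String rest = "://api.constantcontact.com/ws/customers/propelgrowth07/lists";
        try {
            prepare("http" + rest, user, password);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        HttpURLConnection conn = prepare("https" + rest, user, password);
        System.out.println("prepared: " + conn.getRequestMethod() + " " + conn.getURL());
        // conn.getResponseCode() would send the request; a 401 then means the credentials were refused.
    }
}
```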