| Sign In/My Account | View Cart |
|
|
 |
US Post Office Web Tools gives away your password
 brian d foy URL: http://www.usps.com/webtools/technical.htm... I applied for a User-ID and password so I could use the US Post Office's web services. They have some promising looking tools: zip code lookup, city/state lookup, address verification, and some other things. A couple of hours after I applied for an account, I got my welcome email. I was on to the next task though, so I filed it. Tonight I wanted to take it for a spin. I wrote a little program to give it a go. I didn't follow their technical details because I don't want to put a long XML string in the query string of the XML. This is an idempotent request, but I'll put that stuff in the message body anyway and use a POST request. Here's the code. Notice I have my ID and password in the environment. The USPS says on just about every other page that I can't give out those credentials. I can't share them and I can't tell anyone else what they are. Fair enough. Look at the request scheme though! It's plain ol' HTTP. That's plaintext floating across the air, or copper, or whatever. I tried sticking https in there, but it never makes a connection. Every time I test this little application, I'm exposing my credentials. You don't have to hack ChoicePoint to get that.
use HTTP::Request;
use LWP::UserAgent;
my $content =<<"HERE";
API=Verify&XML=<AddressValidateRequest
USERID="$ENV{USPS_ID}"
PASSWORD="$ENV{USPS_PASS}">
<Address ID="0">
<Address1>5250 N. Kenmore Suite 157</Address1>
<City>Chicago</City>
<State>IL</State>
<Zip5>60640</Zip5>
</Address>
</AddressValidateRequest>
HERE
my $ua = LWP::UserAgent->new();
my $request = HTTP::Request->new( POST =>
'http://testing.shippingapis.com/ShippingAPITest.dll' );
$request->content( $content );
print $request->as_string;
my $response = $ua->request( $request );
print $response->as_string;
Okay, it's their system and a password to their system. Obviously they know what they are doing. They are the government after all. Not so fast. Check out this response: All I really have is a User-ID and password. I can't actually use the service, even on the testing service. It turns out that I have to request that separately. Ughh. Not only that, they are using IIS. Oh boy, so this service will down a lot, won't it? I'll have to wait to see about that because I need someone to authorize me to use the web service I signed up for two weeks ago. HTTP/1.1 200 OK Connection: close Date: Fri, 25 Feb 2005 11:04:46 GMT Server: Microsoft-IIS/5.0 Client-Date: Fri, 25 Feb 2005 11:04:40 GMT Client-Peer: 56.0.134.43:80 Client-Response-Num: 1 <Error> <Number>80040b1a</Number> <Description>API Authorization failure. User 931THEPE4647 is not authorized to use API Verify.</Description> <Source>UspsCom::DoAuth</Source> </Error> brian d foy is a Perl trainer for Stonehenge Consulting Services and is the publisher of The Perl Review. Showing messages 1 through 4 of 4.
Return to weblogs.oreilly.com. Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express, and O'Reilly Media, Inc., disclaims any and all liabililty for that content, its accuracy, and opinions it may contain.
|
|
Sponsored By: |
||||||||||||
©2009, O'Reilly Media, Inc. (707) 827-7000 / (800) 998-9938 All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. |
About O'Reilly
Academic Solutions Authors Contacts Customer Service Jobs Newsletters O'Reilly Labs Press Room Privacy Policy RSS Feeds Terms of Service User Groups Writing for O'Reilly |
More O'Reilly Sites
O'Reilly Radar Ignite Tools of Change for Publishing Digital Media Inside iPhone O'Reilly FYI makezine.com craftzine.com hackszine.com perl.com xml.com Partner Sites InsideRIA java.net O'Reilly Insights on Forbes.com |
Content Archive Business Technology Computer Technology Microsoft Mobile Network Operating System Digital Photography Programming Software Web Web Design |
Have you had any follow up with this? I just registered and spent about 1/2-hour dicking around with requests that return "80040b1a API Authorization" failures.
According to the USPS email WRT the username and pwd:
"They are necessary for you to begin sending calls to the Test Server as soon as you are ready."
Well, I'm ready. Where the heck does it mention that I need to activate anything?
Also, are the requests returned as well formatted XML? Their lame-assed responses for errors leave me expecting disapointment.