add authorization header (user/password) before sendRedirect

eunever32

Hi

I need to send a request to another web server

The username and password are sent in the header (Authorization)

But when I try as follows:
response.addHeader("Content-Type", "application/x-www-form-urlencoded");
response.addHeader("Authorization", "Basic SUJJASDFASDFASDFUM=");
response.sendRedirect(the_remote_url);

The remote server complains the username and password is not set. So
apparently setting the header in the response is not correct.

Is there any way to get the authorization header into the request?

Thanks in advance
 
Lothar Kimmeringer

> I need to send a request to another web server
>
> The username and password are sent in the header (Authorization)
>
> But when I try as follows:
> response.addHeader("Content-Type", "application/x-www-form-urlencoded");
> response.addHeader("Authorization", "Basic SUJJASDFASDFASDFUM=");
> response.sendRedirect(the_remote_url);

The redirection is a specific HTTP response code. The headers
in that response are not part of that, so the browser receiving
that response will ignore it.

> The remote server complains the username and password is not set. So
> apparently setting the header in the response is not correct.
>
> Is there any way to get the authorization header into the request?

Not really, you might try to add the username/password-combination
to the URL you redirect to, like http://user:password@server:port/
The correct behavior is browser-dependent, so it might work with
one but not with another.


Regards, Lothar
--
Lothar Kimmeringer E-Mail: (e-mail address removed)
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!
 
Daniel Pitts

Try setting a cookie instead, that is more likely to succeed. Otherwise
you'll need to proxy the request, rather than redirect.
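
Added example (not part of the original thread): the proxy approach mentioned above, where the front-end server makes the authenticated request itself so the credential never passes through the browser. It uses the JDK's built-in `java.net.http` client; the local stand-in for the remote server and the `demo`/`s3cret` credentials are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthProxyDemo {
    // Build the Basic credential on the server side; it is never sent to the browser.
    static String basic(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // What the front-end code does instead of sendRedirect(): call the backend itself.
    static HttpResponse<String> fetch(URI backend, String user, String password) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(backend)
                .header("Authorization", basic(user, password))
                .GET().build();
        return HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the remote server: accepts only demo:s3cret.
        String expected = basic("demo", "s3cret");
        HttpServer remote = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        remote.createContext("/", ex -> {
            boolean ok = expected.equals(ex.getRequestHeaders().getFirst("Authorization"));
            byte[] body = (ok ? "welcome" : "user/password not set").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 401, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        remote.start();
        URI uri = URI.create("http://127.0.0.1:" + remote.getAddress().getPort() + "/");
        HttpResponse<String> r = fetch(uri, "demo", "s3cret");
        System.out.println(r.statusCode() + " " + r.body());
        remote.stop(0);
    }
}
```

In a servlet, the body returned by `fetch` would be written to the servlet response; in real code the credentials come from server-side configuration rather than literals.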
 
Lothar Kimmeringer

Daniel said:
> Try setting a cookie instead, that is more likely to succeed. Otherwise
> you'll need to proxy the request, rather than redirect.

I doubt that you can set a cookie for a different domain than
the one you are serving.


Regards, Lothar
 
Daniel Pitts

Lothar said:
> I doubt that you can set a cookie for a different domain than
> the one you are serving.

Was that a requirement that I missed? I saw nothing about domains at all
in the OP's post.
 
Lothar Kimmeringer

Daniel said:
> Was that a requirement that I missed? I saw nothing about domains at all
> in the OP's post.

If you

| [...] need to send a request to another web server

it's rare that the different webserver resides at the same
domain, but is somewhere else.


Regards, Lothar
 
eunever32

Thanks for all the suggestions.
I tried the http://authority@server:port/

But this wasn't recognised.
I am not sure about the use of a cookie, and anyway would this be a
cookie of the remote server or the local server?

I tried using URLConnection and this worked in our development
environment but not the live environment;(

So I then tried apache-commons HttpClient which worked(!) but the
JSESSIONID was not present in the returned html which meant any
further http requests returned "user/password not found." Could this
be because the server doesn't think the client supports cookies?

Any suggestions on how to proceed?

I would be happy with the HttpClient if it worked but am concerned
that it may not be future-proof (should the server side change in
future).
 
Daniel Pitts

> So I then tried apache-commons HttpClient which worked(!) but the
> JSESSIONID was not present in the returned html which meant any
> further http requests returned "user/password not found." Could this
> be because the server doesn't think the client supports cookies?
>
> Any suggestions on how to proceed?
>
> I would be happy with the HttpClient if it worked but am concerned
> that it may not be future-proof (should the server side change in
> future).

HttpClient from the apache-commons is a great toolkit.

Usually, JSESSIONID is set as a cookie. You will probably have to
inspect the response from the downstream server, and re-write the
cookies to match your domain. Then, when you make a request, make sure
that you pass the user's cookies to the downstream server.
 
eunever32

> HttpClient from the apache-commons is a great toolkit.
>
> Usually, JSESSIONID is set as a cookie. You will probably have to
> inspect the response from the downstream server, and re-write the
> cookies to match your domain. Then, when you make a request, make sure
> that you pass the users cookies to the downstream server.

Hi

Request 1: PC -> Tomcat -> LoadBalancer -> ServerNode
Request 2, 3, 4, 5 etc: PC -> LoadBalancer -> ServerNode

The arrangement is the first request to RemoteServer is as follows:
HttpClient originates on the Tomcat; html response is streamed into
response to the browser.
!Subsequent requests from PC go directly to RemoteServer! Hence
missing cookie.


I know a little more about the issue and the problem is because we're
hitting a load-balancer first and then a server-node behind the
load-balancer.

If we bypass the load-balancer everything works.

However the requirement is to route through the load balancer.

There is a cookie required for the load-balancer which the browser is
not sending.

The jsessionid is okay because that's on the URL

I guess if I can get the Cookie into the browser that might work.

I have tried setting the Cookie in the response but didn't work.

This is the code:
// h: a response header whose value has the form "name=value; attr; ..."
String[] cookieParams = h.getValue().split(";");
// Limit the split to 2 so a value that itself contains '=' is kept whole
String[] currentParam = cookieParams[0].split("=", 2);
Cookie cookie = new Cookie(currentParam[0].trim(), currentParam[1]);
cookie.setDomain("load-balancer-host");
response.addCookie(cookie);

Does the setDomain look correct?

Is there an alternative way to test this? For example, if jsessionid
can be passed in the URL, can the cookie for the load-balancer-node
also be set on the URL? Because I did try this but to no avail.

Thoughts, suggestions appreciated.
 
Daniel Pitts

Your server node is going to have to set the cookie, not your original
request to tomcat. The reason is you can't set a cookie on another domain.
 
eunever32

> Your server node is going to have to set the cookie, not your original
> request to tomcat. The reason is you can't set a cookie on another domain.

Thanks Daniel
If it's not possible to use a cookie, is there any other way to get
the value into the request? Would it be a header or a parameter?
 
Daniel Pitts

> On Dec 7, 8:01 pm, Daniel Pitts (e-mail address removed) wrote:
>> HttpClient from the apache-commons is a great toolkit.
>> Usually, JSESSIONID is set as a cookie. You will probably have to
>> inspect the response from the downstream server, and re-write the
>> cookies to match your domain. Then, when you make a request, make sure
>> that you pass the users cookies to the downstream server.
>> --
>> Daniel Pitts' Tech Blog: <http://virtualinfinity.net/wordpress/>
> Thanks Daniel
> If it's not possible to use a cookie, is there any other way to get
> the value into the request? Would it be a header or a parameter?

You cannot make the client user-agent do anything at all. You can only
intercept and proxy, or redirect. Your cookie should be set by your
server-node. Tomcat could use a redirect to send the client to a
particular URL on your server/load-balancer. The response of *that* URL
should be the one that sets the cookie! Hint: if your Tomcat instance
is the only one that knows the proper value, have the redirect URL contain
a query parameter.
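
Added example (not part of the original thread): one way to carry the value in a redirect query parameter so the receiving host can set its own cookie. The parameter holds only the routing value plus an expiry, protected by an HMAC, rather than a username or password, because URLs end up in logs and browser history. The shared key, the `/handoff` path, the `handoff` parameter, the `LBROUTE` cookie name and the `node2` value are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class HandoffTokenDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String sign(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)));
    }

    // Tomcat side: value for the Location header of the redirect.
    // The route value must be URL-safe and must not contain '.'.
    static String redirectUrl(byte[] key, String base, String route, long expiresAt) throws Exception {
        String payload = route + "." + expiresAt;
        return base + "?handoff=" + payload + "." + sign(key, payload);
    }

    // Server-node side: returns the Set-Cookie value, or null if the token is forged or expired.
    static String cookieFor(byte[] key, String handoff, long now) throws Exception {
        int cut = handoff.lastIndexOf('.');
        if (cut < 0) return null;
        String payload = handoff.substring(0, cut);
        byte[] given = handoff.substring(cut + 1).getBytes(StandardCharsets.UTF_8);
        byte[] want = sign(key, payload).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(want, given)) return null;   // constant-time compare
        String[] parts = payload.split("\\.");
        if (parts.length != 2 || Long.parseLong(parts[1]) < now) return null;
        // No Domain attribute: the cookie is host-only for the host that sends it.
        return "LBROUTE=" + parts[0] + "; Path=/; Secure; HttpOnly";
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed sample key
        long now = System.currentTimeMillis() / 1000;
        String url = redirectUrl(key, "https://load-balancer-host/handoff", "node2", now + 60);
        String token = url.substring(url.indexOf('=') + 1);
        System.out.println(url);
        System.out.println(cookieFor(key, token, now));                            // valid token
        System.out.println(cookieFor(key, token.replace("node2", "node9"), now));  // tampered value
        System.out.println(cookieFor(key, token, now + 3600));                     // expired token
    }
}
```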
 
