How do I connect to a remote URL which requires Spring Security forms authentication (Java)?

I've searched and searched but can't seem to find the answer to what seems like a straightforward authentication scenario.

We have an existing Java web application that uses form-based authorization provided by Spring. We are attempting to access this application via our portal site without challenging the user to enter their credentials (SSO).

The portal has a credential vault and we can successfully access the secrets for the remote web application on the server side. We are using Apache's HTTP Components utility to post the login request to the j_spring_security_check and are successfully authenticating. The response to this post sends back a 302 redirect to the application home page and sets a cookie with a session id.

Now we have to somehow send this authenticated session back to the browser, and this is where we are having trouble. Simply redirecting the browser to the home page doesn't work: it redirects us to the login page. Forwarding all of the response headers back to the browser exactly as received on the server side doesn't work either; we are still returned to the login page.

So, how do we authenticate server-side and still be able to load the target page client-side?

I am relatively new to this, so I apologize if this is a silly question. Any help or advice regarding an alternative approach is appreciated.

Notes:

---

HttpComponents client code:

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.http.Header;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.cookie.Cookie;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.HTTP;
import org.apache.http.util.EntityUtils;

// "response" is the servlet's HttpServletResponse; getUserFromVault(),
// getPasswordFromVault() and printCookies() are helpers defined elsewhere in the servlet.
DefaultHttpClient httpclient = new DefaultHttpClient();
try {
    // try to get the home page
    HttpGet httpget = new HttpGet("http://<host>/<root>/home.action");
    HttpResponse httpClientResponse = httpclient.execute(httpget);
    HttpEntity entity = httpClientResponse.getEntity();

    // check status and close entity stream
    System.out.println("Login form get: " + httpClientResponse.getStatusLine());
    EntityUtils.consume(entity);

    // check cookies
    System.out.println("Initial set of cookies:");
    List<Cookie> cookies = httpclient.getCookieStore().getCookies();
    printCookies(cookies);

    /*** Login ***/
    HttpPost httppost = new HttpPost("http://<host>/<root>/j_spring_security_check");

    // Prepare post parameters
    List<NameValuePair> nvps = new ArrayList<NameValuePair>();
    nvps.add(new BasicNameValuePair("j_username", getUserFromVault()));
    nvps.add(new BasicNameValuePair("j_password", getPasswordFromVault()));
    httppost.setEntity(new UrlEncodedFormEntity(nvps, HTTP.UTF_8));
    httpClientResponse = httpclient.execute(httppost);

    // copy response headers to the servlet response and determine redirect location
    Header[] allHeaders = httpClientResponse.getAllHeaders();
    System.out.println("Headers: ");
    String location = "";
    for (Header header : allHeaders) {
        System.out.println(header);
        if ("location".equalsIgnoreCase(header.getName()))
            location = header.getValue();
        response.addHeader(header.getName(), header.getValue());
    }

    // check response body
    entity = httpClientResponse.getEntity();
    System.out.println("Response content: " + httpClientResponse.getStatusLine());
    System.out.println(EntityUtils.toString(entity)); // always empty
    EntityUtils.consume(entity);

    // check cookies
    System.out.println("Post logon cookies:");
    cookies = httpclient.getCookieStore().getCookies();
    printCookies(cookies);

    // populate redirect information in response
    System.out.println("Redirecting to: " + location);
    response.setStatus(httpClientResponse.getStatusLine().getStatusCode()); // 302

    // test if server-side get works for home page at this point (it does)
    httpget = new HttpGet(location);
    httpClientResponse = httpclient.execute(httpget);
    entity = httpClientResponse.getEntity();

    // print response body (all home content is loaded)
    System.out.println("home get: " + httpClientResponse.getStatusLine());
    System.out.println("Response content: " + httpClientResponse.getStatusLine());
    System.out.println(EntityUtils.toString(entity));
    EntityUtils.consume(entity);
} finally {
    httpclient.getConnectionManager().shutdown();
}
```

---

Headers returned from the successful login on the server side:

```
HTTP/1.1 302 Found
Date: Wed, 23 Feb 2011 22:09:03 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: JSESSIONID=6F98B0B9A65BA6AFA0472714A4C816E5; Path=<root>
Location: http://<host>/<root>/home.action
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Via: 1.1 PPWebFilter.<host>:80 (IronPort-WSA/7.0.0-825)
Connection: keep-alive
```

---

Headers from the client-side request and response:

Request:

```
GET /<root>/home.action HTTP/1.1
Host: <host>
Connection: keep-alive
Referer: http://localhost:10039/SCMViewer/TestLoginServlet?launchScm=Launch+SCM+servlet
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FC8E823AB1A1545BE8518DB4D097E665
```

Response (redirect to login):

```
HTTP/1.1 302 Found
Date: Wed, 23 Feb 2011 22:09:03 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://<host>/<root>/security/login.action
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Via: 1.1 PPWebFilter.<host>:80 (IronPort-WSA/7.0.0-825)
Connection: keep-alive
```

---

As a test, we wrote a bit of a hack that seems to work, but is too insecure to be viable:

- Embedded a form on the JSP which will post the login credentials directly to the remote site's j_spring_security_check.
- Wrote a servlet method to retrieve the credentials from the vault.
- Filled the credentials on the client side into hidden form fields and submitted the form via JavaScript.
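The header dumps above show the mechanism worth checking when a `Set-Cookie` header is relayed through another origin: the session cookie was issued in a response from `<host>`, but the browser received it in a response from the portal at `localhost:10039`, and the browser's request to `<host>` then carried a different `JSESSIONID` than the one the server-side login produced. The following added example (not code from the question or from Spring Security) models that rule with Python's standard `http.cookiejar`, which applies the same host and path scoping a browser does. The values `app.example.com` and `/app` are constructed placeholders standing in for `<host>` and `<root>`; the portal URL and the session id come from the dumps above.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class HeaderOnlyResponse:
    """Minimal stand-in for a urllib response: only .info() is needed by the cookie jar.
    Constructed for this example; it carries nothing but Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_sent_to(setter_url, set_cookie_values, target_url):
    """Store the Set-Cookie headers as if they arrived in a response to setter_url,
    then report the Cookie header (or None) a browser-like jar would attach to a
    request for target_url."""
    jar = http.cookiejar.CookieJar()
    # A cookie is bound to the host that answered the request it arrived on,
    # regardless of which server originally minted it.
    setter_request = urllib.request.Request(setter_url)
    jar.extract_cookies(HeaderOnlyResponse(set_cookie_values), setter_request)
    target_request = urllib.request.Request(target_url)
    jar.add_cookie_header(target_request)
    return target_request.get_header("Cookie")


# Session cookie from the server-side login dump; Path rewritten with the placeholder root.
LOGIN_SET_COOKIE = ["JSESSIONID=6F98B0B9A65BA6AFA0472714A4C816E5; Path=/app"]
PORTAL_URL = "http://localhost:10039/SCMViewer/TestLoginServlet"        # from the Referer
REMOTE_LOGIN_URL = "http://app.example.com/app/j_spring_security_check"  # placeholder host
REMOTE_HOME_URL = "http://app.example.com/app/home.action"               # placeholder host


def compare_relay_paths():
    """Return what reaches the remote home page in each of the two delivery paths."""
    return {
        # Headers copied from the remote login into the portal's response
        "relayed_via_portal": cookies_sent_to(PORTAL_URL, LOGIN_SET_COOKIE, REMOTE_HOME_URL),
        # The same Set-Cookie received directly from the remote host
        "set_by_remote_host": cookies_sent_to(REMOTE_LOGIN_URL, LOGIN_SET_COOKIE, REMOTE_HOME_URL),
    }


if __name__ == "__main__":
    for path, cookie_header in compare_relay_paths().items():
        print(f"{path}: Cookie header sent to {REMOTE_HOME_URL} -> {cookie_header}")
```

Run as a script, the relayed case yields no `Cookie` header for the remote host because the jar filed the cookie under `localhost`, while the directly-set case sends `JSESSIONID=6F98...` as expected. The same check applies to any SSO design that tries to hand a server-obtained session to the browser: the cookie must be set by the origin that will later receive it.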