apache - How do I connect to a remote URL which requires Spring Security forms authentication (Java)? -

-

i've searched , searched can't seem find answer seems straightforward authentication scenario.

we have existing java web application uses form-based authorization provided spring. attempting access application via our portal site without challenging user enter credentials (sso).

the portal has credential vault , can access secrets remote web application on server side. using apache's http components utility post login request j_spring_security_check , authenticating. response post sends 302 redirect application home page , sets cookie session id.

now have somehow send authenticated session browser , having trouble. redirecting browser home page doesn't work - redirects login page. forwarding of response headers browser received on server-side doesn't work either - still returned login page.

so, how authenticate server-side , still able load target page client-side?

i relatively new apologize if silly question. or advice regarding alternative approach appreciated.

notes:

httpcomponent client code:

defaulthttpclient httpclient = new defaulthttpclient();     try {         // try home page         httpget httpget = new httpget("http://<host>/<root>/home.action");         httpresponse httpclientresponse = httpclient.execute(httpget);         httpentity entity = httpclientresponse.getentity();          // check status , close entity stream         system.out.println("login form get: " + httpclientresponse.getstatusline());         entityutils.consume(entity);          // check cookies         system.out.println("initial set of cookies:");         list<cookie> cookies = httpclient.getcookiestore().getcookies();         printcookies(cookies);          /***  login ***/         httppost httppost = new httppost("http://<host>/<root>/j_spring_security_check");          // prepare post parameters         list <namevaluepair> nvps = new arraylist <namevaluepair>();         nvps.add(new basicnamevaluepair("j_username", getuserfromvault()));         nvps.add(new basicnamevaluepair("j_password", getpasswordfromvault()));         httppost.setentity(new urlencodedformentity(nvps, http.utf_8));          httpclientresponse = httpclient.execute(httppost);          // copy response headers , determine redirect location         header[] allheaders = httpclientresponse.getallheaders();         system.out.println("headers: ");         string location = "";         (header header : allheaders) {             system.out.println(header);             if("location".equalsignorecase(header.getname())) location = header.getvalue();             response.addheader(header.getname(), header.getvalue());         }          // check response body         entity = httpclientresponse.getentity();         system.out.println("response content: " + httpclientresponse.getstatusline());         system.out.println(entityutils.tostring(entity)); // empty         entityutils.consume(entity);          // check cookies         system.out.println("post logon cookies:");         cookies = httpclient.getcookiestore().getcookies();         printcookies(cookies);          // populate redirect information in response         system.out.println("redirecting to: " + locationheadervalue);         response.setstatus(httpclientresponse.getstatusline().getstatuscode()); // 302          // test if server-side works home page @ point (it does)         httpget = new httpget(location);         httpclientresponse = httpclient.execute(httpget);         entity = httpclientresponse.getentity();          // print response body (all home content loaded)         system.out.println("home get: " + httpclientresponse.getstatusline());         system.out.println("response content: " + httpclientresponse.getstatusline());         system.out.println(entityutils.tostring(entity));         entityutils.consume(entity);      } {         httpclient.getconnectionmanager().shutdown();     }

headers returned successful login on server side:

http/1.1 302 found date: wed, 23 feb 2011 22:09:03 gmt server: apache/2.2.3 (centos) set-cookie: jsessionid=6f98b0b9a65ba6afa0472714a4c816e5; path=<root> location: http://<host>/<root>/home.action content-type: text/plain; charset=utf-8 content-length: 0 via: 1.1 ppwebfilter.<host>:80 (ironport-wsa/7.0.0-825) connection: keep-alive

headers client side request , response:
request:

get /<root>/home.action http/1.1   host: <host>   connection: keep-alive   referer: http://localhost:10039/scmviewer/testloginservlet?launchscm=launch+scm+servlet   accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5   user-agent: mozilla/5.0 (windows; u; windows nt 5.1; en-us) applewebkit/534.13 (khtml, gecko) chrome/9.0.597.98 safari/534.13   accept-encoding: gzip,deflate,sdch   accept-language: en-us,en;q=0.8   accept-charset: iso-8859-1,utf-8;q=0.7,*;q=0.3   cookie: jsessionid=fc8e823ab1a1545be8518db4d097e665

response (redirect login):

http/1.1 302 found date: wed, 23 feb 2011 22:09:03 gmt server: apache/2.2.3 (centos) location: http://<host>/<root>/security/login.action content-type: text/plain; charset=utf-8 content-length: 0 via: 1.1 ppwebfilter.<host>:80 (ironport-wsa/7.0.0-825) connection: keep-alive

as test, wrote bit of hack seems work, insecure viable:

  • embedded form on jsp post login credentials directly remote site's j_spring_security_check.
  • wrote servlet method retrieve credentials vault.
  • filled credentials on client side hidden form fields , submitted form via javascript.

it bit hard understand application trying do, best guess 'portal' sits between user's browser , application, , trying use stored credentials application authenticate on behalf of users.

there 2 things need watch / deal with.

the responses application contain setcookie headers of sort. cookies need handled carefully. depending on security model using:

  • they saved in portal , used future requests application.
  • they relayed user's browser. portal need pass cookies through in future requests application. (this approach needs handled deal possible issues session token leakage.)

also, aware springsecurity changes session cookie when login succeeds. if don't capture new session cookie , use them in follow on requests application, requests won't authenticated.

the application's login mechanism trying redirect (the portal) "default" place after logging in, , inappropriate. there 2 simple fixes this:

  • have portal detect final redirect , treat indication you've logged in. have portal repeat request page requesting application using new cookie (see above).

  • iirc, there's parameter can add j_spring_security_check request tells application return on successful login. can't recall details ...

i thought forwarding setcookie response header ra portal's response browser needed transfer cookie/session id user's new browser window. not correct?

that cause browser set ra's cookie portal context. won't work unless ra , portal in cookie's "scope" (for want of better word).

question is, how display on/through portal? have copy content on , map relative links accordingly? and, state, continue proxy requests app through portal, passing cookie each time? there way avoid copying/modifying markup?

you do need massage markup. massaging required not entirely clear. think you'll need map relative links when user's browser sees them point portal. then, arrange portal relays requests ra appropriate cookies.

one tool can use deal relative links html <base> element. in fact, potentially easier deal absolute links ... if map via portal.

but beware there sorts of things can cause grief in process. example, you've got beware of "same source" restriction, , javascript embedded urls ra.


Comments

Post a Comment

Popular posts from this blog

linux - Mailx and Gmail nss config dir -

-
i trying send mail linux command line using mailx command. can send local domain no problem want set mail send gmail account receive mail sent gmail account. after configuring mail.rc so: account gmail { set smtp=smtps://smtp.gmail.com:587 set smtp-auth=login set smtp-auth-user=username@gmail.com set smtp-auth-password=password set ssl-verify=ignore } i error: resolving host smtp.gmail.com . . . done. connecting 74.125.25.109 . . . connected. missing "nss-config-dir" variable. "/home/username/dead.letter" 11/354 . . . message not sent. after looking "nss-config-dir" here , located certn.db , keyn.db files , added mail.rc so: account gmail { set smtp=smtps://smtp.gmail.com:587 set smtp-auth=login set smtp-auth-user=username@gmail.com set smtp-auth-password=password set ssl-verify=ignore set nss-config-dir=/home/user/.mozilla/firefox/location.default } now when try send mail using command: echo "sent gmail account" | mailx -v -a
Read more

c# - Is it possible to remove an existing registration from Autofac container builder? -

-
something along lines: builder.registertype<mytype>().as<itype>(); builder.registertype<mytype2>().as<itype>(); builder.deregistertype<mytype>().as<itype>() var container = builder.build(); var types = container.resolve<ienumerable<itype>>(); assert.istrue(types.count == 1); assert.istrue(types[0].gettype == typeof(mytype2)); scenario: go through bunch of assemblies , go register types want make sure have 1 implementation of given type. need before create container. track on own nice if autofac me bit. this cannot done directly using containerbuilder , unless start on new one. mind you, having first built container should able construct new container filtering away unwanted types , reusing registrations first container. this: ... var container = builder.build(); builder = new containerbuilder(); var components = container.componentregistry.registrations .where(cr => cr.activator.limittype != typ
Read more

php - Mysql PK and FK char(36) vs int(10) -

-
i have read mysql can handle indexes , searches better if tables keys integers rather char(36) uuid's. is worth converting int(10)? note: use 1 server , have have plans use multiple databases concurrently therefore removing 1 of big reasons using uuid. our tables innodb if makes difference. thanks in advance. usually rdbms can handle integer keys pk more efficient, other datatypes. reason how build index column, yes: long dont require string (or other typed) keys, should use integers. however: char(36) , int(10) far away being equal, because int(10) much smaller, char(36). dont know, if require many different keys, should keep in mind. update, complete last paragraph: int(10) 32-bit, char(36) 36 - ^byte^ (= 288-bit). not mean, int consumes less space, means, char(36) has 4 times more different keys.
Read more