Login to different web-application

Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
Scenario:
There exist two web applications, A and B, deployed on different machines.
A and B have different authentication mechanisms.
Requirement:
Once a user is logged in to A, it needs a link in a JSP (in A) to navigate straight to a protected page in B (the user needs to post the hard-coded userId/password which is valid for B). B is using the JAAS mechanism.

Can anyone please give some code snippet of how to post the hard-coded userId/password in A to access B?

Thanks
Kawa
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

This sounds a bit too specific. Is this homework?
I just ask since embedding the username and password in a link on site A doesn't sound like a very secure way to authenticate against B. Personally I believe you should never include a user's password on a page where it may be snooped, cached or otherwise gathered or seen.

Is what you have described hard requirements, or is this the current solution to requirements which you haven't shared yet?

Dave
Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
David
I need a way of accessing a protected JSP in B from A without going via B's login page but I know B's userid/password.
FYI: Both the applications are on the intranet and extreme security is not the immediate requirement. Once I establish the link I'll investigate better ways of achieving proper security.

I'd appreciate some solutions.

Thanks
Kawa
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

If they are in an intranet and you control the browsers, one way is to have A make an HTTP connection to B and log in, get the session cookie and pass that to the client specifying B's domain.

Another is to log in to B from A as above, but get B to pass a single-use token. You pass this token to the client, they pass it to B and B agrees to authenticate them.

There are several ways to do it assuming you control A and B and they are allowed to trust each other.
Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
David
Can you please give me some code snippets of what I need to have in A and in B ?

Thanks
Kawa
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Depends how you authenticate in B. Search the Ranch for code snippets on HTTP connections and tailor them to log in to B. You can write this in a stand-alone app before writing it to work with A.

Get B to log in and send a token to A. Any sufficiently long string value will work. Store this on B with the time it was sent and the person it is supposed to authenticate. The time is to prevent tokens lasting forever. They should probably live a minute or two.

Sequence looks like this:
1) client shows their intention to access B.
2) A does what it needs to get the token and writes it in the response to the client.
3) The client clicks the link and sends the request and token to B
4) B gets the token, tests its age then logs in the client.

Sorry about a lack of actual code, but it's a bit hard without actually writing everything. I can give you this:
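
Added example (not part of the original thread, and not the code David refers to, which is missing from this page): a minimal in-memory version of the token store that steps 2 and 4 above describe, written for the case where you control both A and B. The class name, method names, the sample user and the `b.example` host are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical single-use token store held by application B (all names are illustrative). */
public class HandoffTokens {
    private record Entry(String user, Instant issued) {}

    private static final Duration MAX_AGE = Duration.ofMinutes(2); // "a minute or two"
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    private static boolean expired(Entry e, Instant now) {
        return Duration.between(e.issued(), now).compareTo(MAX_AGE) > 0;
    }

    /** Step 2: A has logged in to B server-to-server and asks for a token for this user. */
    public String issue(String user, Instant now) {
        pending.values().removeIf(e -> expired(e, now)); // drop tokens that were never redeemed
        byte[] raw = new byte[32];                       // 256 random bits: not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new Entry(user, now));        // stored with user and issue time
        return token;
    }

    /** Step 4: B looks the token up, tests its age, and returns the user to log in. */
    public Optional<String> redeem(String token, Instant now) {
        if (token == null) return Optional.empty();
        Entry e = pending.remove(token);                 // atomic remove: a replay finds nothing
        if (e == null || expired(e, now)) return Optional.empty();
        return Optional.of(e.user());
    }

    public static void main(String[] args) {
        HandoffTokens b = new HandoffTokens();
        Instant t0 = Instant.now();
        String fresh = b.issue("kawa", t0);              // constructed sample user
        // Step 3: A writes a link such as https://b.example/handoff?token=<fresh> (placeholder host)
        System.out.println("first use:  " + b.redeem(fresh, t0.plusSeconds(5)));
        System.out.println("replay:     " + b.redeem(fresh, t0.plusSeconds(6)));
        String stale = b.issue("kawa", t0);
        System.out.println("after 3min: " + b.redeem(stale, t0.plusSeconds(180)));
    }
}
```

Only the token reaches the browser, so B's password never appears in the page A serves. How the redeeming servlet on B turns the returned user into a logged-in session depends on B's own login mechanism and is not shown.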
rahul V kumar
Ranch Hand

Joined: May 20, 2003
Posts: 82
Approach 1)

Why don't you use JavaScript to do a post to App B with the user id and password when you click on the link?

Approach 2)

How about making a round trip to both the applications during the sign-on.

1) User enters user_id and password in app A
2) On submit you would authenticate the user in app A & then redirect to App B and authenticate him there. On successful authentication in App B the user is redirected to App A's jsp page.
Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
Hi Ravi
Can you give a code snippet of how to post to app B using JavaScript?
Thanks
Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
Let me rephrase the question:
A and B are two different J2EE applications deployed on two different machines (FYI: A is on WebLogic and B is on Apache).
A and B have different login mechanisms. Once I am logged into A I need a link in a JSP to take me to a protected JSP in B (I know the userid/password to log into B, but I don't want to type them in B's login page, instead want to hard-code it when I am sending a request to access B).
I cannot change any code in B as it is developed by a third party.
The security aspect is not an issue as both A and B will be on the company intranet.

Any help will be welcome (My thanks to David and Rahul who responded earlier)

Thanks
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

So it doesn't matter if the username and password for B get shown to the client?

Have you tried encoding the username and password in the URL for the link to B? I believe a version of IE6 disables this, but you may just be able to write the link like this:
http://dave:daverules@www.b-host.com/secure.html
Simple, but try it, it might work.
[ November 03, 2004: Message edited by: David O'Meara ]
Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
David
It didn't work. 'Page cannot be displayed' shown!
What I used:
In a JSP in A:
<a href = http://username:password@devbox.internal:8888/frontend/reports/index.jsp>See Reports</a>

Note: The page I want to access is:
http://devbox.internal:8888/frontend/reports/index.jsp

Thanks
Kawa
Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
To add to the above:

I got
Invalid syntax error - Microsoft Internet Explorer
as the page title too
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Yep, looks like IE is blocking it. Check this site:
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
In particular, it has registry edits to disable this behaviour, but read the article so you know what the implications are.

Dave
rahul V kumar
Ranch Hand

Joined: May 20, 2003
Posts: 82
Have a form with two hidden fields. Those hidden fields are nothing but username and password the user entered.

Now when the user hits the link for Application B call a javascript function. The javascript could be as simple as this.

<script type="text/javascript">
// Submit the hidden form (named hidden_form_name) that carries the username and password fields.
function submitHiddenForm() {
    document.hidden_form_name.submit();
}
</script>
Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
David
Does the
http://username:password@<url>/protected.jsp
mechanism work if it is trying to bypass form-based authentication?

FYI:I am still getting the Invalid Syntax error mentioned before

Thanks
Kawa
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

No, it bypasses basic authentication. Try the hidden form mentioned above.
Gerome Kawa
Ranch Hand

Joined: Dec 05, 2002
Posts: 61
Hi David
http://username:password@<hosturl>/protected.jsp

is not working even on Mozilla when trying to bypass the basic JAAS authentication of application B!

Says page cannot be displayed!

Any ideas why?

Thanks
Kawa