
HTTP Cookie question

George Stoianov
Ranch Hand

Joined: Jan 15, 2006
Posts: 94
Hi guys,

I am trying to share authentication for one web server to get access to files on another (server 2). I do not have access to the first server (server 1) to which I want people to login and after that they can browse certain files on the second server.

I thought of using cookies, and I can get them with the getter cookies method for the request, looping through the cookie array which gets returned, though it returns only cookies for server number 2 and I need those from one as well. Is there a way to do this at all?

Thanks,
George
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12835
    
The whole idea with cookies is to restrict their scope to a single server, or even better, a single application within a server. See the RFC 2109 for cookies rules.
You will have to provide some other mechanism to share authentication. Try a Google search for "single sign-on".
Bill
dema rogatkin
Ranch Hand

Joined: Oct 09, 2002
Posts: 294
If your servers are inside the same domain, then you can just specify domain scope for a cookie. Otherwise you will need to use a signin token in your links.


George Stoianov
Ranch Hand

Joined: Jan 15, 2006
Posts: 94
I read (some of it) the RFC 2109 for HTTP state persistence and answered my own question: no, it is not possible. I checked whether JavaScript would have a policy to allow the retrieval of cookies from different servers... no luck there, it is well secured... from me at least.

The situation is such that only cookies sent from the same server and the same application are returned by the browser, so my original idea is not possible.

I am interested in the tokens idea even though I don't like it very much because it means that anyone that has the file I provide will have access. Can you elaborate on that, maybe I am not getting this??

My problem is the servers are not in the same domain and I have no control over the first server so anything I do to make the browser send a cookie is a nasty hack and I am not even going there as this has to work seamlessly and with no side effects...

Thanks for your help,
george
George Stoianov
Ranch Hand

Joined: Jan 15, 2006
Posts: 94
The thing I forgot to mention/whine about is the fact that JavaScript's history object does not support looking up if something is in the history and for how long...

That would have given me another option.
thanks,
george
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12835
    
You say you have no control over the first server - what exactly does that first server do? If you literally can't affect a thing that server does then you really are in a jam.

If you are able to generate a signon token, that token could be good for a single use only so access would be restricted to the correct user.

Bill
George Stoianov
Ranch Hand

Joined: Jan 15, 2006
Posts: 94
You say you have no control over the first server - what exactly does that first server do? If you literally can't affect a thing that server does then you really are in a jam.


Yes, I cannot affect it. It serves a web application for which authenticated users would be primary candidates for information on the other server (server 2). Unfortunately I do not have control over domains, the server, etc., so I am stuck.

Do you have a pointer as to how I can make that work with a token?? What are these tokens, how do they work??
Thanks for your help,
George
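
The single-use sign-on token described in the thread, as an added example that is not part of the original posts: it assumes that whatever component sees the login can mint the token and shares a secret key with server 2 (the class name, method names and demo key are hypothetical). The token is HMAC-signed, carries an expiry, and its nonce is remembered on redemption so a copied link cannot be replayed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class SignOnToken {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key;   // assumption: secret shared by the issuer and server 2
    private final Set<String> used = ConcurrentHashMap.newKeySet(); // nonces already redeemed
    public SignOnToken(byte[] key) { this.key = key.clone(); }

    private String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Issuer side: called after login; the token is appended to the link to server 2.
    public String issue(String user, long nowMillis, long ttlMillis) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String payload = B64.encodeToString(user.getBytes(StandardCharsets.UTF_8))
                + "." + (nowMillis + ttlMillis) + "." + B64.encodeToString(nonce);
        return payload + "." + sign(payload);
    }

    // Server 2 side: returns the user name, or null if forged, expired or already used.
    public String redeem(String token, long nowMillis) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 4) return null;
        String payload = p[0] + "." + p[1] + "." + p[2];
        byte[] expected = sign(payload).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison; the fields are parsed only after the signature checks out.
        if (!MessageDigest.isEqual(expected, p[3].getBytes(StandardCharsets.US_ASCII))) return null;
        if (nowMillis > Long.parseLong(p[1])) return null;   // expired
        if (!used.add(p[2])) return null;                    // replay: nonce seen before
        return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and user name, for illustration only.
        SignOnToken t = new SignOnToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String tok = t.issue("george", System.currentTimeMillis(), 60_000);
        System.out.println(t.redeem(tok, System.currentTimeMillis()));       // first use
        System.out.println(t.redeem(tok, System.currentTimeMillis()));       // same token again
        System.out.println(t.redeem(tok + "x", System.currentTimeMillis())); // tampered signature
    }
}
```

The in-memory nonce set only covers a single server 2 instance and grows until restart; a shared store that drops nonces once their expiry has passed is needed beyond that. A short lifetime limits how long a leaked link is usable before it is redeemed.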
 