Add Authorization header to forward

Jan Andersson
Greenhorn

Joined: Sep 06, 2007
Posts: 7
Hi,

I'm trying to forward the user to another server with the http basic authorization header set.
Something like:


1. User clicks on link
<a href="http://myserver?action=gotoSecure" target="_blank">GO</a>

2. This request is handled by the action "gotoSecure" which
- adds header "Authorization" e.g "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
- forwards/redirects to server "http://secureServer/page.html" with the Authorization header in the request.

3. User gets response from http://secureServer with no need to enter username/password in browser popup (on this or subsequent requests).

Found the question posed on a few different web sites but no answer... Is this possible?

Thanks, any input appreciated!

Jan
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41480
    
You can't use a forward, because the target address is on a different server.

And if you use a redirect, then the browser will add the authentication header upon redirection (or rather, it won't, since it doesn't know the credentials of the second server). So any auth header set by the first server is irrelevant because the browser won't send it to the second server.

Sounds like a single sign-on (SSO) solution is called for.


Jan Andersson
Greenhorn

Joined: Sep 06, 2007
Posts: 7
Hi, thanks. Yes, an SSO solution would be the right way to go. Unfortunately not an option in the short run.

How about if my action handler on the first server creates a new connection and request to the 2nd server, gets the response and sends it back to the client? Like a proxy more or less...
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41480
    
Proxying the requests is a possibility, but I would consider that only as a last resort. That's a lot of development effort and runtime overhead that really shouldn't be necessary.

How about rolling your own simple scheme: have server #1 send the authentication info to server #2, and get back from it some kind of secure token (maybe including the IP address from where to expect the browser request). Then that token is sent as part of the redirect URL to server #2. Thus server #2 knows who it is that's handing over the token, and can act accordingly. The token should include a timestamp of when it times out, just in case it gets bookmarked.
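
The token scheme suggested above, sketched as an added example that is not part of the original thread: server #2 issues an HMAC-signed token carrying the user, the expected client address and an expiry time, and checks all three when the browser arrives with it. The class name, field layout, key handling and sample values are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Added example (hypothetical names): stateless handoff token issued and verified by server #2.
// Token format (an assumption): base64url(user|clientIp|expiryEpochSeconds) "." base64url(HMAC-SHA256).
public final class HandoffToken {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key;   // secret held only by server #2
    public HandoffToken(byte[] key) { this.key = key.clone(); }

    // Called when server #1 has presented valid credentials for `user` to server #2.
    public String issue(String user, String clientIp, long nowSec, long ttlSec) throws GeneralSecurityException {
        if (user.contains("|") || clientIp.contains("|")) throw new IllegalArgumentException("'|' in field");
        byte[] payload = (user + "|" + clientIp + "|" + (nowSec + ttlSec))
                .getBytes(StandardCharsets.UTF_8);
        return B64.encodeToString(payload) + "." + B64.encodeToString(hmac(payload));
    }

    // Returns the user if the token is authentic, unexpired and comes from the expected address, else null.
    public String verify(String token, String requestIp, long nowSec) throws GeneralSecurityException {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 2) return null;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] mac = Base64.getUrlDecoder().decode(parts[1]);
            if (!MessageDigest.isEqual(mac, hmac(payload))) return null;   // constant-time comparison
            String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|");
            if (f.length != 3 || !f[1].equals(requestIp)) return null;
            return Long.parseLong(f[2]) >= nowSec ? f[0] : null;
        } catch (IllegalArgumentException e) { return null; }   // malformed base64 or expiry field
    }

    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key, user, addresses and clock values.
        HandoffToken t = new HandoffToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String tok = t.issue("jan", "192.0.2.10", 1_000, 60);
        System.out.println(t.verify(tok, "192.0.2.10", 1_030));   // same address, within lifetime
        System.out.println(t.verify(tok, "192.0.2.99", 1_030));   // different address
        System.out.println(t.verify(tok, "192.0.2.10", 1_061));   // after expiry
    }
}
```

The token is not single-use, so a short lifetime and HTTPS on the redirect URL matter; server #2 can additionally record redeemed tokens to reject replays within the lifetime.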
kelby zorgdrager
Greenhorn

Joined: Feb 05, 2008
Posts: 12
Can you use the c:import functionality found in the JSTL?

<c:import
url="blah blah blah" />

It works a lot like the curl capabilities in PHP and the Unix cmd line.


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60975
    

<c:import> will not address this issue.


Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41480
    
c:import could be useful in implementing a proxy approach, but it doesn't have provisions for passing authentication information. It can't be hard to take its source code and add that, though. But that would still be a hack, and probably a brittle one at that.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

It is not a feature that I am a fan of, but you should be able to redirect to a URL and include the basic authentication credentials in the form

http://user:pass@www.site.com
[ February 06, 2008: Message edited by: David O'Meara ]
 