
Add Authorization header to forward

 
Jan Andersson
Greenhorn
Posts: 7
Hi,

I'm trying to forward the user to another server with the http basic authorization header set.
Something like:


1. User clicks on link
<a href="http://myserver?action=gotoSecure" target="_blank">GO</a>

2. This request is handled by the action "gotoSecure" which
- adds header "Authorization", e.g. "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
- forwards/redirects to server "http://secureServer/page.html" with the Authorization header in the request.

3. User gets response from http://secureServer with no need to enter username/password in browser popup (on this or subsequent requests).

Found the question posed on a few different web sites but no answer... Is this possible?

Thanks, any input appreciated!

Jan
 
Ulf Dittmer
Rancher
Posts: 42967
73
You can't use a forward, because the target address is on a different server.

And if you use a redirect, then the browser will add the authentication header upon redirection (or rather, it won't, since it doesn't know the credentials of the second server). So any auth header set by the first server is irrelevant because the browser won't send it to the second server.

Sounds like a single sign-on (SSO) solution is called for.
 
Jan Andersson
Greenhorn
Posts: 7
Hi, thanks. Yes, an SSO solution would be the right way to go. Unfortunately it's not an option in the short run.

How about if my action handler on the first server creates a new connection and request to the 2nd server, gets the response, and sends it back to the client? Like a proxy, more or less...
 
Ulf Dittmer
Rancher
Posts: 42967
73
Proxying the requests is a possibility, but I would consider that only as a last resort. That's a lot of development effort and runtime overhead that really shouldn't be necessary.

How about rolling your own simple scheme: have server #1 send the authentication info to server #2, and get back from it some kind of secure token (maybe including the IP address from where to expect the browser request). Then that token is sent as part of the redirect URL to server #2. Thus server #2 knows who it is that's handing over the token, and can act accordingly. The token should include a timestamp of when it times out, just in case it gets bookmarked.
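
The token scheme suggested above, sketched as an added example (not code from any poster in this thread). The class name `HandoffToken`, the use of HMAC-SHA256, the `user|ip|expiry` payload layout and a signing key held only by server #2 are all assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper living on server #2: it issues the token to server #1 after
// checking the credentials, and verifies it when the browser follows the redirect.
public class HandoffToken {
    private final SecretKeySpec key;
    public HandoffToken(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Token = base64url(user|clientIp|expiryEpochSeconds) + "." + base64url(MAC)
    public String issue(String user, String clientIp, long expiresAt) throws Exception {
        String payload = user + "|" + clientIp + "|" + expiresAt;
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(sign(payload));
    }

    // Returns the user name, or null if the token is malformed, forged, expired
    // or presented from an address other than the one it was issued for.
    public String verify(String token, String requestIp, long now) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 2) return null;
        String payload; byte[] mac;
        try {
            payload = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
            mac = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) { return null; }
        // Check the MAC in constant time before trusting any field of the payload.
        if (!MessageDigest.isEqual(sign(payload), mac)) return null;
        String[] f = payload.split("\\|");
        if (f.length != 3) return null;                 // e.g. a user name containing '|'
        if (now >= Long.parseLong(f[2])) return null;   // timed out (bookmarked URL)
        if (!f[1].equals(requestIp)) return null;       // not the expected browser address
        return f[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key, user, address and timestamps; load a real key from configuration.
        HandoffToken t = new HandoffToken("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String token = t.issue("jan", "203.0.113.7", 1060L);
        System.out.println(t.verify(token, "203.0.113.7", 1010L)); // inside lifetime, same address
        System.out.println(t.verify(token, "203.0.113.7", 2000L)); // after the expiry time
    }
}
```

Because the token travels in the redirect URL, it can end up in browser history and server logs, which is why the expiry should be short.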
 
kelby zorgdrager
Greenhorn
Posts: 12
Can you use the c:import functionality found in the JSTL?

<c:import url="blah blah blah" />

It works a lot like the curl capabilities in PHP and the Unix command line...
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64833
86
IntelliJ IDE Java jQuery Mac Mac OS X
<c:import> will not address this issue.
 
Ulf Dittmer
Rancher
Posts: 42967
73
c:import could be useful in implementing a proxy approach, but it doesn't have provisions for passing authentication information. It can't be hard to take its source code and add that, though. But that would still be a hack, and probably a brittle one at that.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
It is not a feature that I am a fan of, but you should be able to redirect to a URL and include the basic authentication credentials in the form

http://user:pass@www.site.com
[ February 06, 2008: Message edited by: David O'Meara ]
 