I'm trying to forward the user to another server with the http basic authorization header set. Something like:
1. User clicks on link <a href="http://myserver?action=gotoSecure" target="_blank">GO</a>
2. This request is handled by the action "gotoSecure" which
   - adds header "Authorization", e.g. "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
   - forwards/redirects to server "http://secureServer/page.html" with the Authorization header in the request.
3. User gets response from http://secureServer with no need to enter username/password in browser popup (on this or subsequent requests).
Found the question posed on a few different web sites but no answer... Is this possible?
You can't use a forward, because the target address is on a different server.
And if you use a redirect, then the browser will add the authentication header upon redirection (or rather, it won't, since it doesn't know the credentials of the second server). So any auth header set by the first server is irrelevant because the browser won't send it to the second server.
Sounds like a single sign-on (SSO) solution is called for.
Hi thanks, yes, an SSO solution would be the right way to go. Unfortunately not an option in the short run.
How about if my action handler on the first server creates a new connection and request to the 2nd server and gets the response and sends it back to the client? Like a proxy more or less...
Proxying the requests is a possibility, but I would consider that only as a last resort. That's a lot of development effort and runtime overhead that really shouldn't be necessary.
How about rolling your own simple scheme: have server #1 send the authentication info to server #2, and get back from it some kind of secure token (maybe including the IP address from where to expect the browser request). Then that token is sent as part of the redirect URL to server #2. Thus server #2 knows who it is that's handing over the token, and can act accordingly. The token should include a timestamp of when it times out, just in case it gets bookmarked.
c:import could be useful in implementing a proxy approach, but it doesn't have provisions for passing authentication information. It can't be hard to take its source code and add that, though. But that would still be a hack, and probably a brittle one at that.
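A minimal version of the hand-over token scheme described in the post above, written here as an added example (it is not code from the thread or from any of the posters). It assumes server #2 mints the token with an HMAC-SHA256 over the user name, the expected browser IP and an absolute expiry, using a secret only server #2 knows, and later verifies the token that arrives in the redirect URL. The function names (`mint_token`, `verify_token`, `build_redirect_url`), the secret and the sample addresses are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Secret known only to server #2 (hypothetical placeholder; use a random value in practice).
SHARED_SECRET = b"replace-with-a-random-32-byte-secret"


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the token can sit in a query string untouched.
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username: str, client_ip: str, ttl_seconds: int = 60,
               now: Optional[float] = None, secret: bytes = SHARED_SECRET) -> str:
    """Run by server #2 when server #1 hands over the authenticated user over a back channel.

    The payload carries the user, the browser IP to expect and an absolute expiry; the HMAC
    over that payload means nobody without the secret can forge or alter a token.
    """
    if "|" in username or "|" in client_ip:
        raise ValueError("field separator not allowed in token fields")
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{username}|{client_ip}|{expires}".encode("utf-8")
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, client_ip: str, now: Optional[float] = None,
                 secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Run by server #2 on the redirected browser request.

    Returns the user name on success, None for a malformed, forged, expired or
    wrong-origin token. The signature is checked before any field is trusted.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        username, bound_ip, expires_text = payload.decode("utf-8").split("|")
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return None
    current = time.time() if now is None else now
    if current >= expires:          # bookmarked or replayed later: rejected
        return None
    if bound_ip != client_ip:       # token presented from a different address
        return None
    return username


def build_redirect_url(token: str, base: str = "http://secureServer/page.html") -> str:
    """Server #1 sends the browser here; the token rides along as a query parameter."""
    return base + "?" + urlencode({"token": token})


def token_from_url(url: str) -> Optional[str]:
    """Server #2 pulls the token back out of the request URL."""
    return parse_qs(urlsplit(url).query).get("token", [None])[0]


if __name__ == "__main__":
    # Constructed walk-through: server #2 mints, server #1 redirects, server #2 verifies.
    tok = mint_token("alice", "203.0.113.5", ttl_seconds=60, now=1000.0)
    url = build_redirect_url(tok)
    print(url)
    print(verify_token(token_from_url(url), "203.0.113.5", now=1030.0))  # alice
    print(verify_token(token_from_url(url), "203.0.113.5", now=1090.0))  # None (expired)
```

Keep the TTL short: the token travels in the URL, so it will land in browser history, server logs and Referer headers, and the expiry is the main thing limiting what a leaked copy is worth. The IP binding is only as reliable as the address server #2 actually sees; behind a NAT or a reverse proxy it may differ from what server #1 observed, so check which address your deployment reports before relying on it.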