
Add Authorization header to forward

Jan Andersson

Joined: Sep 06, 2007
Posts: 7

I'm trying to forward the user to another server with the http basic authorization header set.
Something like:

1. User clicks on link
<a href="http://myserver?action=gotoSecure" target="_blank">GO</a>

2. This request is handled by the action "gotoSecure" which
- adds header "Authorization", e.g. "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
- forwards/redirects to server "http://secureServer/page.html" with the Authorization header in the request.

3. User gets response from http://secureServer with no need to enter username/password in browser popup (on this or subsequent requests).

Found the question posed on a few different web sites but no answer... Is this possible?

Thanks, any input appreciated!

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 41101
You can't use a forward, because the target address is on a different server.

And if you use a redirect, then the browser will add the authentication header upon redirection (or rather, it won't, since it doesn't know the credentials of the second server). So any auth header set by the first server is irrelevant because the browser won't send it to the second server.

Sounds like a single sign-on (SSO) solution is called for.

Jan Andersson

Joined: Sep 06, 2007
Posts: 7
Hi, thanks. Yes, an SSO solution would be the right way to go. Unfortunately not an option in the short run.

How about if my action handler on the first server creates a new connection and request to the 2nd server, gets the response and sends it back to the client? Like a proxy, more or less...
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 41101
Proxying the requests is a possibility, but I would consider that only as a last resort. That's a lot of development effort and runtime overhead that really shouldn't be necessary.

How about rolling your own simple scheme: have server #1 send the authentication info to server #2, and get back from it some kind of secure token (maybe including the IP address from where to expect the browser request). Then that token is sent as part of the redirect URL to server #2. Thus server #2 knows who it is that's handing over the token, and can act accordingly. The token should include a timestamp of when it times out, just in case it gets bookmarked.
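
Added example (not part of any post in this thread, and not the poster's code): a sketch of the token scheme described above, as server #2 might issue and check it. The class name `HandoverToken`, the HMAC-SHA256 signature, the newline-separated payload layout and all sample values are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper for server #2: issues and checks the hand-over token.
public class HandoverToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] key; // secret known only to server #2

    public HandoverToken(byte[] key) { this.key = key.clone(); }

    private byte[] mac(byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(data);
    }

    // Called after server #1 has presented the user's credentials and they checked out.
    public String issue(String user, String clientIp, long expiresAtEpochSec) throws Exception {
        byte[] payload = (user + "\n" + clientIp + "\n" + expiresAtEpochSec)
                .getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(payload));
    }

    // Called when the browser arrives with the token in the redirect URL.
    // Returns the user name, or null if the token must be rejected.
    public String verify(String token, String remoteAddr, long nowEpochSec) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 2) return null;
            byte[] payload = DEC.decode(parts[0]);
            // Constant-time comparison of the expected and presented signature.
            if (!MessageDigest.isEqual(mac(payload), DEC.decode(parts[1]))) return null;
            String[] f = new String(payload, StandardCharsets.UTF_8).split("\n");
            if (f.length != 3 || !f[1].equals(remoteAddr)) return null; // wrong sender
            if (nowEpochSec >= Long.parseLong(f[2])) return null;       // timed out
            return f[0];
        } catch (Exception e) {
            return null; // malformed or missing token
        }
    }

    public static void main(String[] args) throws Exception {
        HandoverToken t = new HandoverToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String tok = t.issue("aladdin", "203.0.113.7", 1_000_060L); // constructed values
        System.out.println(t.verify(tok, "203.0.113.7", 1_000_000L));  // same IP, before expiry
        System.out.println(t.verify(tok, "198.51.100.9", 1_000_000L)); // different IP
        System.out.println(t.verify(tok, "203.0.113.7", 1_000_061L));  // after expiry (bookmarked link)
    }
}
```

Because the signature covers the user, the expected IP address and the expiry time, a token that is altered, replayed from another address or bookmarked past its timeout is rejected by `verify`.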
kelby zorgdrager

Joined: Feb 05, 2008
Posts: 12
Can you use the c:import functionality found in the JSTL?

<c:import url="blah blah blah" />

It works a lot like the curl capabilities in PHP and the Unix cmd line.

Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 60780

<c:import> will not address this issue.

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 41101
c:import could be useful in implementing a proxy approach, but it doesn't have provisions for passing authentication information. It can't be hard to take its source code and add that, though. But that would still be a hack, and probably a brittle one at that.
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

It is not a feature that I am a fan of, but you should be able to redirect to a URL and include the basic authentication credentials in the form
[ February 06, 2008: Message edited by: David O'Meara ]