Reputation: 14877
I have a situation as below:
I have 2 web applications running on Tomcat. Initially the user logs in to Application 1, and there is a link to Application 2. On clicking the link, the user should be redirected to the second application.
Both applications using LDAP authentication.
Now, the problem here is that the second application has its own authentication system.
So we are planning to implicitly authenticate the user who is logged in to the first system.
I have written a servlet, which gets executed when I click on the link for App2 in App1.
I am trying to use the code below, which should call the servlet "ldap-login" on app2 with the given parameters. The parameter names are correct.
    // Imports needed by this fragment (Commons HttpClient 3.x):
    // import org.apache.commons.httpclient.HttpClient;
    // import org.apache.commons.httpclient.HttpStatus;
    // import org.apache.commons.httpclient.methods.PostMethod;

    String targetURL = "http://localhost:8080/app2/ldap-login";
    HttpClient client = new HttpClient();
    PostMethod doPost = new PostMethod(targetURL);
    //doPost.getParams().setBooleanParameter(HttpMethodParams.USE_EXPECT_CONTINUE, true);
    doPost.addParameter("login_netid", "alice");
    doPost.addParameter("login_password", "alice");
    try {
        // Server-side POST from App1 to app2's login servlet
        int status = client.executeMethod(doPost);
        if (status == HttpStatus.SC_OK) {
            // redirect the user's browser to app2
            response.sendRedirect("http://localhost:8080/app2/myPage");
        } else {
            System.out.println("Service failed, Response Code= " +
                    HttpStatus.getStatusText(status));
            System.out.println("Response Body --> " + doPost.getResponseBodyAsString());
        }
    } catch (Exception ex) {
        System.out.println("ERROR: " +
                ex.getClass().getName() + " " + ex.getMessage());
        ex.printStackTrace();
    } finally {
        doPost.releaseConnection();
    }
But I am getting the response "Moved temporarily".
Can anyone suggest an alternative?
Upvotes: 4
Views: 1146
Reputation: 1180
As per the API doc, the sendRedirect call does a temporary redirect. As @BalusC mentioned, you need to handle response code SC_MOVED_TEMPORARILY or SC_FOUND.
The reason it's doing a redirect after login (or might be after any POST request) could be to avoid the Double Submit Problem. Here is another article on that one.
Upvotes: 0
Reputation: 1108722
A 302 Moved Temporarily response is just a redirect. It's exactly the kind of response which you would get when you do response.sendRedirect(). You can also very well get a redirect as a response to a successful login. I suggest verifying on the second application whether it isn't indeed redirecting when the login is successful. You should then check if the response code is 302 instead of 200. Or, alternatively, you need to tell HttpClient to follow any redirects automatically.
Even more, if the login actually failed, what kind of response would you get from the second application? Would it throw an exception and thus return a response code of 500? Or would it just conditionally set some error message in the request scope and redisplay the JSP by a forward and thus keep a response code of 200? How would you then distinguish a 200 on a failed login from a 200 on a successful login?
Unrelated to the concrete problem, your approach will likely not work if the second application does not share the same session as the first application. A login is usually stored in the session, but you're not maintaining the session anywhere. Anyway, that's subject for a new question :)
Upvotes: 1
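The checks raised in the answer above (302 versus 200, telling a failed login from a successful one, and where the session ends up), as an added Java example that is not code from the question or either answer. It uses only the JDK; `SUCCESS_PATH`, the `login.jsp` failure page and the sample headers are assumptions about how app2 behaves, and header names are matched exactly.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;

public class LoginResponseCheck {
    enum Outcome { SUCCESS, FAILED, AMBIGUOUS, ERROR }
    static final URI LOGIN_URL = URI.create("http://localhost:8080/app2/ldap-login");
    // Assumption (not from the page): app2 redirects here only after a good login.
    static final String SUCCESS_PATH = "/app2/myPage";

    static Outcome classify(int status, Map<String, List<String>> headers) {
        if (status == 200) return Outcome.AMBIGUOUS; // may be the login form re-rendered with an error
        if (status != 302 && status != 303) return Outcome.ERROR;
        List<String> loc = headers.getOrDefault("Location", List.of());
        if (loc.isEmpty()) return Outcome.ERROR;
        URI target;
        try {
            target = LOGIN_URL.resolve(loc.get(0)); // Location may be relative
        } catch (IllegalArgumentException e) {
            return Outcome.ERROR;
        }
        boolean sameOrigin = LOGIN_URL.getScheme().equalsIgnoreCase(target.getScheme())
                && LOGIN_URL.getHost().equalsIgnoreCase(target.getHost())
                && LOGIN_URL.getPort() == target.getPort();
        if (!sameOrigin) return Outcome.ERROR; // an off-site redirect is not a login result
        return SUCCESS_PATH.equals(target.getPath()) ? Outcome.SUCCESS : Outcome.FAILED;
    }

    // Session cookie issued by app2. It goes to App1's server-side HTTP client,
    // so the user's browser does not hold it when it is later redirected to app2.
    static String sessionCookie(Map<String, List<String>> headers) {
        for (String c : headers.getOrDefault("Set-Cookie", List.of())) {
            if (c.startsWith("JSESSIONID=")) return c.split(";", 2)[0];
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured from a real app2.
        Map<String, List<String>> ok = Map.of(
                "Location", List.of("/app2/myPage"),
                "Set-Cookie", List.of("JSESSIONID=CONSTRUCTED123; Path=/app2; HttpOnly"));
        Map<String, List<String>> bad = Map.of("Location", List.of("/app2/login.jsp?error=1"));
        Map<String, List<String>> offSite = Map.of("Location", List.of("http://other.example/app2/myPage"));
        System.out.println(classify(302, ok) + " " + sessionCookie(ok));
        System.out.println(classify(302, bad));
        System.out.println(classify(302, offSite));
        System.out.println(classify(200, Map.of()));
    }
}
```

Even when the result is `SUCCESS`, the session belongs to the server-side client in App1, so redirecting the browser to app2 afterwards does not log the user in there.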