Hi All,

The scenario is that the intended user will access the servlet (e.g. http://someip/myservlet), which in turn authenticates to a password-protected website (e.g. mysite.com, which is hosted on an IIS server with "Use Windows authentication" enabled) implicitly and then opens that mysite.com, so that:

  1. target users will not get a prompt for username & password, as they will go through the servlet (hosted on some server like Tomcat)
  2. any other user accessing link text will not be able to access it without knowing the credentials

The requirement is that it has to open that website, not fetch the content, as mysite.com has dynamic functionality in it.

Is it possible in Java (HttpURLConnection)?

Any help is appreciated.

Thanks.

+1  A: 

To be sure I understood your need, here is a summary: you want a given user A to connect to your first server, Server1.domain1.com, which would connect (from inside the Java server) to a second server, server2.domain2.com (currently under IIS). Then server1 would forward the user to the server2 web page, the challenge being to avoid any authentication popup.

The root problem is to transmit, from server1 to the client browser, then from the client browser to server2, the authentication ticket that server1 got from server2.

It is not specifically a Java problem but more a global web problem. Indeed, the only information received by server2 to identify the client user is in the HTTP flow: in short, the IP address, the URL, and cookies.

Cookies are a dead end if server1 and server2 are not in the same domain (see RFC 2109: http://www.ietf.org/rfc/rfc2109.txt), as the browser would send cookies to a server of a given domain only if the cookie was returned from a server (the same or another) of the SAME domain.

So the answer is a two-step process:

  • First, server1 should get a sessionID from server2, probably by submitting an HTTP request with appropriate credentials (basic-auth? form fields? or worse, "Windows-like domain auth"?). For this step, I suggest using the Apache HttpClient library.
  • Second, server1 should forward the client user to an appropriate URL of server2 that would include the sessionID as an argument. It requires that server2 offers such a possibility to get in.

At first sight I see no other simple solution.

zim2001
akjain
I would guess that such a behavior requires a completely different approach; instead of forwarding the client to server2, server1 "proxies" server2 pages. But the huge difference from classical proxies, which work at the HTTP protocol level, is that here the proxy works at the "html" level. Generally it requires HTML rewriting, a tricky and awful and incomplete approach (I experienced that a couple of years ago with the "gateway" component of Sun Portal Server).
zim2001
+1  A: 

It seems the functionality you would like to implement is covered by HTTP reverse proxies. This kind of proxy will "mirror" some site site1.domain1.com at another location like site2.domain2.com.

The most common use cases are that site1 is not public and the reverse proxy will act as a gateway, load balancer, SSL gateway or similar.

For implementation in Java: I also recommend the Apache HTTP client library. And it's possible to use NTLM authentication with this client lib.

mkoeller
A: 

The built-in HttpURLConnection might not be enough if you really want to implement this kind of request forwarding. Try the Apache HttpClient, which has ample customization options. You could also look for TCP forward solutions or this post.

kd304
TCP port forwarding only works as long as the forwarded content is independent of the TCP connection context. With HTTP this breaks in some places: the Host header will be wrong, so the origin server may reject the request. Links in HTML content must be relative to keep working. HTTPS does not work. Apart from this, it's surprising how easily a TCP port forwarder can mimic a reverse proxy for simple web applications.
mkoeller
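The reverse-proxy approach from the answers, together with the Host-header point in the last comment, as an added example that is not code from any poster. It uses the JDK's built-in `HttpClient` and `HttpServer` instead of the Apache HttpClient the answers recommend, and it assumes the origin accepts Basic authentication; the origin URL `https://mysite.example` and the environment variable names `ORIGIN_USER` and `ORIGIN_PASSWORD` are placeholders.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class AuthInjectingProxy {
    // Placeholder origin (assumption); credentials are read from the environment in main().
    static final String ORIGIN = "https://mysite.example";
    static final HttpClient CLIENT = HttpClient.newHttpClient();
    // Built on the proxy only, so the browser never holds the origin's credentials.
    static String basicAuth(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }
    // Scheme and host stay pinned to ORIGIN; only path and query come from the client.
    static URI upstreamUri(URI requested) {
        String path = requested.getRawPath(), query = requested.getRawQuery();
        if (path == null || !path.startsWith("/")) return null;
        return URI.create(ORIGIN + path + (query == null ? "" : "?" + query));
    }
    static void handle(HttpExchange ex, String auth) throws IOException {
        try {
            URI target = upstreamUri(ex.getRequestURI());
            if (target == null || !"GET".equals(ex.getRequestMethod())) { ex.sendResponseHeaders(400, -1); return; }
            // HttpClient derives Host from the target URI, which a raw TCP forwarder cannot do.
            HttpRequest req = HttpRequest.newBuilder(target).header("Authorization", auth).GET().build();
            HttpResponse<byte[]> resp = CLIENT.send(req, HttpResponse.BodyHandlers.ofByteArray());
            resp.headers().firstValue("Content-Type")
                .ifPresent(v -> ex.getResponseHeaders().set("Content-Type", v));
            byte[] body = resp.body();
            ex.sendResponseHeaders(resp.statusCode(), body.length == 0 ? -1 : body.length);
            if (body.length > 0) ex.getResponseBody().write(body);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            ex.sendResponseHeaders(502, -1);
        } finally {
            ex.close();
        }
    }
    public static void main(String[] args) throws IOException {
        String auth = basicAuth(System.getenv("ORIGIN_USER"), System.getenv("ORIGIN_PASSWORD"));
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/", ex -> handle(ex, auth));
        server.start();
    }
}
```

The proxy holds the origin's credentials, so it has to authenticate its own callers before forwarding anything; this sketch only binds to 127.0.0.1 and proxies GET requests. Pages served this way keep working only if the origin's links are relative, as the last comment notes.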