Hi all,

We have a JSF web application that uses Acegi security. We also have a standalone Java Swing application. One function of the Swing app is to load the user's home page in a browser window.

To do this we're currently using Commons HttpClient to authenticate the user with the web app:

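import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.PostMethod;
import edu.stanford.ejalbert.BrowserLauncher;

// Log in by posting the credentials to the Acegi login filter.
String url = "http://someUrl/j_acegi_security_check";
HttpClient client = new HttpClient();
// trustStoreType is defined elsewhere in the application (not shown in this snippet).
System.setProperty(trustStoreType, "Windows-ROOT");
PostMethod method = new PostMethod(url);
method.addParameter("j_username", "USERNAME");
method.addParameter("j_password", "PASSWORD");
int statusCode = client.executeMethod(method);
if (statusCode == HttpStatus.SC_MOVED_TEMPORARILY) {
    // A successful login answers with a 302; its Location header carries the session ID.
    Header locationHeader = method.getResponseHeader("Location");
    String redirectUrl = locationHeader.getValue();
    // Hand only the URL to the system browser. Cookies held by HttpClient are not passed along.
    BrowserLauncher launcher = new BrowserLauncher();
    launcher.openURLinBrowser(redirectUrl);
}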

This returns an HTTP 302 redirect response, from which we take the redirect URL and open it using BrowserLauncher 2. The URL contains the new session ID, something like:

http://someUrl/HomePage.jsf;jsessionid=C4FB2F643CE48AC2DE4A8A4C354033D4

The problem we're seeing is that Acegi processes the redirect but throws an AuthenticationCredentialsNotFoundException. It seems that for some reason the authenticated credentials cannot be found in the security context.

Does anyone have an idea as to why this is happening? If anyone needs more info then I'll be happy to oblige.

Many thanks,

Richard

+1  A: 

I have never done Acegi/SpringSecurity, but the symptoms are clear enough: some important information is missing in the request. You at least need to investigate all the response headers to see if there isn't something new which needs to be passed back in the header of the subsequent request. Maybe another cookie entry which represents the Acegi credentials.

But another caveat is that you in fact cannot open just the URL in a local browser instance, because there's no way to pass the necessary request headers along with it. You'll need to have your Swing application act as a built-in web browser. E.g. get the HTML response in an InputStream and render/display it somehow in a Swing frame. I would check if there isn't already an existing API for that, because it would involve much more work than you'd initially think (understatement).

BalusC
Thanks for the detailed answer. It looks like the browser is missing some cookies when we open the redirect. Looks like we might have to adapt the solution to work within Swing somehow.
RichardP
A: 

In this case you can do Basic Authentication and set this header in every request instead of sending the jsessionid:

AUTHORIZATION:Basic VVNFUk5BTUU6UEFTU1dPUkQ=

The token VVNFUk5BTUU6UEFTU1dPUkQ= is the username and the password encoded in Base64.
Example:

scott:tiger 

is:

c2NvdHQ6dGlnZXI=

One more thing: use SSL.

rodrigoap
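
The Basic Authentication header from the answer above, as an added example that is not part of the original answer: it builds the header value, decodes it back to show that Base64 hides nothing (which is why the answer says to use SSL), and refuses to proceed for a non-HTTPS target. The class and method names are hypothetical, the `https://someUrl/...` address is a constructed variant of the question's placeholder URL, and `java.util.Base64` assumes Java 8 or later.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeader {

    // Builds the Authorization header value: "Basic " + base64(user ":" password).
    static String encode(String user, String password) {
        if (user.indexOf(':') >= 0) {
            // The first colon separates the two fields, so a user name may not contain one.
            throw new IllegalArgumentException("user name must not contain ':'");
        }
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Reverses encode(): anyone who sees the header recovers both fields without a key.
    static String[] decode(String headerValue) {
        if (!headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        // Split on the first colon only; the password itself may contain colons.
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    // Guard to call before attaching the header to a request.
    static void requireHttps(URI target) {
        if (!"https".equalsIgnoreCase(target.getScheme())) {
            throw new IllegalStateException(
                "refusing to send Basic credentials over " + target.getScheme());
        }
    }

    public static void main(String[] args) {
        System.out.println(encode("scott", "tiger"));
        String[] fields = decode("Basic VVNFUk5BTUU6UEFTU1dPUkQ=");
        System.out.println(fields[0] + " / " + fields[1]);
        requireHttps(URI.create("https://someUrl/HomePage.jsf")); // constructed URL
        try {
            requireHttps(URI.create("http://someUrl/HomePage.jsf"));
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```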