Hi,

I have a situation where ideally I want to be able to log in to a secure area using a Java application.

I would like to make an HTTP request and check the response to see if I need to do some kind of authentication before I can actually get the response expected, instead of effectively some login page. The complication is that the server that responds will not always be the same - the user of the Java app specifies the URL - and the server may be using some kind of single sign on authentication or the web container's.

I don't know the field names for the username and password fields or the action of the form, is there a simple way to obtain this kind of information from the URL?

I see the URLConnection object has methods getPermission() which has a method getActions() but are not suitable, anything that might be?

I guess example things I am looking to determine:

  • Does the response require authentication?
  • If so; what type / which servlet? e.g. j_security_check, josso single sign on, ...
  • And then some way of authenticating the client
  • And finally managing the state of the authenticated user for other requests

Do I need to know the attributes of the login form before attempting to login? And then, is the only way of verifying permission to the requested resource to manually manage the cookies?

Thanks in advance.

A: 

It sounds as if you are trying to create an SSO process in the client. I don't fully understand your design here, but when I see clients that are effectively allowing the user through to the server they usually just provide a checkbox "requires authentication"; if the user clicks yes then he/she would fill out username/password fields. You will need to know beforehand what the server is expecting so you can code in the required fields. I don't believe there is any universal method of authenticating to an unknown service. If there were we probably would have solved SSO a long time ago. There are a huge number of authentication methods, many of which are custom. So, how could something determine what fields and such a server requires in order to authenticate?

I think if you are asking your users to provide a URL then you by definition require them to know something about how to authenticate to the server. Assumptions could be made, say, if the URL were svn:// or ldap:// or the like...

If you are providing the user with some enumerated set of services to choose from, say in a drop down, then you have the control to try and abstract the interface and hide the authentication details from them.

harschware
A: 

What I did in the end was send a request to a page, check for a login form (a form which has two visible fields, one of which is of type password) and obtain the form field names from that.

Posted the values back (along with hidden values and JSession cookies) and saved the cookies returned by the server. This works! And then as long as I send, with every request, those cookies, I can access secured pages.

Thanks.

Also - why is my reputation score around 100 less than when I last logged in, despite not getting down voted on anything??

Ed
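
The detection step described in the last answer, as an added Java example (not the poster's code): it finds a form with one text-like field and one password field, collects the hidden values, and resolves the action URL. The class and method names are hypothetical, the HTML is a constructed sample, regex parsing handles quoted attributes only, and the `safeToSubmit` policy (HTTPS, same host as the page that served the form) is an assumption added here because the URL comes from the user.

```java
import java.net.URI;
import java.util.*;
import java.util.regex.*;

// Added example (hypothetical class and method names); needs Java 17 or later.
public class LoginFormProbe {
    record LoginForm(URI action, String userField, String passField, Map<String, String> hidden) {}

    static final Pattern FORM = Pattern.compile("<form\\b([^>]*)>(.*?)</form>",
            Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    static final Pattern INPUT = Pattern.compile("<input\\b([^>]*)>", Pattern.CASE_INSENSITIVE);

    // Value of a quoted attribute inside a tag's attribute text, or "" if absent.
    static String attr(String attrs, String name) {
        Matcher m = Pattern.compile("(?<![\\w-])" + name + "\\s*=\\s*[\"']([^\"']*)[\"']",
                Pattern.CASE_INSENSITIVE).matcher(attrs);
        return m.find() ? m.group(1) : "";
    }

    // Heuristic from the answer: a form with two visible fields, one of type password.
    static Optional<LoginForm> detect(URI page, String html) {
        for (Matcher f = FORM.matcher(html); f.find(); ) {
            Map<String, String> hidden = new LinkedHashMap<>();
            List<String> text = new ArrayList<>(), pass = new ArrayList<>();
            for (Matcher in = INPUT.matcher(f.group(2)); in.find(); ) {
                String type = attr(in.group(1), "type").toLowerCase(), name = attr(in.group(1), "name");
                if (type.equals("hidden")) hidden.put(name, attr(in.group(1), "value"));
                else if (type.equals("password")) pass.add(name);
                else if (type.isEmpty() || type.equals("text") || type.equals("email")) text.add(name);
            }
            if (text.size() == 1 && pass.size() == 1)
                return Optional.of(new LoginForm(page.resolve(attr(f.group(1), "action")),
                        text.get(0), pass.get(0), hidden));
        }
        return Optional.empty();
    }

    // Assumed policy: post credentials only over HTTPS and only to the host that served the form.
    static boolean safeToSubmit(URI page, LoginForm form) {
        String host = form.action().getHost();
        return "https".equalsIgnoreCase(form.action().getScheme())
                && host != null && host.equalsIgnoreCase(page.getHost());
    }

    public static void main(String[] args) {
        // Constructed sample page; in practice this is the body returned for the user's URL.
        String html = "<form method='post' action='j_security_check'><input type='hidden' name='tok' value='abc'>"
                + "<input type='text' name='j_username'><input type='password' name='j_password'>"
                + "<input type='submit' value='Go'></form>";
        URI page = URI.create("https://app.example.test/secure/login.jsp");
        LoginForm form = detect(page, html).orElseThrow();
        System.out.println(form + " safeToSubmit=" + safeToSubmit(page, form));
    }
}
```

For the session state discussed in the thread, a `java.net.http.HttpClient` built with `cookieHandler(new java.net.CookieManager())` stores the cookies the server returns and resends them on later requests. Pass the final URI after redirects as `page`, so that an SSO login served from a different host is compared against the host that actually served the form.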