Hi,
as you mentioned in your answer I first tried to find out whether WebSphere
is sending the cookie JSessionID in step 4) or 6).
After requesting the Login-Page from a browser and requesting
javascript:alert(document.cookie)
before authentication I found out WebSphere 5.1 is sending SessionID-Cookie
in step 4).
The cookie is shown in the alert window.
Then I changed the implementation of method getSecureSessionIdCookie(...)
like this
###
private Cookie getSecureSessionIdCookie(WebRequest theRequest,
    Configuration theConfiguration)
{
    HttpURLConnection connection;
    String resource = null;
    Cookie cookie = null;
    try
    {
        // Create a helper that will connect to a restricted resource.
        WebConfiguration webConfig = (WebConfiguration) theConfiguration;
        resource = webConfig.getRedirectorURL(theRequest);
        HttpClientConnectionHelper helper =
            new HttpClientConnectionHelper(resource);
        WebRequest request =
            new WebRequestImpl((WebConfiguration) theConfiguration);
        // Make the connection using a default web request.
        connection = helper.connect(request, theConfiguration);
        checkPreAuthResponse(connection);
        cookie = getCookie(connection, getSessionCookieName());
        if (cookie == null) {
            // No session cookie on the first response: request the login
            // page itself and look for the cookie there.
            String loginURL = getLoginURL(connection);
            HttpClientConnectionHelper helper2 =
                new HttpClientConnectionHelper(loginURL);
            connection = helper2.connect(request, theConfiguration);
            cookie = getCookie(connection, getSessionCookieName());
        } // end if
    }
    catch (Throwable e)
    {
        throw new ChainedRuntimeException(
            "Failed to connect to the secured redirector: " + resource,
            e);
    }
    return cookie;
}

public String getLoginURL(HttpURLConnection connection) {
    String locationHeaderKey = "Location";
    String loginURL = null;
    // TODO: derive the login URL from the response; hard-coded for now.
    return
        "http://mmwasint.mn-man.biz:8085/mandeploymantwebapp/jsp/LoginForm.jsp";
}
###
The cookie is found and gets stored for the next request.
Now I get the exception "Failed to get test results at
[http:/.../ServletRedirectorSecure]".
I will try to find the reason on Friday. It's already too late.
Kids are waiting ...
Thanks,
Toni
---------------------------------------------------------------
Anton Grimm
MAN Nutzfahrzeuge AG
IDP - Software Produktionsumgebungen
Dachauerstr.667
D - 80995 München
Fon: +49-89-1580-1054
Fax: +49-89-1580-4550
mailto: [EMAIL PROTECTED]
Internet: http://www.man-trucks.com
---------------------------------------------------------------
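The fallback described in the message above, as an added example that is not part of the original post or of Cactus: it reads the `Location` header of the redirect instead of hard-coding the login URL, then looks for the session cookie on the login page response. The class name `LoginCookieProbe`, the stub server, its paths and the cookie value are constructed for illustration; what WebSphere 5.1 actually sends is only what the message reports.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class LoginCookieProbe {
    // Scan all response headers (names compared case-insensitively) for the named cookie.
    static String cookieValue(HttpURLConnection c, String name) {
        for (int i = 0; ; i++) {
            String key = c.getHeaderFieldKey(i);
            String val = c.getHeaderField(i);
            if (val == null) return null;              // past the last header
            if (key == null || !key.equalsIgnoreCase("Set-Cookie")) continue;
            String pair = val.split(";", 2)[0].trim(); // drop Path, Secure, ...
            if (pair.startsWith(name + "=")) return pair.substring(name.length() + 1);
        }
    }
    static HttpURLConnection get(URL url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setInstanceFollowRedirects(false); // inspect each hop separately
        c.getResponseCode();                 // forces the request to be sent
        return c;
    }
    // Ask for the secured resource; if no cookie arrives, follow Location to the login page.
    static String findSessionId(URL secured, String cookieName) throws Exception {
        HttpURLConnection c = get(secured);
        String id = cookieValue(c, cookieName);
        String location = c.getHeaderField("Location");
        if (id == null && location != null) {
            id = cookieValue(get(new URL(secured, location)), cookieName); // relative or absolute
        }
        return id;
    }
    public static void main(String[] args) throws Exception {
        // Constructed stub: redirect without a cookie, cookie set on the login page.
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/secure", x -> {
            x.getResponseHeaders().add("Location", "/login.jsp");
            x.sendResponseHeaders(302, -1);
            x.close();
        });
        s.createContext("/login.jsp", x -> {
            x.getResponseHeaders().add("Set-Cookie", "JSESSIONID=0000constructed; Path=/");
            x.sendResponseHeaders(200, -1);
            x.close();
        });
        s.start();
        URL secured = new URL("http://127.0.0.1:" + s.getAddress().getPort() + "/secure");
        System.out.println("JSESSIONID=" + findSessionId(secured, "JSESSIONID"));
        s.stop(0);
    }
}
```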
Kazuhito SUGURI <[EMAIL PROTECTED].ntt.co.jp>
06/08/2004 05:14 PM
Please reply to: "Cactus Users List"
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc:
Subject: Re: Antwort: Re: Security (using FormAuthentication) not working against WebSphere 5.1
Hi,
In article
<[EMAIL PROTECTED]>,
Tue, 8 Jun 2004 14:42:53 +0200,
[EMAIL PROTECTED] wrote:
Anton_Grimm> Do you think it is the right place to change the implementation of the
Anton_Grimm> method
Anton_Grimm> getSecureSessionIdCookie()
Anton_Grimm> in FormAuthentication to include step3) and step4) if no cookie is found in
Anton_Grimm> step 2) ?
Yes, I think so.
But, we have no data yet.
I'm wondering if WAS is sending Set-Cookie JSESSIONID header
only for successfully authenticated user, i.e. at step (6).
# if the session tracking can be started at step(4), why cannot at step(6)...
Please let us know when you find a new fact.
Regards,
----
Kazuhito SUGURI
mailto:[EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]