It's a great feeling talking to somebody in the know. Thank you!
From: Oleg Kalnichevski <[EMAIL PROTECTED]>
Reply-To: "HttpClient User Discussion" <[email protected]>
To: HttpClient User Discussion <[email protected]>
Subject: Re: can I NOT have the cookie please
Date: Tue, 08 Aug 2006 12:08:02 +0200
On Tue, 2006-08-08 at 17:41 +0800, leung cc wrote:
> This is actually a problem that arose after I went about solving my applet
> + commons-httpclient -> https + client cert problem taking advice from Oleg
> and others here. Well, I customized Oleg's AuthSSLProtocolSocketFactory and
> succeeded in making a connection to the servlet in my applet. But it
> appeared that httpclient was sending a cookie of unknown origin to the
> servlet and that caused the servlet to not recognize the session which the
> applet was supposed to be part of.
Unless evil green men took over your servlet engine there should be no
cookies of unknown origin.
Ok, I take it that you're saying the cookie came from my server (be it the
apache httpd or tomcat). And after your enlightening, I now think the
following part of my trace log indicated that the server was saying to the
client (httpclient in my applet) "store a cookie your side with this
content..." And it seems the servlet didn't see my request to be associated
with the existing session which the webpage containing the applet had
already established with the server - i.e. either it didn't see the
"jsessionid=..." parameter or was ignoring it. I actually printed out
"request.getRequestedSessionId()" in my servlet and it was "null".
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Date: Wed, 09 Aug 2006 01:22:08 GMT[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Server: Apache/2.0.40 (Red Hat Linux)[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Set-Cookie: JSESSIONID=2E3BE88203EE876C80EF4CD15CDBDD94; Path=/whatever; Secure[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Content-Length: 17[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Connection: close[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "Content-Type: text/plain;charset=Big5-HKSCS[\r][\n]"
2006/08/09 09:11:18:210 CST [DEBUG] header - << "X-Pad: avoid browser bug[\r][\n]"
> So I changed the method to Get (was using
> Post) and tried to advise the servlet of the correct session by adding
> "JSESSIONID=..." to the URL. I thought setting the cookie policy would have
> stopped httpclient from sending any cookies but I was wrong and so I added
> the setRequestHeader() call too (right, was shooting in the dark) but that
> didn't seem to improve it.
>
> GetMethod rqst = new GetMethod( "ccs" + Constants.APP_HOME_URL_PFX +
> "/GiveLotOrCPCInfoAlt.jsp?JSESSIONID=" + this.httpSessId +
> "&qkt=" + qryKeyType +
> "&qk=" + URLEncoder.encode( psLotNum ) +
> "&ak=" + URLEncoder.encode( acsKey ) );
>
> rqst.getParams().setCookiePolicy( CookiePolicy.IGNORE_COOKIES );
Try setting the cookie policy on the host or the client level and see if
that makes a difference.
I set the IGNORE_COOKIES policy on the HttpClient and it made no
difference. Didn't try it on the host level because I think the client
level is more encompassing than that - Ok, and I admit I'm too lazy to
modify the URL to be relative.
http://jakarta.apache.org/commons/httpclient/preference-api.html
> rqst.setRequestHeader( "Set-Cookie",
> "JSESSIONID=" + this.httpSessId +
> "; Path=/whatever; Secure" ); // HC
>
This is wrong. At the very least the header name should be "Cookie".
Besides you'll be much better off if you left cookie management to one
of the HttpClient's cookie specs.
OK, I will change "Set-Cookie" to "Cookie" to see if that makes any
difference and then get rid of it altogether if it doesn't.
Ah huh, news flash, it did work - the servlet recognized my request to be
associated with that particular session, so now I can forget about
sticking "jsessionid=" in the URL? I will let you know how I fare down that
path.
> Now, my questions are:
>
> 1. My servlet side is arranged with apache in the forefront and tomcat at
> the back, so maybe tomcat isn't seeing the jsessionid info and I should
> tell Apache rather than tomcat what the session I want? If this isn't
> clear, let me say this: in my case apache is our webserver which is
> listening for both http and https requests and tomcat only runs the jsp
> programs - although tomcat can serve as a webserver, we are NOT using that
> functionality of its.
>
Per default Apache HTTP server should not mess around with session
cookies. If your browser can maintain sessions when accessing the web
app hosted in Tomcat, so could HttpClient.
I was turning to the GET method and messing with adding "jsessionid=..." on
the URL since I thought there was no hope I could get it to work with a
cookie (with the one maintained by the browser or one of my own). Looks
like I am wrong now.
> 3. Httpclient is sending a cookie that contained the desired session id to
> the server, where did it get the idea of the session id from? The webpage
> where my applet is contained has a different session id, which I tried
> to tell the servlet with the "jsessionid=..." parameter to the URL.
Just stick the session cookie obtained from the browser into HttpState
prior to executing requests which you would like to be associated with
that session. If you fail to do so, the servlet engine will initiate a
new session for those requests.
If I fail with sending a "Cookie" header, I will go down that path.
> And I wonder if any authors/contributors of httpclient can be bothered to
> look into the possibility of smoothly deploying httpclient in an applet -
> you know, where the user (ok, us programmers) don't have to worry about
> session, certs and things like that. I can't see Oleg being interested
> because he told me he'd avoid applets, too bad. :(
>
The problem you are having has nothing to do with applets. Just fix your
session management code and you'll be fine.
I was wishing I could use httpclient in applets much like Sun's URL +
HttpURLConnection - i.e. I don't have to do anything to get the client
certificate sent in, the session requested right and things like that.
Right, I'm wishing for too much perhaps and there doesn't seem to be enough
interest in getting httpclient to work especially well in applets even when
you have https, client certificate and things like that in the picture.
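
The advice in this thread to put the browser's session cookie into HttpState, instead of hand-writing a header, can be sketched as follows for Commons HttpClient 3.x. This is an added example, not code from the thread or from the HttpClient project; the class name, method names, host name and session id are hypothetical or constructed, and only the path "/whatever" and the Secure attribute come from the trace log above.

```java
import java.util.Date;
import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.cookie.CookiePolicy;
import org.apache.commons.httpclient.cookie.CookieSpec;

// Added illustration for Commons HttpClient 3.x; class and method names are hypothetical.
public class SessionCookieSeed {

    // Returns a client whose HttpState already holds the session cookie taken from the browser.
    static HttpClient clientWithSession(String host, String path, String sessionId) {
        HttpClient client = new HttpClient();
        // Leave cookie handling to a cookie spec instead of IGNORE_COOKIES.
        client.getParams().setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
        // secure=true mirrors the "Secure" attribute in the server's Set-Cookie header,
        // so the session id is only offered to HTTPS requests.
        client.getState().addCookie(
                new Cookie(host, "JSESSIONID", sessionId, path, (Date) null, true));
        return client;
    }

    // Returns the Cookie header value the spec would attach to a request, or null if none applies.
    static String cookieHeaderFor(HttpState state, String host, int port,
                                  String path, boolean secure) {
        CookieSpec spec = CookiePolicy.getCookieSpec(CookiePolicy.BROWSER_COMPATIBILITY);
        Cookie[] matched = spec.match(host, port, path, secure, state.getCookies());
        return (matched == null || matched.length == 0) ? null : spec.formatCookies(matched);
    }

    public static void main(String[] args) {
        // Constructed sample values; "/whatever" is the cookie path shown in the trace log.
        String host = "app.example.invalid";
        HttpClient client = clientWithSession(host, "/whatever", "CONSTRUCTED-SESSION-ID");
        HttpState state = client.getState();

        // HTTPS request under the cookie path: the session cookie is sent.
        System.out.println("https /whatever/x.jsp -> "
                + cookieHeaderFor(state, host, 443, "/whatever/x.jsp", true));
        // Plain HTTP: a Secure cookie is withheld, so the server would start a new session.
        System.out.println("http  /whatever/x.jsp -> "
                + cookieHeaderFor(state, host, 80, "/whatever/x.jsp", false));
        // Different path: the cookie does not match and is not sent.
        System.out.println("https /other/x.jsp    -> "
                + cookieHeaderFor(state, host, 443, "/other/x.jsp", true));
        // A real call would now be client.executeMethod(new GetMethod("https://...")).
    }
}
```

Running it needs the commons-httpclient 3.x jar with commons-logging and commons-codec on the classpath. Carrying the session id in a Secure cookie also keeps it out of the request URL, where it would otherwise be recorded in server and proxy access logs.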