On Thu, Jan 8, 2009 at 3:03 PM, Tim Williams <[email protected]> wrote: > On Thu, Jan 8, 2009 at 2:28 PM, Tim Williams <[email protected]> wrote: >> On Thu, Jan 8, 2009 at 2:09 PM, Oleg Kalnichevski <[email protected]> wrote: >>> Tim Williams wrote: >>>> >>>> I'm using the MultiThreadedConnectionManager with HttpClient and 2-way >>>> ssl similar to the example[1] and having problems. The very first >>>> request goes through and returns HTTP 200 Ok. All subsequent requests >>>> return HTTP 401. This happens when I run this inside a webapp >>>> deployed in either glassfish or tomcat. However, if I take the same >>>> code and run from within a simple driver "main" program, all calls to >>>> that same server succeed with no problems. Oddly enough, this only >>>> happens when communicating with one particular Weblogic service - >>>> other servers allow multiple calls with the same fetcher code just >>>> fine. Anyone have an idea what would make the first request go >>>> through go through properly but not subsequent ones? >>>> >>> >>> There is no way of telling without more details. Please post a wire log of >>> the HTTP session to this list >>> >>> http://hc.apache.org/httpclient-3.x/logging.html >>> >>> Oleg >> >> Unfortunately, I'm unable to post logging data. I have narrowed it >> down to a "cookie" problem of some sort. I've found that if I >> manually take the "Set-Cookie" header from the initial request, store >> it, then manually populate it on subsequent requests, all is well. I >> had that idea from this site[1] but I'm not sure whether the >> configuration on the server-side (Weblogic) is just wrong or my >> HttpClient configuration is wrong by not sending back both cookies on >> subsequent requests. >> Thanks, >> --tim > > I've run the wire logging and it does appear that two Set-Cookies are > coming in, one with JSESSIONID= and the other with > _WL_AUTH_JSESSIONID=. On subsequent requests, only the first, > JSESSIONID, is on the outbound request. Any ideas?
The _WL_AUTH_JSESSIONID is a 'secure' cookie and it is the one not being sent. Weblogic uses both a regular cookie and secure cookie to apparently allow you to seamlessly transition across http and https sessions[1] which seems valid. I've tried sending as a SINGLE_COOKIE_HEADER as well with no success. I'm using v3.0.1 and RFC2109 btw. Any ideas for what to look at? Thanks, --tim [1] - http://e-docs.bea.com/wls/docs81/security/thin_client.html#1039551 --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
