Re: Server returned HTTP response code: 408 for URL: https...j_security_check
To whom it may concern,

(Can you set your name in your email client? It's irritating to write to an email address that doesn't indicate a name. You also don't include your name in your posts.)

removeps-gro...@yahoo.com wrote:
> URL url = new URL("https://localhost:6143/mywebservice/action/j_security_check");
> HttpURLConnection connection = (HttpURLConnection) url.openConnection();
> connection.setRequestMethod("POST");

As Chuck pointed out (without saying it explicitly), Tomcat does not allow drive-by logins. If you need this feature, you will have to either hack Tomcat or use a separate tool. Securityfilter (http://securityfilter.sourceforge.net) is a replacement for container-based authentication and authorization and allows you to do drive-by logins if you wish (that is, POST directly to j_security_check with a username and password).

In any case, you'll have to do JSESSIONID management yourself on the client, either by reading the JSESSIONID cookie, or sniffing the jsessionid request parameter returned in redirect URLs provided by the server. I recommend the cookie option.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> From: removeps-gro...@yahoo.com [mailto:removeps-gro...@yahoo.com]
> Subject: Server returned HTTP response code: 408 for URL: https...j_security_check
>
> Server returned HTTP response code: 408 for URL: https://localhost:6143/mywebservice/action/j_security_check

You're not allowed to reference j_security_check directly. The URL must refer to a protected resource (as declared in your web.xml), at which point Tomcat will internally call up the j_security_check. If the authentication succeeds, the original request will then be reattempted automatically.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Server returned HTTP response code: 408 for URL: https...j_security_check
But how does this work through code? My initial request is to "http://localhost/mywebservice/file.do" (and all this is through Java code similar to below). Tomcat redirects the request to the login page specified in web.xml "http://localhost/mywebservice/login.html". Then either Tomcat returns this page to the user, or invokes a servlet that constructs the page and returns it to the user. Then it seems Tomcat remembers the original request.

Now the user sees a login page with the j_username and j_password form fields. In code, they get the output stream and it instructs them to login, though my page does not have the form fields in it. So in code the client constructs a login request. The request input stream is set to j_username=username&j_password=password.

But to what URL should the above response be posted? I would imagine that it should be to "http://localhost/mywebservice/j_security_check" because the login page is typically like this <form action=j_security_check> .. </form>. A browser does not know about Tomcat protocols, so it would I imagine send the request to j_security_check. Then I imagine that Tomcat intercepts the request and validates the login, and then forwards to the original page (which must have remembered). So it makes sense to me that through code one may make requests to j_security_check. Just this would not be a recommended practice to users typing something into the address bar.

So any ideas on how to make https requests through code?
--- On Sun, 12/14/08, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

> From: Caldarale, Charles R chuck.caldar...@unisys.com
> Subject: RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> To: Tomcat Users List users@tomcat.apache.org
> Date: Sunday, December 14, 2008, 7:20 PM
>
> > From: removeps-gro...@yahoo.com [mailto:removeps-gro...@yahoo.com]
> > Subject: Server returned HTTP response code: 408 for URL: https...j_security_check
> >
> > Server returned HTTP response code: 408 for URL: https://localhost:6143/mywebservice/action/j_security_check
>
> You're not allowed to reference j_security_check directly. The URL must refer to a protected resource (as declared in your web.xml), at which point Tomcat will internally call up the j_security_check. If the authentication succeeds, the original request will then be reattempted automatically.
>
>  - Chuck
RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> From: removeps-gro...@yahoo.com [mailto:removeps-gro...@yahoo.com]
> Subject: RE: Server returned HTTP response code: 408 for URL: https...j_security_check
>
> The request input stream is set to j_username=username&j_password=password.

Good so far.

> But to what URL should the above response be posted?

It should be a POST request to /[webapp]/j_security_check, and include the JSESSIONID cookie set by the server when the login page was returned.

> <form action=j_security_check> .. </form>.

Again, note that the method should be POST (which your code does seem to be doing).

> A browser does not know about Tomcat protocols, so it would I imagine send the request to j_security_check.

Correct, but that's accepted by Tomcat only when a login form has just been returned to the client. There's no indication in your code that the j_security_check is being sent as a response to a login form, nor is the required JSESSIONID cookie being returned.

> So any ideas on how to make https requests through code?

This isn't tied to HTTPS, just form login. The SSL negotiation is completely separate.

 - Chuck
RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> It should be a POST request to /[webapp]/j_security_check, and include the JSESSIONID cookie set by the server when the login page was returned.

Thanks, this seems to be the issue. There is a call to org.apache.catalina.connector.Request.setRequestedSessionId(String id) from parseSessionCookiesId? How does the client get the JSESSIONID? When the server generates the login page does it have to call response.addCookie? From where should the servlet get the session id? How does the client read the cookie?

Thanks.

--- On Sun, 12/14/08, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

> From: Caldarale, Charles R chuck.caldar...@unisys.com
> Subject: RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> To: Tomcat Users List users@tomcat.apache.org
> Date: Sunday, December 14, 2008, 9:02 PM
>
> > From: removeps-gro...@yahoo.com [mailto:removeps-gro...@yahoo.com]
> > Subject: RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> >
> > The request input stream is set to j_username=username&j_password=password.
>
> Good so far.
>
> > But to what URL should the above response be posted?
>
> It should be a POST request to /[webapp]/j_security_check, and include the JSESSIONID cookie set by the server when the login page was returned.
>
> > <form action=j_security_check> .. </form>.
>
> Again, note that the method should be POST (which your code does seem to be doing).
>
> > A browser does not know about Tomcat protocols, so it would I imagine send the request to j_security_check.
>
> Correct, but that's accepted by Tomcat only when a login form has just been returned to the client. There's no indication in your code that the j_security_check is being sent as a response to a login form, nor is the required JSESSIONID cookie being returned.
>
> > So any ideas on how to make https requests through code?
>
> This isn't tied to HTTPS, just form login. The SSL negotiation is completely separate.
>
>  - Chuck
RE: Server returned HTTP response code: 408 for URL: https...j_security_check
Nevermind, I see that JSESSIONID is added to the response automatically from Tomcat. The code

    System.out.println(connection.getHeaderField("Set-Cookie"));

prints

    JSESSIONID=56136B3CE4CC657DD36C226E264A97AD; Path=/mywebservice; Secure

So now I think I just have to include that cookie in every request. Will write back if it does not work.

--- On Sun, 12/14/08, removeps-gro...@yahoo.com removeps-gro...@yahoo.com wrote:

> From: removeps-gro...@yahoo.com removeps-gro...@yahoo.com
> Subject: RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> To: Tomcat Users List users@tomcat.apache.org
> Date: Sunday, December 14, 2008, 9:18 PM
>
> > It should be a POST request to /[webapp]/j_security_check, and include the JSESSIONID cookie set by the server when the login page was returned.
>
> Thanks, this seems to be the issue. There is a call to org.apache.catalina.connector.Request.setRequestedSessionId(String id) from parseSessionCookiesId? How does the client get the JSESSIONID? When the server generates the login page does it have to call response.addCookie? From where should the servlet get the session id? How does the client read the cookie?
>
> Thanks.
>
> --- On Sun, 12/14/08, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>
> > From: Caldarale, Charles R chuck.caldar...@unisys.com
> > Subject: RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> > To: Tomcat Users List users@tomcat.apache.org
> > Date: Sunday, December 14, 2008, 9:02 PM
> >
> > > From: removeps-gro...@yahoo.com [mailto:removeps-gro...@yahoo.com]
> > > Subject: RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> > >
> > > The request input stream is set to j_username=username&j_password=password.
> >
> > Good so far.
> >
> > > But to what URL should the above response be posted?
> >
> > It should be a POST request to /[webapp]/j_security_check, and include the JSESSIONID cookie set by the server when the login page was returned.
> >
> > > <form action=j_security_check> .. </form>.
> >
> > Again, note that the method should be POST (which your code does seem to be doing).
> >
> > > A browser does not know about Tomcat protocols, so it would I imagine send the request to j_security_check.
> >
> > Correct, but that's accepted by Tomcat only when a login form has just been returned to the client. There's no indication in your code that the j_security_check is being sent as a response to a login form, nor is the required JSESSIONID cookie being returned.
> >
> > > So any ideas on how to make https requests through code?
> >
> > This isn't tied to HTTPS, just form login. The SSL negotiation is completely separate.
> >
> >  - Chuck
RE: Server returned HTTP response code: 408 for URL: https...j_security_check
> From: removeps-gro...@yahoo.com [mailto:removeps-gro...@yahoo.com]
> Subject: RE: Server returned HTTP response code: 408 for URL: https...j_security_check
>
> How does the client get the JSESSIONID?

It's normally sent as a cookie; if the client has disabled cookies, the login page servlet or JSP should call Response.encodeURL() to get it added to the URL as a parameter.

> When the server generates the login page does it have to call response.addCookie?

I think Tomcat does that automatically, but I'm not positive. Look at the doc for the cookies attribute of the Context parameter:

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

> From where should the servlet get the session id?

It doesn't have to, Tomcat handles it automatically for form login. The servlet or JSP can use the HTTPSession.getId() to retrieve it if desired.

> How does the client read the cookie?

By parsing the response headers or parameters.

 - Chuck
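
The form-login exchange worked out in this thread, written as a client that manages the JSESSIONID cookie itself. This is an added example, not code from any poster or from Tomcat; the two URL arguments and the FORM_USER / FORM_PASS environment variable names are assumptions.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
public class FormLoginClient {
    // Open a connection that sends our session cookie and leaves redirects to us.
    static HttpURLConnection open(URL url, String cookie) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setInstanceFollowRedirects(false);
        if (cookie != null) c.setRequestProperty("Cookie", cookie);
        return c;
    }

    // "JSESSIONID=<id>" from the response's Set-Cookie headers, else the cookie already held.
    static String sessionCookie(HttpURLConnection c, String current) {
        for (int i = 0; c.getHeaderFieldKey(i) != null || c.getHeaderField(i) != null; i++) {
            if (!"Set-Cookie".equalsIgnoreCase(c.getHeaderFieldKey(i))) continue;
            String pair = c.getHeaderField(i).split(";", 2)[0].trim(); // drop Path, Secure
            if (pair.startsWith("JSESSIONID=")) return pair;
        }
        return current;
    }

    public static void main(String[] args) throws Exception {
        URL resource = new URL(args[0]); // protected resource, e.g. .../mywebservice/file.do
        URL check = new URL(args[1]);    // e.g. .../mywebservice/j_security_check
        String user = System.getenv("FORM_USER"), pass = System.getenv("FORM_PASS"); // assumed names
        if (user == null || pass == null) throw new IllegalStateException("set FORM_USER and FORM_PASS");
        // 1. Request the protected resource; the login page comes back with a session cookie.
        HttpURLConnection c = open(resource, null);
        c.getResponseCode();
        String cookie = sessionCookie(c, null);
        if (cookie == null) throw new IllegalStateException("no JSESSIONID in response");
        // 2. Answer the login form: POST the credentials to j_security_check in that session.
        c = open(check, cookie);
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "j_username=" + URLEncoder.encode(user, "UTF-8") + "&j_password=" + URLEncoder.encode(pass, "UTF-8");
        try (OutputStream out = c.getOutputStream()) { out.write(body.getBytes("UTF-8")); }
        int status = c.getResponseCode();
        String location = c.getHeaderField("Location");
        if (status / 100 != 3 || location == null) throw new IllegalStateException("login failed: HTTP " + status);
        cookie = sessionCookie(c, cookie); // the server may issue a new session id at login
        // 3. Follow the redirect back to the original request, still sending the cookie.
        c = open(new URL(check, location), cookie);
        System.out.println("HTTP " + c.getResponseCode());
    }
}
```

Skipping step 1 and posting straight to j_security_check is the request that returned 408 at the start of this thread. The cookie shown earlier carries the Secure attribute, so both URLs should be the HTTPS ones.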