Title: RE: HTTP redirects and SOAP

Agreed - it would appear that GLUE also does not support redirects. We have a workaround for the cookie problem, but it is the redirects that are killing us at the moment. I think our workaround for now will be to have a different/modified SSO filter for our SOAP servlet which does not use redirects but does the authentication itself (as for the moment it is in the same EAR as the auth servlet anyways).

Thanks,

Martin

> -----Original Message-----
> From: Will Spies/Towers Perrin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 03, 2002 6:57 AM
> To: [EMAIL PROTECTED]
> Subject: Re: HTTP redirects and SOAP
>
> I've had this same nightmare. Here is what I've learned:
>
> MS SOAP Toolkit does not support cookies or redirects (they view the
> former as unnecessary and the latter as a security issue).
> Apache SOAP Toolkit supports cookies but does not support redirects.
> Systinet SOAP Toolkit supports redirects but not cookies.
>
> I don't get it. They should all support cookies and redirects if you ask
> me. This is the basis for any SSO product and some proxy servers.
>
> _______________________
> Will Spies
> Towers Perrin
> Phone: (215)246-7145
> e-mail: [EMAIL PROTECTED]
>
> From: "Brian BBA41 Bannister" <bbannister@qantas.com.au>
> Sent: 04/02/02 07:35 PM
> To: [EMAIL PROTECTED]
> cc: (bcc: Will Spies/Towers Perrin)
> Subject: Re: HTTP redirects and SOAP
> Please respond to soap-user
>
> Why don't you set up the servlet to be container protected and allow the
> container to do the basic authentication? We do this with WebLogic and
> Apache SOAP and it works well. An unauthenticated user gets a 401
> unauthorized and can reply with the basic authentication header. An
> unauthenticated user that sends the basic authentication header on first
> request gets straight through.
>
> From: Martin Hubley <[EMAIL PROTECTED]>
> Sent: 03/04/2002 06:43
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc:
> Subject: HTTP redirects and SOAP
> Please respond to soap-user
>
> Hi,
>
> My basic question is does Apache SOAP (or any other SOAP implementation)
> support HTTP redirect headers in a response for a client?? The gory details
> follow...
>
> We have a setup where I am using the GLUE SOAP servlet as part of a J2EE
> EAR running in JBoss 2.4.4 (with Tomcat 4.0.1), where the servlet (and our
> other servlets) is protected by a custom filter implemented for
> single-sign-on purposes. This filter redirects all requests without our
> auth cookie to an auth servlet, which requests basic auth from the client,
> and which when successful sets a cookie and redirects back to the original
> URL. When in an Apache SOAP test client and I make a call to the original
> URL, i.e. http://localhost:8000/soap/urn:service.wsdl, I get a SOAP fault
> back containing the HTTP 302 response from the server (as well as a
> SOAPException with an unsupported content type as the HTTP 302 response is
> text/html). (This call works fine in the test client if I deploy the
> servlet and SOAP implementation without our filters that do the
> authentication redirects.)
>
> The actual response coming back from our SingleSignOnFilter is a standard
> redirect with the URL we want to redirect to for authentication:
>
> HTTP/1.1 302 Moved Temporarily
> Content-Type: text/html
> Date: Tue, 02 Apr 2002 19:14:33 GMT
> Location: http://localhost:8080/auth/AuthServlet?ds.sso.return-url=http%3A%2F%2Flocalhost%3A8080%2Fsoap%2Furn%3Aservice
> Server: Apache Tomcat/4.0.1 (HTTP/1.1 Connector)
> Connection: close
>
> followed by a standard Apache error page containing the 302 info.
>
> Are there any easy ways to do such redirects using Apache SOAP or any other
> SOAP implementation? Am I missing something obvious here, i.e. perhaps
> there is a way to do redirects in a SOAP message instead of with HTTP
> headers? Any help appreciated,
>
> Thanks,
>
> Martin

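The workaround described at the top of this thread (a filter for the SOAP servlet that authenticates in place instead of redirecting to the auth servlet), shown as an added example that is not code from the thread or from any of the toolkits named. It assumes the javax.servlet API and Java 8 or later; the class name, realm and the constructed demo credential are hypothetical stand-ins for the auth servlet's real user store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): answers SOAP clients with a 401 Basic challenge, never a 302.
public class SoapBasicAuthFilter implements Filter {
    private static final String REALM = "soap";  // assumed realm name
    // Constructed demo credential; a real filter asks the auth servlet's user store.
    private static final String DEMO_USER = "soap-client";
    private static final String DEMO_PASS = "constructed-demo-secret";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (basicAuthOk(req.getHeader("Authorization"))) {
            chain.doFilter(req, res);  // preemptive or retried credentials: straight through
            return;
        }
        // setStatus, not sendError: no text/html error page for the SOAP client to choke on.
        res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    static boolean basicAuthOk(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false;  // malformed base64 is a failed login, not a 500
        }
        int colon = decoded.indexOf(':');  // split on the first ':'; passwords may contain ':'
        if (colon < 0) return false;
        // Non-short-circuit '&': both fields are always compared, in constant time each.
        return same(decoded.substring(0, colon), DEMO_USER) & same(decoded.substring(colon + 1), DEMO_PASS);
    }

    private static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map it in web.xml to the SOAP servlet's URL pattern only, leaving the redirecting SSO filter on the browser-facing servlets; Basic credentials are only base64-encoded, so the endpoint belongs behind TLS.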