Hi Gina

If you get into possession of the cookie, it should work to send a request with another HTTP client. In your test, could you paste the HTTP headers? In Tomcat, you could configure the RequestDumperValve: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Request_Dumper_Valve

Haven't found the link for Tomcat 7 but I think it's still there.

HTH

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________
From: Gina Choi [[email protected]]
Sent: 06 June 2012 04:11
To: [email protected]; Oliver Wulff
Subject: Handling Cookies in Fediz WS-Federation web sso

Hi Oliver,

I applied Fediz WS-Federation web sso to a Java sample web application called Airline (all web services are REST). Everything went well so far.

My colleague tried to make a web service call to the Airline REST web service from his .NET client. He programmatically logged on to Airline (got a SAML token and passed authentication) and obtained a cookie. Then he tried to inject this cookie into his subsequent REST calls (I am not sure if this is a common practice in securing REST web services), but he got a 401 unauthorized exception.

First call: https://wkensv0305.global.sdl.corp:8443/Airline/code/Welcome.jsp
Second call: https://wkensv0305.global.sdl.corp:8443/Airline/code/SDLecheckin.jsp?request=flightstatus

When the .NET client makes the second call, it is treated as unauthenticated, but it still keeps the same session (917E67F5E54E8CAAD62B9D9367E4E340) since it has the cookie. I have attached the Tomcat log for your reference.

Authentication is determined by the following code. So, it means either the Principal is not cached from the first call or the second call retrieves the Principal in a different way from the cache.

Principal principal = request.getUserPrincipal();

Does Fediz treat browser and client (.NET) differently in terms of caching the Principal in the context? Injecting the cookie worked when we cached user info in the session. We have done this in the past.

Thanks.
Gina
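A diagnostic servlet filter that records, for every request, which cookies arrived, the session id and whether request.getUserPrincipal() is populated, so the two calls in the thread can be compared side by side. This is an added example, not Fediz or Tomcat code; the class name is hypothetical, and it assumes the Servlet 2.5/3.0 javax.servlet API of the Tomcat 6/7 era and that the filter is mapped to run after the Fediz filter, because getUserPrincipal() only reflects Fediz's work on a request Fediz has already wrapped.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical diagnostic filter: one log line per request showing cookie
 *  names, session id and principal, to see where the second call loses it. */
public class PrincipalDumpFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(PrincipalDumpFilter.class.getName());

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // Log cookie names only: values are credentials and do not belong in logs.
        StringBuilder names = new StringBuilder();
        Cookie[] cookies = http.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                names.append(c.getName()).append(' ');
            }
        }

        // false: never create a session as a side effect of inspecting it.
        HttpSession session = http.getSession(false);
        Principal principal = http.getUserPrincipal();

        LOG.info(String.format("%s %s cookies=[%s] session=%s principal=%s",
                http.getMethod(), http.getRequestURI(), names.toString().trim(),
                session == null ? "none" : session.getId(),
                principal == null ? "none" : principal.getName()));

        chain.doFilter(req, res);
    }
}
```

If the second call logs the same session id as the first but principal=none, the session is being resumed without the authenticated principal being restored from it, which narrows the problem to how the principal is stored rather than to the cookie not arriving.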
