Servlet Authentication

I have the following situation:

I have 2 web applications running on Tomcat. Initially, the user is registered in application 1, and then there is a link to application 2. By clicking the link, the user should be redirected to the second application.

Both applications use LDAP authentication.

Now the problem is that the second application has its own authentication system.

So, we plan to implicitly authenticate the user who is registered in the first system.

I wrote a servlet that starts when I click the link for App2 in App1.

I am trying to use the code below, which should call the "ldap-login" servlet on app2 with the given parameters. The names of the parameters are correct.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.PostMethod;
//import org.apache.commons.httpclient.params.HttpMethodParams;

// The question shows only the method body; the servlet class and doGet()
// wrapper are added here so the snippet compiles as posted.
public class App2LoginServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String targetURL = "http://localhost:8080/app2/ldap-login";
        HttpClient client = new HttpClient();
        PostMethod doPost = new PostMethod(targetURL);
        //doPost.getParams().setBooleanParameter(HttpMethodParams.USE_EXPECT_CONTINUE, true);
        doPost.addParameter("login_netid", "alice");
        doPost.addParameter("login_password", "alice");
        try {
            // Server-side POST of the credentials to app2's login servlet
            int status = client.executeMethod(doPost);
            if (status == HttpStatus.SC_OK) {
                // redirect the browser to the protected page in app2
                response.sendRedirect("http://localhost:8080/app2/myPage");
            } else {
                System.out.println("Service failed, Response Code= " + HttpStatus.getStatusText(status));
                System.out.println("Response Body --> " + doPost.getResponseBodyAsString());
            }
        } catch (Exception ex) {
            System.out.println("ERROR: " + ex.getClass().getName() + " " + ex.getMessage());
            ex.printStackTrace();
        } finally {
            doPost.releaseConnection();
        }
    }
}
```

But I get the response "Moved Temporarily".

Can someone suggest an alternative?

+4
2 answers

A 302 Moved Temporarily response is just a redirect. It is exactly the response you will get when you do response.sendRedirect(). You may very well also get a redirect as the response to a successful login. I suggest checking in the second application whether it really does not redirect upon successful login. Then you should check whether the response code is 302 instead of 200. Or, alternatively, you need to tell HttpClient to automatically follow any redirects.

Moreover, if the login really failed, what response would you get from the second application? Would it throw an exception and thus return a 500 response code? Or would it just conditionally set some kind of error message in the request scope and re-display the JSP by forwarding, and thus keep a 200 response code? How would you distinguish a 200 from an unsuccessful login from a 200 from a successful login?


Unrelated to the specific problem, your approach is likely to fail if the second application does not use the same session as the first application. Usually the login is stored in the session, but you are not maintaining the session anywhere. Anyway, that is a subject for a new question :)

+1
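The two points in the answer above (a 302 after the login POST is not a failure, and the session app2 creates lives in the servlet-side HttpClient rather than in the user's browser) can be seen in one run. The following is an added example written for this page, not code from the question or either answer. It uses the same Apache commons-httpclient 3.x API as the question; the URLs and the assumption that a failed login redirects back to /app2/ldap-login while a successful one redirects elsewhere are assumptions, since the page does not describe app2's login servlet.

```java
import java.io.IOException;
import java.net.URI;

import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.PostMethod;

/** Outcome of the scripted login against app2 (example code, not from the page). */
enum LoginOutcome { SUCCESS, FAILED, UNKNOWN }

public class ScriptedLoginProbe {

    // Assumed URLs: only /app2/ldap-login appears in the question.
    static final String LOGIN_URL = "http://localhost:8080/app2/ldap-login";
    static final String LOGIN_PATH_SUFFIX = "/ldap-login";

    /**
     * Classify the response to the login POST. A 302/303 is the normal
     * post-login response (redirect-after-POST); what separates success from
     * failure is where the Location header points.
     */
    static LoginOutcome classify(int status, String location) {
        switch (status) {
            case HttpStatus.SC_MOVED_TEMPORARILY: // 302
            case HttpStatus.SC_SEE_OTHER:          // 303
                if (location == null) {
                    return LoginOutcome.UNKNOWN;
                }
                // Assumption: a failed login bounces back to the login page,
                // a successful one goes anywhere else in app2.
                String path = URI.create(location).getPath();
                return (path != null && path.endsWith(LOGIN_PATH_SUFFIX))
                        ? LoginOutcome.FAILED : LoginOutcome.SUCCESS;
            case HttpStatus.SC_OK:
                // 200 is ambiguous: the login form re-rendered with an error,
                // or the landing page. The caller has to inspect the body.
                return LoginOutcome.UNKNOWN;
            default:
                return LoginOutcome.FAILED;
        }
    }

    public static void main(String[] args) throws IOException {
        HttpClient client = new HttpClient();
        PostMethod post = new PostMethod(LOGIN_URL);
        post.addParameter("login_netid", "alice");
        post.addParameter("login_password", "alice");
        // Note: post.setFollowRedirects(true) throws IllegalStateException in
        // HttpClient 3.x (entity-enclosing requests are never auto-redirected),
        // so the 302 has to be handled by hand.
        String location = null;
        int status;
        try {
            status = client.executeMethod(post);
            Header loc = post.getResponseHeader("Location");
            if (loc != null) {
                location = loc.getValue();
            }
        } finally {
            post.releaseConnection();
        }
        LoginOutcome outcome = classify(status, location);
        System.out.println("POST -> " + status + " Location=" + location + " => " + outcome);

        // The session app2 just created is held in THIS client's cookie jar, not
        // in the end user's browser, which is why a subsequent
        // response.sendRedirect("/app2/myPage") reaches app2 unauthenticated.
        for (Cookie c : client.getState().getCookies()) {
            System.out.println("cookie held by the servlet-side client: "
                    + c.getName() + "=" + c.getValue());
        }

        // Following the redirect with the SAME client reuses those cookies, so
        // the servlet sees the protected page even though the browser would not.
        if (outcome == LoginOutcome.SUCCESS) {
            GetMethod get = new GetMethod(location);
            try {
                int s = client.executeMethod(get);
                System.out.println("GET " + location + " -> " + s);
            } finally {
                get.releaseConnection();
            }
        }
    }
}
```

Run it with commons-httpclient 3.x on the classpath against a running app2. The printed JSESSIONID (or whatever app2's session cookie is called) is the session that the browser never receives; that, rather than the 302, is what makes the approach in the question fail end to end.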

According to the API docs, a call to sendRedirect performs a temporary redirect. As @BalusC mentioned, you need to handle the response code SC_MOVED_TEMPORARILY or SC_FOUND.

The reason it makes a redirect after login (or perhaps after any POST request) may be to avoid the double submission problem. Here is another article about it.

0

Source: https://habr.com/ru/post/1383934/
