java - Form-based Authentication using HttpClient - j_security_check -


i'm trying authenticate myself website uses form-based authentication (e.g., facebook.com) using apache httpclient java library.
using website's program main example: http://www.elitejavacoder.com/2013/10/http-client-form-based-authentication.html, able - there few things i'm not understanding program. here code: 

package com.elitejavacoder.http.client;  import java.util.arraylist; import java.util.list;  import org.apache.http.httpentity; import org.apache.http.httphost; import org.apache.http.httpresponse; import org.apache.http.namevaluepair; import org.apache.http.client.entity.urlencodedformentity; import org.apache.http.client.methods.httpget; import org.apache.http.client.methods.httppost; import org.apache.http.client.params.clientpnames; import org.apache.http.impl.client.defaulthttpclient; import org.apache.http.message.basicnamevaluepair; import org.apache.http.util.entityutils;  public class httpclientformauthentication {     public static void main(string[] agrs) {         string host = "yourhostname.com";         int port = 8080;         string protocol = "http";          defaulthttpclient client = new defaulthttpclient();          try {             httphost httphost = new httphost(host, port, protocol);             client.getparams().setparameter(clientpnames.default_host, httphost);              httpget securedresource = new httpget("/secured/index.jsp");                         httpresponse httpresponse = client.execute(securedresource);             httpentity responseentity = httpresponse.getentity();             string strresponse = entityutils.tostring(responseentity);             int statuscode = httpresponse.getstatusline().getstatuscode();             entityutils.consume(responseentity);              system.out.println("http status code unauthenticated request: " + statuscode);// statue code should 200             system.out.println("response unauthenticated request: \n" + strresponse); // should login page             system.out.println("================================================================\n");              httppost authpost = new httppost("/j_security_check");             list<namevaluepair> namevaluepairs = new arraylist<namevaluepair>();             namevaluepairs.add(new basicnamevaluepair("j_username", "yourusername"));             namevaluepairs.add(new basicnamevaluepair("j_password", "yourpassword"));             authpost.setentity(new urlencodedformentity(namevaluepairs));              httpresponse = client.execute(authpost);             responseentity = httpresponse.getentity();             strresponse = entityutils.tostring(responseentity);             statuscode = httpresponse.getstatusline().getstatuscode();             entityutils.consume(responseentity);              system.out.println("http status code authenticattion request: " + statuscode);// status code should 302             system.out.println("response authenticattion request: \n" + strresponse); // should blank string             system.out.println("================================================================\n");              httpresponse = client.execute(securedresource);             responseentity = httpresponse.getentity();             strresponse = entityutils.tostring(responseentity);             statuscode = httpresponse.getstatusline().getstatuscode();             entityutils.consume(responseentity);              system.out.println("http status code authenticated request: " + statuscode);// status code should 200             system.out.println("response authenticated request: \n" + strresponse);// should actual page             system.out.println("================================================================\n");         }         catch (exception ex) {             ex.printstacktrace();         }     } }

i have following questions (the line numbers i'm going refer in context of link provided above, since stackoverflow doesn't allow include line numbers):

  • what "/j_security_check" (line 41)? , how did author knew had use "j_security_check" instead of name of secured resource?

  • how come string "strresponse = entityutils.tostring(responseentity);" (line 49), 2 lines after "httpresponse = client.execute(authpost);" (line 47), different string "strresponse = entityutils.tostring(responseentity);" (line 59), 2 lines after "httpresponse = client.execute(securedresource);" (line 57)?
    basically, changes happen "client" between lines 47 , 57?

thank you

the /j_security_check form action container knows request authentication , container handles that. /j_security_check web page address submitting authentication forms specific enterprise java application servers.

j_username , j_password names of request parameters submit both username , password. these 3 should named in such way (i.e. j_security_check, j_username , j_password) container handles request authentication request , can retrieve required information (i.e. username , password) submitted request.

the author knew he/she needed used /j_security_check because he/she assuming authenticating against j2ee app server. not great assumption. notice port set 8080? port typically used java servers tomcat don't collide port 80 on http server.

strresponse @ line 47 contains content of login request (which nothing), , strresponse @ line 57 contains content of secured page. breakdown:

the following happen if doing in web browser.

  • you type in address of secured page , hit enter.
  • since you're not authenticated, server respond login form page.
  • you type in username , password , click submit.
  • you secure page. server return 302 redirect code address requested, along authentication cookie, browser store. browser re-accesses page, browser sends cookie well, instead of giving login form, page trying access.

line 31 initial page access without authentication. lines 38-39 displaying login form, lines 41-45 equivalent of typing username , password form.
line 47 hitting submit button.
line 49 showing server sent in response. notice in line 54 comment "should blank string". when submit username , password, concerned in response http status. comment in line prints out status code says "status code should 302". 302 http status tells browser redirect. response headers contain address browser redirect to. response headers contain authentication cookie. nice if printed out too, understanding how works. code manually doing redirect on line 57, assuming redirected secured page tried access on line 31, rather retrieving address http response headers.

the biggest change client line 57 client has authentication cookie, similar browser operation. defaulthttpclient handles under hood.

the authentication cookie comes server in form of set-cookie http header. tells client store cookie. then, when making request, client sends cookie http header, along cookie data.

the client receives cookie on response contains login form, stores. when client sends filled-in form, cookie included in request, , every request server thereafter. once you've authenticated, server stores information , associates cookie. then, when subsequent requests come client, server sees cookie , remembers authenticated. client same things browser manage cookie data transfer server.


Comments

Post a Comment

Popular posts from this blog

javascript - RequestAnimationFrame not working when exiting fullscreen switching space on Safari -

request animation frame stops working when exiting fullscreen clicking on original space's safari window. fine if fullscreen mode canceled escape key or calling cancelfullscreen(). steps reproduce: open https://dl.dropboxusercontent.com/u/769042/prezi/safari-fullscreen.html click "draw raf", kittie appears click "fullscreen", go fullscreen click "draw raf", kittie appears go space original safari was, showing "click exit fullscreen mode", click anywhere, out fullscreen click "draw raf", nothing happens what handling click calling: window.requestanimationframe(draw); which draws on canvas context: function draw() { ctx.drawimage(img, math.random()*500|0, math.random()*400|0, 100, 100); } i checked .hidden , .visibilitystate, updated correctly. tested on osx 10.9.3, safari 7.0.4 (9537.76.4). has workaround/solution other switching old settimeout? this sounds webkit bug 88940 : using reque
Read more

Python ctypes access violation with const pointer arguments -

i have api i'm trying wrap in python (2.7.6 on win7) code using ctypes. here's api: client_dllfunc bool clientapi search_exporttoclipcopy(clienthsearch handle, int channel, lpctstr filename, const time_t& from, const time_t& to, const bool* cameras, int length, bool usepassword, lpctstr password, bool includetextin = false, bool excludeplayer = false); the issue i'm having cameras argument; , i've had issue other const pointer arguments well. here's how i'm wrapping api: def search_exporttoclipcopy(self, hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, password, includetextin=true, excludeplayer=false): exporttoclipcopy = self.sdkdll.search_exporttoclipcopy exporttoclipcopy.argtypes = [c_int, c_int, c_wchar_p, c_long, c_long, pointer(c_bool), c_int, c_bool, c_wchar_p, c_bool, c_bool] exporttoclipcopy.restype = c_bool exporttoclipcopy(hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, pass
Read more