jkini
asked on
Redirect and relative URL
Here is my problem scenario:
In my servlet I am able to successfully bypass
authentication using Base64Encoding when accessing a
password protected page.
This page can be successfully displayed as well in the
browser, if I just stream the URL content from my
servlet to the client.However if this page had
relative links in its source, these
relative links do not work at all.
To overcome this, I tried using
response.sendRedirect()
from within my Servlet after setting
response.setHeader("Author
encodedString);
(I have also tried
response.setHeader("WWW-Au
encodedString)
Either way with redirect, now I cannot bypass
authentication, because the browser keeps asking me
for credentials.
Basically I am looking to bypass authentication and
have the password protected page work correctly even
if it has relative links. Is this possible?
Let me clarify my scenario, hopefully this will make
it more clear
a) Client requests a password protected page from my
servlet.
b) servlet asks for username and password *once*.
c) Now my servlet has the user credentials in Base64
format.
d) I use these credentials to access the protected URL
from the servlet. I get the contents fine to display
on the client. However if this URL content has
*relative* URL links it does not work since the
relative link is relative to the URL page and not the
ServletContext, which has made the request.
e) So I tried using response.sendRedirect which only
takes a String (which would be my password protected
URL string). So I tried using
response.setHeader("Author
encodedString);
(I have also tried
response.setHeader("WWW-Au
encodedString)
to set the credentials and it still does not work.
I must mention that the password protected page is not
serviced by a servlet.
In fact these pages could be are cgi scripts. I want
to ask the credentials just once and use these
credentials from then on when visiting any password
protected page *even* with relative links.
Any ideas?
In my servlet I am able to successfully bypass
authentication using Base64Encoding when accessing a
password protected page.
This page can be successfully displayed as well in the
browser, if I just stream the URL content from my
servlet to the client.However if this page had
relative links in its source, these
relative links do not work at all.
To overcome this, I tried using
response.sendRedirect()
from within my Servlet after setting
response.setHeader("Author
encodedString);
(I have also tried
response.setHeader("WWW-Au
encodedString)
Either way with redirect, now I cannot bypass
authentication, because the browser keeps asking me
for credentials.
Basically I am looking to bypass authentication and
have the password protected page work correctly even
if it has relative links. Is this possible?
Let me clarify my scenario, hopefully this will make
it more clear
a) Client requests a password protected page from my
servlet.
b) servlet asks for username and password *once*.
c) Now my servlet has the user credentials in Base64
format.
d) I use these credentials to access the protected URL
from the servlet. I get the contents fine to display
on the client. However if this URL content has
*relative* URL links it does not work since the
relative link is relative to the URL page and not the
ServletContext, which has made the request.
e) So I tried using response.sendRedirect which only
takes a String (which would be my password protected
URL string). So I tried using
response.setHeader("Author
encodedString);
(I have also tried
response.setHeader("WWW-Au
encodedString)
to set the credentials and it still does not work.
I must mention that the password protected page is not
serviced by a servlet.
In fact these pages could be are cgi scripts. I want
to ask the credentials just once and use these
credentials from then on when visiting any password
protected page *even* with relative links.
Any ideas?
Mick Barry
i think you're going to need to parse html and modify the link before returning it to client.
ASKER
But this is not possible since I would not even know where or which is the relative
entity (URL or gif) and which is not. Since the page could be any password protected page of the intranet whose content I have no control over or predefined knowledge of.
I am looking for some thing I can either set in the HttpServletResponse or
HttpServletRequest which I can then use to bypass authentication and achieve
what the sendRedirect would do.
entity (URL or gif) and which is not. Since the page could be any password protected page of the intranet whose content I have no control over or predefined knowledge of.
I am looking for some thing I can either set in the HttpServletResponse or
HttpServletRequest which I can then use to bypass authentication and achieve
what the sendRedirect would do.
The request is being sent by the browser so you have no control.
That is why you have to modify all the links in the page to make all requests go thru your servlet so that headers can be modified.
That is why you have to modify all the links in the page to make all requests go thru your servlet so that headers can be modified.
you could t5ry doing a forward instead of a redirect and see how that goes.
ASKER
Is there a way I can ask my browser my credentials s that is does not ask me? Generally when I visit
a password protected page the browser would ask me for credentials once. Then the second time
I revisit the page it does not ask me for credentials, since I guess it would
have cached it. So there should be some way to tell the browser just that, is it not?
If there is no other way then can you give me some code that will generically modify the relative URLs
of the page programmatically, as I am reading the content and sending to the client?
a password protected page the browser would ask me for credentials once. Then the second time
I revisit the page it does not ask me for credentials, since I guess it would
have cached it. So there should be some way to tell the browser just that, is it not?
If there is no other way then can you give me some code that will generically modify the relative URLs
of the page programmatically, as I am reading the content and sending to the client?
ASKER
I tried a forward. But the requestDispatcher needs a location within the current ServletContext. The location that I am trying to access is not within the current ServletContext. It is just a cgi .pl script
that is not even serviced by a Servlet. So forward is not getting me anywhere :(
that is not even serviced by a Servlet. So forward is not getting me anywhere :(
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I appreciate the comments made above, however the above proposal does not seem to be a feasible solution to my problem, since I still see no way of how I can determine which are the link I need to change to bypass authentication and which are the links which are simply relative resources. Recreating the entire HTML content, just does not seem like an appropriate
solution.
If anyone can send me some **code** that is a feasible solution that I can **use**
then I can award the points to that person. If not I will just have to request to delete my question.
solution.
If anyone can send me some **code** that is a feasible solution that I can **use**
then I can award the points to that person. If not I will just have to request to delete my question.
There is no other solution that I am aware of for the reasons I have mentioned above.
Just because you do not like the required solution does not make it invalid.
Just because you do not like the required solution does not make it invalid.
ASKER
Probably. But if the solution is not feasible for the reasons I mentioned it is not worth
the 100 points that I assigned to the question, since I have received no code. I expect a workable
code if this happens to be a solution to assign points. So far I have requested code 3 times
and none has been provided.
the 100 points that I assigned to the question, since I have received no code. I expect a workable
code if this happens to be a solution to assign points. So far I have requested code 3 times
and none has been provided.