benchpresser
asked on
cannot get set-cookie when connecting with java urlconnection on a ssl page for login
hi.
i want to login to a ssl page with a java application with username and password.
the page is https://secure...
the remote is asp.net application.
i tried urlconnection and httpurlconnection in my app. it fails logging.
when i login firefox+firebug i get the following:
Cache-Control private
Content-Length 143
Content-Type text/html; charset=utf-8
Date Fri, 10 Feb 2012 01:18:22 GMT
Location /data/community/index.aspx
Server Microsoft-IIS/6.0
Set-Cookie .ASPXAUTH=74D1555D330EFB9F8C59ACA42FA11AA83A04913CB9BC27B6966936CAFFB75EE9122ECC4D7E55DC4FC8DABD947A074250627B0E51245337FAE38D357149DFC5436FCECE7DEE158739BB2F4753B65DBC8A; path=/
X-AspNet-Version 1.1.4322
X-Powered-By ASP.NET
but when i connect with my java app and get all response headers and cookies, i see all of them above except the set-cookie. why is the set-cookie not seen? because i do not have the set-cookie, i can not continue.
when i manually set the .ASPXAUTH to my request, i see the desired response. but of course the .ASPXAUTH has a time interval and becomes invalid after some time.
when the .ASPXAUTH is set, then we have another set-cookie which starts: user-roles=...
how can i solve it?
- i also tried some httpsurlconnection, but did not enter into the detailed topic of keystore, certificates, x509, jsse.jar. do i have to use keytool and register the certificate to java environment?
- i tried setInstanceFollowRedirects to false which stated on some forums, should i try to manipulate some other flags?
- should i use cookie managers, handlers and set some request properties using the cookie stuff?
- on some forums it is said that java's url connection is very poor and works barely. it fails when using cookies in order to perform session-login activities. using apache http client is suggested. should i try that?
> but when i connect with my java app and get all response headers and cookies, i see all of them above except the set-cookie.
Are you setting the cookie? You need to set it in the request you are sending
// The Cookie request header carries only name=value pairs; attributes such as "path=/" belong to Set-Cookie.
String myCookie = ".ASPXAUTH=74D1555D330EFB9F8C59ACA42FA11AA83A04913CB9BC27B6966936CAFFB75EE9122ECC4D7E55DC4FC8DABD947A074250627B0E51245337FAE38D357149DFC5436FCECE7DEE158739BB2F4753B65DBC8A";
urlConnection.setRequestProperty("Cookie", myCookie);
For more information: http://www.hccp.org/java-net-cookie-how-to.html
> using apache http client is suggested. should i try that?
Yes, it's better than the standard java libraries. If you hit a wall then do use it, but try the standard Java classes first.
ASKER
set-cookie is created dynamically on the remote side.
the steps are following:
request: (initial login screen, before sending userid and password)
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
Cache-Control max-age=0
Connection keep-alive
Host secure......com
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
and response:
Cache-Control private
Content-Length 12917
Content-Type text/html; charset=utf-8
Date Fri, 10 Feb 2012 09:04:39 GMT
Server Microsoft-IIS/6.0
X-AspNet-Version 1.1.4322
X-Powered-By ASP.NET
then i set user and password:
POST login.aspx?...
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
Connection keep-alive
Host secure.......com
Referer https://secure.......com/Data/Community/Login.aspx?ReturnUrl=%2fData%2fcommunity%2fDataprices_daily_metals.aspx
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
response:
Cache-Control private
Content-Length 161
Content-Type text/html; charset=utf-8
Date Fri, 10 Feb 2012 09:06:50 GMT
Location /Data/community/Dataprices_daily_metals.aspx
Server Microsoft-IIS/6.0
Set-Cookie .ASPXAUTH=B4B1FE6EAD909BF33C7A7472FDDFFB80E4678C81B1BEA7BF8AC9ED215AF0A5869FAB0B9E1200B338921751A01753F67A4BFD49D88BABCD417E83816183056C25EC2DA0FDA1D4F3A153E7EC00D640B772; path=/
X-AspNet-Version 1.1.4322
X-Powered-By ASP.NET
GET dataprices.aspx
Request
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3
Connection keep-alive
Cookie .ASPXAUTH=B4B1FE6EAD909BF33C7A7472FDDFFB80E4678C81B1BEA7BF8AC9ED215AF0A5869FAB0B9E1200B338921751A01753F67A4BFD49D88BABCD417E83816183056C25EC2DA0FDA1D4F3A153E7EC00D640B772
Host secure.......com
Referer https://secure......com/Data/Community/Login.aspx?ReturnUrl=%2fData%2fcommunity%2fDataprices_daily_metals.aspx
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Response:
Cache-Control private
Content-Length 83262
Content-Type text/html; charset=utf-8
Date Fri, 10 Feb 2012 09:06:50 GMT
Server Microsoft-IIS/6.0
Set-Cookie user-roles=E5AD3596A1761795D6472DC1E8065CD011C4F316C729EE2AFBFBF5E95C00064AC17BB3A0003A551D2535886A4777F990422A8BFD2DEDA43541EF663F2E97C4A7D0252EFC095D8E2F03609239E22A4EA9F85C3886BBCA1CF6; expires=Fri, 10-Feb-2012 09:07:50 GMT; path=/
X-AspNet-Version 1.1.4322
X-Powered-By ASP.NET
Well the only way to do it is to keep track of the cookies exchanged between the request/response and send them each time you request something. You said that it works if you set the .ASPXAUTH so it's just a matter of keeping track of what you send to the server. This is how the browsers work, they send the cookies each time with the request, essentially what you're trying to do is to emulate the behaviour of the browser.
ASKER
there is some misunderstanding.
if i would get the initial .ASPXAUTH with my java app everything would work fine. But i can only get that using firebug. As I understood, the first ASPXAUTH will be sent from the webserver. Then i use it for the next request. But i can not get the initial from my java app.
You are right, the initial .ASPXAUTH will be sent from the web server upon successful login. Then your application should use the value of the ASPXAUTH on every subsequent request to identify itself as the one that logged in initially. So the flow is:
a) Your application sends the credentials (username/password) to the server
b) The server responds with the ASPXAUTH cookie (if the login is successful)
c) You read the ASPXAUTH value
d) You initiate a new request and include the ASPXAUTH value as a cookie
e) On every subsequent request you must include the ASPXAUTH value (until it expires).
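Steps a) to e) above as a runnable sketch (an added example, not code from this thread). It uses a constructed local server in place of the real site and assumes the login response is a redirect, as the Location header in the capture suggests; the class name, form fields and ticket value are made up for the demo.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class LoginCookieDemo {
    // POST constructed form fields; 'follow' controls automatic redirect handling.
    static HttpURLConnection post(String url, boolean follow) throws Exception {
        HttpURLConnection c = (HttpURLConnection) URI.create(url).toURL().openConnection();
        c.setInstanceFollowRedirects(follow);
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.getOutputStream().write("user=demo&pass=demo".getBytes(StandardCharsets.UTF_8));
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed local stand-in for the site: /login answers 302 + Set-Cookie,
        // /data answers 200 only when the ticket cookie is sent back.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/login", ex -> {
            ex.getRequestBody().readAllBytes();
            ex.getResponseHeaders().add("Set-Cookie", ".ASPXAUTH=CONSTRUCTED-TICKET; path=/");
            ex.getResponseHeaders().add("Location", "/data");
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        server.createContext("/data", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            boolean ok = cookie != null && cookie.contains(".ASPXAUTH=CONSTRUCTED-TICKET");
            ex.sendResponseHeaders(ok ? 200 : 403, -1);
            ex.close();
        });
        server.start();
        String login = "http://127.0.0.1:" + server.getAddress().getPort() + "/login";

        // 1) Redirect followed: the headers read belong to /data, not to the login response.
        HttpURLConnection a = post(login, true);
        System.out.println(a.getResponseCode() + " Set-Cookie=" + a.getHeaderField("Set-Cookie"));

        // 2) Redirect not followed: the 302 itself is visible, with its Set-Cookie.
        HttpURLConnection b = post(login, false);
        System.out.println(b.getResponseCode() + " Set-Cookie=" + b.getHeaderField("Set-Cookie"));

        // 3) CookieManager: cookies from every hop are stored and replayed automatically.
        CookieManager jar = new CookieManager();
        CookieHandler.setDefault(jar);
        HttpURLConnection c = post(login, true);
        System.out.println(c.getResponseCode() + " jar=" + jar.getCookieStore().getCookies());
        server.stop(0);
    }
}
```

Against the real HTTPS site the same client code applies; a keytool import is only needed when the server certificate does not chain to a CA already in the JRE trust store.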
ASKER CERTIFIED SOLUTION
See description here:
http://hc.apache.org/httpclient-3.x/sslguide.html