I am having to integrate with a badly designed RPC API with Kerberos authentication.
To make matters worse it sets a session cookie and doesn't allow multiple requests asynchronously from the same client using the same cookie, so... I need to make sure each request has a cleared session cookie.
I'm using a custom HttpClient with a PoolingHttpConnectionManager and Resttemplate which doesn't allow me to clear the session cookie for me before it reuses a connection.
I need this cookie to be cleared before another request uses the same connection. How do I do this?
Turns out the server attaches a session ID but couldn't care less if it isn't there in subsequent requests. HttpClient allows you to disable cookie management and that seems to work.
Related
I have come across many examples of implementing a simple http server in Java. This one fits my needs: http://www.rgagnon.com/javadetails/java-have-a-simple-http-server.html
However, I can't find an example of how to generate, return, and maintain a session id from such a simple http server.
Is that even possible? Is there a way to modify the sample code referred above to incorporate this functionality?
Thanks.
HTTP does not have session support on it self once it is a stateless application protocol. So you need implement it by your self.
For example, on servlet containers like Tomcat there is a cookie called JSESSIONID that is generated and stored on the browser. The client sends back the cookie to the server on each request. Once each client has a different cookie the server can identify the client session.
When cookies are not allowed the parameter JSESSIONID is added to the URL for each request. This technique is called URL Rewriting.
There is a question, not specific for Java HTTP servers, that has implementation details for this problem.
HTTP Session Tracking
I want to alert user when session is about to expire. I don't want to use Ajax or JavaScript.
So how can I get a response object in sessionDestroyed() method in HttpSessionListener implementation class so that I can send an alert() to current HTML page of user using response object. Is there any way to do that?.
P.S: I want to avoid using Ajax or JavaScript calls.
HTTP is stateless by nature. This is why sessions were created, but the container has no way of "pushing" info to the browser unless an open channel is there. This is why ajax/javascript have been used to bridge that gap.
In order to "push" anything to the browser you're going to need ajax.
No, you cannot get the request from an HttpSessionListener. The reason is simple: session expiry events are independent of request events.
Additionally, since you want to alert when the session is about to expire, the sessionDestroyed() event is not good: it is called after the session has expired (actually destroyed, which may be even after it is expired).
Since you specified no AJAX, you could take a look at WebSocket:
WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. The WebSocket Protocol is an independent TCP-based protocol. Its only relationship to HTTP is that its handshake is interpreted by HTTP servers as an Upgrade request. The WebSocket protocol makes possible more interaction between a browser and a web site, facilitating live content and the creation of real-time games. This is made possible by providing a standardized way for the server to send content to the browser without being solicited by the client, and allowing for messages to be passed back and forth while keeping the connection open. In this way a two-way (bi-directional) ongoing conversation can take place between a browser and the server. A similar effect has been achieved in non-standardized ways using stop-gap technologies such as Comet.
But for your problem, I'd stick with the traditional jQuery heartBeat client side, asking the server if the Session is not valid and then redirecting to the session-expired page.
Sessions expire when there are no requests during the entire timeout period, and therefore no responses either. Your question therefore doesn't actually make sense.
I am newbie to both Spring and Shiro. I have some questions on Session Management.
I saw a question which gives quite a good introduction to Session Management.
But what I did not understand is, how does Shiro communicate with the client to pass the session information, and how will the client authenticate itself again over the subsequent requests. Does Shiro pass a session ID automatically, without me having to code for it?
Does browser automatically store the session IDs and send it (may be over HTTPS) with subsequent requests?
How does the session logout communicated to the client? And how does the client understand that it has to login again?
Thanks!
The session ID is stored as a browser cookie.
The session ID cookie is
removed from the browser when the user logs out (and the session is invalidated on
the server). Requests made after the cookie is dropped will appear
to Shiro to be coming from an anonymous user, so Shiro will redirect the browser to a login page if they try to request a URL that requires you to be logged in.
I am trying to login and retrieve status information from a HTTPS URL via Java programming. I login through /login.cgi, providing the username and password with a POST request to that script.
The script then verifies the credentials and creates a specific cookie (with session information, user name, etc.) and then immediately calls a Location response header to /home.cgi. Which, I'm guessing, the /home.cgi script verifies the cookie information before continuing to load. Otherwise, it just reverts back to the /login.cgi page.
All of this works fine within a browser because of the way browser's handle cookies/sessions correctly. However, within Java, this is very tricky because I can not get the appropriate cookie to send as a request to subsequent pages. I can not get the correct cookie because I am unable to get the HTTP response back (which holds the correct "Set-cookie" value) in between /login.cgi creating the specific cookie and it calling Location /home.cgi.
Is there something I'm missing or is there a better way that Java can handle cookies similar to a browser? (is there a cookie store, etc?)
Thanks for the help,
Steve
Cookie management is by default not enabled in the java.net HTTP API. If you don't need any specific handling or cross-application cookie persistence (the cookies will be deleted when your application terminates), you can simple enable it with
CookieHandler.setDefault(new CookieManager());
How are you making the HTTP connections and managing cookies?
I would recommend just using commons-httpclient rather than managing this yourself. It will automatically manage cookies for you.
When I am using HTTP protocol, there is no issue with sessions. But when I am using HTTPS protocol, I am facing problem in JSP. When it is moving from one tab to another tab, session is automatically getting expired. How can I resolve this issue?
Basically, there's no difference in JSESSIONID management whether TLS/SSL is enabled or not.
Most app-servers use cookie and/or URL-rewriting for JSESSION management.
The major different I know is that, when you use “secure cookie,” JSESSIONID can be managed using both cookie and URL in HTTPS, but only with URL in HTTP.
So, if the transition is across HTTPS and HTTP, the problem as you say might be happen.