I have an applet loaded by browser.
This applet makes web service calls to server.
If I sign the applet and download it via https by the server, if then I make a web service call, would it be possible to reuse the existing ssl session or will the https would have to be reestablished?
I think that the https (i.e. ssl handshake) would have to be reestablished since the initial connection was made by browser. Is this the case?
If yes, then is there a way to avoid reauthentication when the user starts using the applet? I.e. reuse the previous ssl connection, or is it impossible? BTW the web service stack is axis2.
Thanks
https and authentification are different things. Of course they are working together when you authentificate with user/password over https.
https can be used for authentification when client authentification is enabled. So the client must send a valid (signed) certificate to the server. But i supose you have a user/password over https authentifation method.
Once the browser has logged in, normally the server creates and holds a session and the browser receives a session cookie. That cookie will be send on consecutive requests after login (still encrypted by https).
If you pass the session cookie to the applet the applet can reuse the session.
Update
Impossible to explain you this in detail. You should search and read for Java Applet communication.
You can call methods of the applet from
javascript and access the web
page/browser state from the applet (Applet.getAppletContext()).
You may call the applet with a
parameter that contains the session
id.
The session cookie name may be JSESSIONID when the web server is a servlet container.
If your web server is a servlet container then you can pass the session id in diferent ways: as cookie in the request header or coded into the URL (URL rewriting).
Related
I want to create a Swing application client that connects to an EJB project which will have a login method to a secured client session.
When the client is run, you will provide a username and password, and thus login. However, if you type the incorrect password, you can be given n tries to provide the credentials.
I have configured Glassfish 4 to work with jdbc realm. Jave EE7 has a method to request user with the username and password, but I wanted have more control over the incorrect password and login.
Can someone please tell me how to do this ?
I tried using programmatic login but it does not seems to work.
You did not provide enough information. The answer depends on which HTTP client do you use and which authentication type is supported by the server.
If the server supports form based authentication after the login it will redirect to the requested page. Check that your HTTP client can follow HTTP redirects. Also, you need to understand where the session token is kept. If it is kept in cookies you need to store it in client and send manually with each request to the server.
I am currently trying Java Jersey 2.23.2 for my restful service
When both of the web client and tomcat web service runs on the same device, The session was handled perfectly.
However, when the an external client (another website) that runs on a different machine, there will always be new session introduced after an API call instead of sticking to just one session.
Is there anyway I could let the external client to call the webservice just like the local client does?
I can assume that your remote client does not care about JSESSIONID cookie. When session created, server sends HTTP header Set-Cookie with it.
Client must take it and then send it back with each subsequent requests.
All browsers do it automatically.
But as long as your client is another service it needs to care about it.
I have come across many examples of implementing a simple http server in Java. This one fits my needs: http://www.rgagnon.com/javadetails/java-have-a-simple-http-server.html
However, I can't find an example of how to generate, return, and maintain a session id from such a simple http server.
Is that even possible? Is there a way to modify the sample code referred above to incorporate this functionality?
Thanks.
HTTP does not have session support on it self once it is a stateless application protocol. So you need implement it by your self.
For example, on servlet containers like Tomcat there is a cookie called JSESSIONID that is generated and stored on the browser. The client sends back the cookie to the server on each request. Once each client has a different cookie the server can identify the client session.
When cookies are not allowed the parameter JSESSIONID is added to the URL for each request. This technique is called URL Rewriting.
There is a question, not specific for Java HTTP servers, that has implementation details for this problem.
HTTP Session Tracking
I'm developing an environment with 2 webapps deployed in Tomcat 7. One authenticate users using form, openid, remember me cookie or x509 cert. This one works as expected and use the Remember me cookie to authenticate properly when generated.
The problem resides in the second one (the client):
When the login request comes back to the client from the first one, I don't see any cookie. I'm pretty sure they are in the same domain (localhost) and the cookie path is "/" but the browser (firefox) is not sending the cookie to the client.
If I want to use the generated remember me cookie to authenticate in the client, do I need to include all remember me cookie stuff from Spring's security?
Is the remember me cookie a good approach? Do I need something like siteminder or other better approaches?
Thanks in advance. Answers will be voted
Check the cookie information when it is sent back from the server (use Firebug to monitor the network traffic if you're using Firefox).
Check the domain and path, and also whether the cookie is flagged as secure. If the remember-me cookie is issued over a secure connection it will be marked as secure and the browser won't send it over HTTP.
If this is the case, you have to explicitly override it (though you're better to use HTTPS throughout). There's a use-secure-cookie attribute in the remember-me namespace element which you can set.
i have a standalone application from which using the httpclient i'm communicating with the another web application for user authentication and set the user details in session in the web application and after returning to the standalone application i have some logic to run and afterwards i'm forwarding to the web application success page (here in the success page i am unable to retrieve the session where m getting the session object value null.. ) .
So how do i preserve the session ?
Sessions are only available at the web application and the client browser!
So you need to ask the admins or find a public API how to get it, because you can't reach it from a remote machine directly.
The clients just save the id of the session within a cookie, don't store data locally, everything what you need is on the web application's scope.