hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roland Weber <ROLWE...@de.ibm.com>
Subject Re: NTLM authorization header
Date Tue, 29 Mar 2005 08:28:53 GMT
Hello Richard,

> When an user's browser hits the servlet, the servlet will use HttpClient 
to:
> 
> 1) logon on to another web application via NTLM authentication
> 
> 2) request the first content page of that application 
> 
> 3) put the response from that application into the servlet's 
> response outputstream, which will redirect the browser to that 
> application directly onwards.
> 
> I have a problem here. Since the httpclient has been authenticated 
> by that application, how can the servlet passes the "authorization 
> headers" and "response headers" down to the browser so the 
> application will not authenticate the browser user again.

It can't. The authentication that took place is for the session
between the servlet and the application. It is not possible to
substitute a different client, or to hand the session over to a
standard web browser.
You could turn your servlet into a reverse proxy and make the client
send all followup requests to the servlet again, which forwards them
to the application. But then you would have to parse all pages sent
by the application, find the links in those pages, and replace them
with links to your servlet. It is no fun at all to do that.

cheers,
  Roland
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message