hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Williams" <william...@gmail.com>
Subject Re: Secure cookie not being set [was: Two-Way SSL Problem]
Date Mon, 12 Jan 2009 14:33:10 GMT
On Mon, Jan 12, 2009 at 9:05 AM, Tim Williams <williamstw@gmail.com> wrote:
> On Mon, Jan 12, 2009 at 8:52 AM, Oleg Kalnichevski <olegk@apache.org> wrote:
>> On Mon, 2009-01-12 at 08:28 -0500, Tim Williams wrote:
>>> On Thu, Jan 8, 2009 at 3:03 PM, Tim Williams <williamstw@gmail.com> wrote:
>>> > On Thu, Jan 8, 2009 at 2:28 PM, Tim Williams <williamstw@gmail.com>
wrote:
>>> >> On Thu, Jan 8, 2009 at 2:09 PM, Oleg Kalnichevski <olegk@apache.org>
wrote:
>>> >>> Tim Williams wrote:
>>> >>>>
>>> >>>> I'm using the MultiThreadedConnectionManager with HttpClient
and 2-way
>>> >>>> ssl similar to the example[1] and having problems.  The very
first
>>> >>>> request goes through and returns HTTP 200 Ok.  All subsequent
requests
>>> >>>> return HTTP 401.  This happens when I run this inside a webapp
>>> >>>> deployed in either glassfish or tomcat.  However, if I take
the same
>>> >>>> code and run from within a simple driver "main" program, all
calls to
>>> >>>> that same server succeed with no problems.  Oddly enough, this
only
>>> >>>> happens when communicating with one particular Weblogic service
-
>>> >>>> other servers allow multiple calls with the same fetcher code
just
>>> >>>> fine.  Anyone have an idea what would make the first request
go
>>> >>>> through go through properly but not subsequent ones?
>>> >>>>
>>> >>>
>>> >>> There is no way of telling without more details. Please post a wire
log of
>>> >>> the HTTP session to this list
>>> >>>
>>> >>> http://hc.apache.org/httpclient-3.x/logging.html
>>> >>>
>>> >>> Oleg
>>> >>
>>> >> Unfortunately, I'm unable to post logging data.  I have narrowed it
>>> >> down to a "cookie" problem of some sort.  I've found that if I
>>> >> manually take the "Set-Cookie" header from the initial request, store
>>> >> it, then manually populate it on subsequent requests, all is well. 
I
>>> >> had that idea from this site[1] but I'm not sure whether the
>>> >> configuration on the server-side (Weblogic) is just wrong or my
>>> >> HttpClient configuration is wrong by not sending back both cookies on
>>> >> subsequent requests.
>>> >> Thanks,
>>> >> --tim
>>> >
>>> > I've run the wire logging and it does appear that two Set-Cookies are
>>> > coming in, one with JSESSIONID= and the other with
>>> > _WL_AUTH_JSESSIONID=.  On subsequent requests, only the first,
>>> > JSESSIONID, is on the outbound request.  Any ideas?
>>>
>>> The _WL_AUTH_JSESSIONID is a 'secure' cookie and it is the one not
>>> being sent. Weblogic uses both a regular cookie and secure cookie to
>>> apparently allow you to seamlessly transition across http and https
>>> sessions[1] which seems valid. I've tried sending as a
>>> SINGLE_COOKIE_HEADER as well with no success.  I'm using v3.0.1 and
>>> RFC2109 btw.  Any ideas for what to look at?
>>> Thanks,
>>> --tim
>>>
>>
>> You are not using a custom SSL socket factory, are you? If so, make sure
>> it implements SecureProtocolSocketFactory interface.
>>
>> Oleg
>
> No, I'm not.  I also just tried explicitly registering the
> SSLProtocolSocketFactory in my code - though I reckon its unnecessary
> - but that doesn't help.  I also found this thread[1] which looks
> similar.  I don't like the suggested hack though (manually removing
> the secure flag from the cookie).  Any other ideas?

Actually, explicitly registering the SSLProtocolSocketFactory for
"https" *does* help.  This is odd because it looks like exactly what
the lazyRegisterProtocol method is already doing.

--tim

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message