hc-httpclient-users mailing list archives

From kra...@darkfluid.com
Subject Re: Determine if authentication is needed on a site
Date Mon, 09 Aug 2010 17:49:04 GMT
  Hi,

thanks for the reply. So, since the client does not know if it should 
authenticate itself to the server and because the server is under my 
control, I transmit a custom header which shows the client that auth is 
required. Same goes for an invalid username/password if the auth fails. 
Is there another (possibly better) way to accomplish that? Is there some 
kind of best practice?

Regarding the automated redirection: I read it should be enabled by 
default in HTTPComponents and I didn't configure it at all, but 
nonetheless I get a 302 returned, not the page it should redirect me to. 
Maybe it's because I reuse the httpost instance of the first request and 
just alter the URI to the login location which is provided by the action 
of the login form?

best regards
Werner




On 09.08.2010 14:09, Oleg Kalnichevski wrote:
> On Sun, 2010-08-08 at 10:30 +0200, Werner wrote:
>> Hello HTTPComponent Users,
>>
>> I'm writing a small test-client to test the android authentication
>> against a Tomcat 7 Server. It uses Form-based POST authentication and
>> everything works, but two questions arose:
>>
>> 1. How can I see (from the client side), that I need to authenticate
>> myself to a page? The server internally redirects me to the login page
>> and returns a "200 OK". So the only way to find out is to analyze the
>> page content?
>>
> Yes, that is the case
>
>> 2. Do you really have to make three calls in order to get a resource
>> which needs authentication? Right now I am doing the following:
>>       a) Request the resource http://localhost:8080/sample/protected/
>>            login page is returned with a sessionId
>>       b) Provide user credentials, call the authenticate url
>> http://localhost:8080/sample/protected/j_security_check
>>            a "302 Moved Temporarily" is returned with the location header
>> "http://localhost:8080/sample/protected/"
>>       c) Request the resource again http://localhost:8080/sample/protected/
>>           finally get the desired page (but with another sessionId!)
>>
> Usually one should get redirected to the protected resource after
> successful authentication. So, there is no need for the third step. It
> does take 3 request / response exchanges in total.
>
> Hope this helps
>
> Oleg
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
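
The exchange discussed in this thread, as an added example that is not part of the original messages or of HttpComponents: a plain-JDK helper that decides, from a single response, whether Tomcat returned its form-login page (a form posting to `j_security_check`) or whether the credentials POST was answered with a redirect that the client should fetch with GET. The class name, method names and sample responses are assumptions constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FormAuthProbe {
    enum Outcome { CONTENT, LOGIN_REQUIRED, FOLLOW_WITH_GET, OTHER }

    // A <form> whose action targets j_security_check; tolerates single, double or no
    // quotes and a ";jsessionid=..." suffix added by URL rewriting.
    private static final Pattern LOGIN_FORM = Pattern.compile(
        "<form\\b[^>]*\\baction\\s*=\\s*[\"']?([^\"'\\s>]*j_security_check[^\"'\\s>]*)",
        Pattern.CASE_INSENSITIVE);

    /** Returns the login form's action URL, or null if the body holds no such form. */
    static String loginAction(String body) {
        if (body == null) return null;
        Matcher m = LOGIN_FORM.matcher(body);
        return m.find() ? m.group(1) : null;
    }

    /** Decides the client's next step from one response (status, Location header, body). */
    static Outcome classify(int status, String location, String body) {
        if ((status == 302 || status == 303) && location != null) {
            return Outcome.FOLLOW_WITH_GET;   // after the credentials POST: GET the Location
        }
        if (status == 200) {
            // The login page arrives as "200 OK", so only the body can reveal it.
            return loginAction(body) != null ? Outcome.LOGIN_REQUIRED : Outcome.CONTENT;
        }
        return Outcome.OTHER;                 // other statuses are not part of this flow
    }

    public static void main(String[] args) {
        // Constructed sample responses for the three exchanges a), b), c) in the thread.
        String loginPage = "<html><body><form method='POST' "
            + "action='j_security_check;jsessionid=CONSTRUCTED123'>"
            + "<input name='j_username'><input type='password' name='j_password'>"
            + "</form></body></html>";
        String target = "http://localhost:8080/sample/protected/";

        System.out.println(classify(200, null, loginPage));   // a) first request
        System.out.println(loginAction(loginPage));           // URL to POST credentials to
        System.out.println(classify(302, target, ""));        // b) reply to the POST
        System.out.println(classify(200, null, "<html><body>protected page</body></html>")); // c)
    }
}
```

The different session id seen in the last step is consistent with Tomcat's session-fixation protection, which issues a new session id when a user authenticates. A client should therefore send whatever session cookie the most recent response set rather than pinning the first one.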
