hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Horst Weigelt <horst_weig...@gmx.de>
Subject Re: How to set session ID in http client 4.3
Date Mon, 11 Nov 2013 23:13:54 GMT
Finally I got it working.
Firebug helped to find the redirections. Thank you.

So after the POST of uname/pwd I sent two more GETS.
Probably this can be optimized ....

... and no session Id required. But I will have a look at the Wireshark 
trace later on.





Am 07.11.2013 00:21, schrieb kim young ill:
> sorry, you need to be more specific about your case, login over http(s)
> should normally transparent from transport-layer (except when you use
> private certificate).
> the http request contains headers & payload, in the login request the
> payload should contains uname/pwd (if it's a POST, it could be in json
> format or form-encoded) & some more fields dependent on the site. the
> headers could be important if the server want to know which type of client
> you are & what do you  support. some servers will requires cookies (set
> when you first load the page).
> the sessionid you mentioned is only relevant for establishing the
> ssl-connection (before the http request is sent), so you should ignore it.
> by guess is that the server wants to know too much from you, so use firebug
> , get the headers & payload, copy it to build the request to try again
>
>
>
>
> On Wed, Nov 6, 2013 at 8:09 PM, Horst Weigelt<horst_weigelt@gmx.de>  wrote:
>
>> if you have a look at the RFC where the TLS is specified and the 'Client
>> Hello' therein you can see that a random number -> session ID is required.
>> http://tools.ietf.org/html/rfc5246#section-7.4.1.2
>>
>> In the Wireshark trace I see the correct session ID of length 32 in the
>> browser trace and of length 0 in the Java trace.
>> Therefore the Java implementation is wrong. But coming back to my
>> question. How can I set the session ID in the HTTP client? In my opinion it
>> should be done automatically. It might be an issue in the HTTP client
>> development.
>> Why do you think a keystore is required?
>> At first I tried to debug with Firebug without success - that's why I
>> traced with Wireshark (much more low level than Firebug).
>>
>> kind regards
>> Horst
>>
>>
>> Am 05.11.2013 23:02, schrieb kim young ill:
>>
>>   not sure if i understand you correctly but what's the sessionid you
>>> mention
>>> ? do you want to authenticate yourself with server with your private
>>> certificate (ssl/tls layer) or with username/password (http-layer) ? with
>>> the first case you need to customize your keystore, for the 2nd case you
>>> just need to open firebug or chrome-dev tool or sth similar to see what's
>>> going on.
>>>
>>>
>>>
>>>
>>> On Tue, Nov 5, 2013 at 6:44 PM, Horst Weigelt<horst_weigelt@gmx.de>
>>> wrote:
>>>
>>>   Thank you Kim,
>>>> yes I did not mention how I came up with the idea of a missing session
>>>> ID.
>>>>
>>>> I traced the network communication with Wireshark and compared the
>>>> successful browser trace with the Java trace.
>>>>
>>>> The first difference in the traces is that the client does not send a
>>>> session ID in the Java case. In the browser case the session ID is sent
>>>> by
>>>> the client and responded by the server. I am not 100 % sure but the
>>>> session
>>>> ID might be required for the data encryption.
>>>>
>>>> The protocol is explained here
>>>> http://en.wikipedia.org/wiki/Transport_Layer_Security#
>>>> Basic_TLS_handshake
>>>> where the random number is the session ID
>>>>
>>>> and here
>>>> http://commons.wikimedia.org/wiki/File:SSL_handshake_with_
>>>> two_way_authentication_with_certificates.svg
>>>>
>>>> kind regards
>>>> Horst
>>>>
>>>>
>>>> Am 04.11.2013 23:25, schrieb kim young ill:
>>>>
>>>>    200 is a http-response code, only means the request comes & handled
by
>>>>
>>>>> server correcly, no error/exception, doesnt mean  the username/password
>>>>> is
>>>>> correct.
>>>>>
>>>>> try to use the browser to see how the login-request looks like in both
>>>>> cases or simply log the server-response.
>>>>>
>>>>> hth
>>>>>
>>>>>
>>>>> On Sat, Nov 2, 2013 at 2:39 PM, Horst Weigelt<horst_weigelt@gmx.de>
>>>>> wrote:
>>>>>
>>>>>    |I want to logon to a https URL using Apache HTTP Client 4.3
>>>>>
>>>>>> The login fails. However I receive HTTP status 200 when posting the
>>>>>> request.
>>>>>>
>>>>>> One issue for the login failure might be that there is no session
ID
>>>>>> send
>>>>>> in the|
>>>>>> |TLSv1 handshake protocol (Length: 0)
>>>>>>
>>>>>> That raises 2 questions:
>>>>>> 1) Is a session ID required for the login. If yes how can I set the
>>>>>> session ID.
>>>>>> 2) Is there something else missing in the Java code below (except
for
>>>>>> the
>>>>>> correct URL + login/password ;-) )
>>>>>>
>>>>>> This question is also posted (more or less identically) in
>>>>>> http://stackoverflow.com/questions/19737218/session-id-
>>>>>> missing-in-https-post-using-apache-httpclient-4-3
>>>>>>
>>>>>>
>>>>>>
>>>>>> HttpClientContext  context=  HttpClientContext.create();
>>>>>>
>>>>>>        /* to follow redirections */      RedirectStrategy
>>>>>>    redirectStrategy=
>>>>>>     new  LaxRedirectStrategy();
>>>>>>
>>>>>>        RequestConfig  globalConfig=  RequestConfig.custom()
>>>>>>                .setCookieSpec(CookieSpecs.BEST_MATCH)
>>>>>>                .build();
>>>>>>        RequestConfig  localConfig=  RequestConfig.copy(globalConfig)
>>>>>>                .setCookieSpec(CookieSpecs.BROWSER_COMPATIBILITY)
>>>>>>                .build();
>>>>>>
>>>>>>        try  {
>>>>>>
>>>>>>            SSLContext  sslcontext=  SSLContexts.custom()
>>>>>>                    .build();
>>>>>>
>>>>>>            SSLConnectionSocketFactory  sslsf=  new
>>>>>>     SSLConnectionSocketFactory(sslcontext,
>>>>>>                    SSLConnectionSocketFactory.
>>>>>> BROWSER_COMPATIBLE_HOSTNAME_
>>>>>> VERIFIER);
>>>>>>
>>>>>>            /* setup client for https and redirections */
>>>>>>            httpclient=  HttpClients.custom()
>>>>>>                    .setRedirectStrategy(redirectStrategy)
>>>>>>                    .setSSLSocketFactory(sslsf)
>>>>>>                    .build();
>>>>>>
>>>>>>
>>>>>>            HttpPost  httpost=  new  HttpPost("https://myURL");
>>>>>>            httpost.setConfig(localConfig);
>>>>>>
>>>>>>            /* set login and password */
>>>>>>            httpost.setEntity(new  UrlEncodedFormEntity(login_
>>>>>> and_passwd,
>>>>>>     Consts.UTF_8));
>>>>>>
>>>>>>            CloseableHttpResponse  httpresponse=
>>>>>>    httpclient.execute(httpost);
>>>>>>
>>>>>>            }
>>>>>>        }  finally  {
>>>>>>            httpclient.close();
>>>>>>        }
>>>>>>        return  httpclient;
>>>>>>
>>>>>>
>>>>>> Thanks for any help
>>>>>> Horst
>>>>>>
>>>>>>
>>>>>> |
>>>>>>
>>>>>>
>>>>>>
>>>>>>   ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail:httpclient-users-unsubscribe@hc.apache.org
>>>> For additional commands, e-mail:httpclient-users-help@hc.apache.org
>>>>
>>>>
>>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:httpclient-users-unsubscribe@hc.apache.org
>> For additional commands, e-mail:httpclient-users-help@hc.apache.org
>>
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message