hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kim young ill <khi...@googlemail.com>
Subject Re: How to set session ID in http client 4.3
Date Wed, 06 Nov 2013 23:21:48 GMT
sorry, you need to be more specific about your case, login over http(s)
should normally transparent from transport-layer (except when you use
private certificate).
the http request contains headers & payload, in the login request the
payload should contains uname/pwd (if it's a POST, it could be in json
format or form-encoded) & some more fields dependent on the site. the
headers could be important if the server want to know which type of client
you are & what do you  support. some servers will requires cookies (set
when you first load the page).
the sessionid you mentioned is only relevant for establishing the
ssl-connection (before the http request is sent), so you should ignore it.
by guess is that the server wants to know too much from you, so use firebug
, get the headers & payload, copy it to build the request to try again




On Wed, Nov 6, 2013 at 8:09 PM, Horst Weigelt <horst_weigelt@gmx.de> wrote:

> if you have a look at the RFC where the TLS is specified and the 'Client
> Hello' therein you can see that a random number -> session ID is required.
> http://tools.ietf.org/html/rfc5246#section-7.4.1.2
>
> In the Wireshark trace I see the correct session ID of length 32 in the
> browser trace and of length 0 in the Java trace.
> Therefore the Java implementation is wrong. But coming back to my
> question. How can I set the session ID in the HTTP client? In my opinion it
> should be done automatically. It might be an issue in the HTTP client
> development.
> Why do you think a keystore is required?
> At first I tried to debug with Firebug without success - that's why I
> traced with Wireshark (much more low level than Firebug).
>
> kind regards
> Horst
>
>
> Am 05.11.2013 23:02, schrieb kim young ill:
>
>  not sure if i understand you correctly but what's the sessionid you
>> mention
>> ? do you want to authenticate yourself with server with your private
>> certificate (ssl/tls layer) or with username/password (http-layer) ? with
>> the first case you need to customize your keystore, for the 2nd case you
>> just need to open firebug or chrome-dev tool or sth similar to see what's
>> going on.
>>
>>
>>
>>
>> On Tue, Nov 5, 2013 at 6:44 PM, Horst Weigelt <horst_weigelt@gmx.de>
>> wrote:
>>
>>  Thank you Kim,
>>> yes I did not mention how I came up with the idea of a missing session
>>> ID.
>>>
>>> I traced the network communication with Wireshark and compared the
>>> successful browser trace with the Java trace.
>>>
>>> The first difference in the traces is that the client does not send a
>>> session ID in the Java case. In the browser case the session ID is sent
>>> by
>>> the client and responded by the server. I am not 100 % sure but the
>>> session
>>> ID might be required for the data encryption.
>>>
>>> The protocol is explained here
>>> http://en.wikipedia.org/wiki/Transport_Layer_Security#
>>> Basic_TLS_handshake
>>> where the random number is the session ID
>>>
>>> and here
>>> http://commons.wikimedia.org/wiki/File:SSL_handshake_with_
>>> two_way_authentication_with_certificates.svg
>>>
>>> kind regards
>>> Horst
>>>
>>>
>>> Am 04.11.2013 23:25, schrieb kim young ill:
>>>
>>>   200 is a http-response code, only means the request comes & handled by
>>>
>>>> server correcly, no error/exception, doesnt mean  the username/password
>>>> is
>>>> correct.
>>>>
>>>> try to use the browser to see how the login-request looks like in both
>>>> cases or simply log the server-response.
>>>>
>>>> hth
>>>>
>>>>
>>>> On Sat, Nov 2, 2013 at 2:39 PM, Horst Weigelt <horst_weigelt@gmx.de>
>>>> wrote:
>>>>
>>>>   |I want to logon to a https URL using Apache HTTP Client 4.3
>>>>
>>>>> The login fails. However I receive HTTP status 200 when posting the
>>>>> request.
>>>>>
>>>>> One issue for the login failure might be that there is no session ID
>>>>> send
>>>>> in the|
>>>>> |TLSv1 handshake protocol (Length: 0)
>>>>>
>>>>> That raises 2 questions:
>>>>> 1) Is a session ID required for the login. If yes how can I set the
>>>>> session ID.
>>>>> 2) Is there something else missing in the Java code below (except for
>>>>> the
>>>>> correct URL + login/password ;-) )
>>>>>
>>>>> This question is also posted (more or less identically) in
>>>>> http://stackoverflow.com/questions/19737218/session-id-
>>>>> missing-in-https-post-using-apache-httpclient-4-3
>>>>>
>>>>>
>>>>>
>>>>> HttpClientContext  context=  HttpClientContext.create();
>>>>>
>>>>>       /* to follow redirections */      RedirectStrategy
>>>>>   redirectStrategy=
>>>>>    new  LaxRedirectStrategy();
>>>>>
>>>>>       RequestConfig  globalConfig=  RequestConfig.custom()
>>>>>               .setCookieSpec(CookieSpecs.BEST_MATCH)
>>>>>               .build();
>>>>>       RequestConfig  localConfig=  RequestConfig.copy(globalConfig)
>>>>>               .setCookieSpec(CookieSpecs.BROWSER_COMPATIBILITY)
>>>>>               .build();
>>>>>
>>>>>       try  {
>>>>>
>>>>>           SSLContext  sslcontext=  SSLContexts.custom()
>>>>>                   .build();
>>>>>
>>>>>           SSLConnectionSocketFactory  sslsf=  new
>>>>>    SSLConnectionSocketFactory(sslcontext,
>>>>>                   SSLConnectionSocketFactory.
>>>>> BROWSER_COMPATIBLE_HOSTNAME_
>>>>> VERIFIER);
>>>>>
>>>>>           /* setup client for https and redirections */
>>>>>           httpclient=  HttpClients.custom()
>>>>>                   .setRedirectStrategy(redirectStrategy)
>>>>>                   .setSSLSocketFactory(sslsf)
>>>>>                   .build();
>>>>>
>>>>>
>>>>>           HttpPost  httpost=  new  HttpPost("https://myURL");
>>>>>           httpost.setConfig(localConfig);
>>>>>
>>>>>           /* set login and password */
>>>>>           httpost.setEntity(new  UrlEncodedFormEntity(login_
>>>>> and_passwd,
>>>>>    Consts.UTF_8));
>>>>>
>>>>>           CloseableHttpResponse  httpresponse=
>>>>>   httpclient.execute(httpost);
>>>>>
>>>>>           }
>>>>>       }  finally  {
>>>>>           httpclient.close();
>>>>>       }
>>>>>       return  httpclient;
>>>>>
>>>>>
>>>>> Thanks for any help
>>>>> Horst
>>>>>
>>>>>
>>>>> |
>>>>>
>>>>>
>>>>>
>>>>>  ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>>> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>>
>>>
>>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message