jakarta-cactus-user mailing list archives

From Anton_Gr...@mn.man.de
Subject Antwort: Re: Antwort: Re: Security (using FormAuthentication) not working against WebSphere 5.1
Date Wed, 09 Jun 2004 16:10:59 GMT


As you mentioned in your answer, I first tried to find out whether WebSphere
is sending the cookie JSessionID in
step 4) or 6).

After requesting the Login-Page from a browser and requesting


before authentication I found out WebSphere 5.1 is sending SessionID-Cookie
in step 4).
The cookie is shown in the alert window.

Then I changed the implementation of method getSecureSessionIdCookie(...)
like this


    private Cookie getSecureSessionIdCookie(WebRequest theRequest,
        Configuration theConfiguration)
    {
        HttpURLConnection connection;
        String resource = null;

        Cookie cookie = null;

        try
        {
            // Create a helper that will connect to a restricted resource.
            WebConfiguration webConfig = (WebConfiguration) theConfiguration;
            resource = webConfig.getRedirectorURL(theRequest);

            HttpClientConnectionHelper helper =
                new HttpClientConnectionHelper(resource);

            WebRequest request =
                new WebRequestImpl((WebConfiguration) theConfiguration);

            // Make the connection using a default web request.
            connection = helper.connect(request, theConfiguration);

            // Look for the session cookie on the first response.
            cookie = getCookie(connection, getSessionCookieName());
            if (cookie == null) {
              // No cookie yet: request the login page and look again.
              String loginURL = getLoginURL(connection);

              HttpClientConnectionHelper helper2 =
                new HttpClientConnectionHelper(loginURL);

              connection = helper2.connect(request, theConfiguration);
              cookie = getCookie(connection, getSessionCookieName());
            } // end if
        }
        catch (Throwable e)
        {
            throw new ChainedRuntimeException(
                "Failed to connect to the secured redirector: " + resource, e);
        }

        return cookie;
    }

    public String getLoginURL(HttpURLConnection connection) {

      String locationHeaderKey = "Location";
      String loginURL = null;

      // TODO

      return loginURL;
    }

The cookie is found and gets stored for the next request.

Now I get the exception "Failed to get test results at

I will try to find the reason on Friday. It's already too late.
Kids are waiting ...



Anton Grimm
MAN Nutzfahrzeuge AG
IDP - Software Produktionsumgebungen
D - 80995 München

Fon:       +49-89-1580-1054
Fax:       +49-89-1580-4550
mailto:    Anton_Grimm@mn.man.de
Internet: http://www.man-trucks.com

From:            Kazuhito SUGURI <suguri.kazuhito@lab.ntt.co.jp>
Date:            06/08/2004 05:14 PM
Please reply to: "Cactus Users List"
To:              cactus-user@jakarta.apache.org, Anton_Grimm@mn.man.de
Cc:
Subject:         Re: Antwort: Re: Security (using FormAuthentication) not working against WebSphere 5.1


In article
Tue, 8 Jun 2004 14:42:53 +0200,
Anton_Grimm@mn.man.de wrote:
Anton_Grimm> Do you think it is the right place to change the implementation of the
Anton_Grimm> method
Anton_Grimm>       getSecureSessionIdCookie()
Anton_Grimm> in FormAuthentication to include step3) and step4) if no cookie is found in
Anton_Grimm> step 2) ?

Yes, I think so.

But, we have no data yet.
I'm wondering if WAS is sending Set-Cookie JSESSIONID header
only for successfully authenticated user, i.e. at step (6).
# if the session tracking can be started at step(4), why cannot at

Please let us know when you find a new fact.

Kazuhito SUGURI

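The fallback discussed in this thread, as an added example that is not part of the original messages or of the Cactus code base: it uses plain `java.net` in place of Cactus's `HttpClientConnectionHelper`, and the stub server, paths and cookie value are constructed. It assumes the container answers the restricted resource with a redirect and sets `JSESSIONID` only on the login page.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.*;

public class SessionCookieProbe {
    // Open a connection that does NOT follow redirects, so the 302 and its Location stay visible.
    static HttpURLConnection open(URL url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setInstanceFollowRedirects(false);
        return c;
    }

    // Return "name=value" from the first matching Set-Cookie header, or null if there is none.
    // Header names are compared case-insensitively; index 0 is the status line (null key).
    static String findCookie(HttpURLConnection c, String name) {
        for (int i = 0; c.getHeaderField(i) != null; i++) {
            String value = c.getHeaderField(i);
            if ("Set-Cookie".equalsIgnoreCase(c.getHeaderFieldKey(i)) && value.startsWith(name + "=")) {
                return value.split(";", 2)[0];
            }
        }
        return null;
    }

    // Try the restricted resource first; if it sets no cookie, try the login page it redirects to.
    static String sessionCookie(URL restricted, String name) throws IOException {
        HttpURLConnection first = open(restricted);
        String cookie = findCookie(first, name);
        String location = first.getHeaderField("Location");
        if (cookie == null && location != null) {
            // Resolve the Location value against the request URL in case it is relative.
            cookie = findCookie(open(new URL(restricted, location)), name);
        }
        return cookie;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stub container: the session cookie is set only on the login page.
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/app/secure", ex -> {
            ex.getResponseHeaders().add("Location", "/app/login.jsp");
            ex.sendResponseHeaders(302, -1); ex.close();
        });
        s.createContext("/app/login.jsp", ex -> {
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=constructed0001; Path=/app");
            ex.sendResponseHeaders(200, -1); ex.close();
        });
        s.start();
        URL url = new URL("http://127.0.0.1:" + s.getAddress().getPort() + "/app/secure");
        System.out.println(sessionCookie(url, "JSESSIONID"));
        s.stop(0);
    }
}
```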