tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Nesting servlets with different credentials
Date Sat, 09 Jan 2010 21:04:36 GMT


On 1/6/2010 4:09 PM, Greg Allen wrote:
> I have two servlets, http://localhost:8080/s1 and
> http://localhost:8080/s2.  Both servlets
> require BASIC authentication.
> My application will call s1, and then s1 will turn around and call s2. 
> However, the credentials
> supplied to s2 need to be different than those supplied to s1.
> Inside of s1,  I set up an instance of HttpClient and set the new
> credentials on it.  Here's
> the code that does it:
>        HostConfiguration config = new HostConfiguration();
>        HttpClient client = new HttpClient();
>        config.setHost(m_sHost, m_iPort, m_sProtocol);
>        client.setHostConfiguration(config);
>        Credentials credentials = new UsernamePasswordCredentials(m_sUser, m_sPassword);
>        client.getState().setCredentials(AuthScope.ANY, credentials);
>        client.getParams().setAuthenticationPreemptive(true);
> I then call client.executeMethod with the appropriate arguments to call
> into s2.
> The problem is that the call to s2 does not use the new credentials - it
> seems to be using the
> credentials that were used to access s1.  In fact, I've removed the
> setting of the credentials
> on the client, and the call to s2 still succeeds (although as the wrong
> user).

Your above code seems to look okay to me. Will it run outside of Tomcat
-- just a standalone Java program run directly from the command-line?

I'm not sure how the credentials from the original request would be
mixed-up with the completely unrelated HTTP connection that you are
making using HttpClient.

Is it possible that your observations are inaccurate? Perhaps the
authentication you are seeing is due to a separate primary request and
not this HttpClient-based request.

> I have verified this behavior by turning on logging in my JDBCRealm. I
> can see that authentication
> occurs for the call to s1, but there is no other authentication call
> made.  I expected to see a second
> authentication for s2, but there was nothing. It appears as though there
> is some sort of caching going on here that I need to handle/disable.
> Can anyone shed any light on what is going on, and how to fix it?

Tomcat is not interfering with your HttpClient connection. I would try
to get it working with a simple Java class first, and then move it back
into the servlet environment once it's working properly.

-chris
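
A standalone check along the lines suggested in the reply above, as an added example that is not code from either poster: it runs the quoted HttpClient setup outside Tomcat against a local stub that stands in for s2 and reports which user name the stub actually received. Assumptions: Commons HttpClient 3.x (with commons-logging and commons-codec) on the classpath and Java 8 or later; the class name `S2CredentialCheck`, the stub server and the credentials `s2-user` / `s2-password` are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

public class S2CredentialCheck {
    public static void main(String[] args) throws Exception {
        // Stub standing in for s2: records the user name from the Basic header it receives.
        AtomicReference<String> seenUser = new AtomicReference<>("(no Authorization header)");
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/s2", exchange -> {
            String auth = exchange.getRequestHeaders().getFirst("Authorization");
            if (auth != null && auth.startsWith("Basic ")) {
                String pair = new String(Base64.getDecoder().decode(auth.substring(6)),
                                         StandardCharsets.ISO_8859_1);
                int colon = pair.indexOf(':');
                seenUser.set(colon < 0 ? pair : pair.substring(0, colon)); // never log the password
            }
            exchange.sendResponseHeaders(auth == null ? 401 : 200, -1);
            exchange.close();
        });
        stub.start();
        try {
            // Same client setup as in the quoted message, with constructed sample credentials.
            HostConfiguration config = new HostConfiguration();
            HttpClient client = new HttpClient();
            config.setHost("127.0.0.1", stub.getAddress().getPort(), "http");
            client.setHostConfiguration(config);
            Credentials credentials = new UsernamePasswordCredentials("s2-user", "s2-password");
            client.getState().setCredentials(AuthScope.ANY, credentials);
            client.getParams().setAuthenticationPreemptive(true);
            GetMethod get = new GetMethod("/s2");
            try {
                int status = client.executeMethod(get);
                System.out.println("status=" + status + " s2 saw user=" + seenUser.get());
            } finally {
                get.releaseConnection();
            }
        } finally {
            stub.stop(0);
        }
    }
}
```

If the stub reports the expected user here, the same comparison can be repeated inside the servlet by logging the authenticated user name that s2 sees for each request.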