Problem HTTPSURLConnection for Siteminder authentictaion

[color=blue]Hi All,



I need help in debugging my issue with ca Siteminder login.fcc connection with javax.net.ssl.HTTPSURLConnection java client.



I am creating HTTPSURLConnection client and POST ing my request with valid USER, PASSWORD and target parameter to https://<myDomain>.com/siteminderagent/forms/login.fcc, actually I am expecting to get redirected to success (target) page or sucessful SMSESSION as a header response.



But instead siteminder is redirecting my request to unsuccessful/ invalid credentials page.



Following is my code snippet, Please see anybody an give me vital inputs to resolve this. Any help would be appreciated a lot.



Same program I wrote using Apache commons HTTPClient library, that worked fine, however we don't want to use Apache commons for this implementation.


package com.test; import java.io.BufferedReader; import java.io.DataOutputStream; import java.io.InputStream; import java.io.InputStreamReader; import java.net.URL; import java.net.URLEncoder; import java.util.Map; import java.util.Set; import javax.net.ssl.HttpsURLConnection; public class HTTPSURLTest { public static void main(String args[]){ try{ String content = "USER=" + URLEncoder.encode ("cal") + "&PASSWORD=" + URLEncoder.encode ("tester")+"&target=https://<mydomain>.com/en_US/OCS/protected/mobile_pre_account_transaction.jsp"; URL u = new URL("https://<mydomain>.com/siteminderagent/forms/login.fcc"); // Just to give proper certificate value System.setProperty("javax.net.ssl.trustStore", "jssecacerts"); System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); HttpsURLConnection http = (HttpsURLConnection)u.openConnection(); http.setRequestMethod("POST"); http.setDoInput (true); http.setDoOutput (true); http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded"); // tried toogling this parameter http.setInstanceFollowRedirects(true); DataOutputStream out = new DataOutputStream(http.getOutputStream()); // Writing post data to the contents out.writeBytes(content); out.flush(); out.close(); InputStream ins = http.getInputStream(); InputStreamReader isr = new InputStreamReader(ins); BufferedReader in = new BufferedReader(isr); String inputLine; while ((inputLine = in.readLine()) != null) { System.out.println(inputLine); } // I am expecting SMSESSION value in cookie or any header field Map getHeaders = http.getHeaderFields(); Set<String> headerSet = getHeaders.keySet(); for (String header : headerSet) { System.out.println(header + ":" + getHeaders.get(header)); } in.close(); }catch(Exception e){ e.printStackTrace(); } } }



Please help me in resolving this issue, as I got stuck in resolving this.[/color]

Probably better off using Apache's HTTPClient
SiteMinder Agent requires HTTP 1.1 protocol which means the request header must have host: <hostname>
I think the default URLConnection doesn't send that header and cookie handling is nightmare

Not sure if this is still useful, nonetheless, here is a solution that does http post identification to siteminder and that works on our Intranet.

There are 2 specificities to our network mentioned in the code:
- The last redirection URL in my case is something like http://bugger.url?GOTO=http://good.url. This is because bugger.url displays a warning message (you have accessed a network controlled by blahblah)
- The last cookie send back (client to server) has a value like c_ein=username. I don't understand the reason behind this. I discovered it by chance trying to login to Siteminder with a web browser and a cookie that did not have this value. the web page showed an error that helped me solve this.

/* * To change this template, choose Tools | Templates * and open the template in the editor. * * Some code in here was found here: * http://download.oracle.com/javase/1.4.2/docs/guide/deployment/deployment-guide/upgrade-guide/article-17.html */ package com.company.util.connect; import java.io.BufferedReader; import java.io.DataOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.net.HttpURLConnection; import java.net.URL; import java.net.URLConnection; import java.net.URLEncoder; import java.util.Enumeration; import java.util.Hashtable; import java.util.List; import java.util.Map; import java.util.regex.Pattern; /** * * @author Géry */ public class TestConnectClean { // CAD functional account private final String username = "username"; private final String password = "password"; // URL start line which indicates Siteminder log in required. private final String siteMinderLogin = "https://my.path.to.login/login.fcc"; // Maximum number of times server is allowed to redirect (response 302) private final int max302 = 10; public static final String URL = "URL"; // key for a hash table public static final String TOKEN_KEY = "SMSESSION"; //key found in cookie for session token public static final String FORMCRED = "FORMCRED"; // key found in cookie for pre-login authorisation public static final String TOKEN = "TOKEN"; // key for a hashtable public static final String SET_COOKIE = "Set-Cookie"; // key for server to set up a cookie public static final String DOMAIN = "domain"; // key for cookie for session token public static void main(String[] args) { // self instanciate TestConnectClean me = new TestConnectClean(); // URL sought String index= "http://my.path.to.content/index.html"; // return HTML content String rawHTML = me.getRawHTML(index); System.out.println(rawHTML); } public String getRawHTML(String link) { HttpURLConnection con = null; HttpURLConnection conPostSM = null; InputStream stream = null; StringBuffer sb = new StringBuffer(); String page = null; String loginDetails = null; try { // Create a connection and follow redirections (302) URL url = new URL(link); con = (HttpURLConnection) url.openConnection(); con = openConnectionCheckRedirects(con); // check if response is coming from Siteminder for log in if(isBehindSiteMinder(con.getURL().toString())) { // get credentials USER= PASSWORD= target= loginDetails = buildLoginDetails(con); //System.err.println("siteminder login required"); conPostSM = connectToSiteMinder(con.getURL().openConnection(), loginDetails); stream = conPostSM.getInputStream(); } else { stream = con.getInputStream(); } // read the content and save it as string to return raw HTML String inputLine = ""; BufferedReader brin = new BufferedReader(new InputStreamReader(stream)); while ((inputLine = brin.readLine()) != null) { sb.append(inputLine); } System.err.println("Check connection before returning page: "+con.getURL()); page = sb.toString(); } catch(Exception e) { e.printStackTrace(); } finally { try{stream.close();} catch(IOException ioe){} try{con.disconnect();} catch(Exception ioe){} try{conPostSM.disconnect();} catch(Exception ioe){} } return page; } private HttpURLConnection connectToSiteMinder(URLConnection c, String loginDetails) { HttpURLConnection http = null; boolean authenticated = false; String cookieTextSessionID = ""; URL targetPostLogin = null; //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()) ; boolean redir; int redirects = 0; DataOutputStream out = null; Hashtable<String, String> h = new Hashtable<String, String>(); // First send a POST method with credential to obtain a FORMCRED token // from siteminder try { if (c instanceof HttpURLConnection) { ((HttpURLConnection) c).setInstanceFollowRedirects(false); } // set up some headers //c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded"); //c.setRequestProperty("Cache-control", "no-store"); //c.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"); //c.setRequestProperty("Content-Length", loginDetails.length()+""); c.setDoInput(true); c.setDoOutput(true); out = new DataOutputStream( c.getOutputStream() ); //System.err.println("[WRITE CONTENT] content: "+loginDetails); //int queryLength = content.length(); out.writeBytes(loginDetails); out.flush(); // get header key values to find authorisation token FORMCRED Map<String, List<String>> map = c.getHeaderFields(); for (Map.Entry<String, List<String>> entry : map.entrySet()) { String key = entry.getKey(); //System.err.println("put KEY::: "+key); List<String> l = entry.getValue(); for(String val: l) { // Look for cookie set by the server if (key!= null && !authenticated) cookieTextSessionID = (key.equalsIgnoreCase(this.SET_COOKIE)) ? val : cookieTextSessionID ; //System.err.println("put VAL::: "+val); if((cookieTextSessionID.indexOf(this.FORMCRED) >=0) && (!authenticated)) { // if the cookid has a FORMCRED key capture it and save it for the next connection Pattern pat = Pattern.compile(";"); String[] nuggets = pat.split(cookieTextSessionID); cookieTextSessionID = ""; for(String choc : nuggets) { if(choc.startsWith(this.FORMCRED)) { cookieTextSessionID = cookieTextSessionID+choc+";"; authenticated = true; } if(choc.startsWith(this.DOMAIN)) { cookieTextSessionID = cookieTextSessionID+choc+";"; } } // remove trailing ; if(cookieTextSessionID.endsWith(";")) { cookieTextSessionID = cookieTextSessionID.substring(0, cookieTextSessionID.length()-1); } //System.err.println("AUTHENTICATION TOKEN ARRIVED. YEAH."); // build the URL to follow again for authentication URL base = ((HttpURLConnection)c).getURL(); String loc = ((HttpURLConnection)c).getHeaderField("Location"); //URL target = null; if (base != null) { if(loc == null) { loc=""; } targetPostLogin = new URL(base, loc); } //System.err.println("CONTENT TYPE "+c.getContentType()); } } } boolean cookieSet = false; if(authenticated) { do { if (c instanceof HttpURLConnection) { ((HttpURLConnection) c).setInstanceFollowRedirects(false); if(!cookieSet)((HttpURLConnection) c).disconnect(); } // open the new connection c = targetPostLogin.openConnection(); h.put(this.URL , c.getURL().toString()); // set up the cookie in the response to obtain final credentials c.setRequestProperty("Cookie", cookieTextSessionID); // house keeping duties cookieSet = true; cookieTextSessionID = ""; // Call the server again with the FORMCRED token back (to confirm we are happy to log in) map = c.getHeaderFields(); // scan through header to find the authentication token for (Map.Entry<String, List<String>> entry : map.entrySet()) { String key = entry.getKey(); //System.err.println("WARNING SCREEN::: "+key); // ignore any header that is not a cookie if(key == null) continue; if(!key.equalsIgnoreCase(this.SET_COOKIE)) continue; List<String> l = entry.getValue(); for(String val: l) { // capture cookie and expect and SMSESSION token //System.err.println("WARNING SCREEN VAL::: "+val); if (key!= null) { Pattern pat = Pattern.compile(";"); String[] cookieValues = pat.split(val); for(String cVal : cookieValues) { if(cVal.indexOf(this.TOKEN_KEY)>=0) { cookieTextSessionID = (cookieTextSessionID.length()>0) ? cookieTextSessionID+";"+cVal : cVal; } } } } // System.err.println("Saving cookie: "+cookieTextSessionID); // save cookie for later if(cookieTextSessionID.length()>0) { h.put(this.TOKEN, cookieTextSessionID); } } // We want to open the input stream before getting headers // because getHeaderField() et al swallow IOExceptions. // in = c.getInputStream(); redir = false; if (c instanceof HttpURLConnection) { http = (HttpURLConnection) c; int stat = http.getResponseCode(); if (stat >= 300 && stat <= 307 && stat != 306 && stat != HttpURLConnection.HTTP_NOT_MODIFIED) { URL base = http.getURL(); String loc = http.getHeaderField("Location"); URL target = null; if (base != null) { if(loc == null) { loc=""; } target = new URL(base, loc); } http.disconnect(); // Redirection should be allowed only for HTTP and HTTPS // and should be limited to 5 redirections at most. if (target == null || !(target.getProtocol().equals("http") || target.getProtocol().equals("https")) || redirects >= this.max302) { throw new SecurityException("illegal URL redirect"); } redir = true; c = target.openConnection(); redirects++; } } } while (redir); //return http; } // if there is no token session give up if(!h.containsKey(this.URL)) return null; // Extract the URL to hit behind the GOTO line // (with Siteminder on my network this part is mished mashed in javascript) // This is a hack because the network has a policy to present a warning page // the user has to click on a button to be redirected // this bit is commented out because probably not necessary outside of my network //String finalURL =""; //Pattern patGoto = Pattern.compile("GOTO="); //String[] gotos = patGoto.split(h.get(this.URL)); //if(gotos.length>=2) finalURL = gotos[1]; URL myUrl = new URL(finalURL.toString()); //System.err.println("GLOBAL REDIRECT: "+finalURL); //System.err.println("GLOBAL HOST: "+myUrl.getProtocol()); // craft a strange cookie value for Siteminder, it is a really bizarre thing // This bit is mysterious to me, "Siteminder" needs this but, it is obviously // something specific to my network since the name "c_ein" refers to an employee number // this.username is of course the username you're trying to identify with. String cookieTail = ";c_ein="+this.username; http = (HttpURLConnection) myUrl.openConnection(); //con = (HttpURLConnection) new URL(finalURL).openConnection(); //HttpURLConnection conPage = (HttpURLConnection) new URL(hTok.get(TestConnect.url)).openConnection(); http.setRequestProperty("Host", myUrl.getHost()); http.setRequestProperty("Cookie", h.get(TestConnect.token)+cookieTail); http.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 1.2.30703)"); http.setRequestProperty("Referer", finalURL); http.setRequestProperty("Connection", "Keep-Alive"); http.setRequestProperty("Accept-Encoding", "gzip, deflate"); http.setRequestProperty("UA-CPU", "X86"); http.setRequestProperty("Accept-Language", "en-gb"); http.setRequestProperty("Accept", "*/*"); //http.setRequestProperty("EIN", username); http.setDoInput(true); http.setUseCaches(false); //con.connect(); //System.err.println("response message: "+con.getResponseMessage()); return http; } catch(IOException ioe) { ioe.printStackTrace(); } finally { try{out.flush(); out.close();} catch(Exception e){} } return null; } private boolean isBehindSiteMinder (String link) { // simply check the URL if(link.startsWith(siteMinderLogin)) { return true; } return false; } private HttpURLConnection openConnectionCheckRedirects(URLConnection c) throws IOException { boolean redir; int redirects = 0; InputStream in = null; HttpURLConnection http = null; do { if (c instanceof HttpURLConnection) { //System.err.println("found instance of HTTP connection"); ((HttpURLConnection) c).setInstanceFollowRedirects(false); } // We want to open the input stream before getting headers // because getHeaderField() et al swallow IOExceptions. //c.g //in = c.getInputStream(); redir = false; if (c instanceof HttpURLConnection) { http = (HttpURLConnection) c; int stat = http.getResponseCode(); //System.err.println("openConnectionCheckRedirects: "+stat); if (stat >= 300 && stat <= 307 && stat != 306 && stat != HttpURLConnection.HTTP_NOT_MODIFIED) { URL base = http.getURL(); String loc = http.getHeaderField("Location"); URL target = null; if (loc != null) { target = new URL(base, loc); } http.disconnect(); // Redirection should be allowed only for HTTP and HTTPS // and should be limited to 5 redirections at most. if (target == null || !(target.getProtocol().equals("http") || target.getProtocol().equals("https")) || redirects >= max302) { throw new SecurityException("illegal URL redirect"); } redir = true; c = target.openConnection(); redirects++; } } } while (redir); return http; } private String buildLoginDetails(HttpURLConnection con) { InputStream targetStream = null; BufferedReader targetBr = null; StringBuffer sb = new StringBuffer(); String target = null; String loginDetails = null; try { // read content and call hidden input method to grab imporant elements targetStream = con.getInputStream(); targetBr = new BufferedReader(new InputStreamReader(targetStream)); String inputLine; while ((inputLine = targetBr.readLine()) != null) { sb.append(inputLine); } Hashtable h = addHiddenInput(sb.toString()); // build the credential string and return it Enumeration eh = h.keys(); while(eh.hasMoreElements()) { String key = eh.nextElement().toString(); String val = h.get(key).toString(); System.err.println("[TestConnect] ADDING HIDDEN INPUT: "+key+": "+val); target = (key.equalsIgnoreCase("target")) ? val : target; //conLog.setRequestProperty(key, val); } loginDetails = "USER=" + URLEncoder.encode(this.username) + "&PASSWORD=" + URLEncoder.encode(this.password) +"&target="+target; } catch(IOException ioe) { ioe.printStackTrace(); } finally { try{targetStream.close();} catch(Exception e){} } return loginDetails; } private Hashtable<String, String> addHiddenInput(String response) { Hashtable<String, String> h = new Hashtable(); int indexStr = 0; String hiddenString = "input type=\"hidden\""; while (true) { indexStr = response.indexOf(hiddenString,indexStr) + hiddenString.length(); if (indexStr > hiddenString.length()) { int start = response.indexOf("value=\"",indexStr) + 7; int end = response.indexOf("\"",start); String value = response.substring(start,end); start = response.indexOf("name=\"",indexStr) + 6; end = response.indexOf("\"",start); String name = response.substring(start,end); indexStr = end; h.put(name,value); } else { break; } } return h; } }

sorry the line that reads:

http.setRequestProperty("Cookie", h.get(TestConnect.url)+cookieTail);

Should read:

http.setRequestProperty("Cookie", h.get(this.TOKEN)+cookieTail);