My HttpServletRequest and I don't get along. I need a new one.

 
Guy deLyonesse
So I'm developing an SSO login module for our portal. What I have so far is an open source SSO provider that performs an authentication and returns a success.

The servlets that handle this are in a separate Tomcat from the portal. That means that in order to log into the portal I need to take that successful authentication and redirect it into the portal, with the attributes that identify the user. As I understand it, I can't take the request, add an attribute to it and then redirect it, so what I need is a new request with the needed attribute and send that to the portal.

Information on how to do this seems a bit sparse, and maybe my Google-fu isn't so good because I can't seem to find the info I need to do this.

Am I missing something?
 
Bear Bibeault
Correct, request attributes don't "survive" a redirect, even if it's into the same web app. You are limited to passing information using what HTTP provides. In other words, in the query string, the request body, or headers.
 
Guy deLyonesse
Thanks, so if I really want to use Attributes, I would need to create a new HttpServletRequest object and put that Attribute in it. Would that be simpler, or would it be simpler to add a Header to the existing request and redirect it?
 
Bear Bibeault
You don't create new request instances, the container does. There is no way to use scoped variables (what you are calling "attributes") to communicate with another web app.
 
Guy deLyonesse
It may be that we're thinking of separate things. By 'Attributes' I'm talking about the list of attributes accessible in HttpServletRequest objects. For example, here's a line of code from another SSO project:



(The stuff I'm passing to the getAttribute method just retrieves the name of the attribute from the Liferay configurations. In this case it would be "shibattr-eppn.")

That line of code extracts an Attribute from the HttpServletRequest (req) object returned from a Shibboleth IdP and uses it to map a String representing the user's E-mail address in a Liferay portal.

My intent is to do the same thing except that in this other SSO provider I have to send the request object myself.
 
Bear Bibeault
Guy deLyonesse wrote: It may be that we're thinking of separate things.

Nope. We're talking about the same thing.

Guy deLyonesse wrote: My intent is to do the same thing except that in this other SSO provider I have to send the request object myself.

Not going to happen. You indicated that the target is a remote web app. You are limited to HTTP during a redirect.
 
Guy deLyonesse
Right, but what I'm saying is that I don't necessarily want to do a redirect, but rather create a whole new request.
 
Bear Bibeault
That's what a redirect is.
 
Guy deLyonesse
Then I'm confused. If it isn't possible to place Attributes into an HttpServletRequest object and retrieve them from a separate app, then how can the line of code I referenced above work? The Attribute shibattr-eppn is NOT set in that app.

EDIT: Putting that aside, I'm perfectly fine using headers to do the job, as I said earlier. Is this feasible?
 
Paul Clapham
Here's how a redirect works: you send an HTTP response with the return code of 302 and the URL you want the client to send a GET request to. That's all you have to work with. You can't persuade the client to send any extra headers with that request, and you can't influence the target of that request in any way beyond what's in the request.

You can include request parameters in the redirect URL in the usual way, but that's the only way you have of communicating information to the target of that URL.

That's all. You seem to be resisting this information, which has now been presented to you two or three times.

I can't comment on the line of code you posted because it's out of context. There's any number of ways the attribute could have got there. Perhaps you should interview the people who wrote the code base it's contained in and see how they put it there.
 
Guy deLyonesse
Paul Clapham wrote: Here's how a redirect works: you send an HTTP response with the return code of 302 and the URL you want the client to send a GET request to. That's all you have to work with. You can't persuade the client to send any extra headers with that request, and you can't influence the target of that request in any way beyond what's in the request.

You can include request parameters in the redirect URL in the usual way, but that's the only way you have of communicating information to the target of that URL.


You might consider looking into POST requests. Putting a login username into a visible request string wouldn't be too secure.

Paul Clapham wrote:
That's all. You seem to be resisting this information, which has now been presented to you two or three times.


I don't know if you meant for that remark to come across as rude, but it did. I don't think I'm doing a great job of getting my point across to Bear and maybe his explanations aren't as clear to me as they are to you, but I'm not "resisting" information.

In fact, in the last few minutes I've found a way to do EXACTLY what I was seeking to do by using HttpRequestServletWrapper. Have a look, if you're interested:

Article
 
Paul Clapham
Guy deLyonesse wrote: You might consider looking into POST requests. Putting a login username into a visible request string wouldn't be too secure.


That's true, but with redirects you don't get that choice. GET is all you have.

Paul Clapham wrote: That's all. You seem to be resisting this information, which has now been presented to you two or three times.


Guy deLyonesse wrote: I don't know if you meant for that remark to come across as rude, but it did.


Well, I didn't. But if it came across that way, then I apologize for that impression.

Guy deLyonesse wrote: In fact, in the last few minutes I've found a way to do EXACTLY what I was seeking to do by using HttpRequestServletWrapper.


Yes, I know about HttpRequestServletWrapper. Does your solution involve doing that in the server which takes the request, or the server where you redirect to after the authentication is done?
 
Bear Bibeault
Yes, you can set headers with a wrapper. You can also set them directly if you send the request yourself with java.net classes (though it's easier with HttpClient or similar).

But that's not the same as your original question about sharing an object ("attribute"/scoped variable) across web apps.
 
Guy deLyonesse
Paul Clapham wrote:
Well, I didn't. But if it came across that way, then I apologize for that impression.


Thanks. Likewise I hope I didn't come across as snappish.

Paul Clapham wrote:
Yes, I know about HttpRequestServletWrapper. Does your solution involve doing that in the server which takes the request, or the server where you redirect to after the authentication is done?


That's the part I'm still thinking about. Ultimately this is mostly a proof of concept project that in a future revision would eliminate a lot of the complexity. It isn't absolutely necessary to have the servers separate, and I intend to merge them on the next iteration if I can.

Bear Bibeault wrote:
Yes, you can set headers with a wrapper. You can also set them directly if you send the request yourself with java.net classes (though it's easier with HttpClient or similar).
But that's not the same as your original question about sharing an object ("attribute"/scoped variable) across web apps.


No, but I did mention headers in a follow-up question. I think what threw me off is when you said "(what you are calling 'attributes')". That confused me in a big way, bro. I didn't originate the term. :P That's what they're called in the documentation I'm reading. Attributes. Just as there are Headers and Parameters in the HttpServletRequest.

At any rate, here's where this is all coming from:

Initially we were using Shibboleth as our SSO provider. That involved configuring Apache to handle the initial work and then use ajp to connect Apache to Tomcat, where the Liferay portal resides. I detailed the solution I came up with here.

Wonderful as Shibboleth is, it turns out that not all of the institutions that would need to log into our portal would use Shibboleth, but were already gearing up to use a more universal authentication, and I couldn't apply the same approach with this new one as with Shibboleth. I wanted to try and keep the same individual steps as close as possible, which is why I was initially thinking Attributes. I may even be able to use them in the future if I can get the whole thing into one servlet container, but for now headers will do, it's just one more step further removed from the Shibboleth approach.

So after looking into it I understand better now conceptually why Attributes worked with the Shibboleth solution and not with this one if the Tomcats are separated. The only thing I need to do is take the request I get back from the authentication and forward it, along with any and all headers and parameters, to the portal. I can crack open the X509 Cert in either the initial servlet or in the portal. At this point I'm not sure that it matters which, but either way there's identifying data that must get passed along and it can't be in the request string.


 
Guy deLyonesse
Problem solved using cookies.
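
Added example, not code from any poster in this thread: whichever HTTP channel carries the user's identity from the SSO webapp to the portal (query string, header or cookie, as discussed above), the portal can only trust the value if it is integrity-protected. The sketch below signs the user name and issue time with an HMAC key that both webapps are assumed to share; the class name, key, URL and user are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

public class HandoffToken {              // hypothetical class name
    private final byte[] key;            // assumption: secret shared by the SSO webapp and the portal
    private final long maxAgeSec;        // how long a token stays valid after it is issued
    public HandoffToken(byte[] key, long maxAgeSec) { this.key = key.clone(); this.maxAgeSec = maxAgeSec; }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // SSO side: call after a successful authentication; send the result in the redirect URL or a cookie.
    public String issue(String user, long nowSec) {
        String payload = b64(user.getBytes(StandardCharsets.UTF_8)) + "." + nowSec;
        return payload + "." + b64(hmac(payload));
    }

    // Portal side: returns the user name, or null when the token is malformed, forged or expired.
    public String verify(String token, long nowSec) {
        String[] p = token == null ? new String[0] : token.split("\\.");
        if (p.length != 3) return null;
        try {
            byte[] supplied = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(hmac(p[0] + "." + p[1]), supplied)) return null; // constant-time compare
            long issued = Long.parseLong(p[1]);
            if (nowSec < issued || nowSec - issued > maxAgeSec) return null;
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return null; }  // bad Base64 or bad timestamp
    }

    public static void main(String[] args) {
        HandoffToken t = new HandoffToken("constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8), 60);
        String token = t.issue("jdoe@example.edu", 1_000_000L);           // constructed sample user and time
        System.out.println("redirect: https://portal.example/login?sso=" + token);
        System.out.println("valid:    " + t.verify(token, 1_000_030L));       // within the 60 s lifetime
        System.out.println("tampered: " + t.verify("x" + token, 1_000_030L)); // signature no longer matches
        System.out.println("expired:  " + t.verify(token, 1_000_100L));       // older than 60 s
    }
}
```

A short lifetime narrows the replay window but does not make the token single-use; that needs server-side state on the portal.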
 
DeepakN kumar
Hi,

Can you please give some guidance on how to develop an SSO myself for a J2EE application? I need to deploy this SSO on a separate machine (Sun OS) and my J2EE application will be running on a different Sun machine. I need to develop this SSO in Java/J2EE only.

Thanks & regards,
Deepak.
 