0 Replies Latest reply on Jul 20, 2015 11:43 PM by fskfskfsk

    Problem when programmatically do SSO

    fskfskfsk

Hello all,

What I am trying to do is log into my web application from Java code.

I built my system based on idp.war and sales.war version 2.0.3 on JBoss EAP 6.4. Then I made the changes below to sales.war:

- changed the login module to use a database (MySQL) rather than text files (roles.properties and users.properties)

- added a servlet 'TestResourceServlet' with the proper mapping in web.xml

When I use Firefox to log in, everything is fine. I used the Firefox add-on HttpFox to analyze it, and below is the flow of requests:

1. Enter the URL 'http://localhost:8080/sales/TestResourceServlet' into the browser.

2. The browser redirects to 'http://localhost:8080/idp/?SAMLRequest=xxxxxxxxxxxxx' (xxxxxxxxxxxx is the long SAML request) and the login screen of idp.war is shown (HTTP status 302 is shown in HttpFox, which is correct).

3. I enter the username and password and submit.

4. The browser starts a doPost request to 'http://localhost:8080/idp/j_security_check' and is redirected to 'http://localhost:8080/idp/?SAMLRequest=xxxxxxxxxxxxx' (HTTP status 302 is shown in HttpFox, which is correct).

5. In HttpFox, I see the browser start a doGet request to 'http://localhost:8080/idp/?SAMLRequest=xxxxxxxxxxxxx', which results in HTTP status 403. When I check the content of the response message, I find the SAML response in there.

6. Then I see the browser start a doPost request to 'http://localhost:8080/sales/?' with the SAML response as a doPost parameter. Then I am redirected to 'http://localhost:8080/sales/TestResourceServlet' successfully.

However, when I try to do the same from a Java program (using the HttpClient library 4.5), the result is not the same:

1. First I start a doGet request to 'http://localhost:8080/sales/TestResourceServlet'.

   The response I get does not have HTTP status 302. It returns HTTP status 200. However, when I check the content of the response message, I find the HTML content of the idp.war login page (the one with j_security_check). I also find two JSESSIONID values in the cookies, one with path /idp and one with path /sales.

I keep both JSESSIONID values in the cookie store and do the steps below:

2. I start a doPost request to 'http://localhost:8080/idp/j_security_check' with both JSESSIONID values in the cookies. Then I am redirected to 'http://localhost:8080/idp/?SAMLRequest=xxxxxxxxxxxxx' with HTTP status 302.

3. Then I do a doGet request to 'http://localhost:8080/idp/?SAMLRequest=xxxxxxxxxxxxx' with both JSESSIONID values in the cookies, which results in HTTP status 403. However, the response message is empty and therefore no SAML response can be found.

Below is my code for doing step 1 above:

// Imports used by the three snippets below (HttpClient 4.5)
import java.net.URI;
import org.apache.http.Header;
import org.apache.http.client.methods.*;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.*;

// The cookie store keeps the JSESSIONID cookies from every response, so later requests send them back.
BasicCookieStore cookieStore = new BasicCookieStore();
CloseableHttpClient httpclient = HttpClients.custom().setDefaultCookieStore(cookieStore).build();
HttpClientContext context = HttpClientContext.create();
HttpGet httpget = new HttpGet("http://localhost:8080/mysso/TestResourceServlet");
// HttpClient follows GET redirects by default, so the 302 to the IdP is followed inside execute().
CloseableHttpResponse response = httpclient.execute(httpget);

Below is my code for doing step 2 as mentioned above:

// POST the login form; the default redirect strategy does not follow a 302 after a POST,
// so response2 carries the 302 and its Location header.
HttpUriRequest login = RequestBuilder.post()
        .setUri(new URI("http://localhost:8080/idp/j_security_check"))
        .addParameter("j_username", "tomcat")
        .addParameter("j_password", "tomcat")
        .build();
CloseableHttpResponse response2 = httpclient.execute(login);

Below is my code for step 3:

// l_TempLocation holds the value of the 'Location' header from response2 (null if absent)
Header location = response2.getFirstHeader("Location");
String l_TempLocation = (location == null) ? null : location.getValue();
if ((302 == response2.getStatusLine().getStatusCode()) && (null != l_TempLocation))
{
    HttpUriRequest login2 = RequestBuilder.get()
            .setUri(new URI(l_TempLocation))
            .build();
    CloseableHttpResponse response3 = httpclient.execute(login2);
}

It would be great if anyone could tell me what I have missed.

Thanks in advance,

Alex
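As an added example (not the poster's code and not PicketLink's), here is the full flow the browser performs in steps 1 to 6 driven from HttpClient 4.5, including the hidden-form POST of the SAMLResponse back to the SP that the Java code above stops short of. It assumes the IdP reply carries a standard SAMLResponse hidden field and a form action attribute (both parsed here with regexes, a simplification), and that the servlet answers once the /sales session is authenticated.

```java
import java.net.URI;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.http.client.methods.*;
import org.apache.http.impl.client.*;
import org.apache.http.util.EntityUtils;

public class SamlPostBindingLogin {
    // Hidden field of the SAML HTTP-POST binding; the attribute order is an assumption.
    static final Pattern SAML_RESPONSE = Pattern.compile("name=\"SAMLResponse\"\\s+value=\"([^\"]+)\"");
    // Assumption: the IdP's auto-submit form names the SP endpoint in its action attribute.
    static final Pattern FORM_ACTION = Pattern.compile("<form[^>]*action=\"([^\"]+)\"");
    // Runs one request, lets the client follow redirects, closes the response and returns its body.
    static String fetch(CloseableHttpClient client, HttpUriRequest req) throws Exception {
        try (CloseableHttpResponse r = client.execute(req)) {
            System.out.println(req.getURI() + " -> " + r.getStatusLine());
            return r.getEntity() == null ? "" : EntityUtils.toString(r.getEntity());
        }
    }
    public static void main(String[] args) throws Exception {
        URI idp = new URI("http://localhost:8080/idp/");
        String resource = "http://localhost:8080/sales/TestResourceServlet";
        // LaxRedirectStrategy also follows the 302 after the POST to j_security_check (as a GET).
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCookieStore(new BasicCookieStore())
                .setRedirectStrategy(new LaxRedirectStrategy())
                .build()) {
            // Step 1: the 302 to idp/?SAMLRequest=... is followed; the body is the IdP login page.
            fetch(client, new HttpGet(resource));
            // Steps 2 and 3: form login, then the redirect back to idp/?SAMLRequest=... is followed.
            String idpPage = fetch(client, RequestBuilder.post()
                    .setUri(idp.resolve("j_security_check"))
                    .addParameter("j_username", "tomcat")
                    .addParameter("j_password", "tomcat")
                    .build());
            Matcher resp = SAML_RESPONSE.matcher(idpPage);
            Matcher action = FORM_ACTION.matcher(idpPage);
            if (!resp.find() || !action.find()) {
                throw new IllegalStateException("IdP reply carries no SAMLResponse form");
            }
            // Step 6: what the browser's auto-submit script does, POST the assertion to the SP.
            fetch(client, RequestBuilder.post()
                    .setUri(idp.resolve(action.group(1)))
                    .addParameter("SAMLResponse", resp.group(1))
                    .build());
            // The /sales session is now authenticated, so the servlet itself answers.
            System.out.println(fetch(client, new HttpGet(resource)));
        }
    }
}
```

HttpClient follows the 302 of step 1 on its own, which is why that first request comes back as 200 with the login page in its body; a 403 is not a redirect, so whatever body the IdP sends with it is what fetch() hands back.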