Finally I got it working.
Firebug helped to find the redirections. Thank you.
So after the POST of uname/pwd I sent two more GETS.
Probably this can be optimized ....
... and no session Id required. But I will have a look at the Wireshark
trace later on.
Am 07.11.2013 00:21, schrieb kim young ill:
sorry, you need to be more specific about your case, login over http(s)
should normally transparent from transport-layer (except when you use
private certificate).
the http request contains headers & payload, in the login request the
payload should contains uname/pwd (if it's a POST, it could be in json
format or form-encoded) & some more fields dependent on the site. the
headers could be important if the server want to know which type of client
you are & what do you support. some servers will requires cookies (set
when you first load the page).
the sessionid you mentioned is only relevant for establishing the
ssl-connection (before the http request is sent), so you should ignore it.
by guess is that the server wants to know too much from you, so use firebug
, get the headers & payload, copy it to build the request to try again
On Wed, Nov 6, 2013 at 8:09 PM, Horst Weigelt<[email protected]> wrote:
if you have a look at the RFC where the TLS is specified and the 'Client
Hello' therein you can see that a random number -> session ID is required.
http://tools.ietf.org/html/rfc5246#section-7.4.1.2
In the Wireshark trace I see the correct session ID of length 32 in the
browser trace and of length 0 in the Java trace.
Therefore the Java implementation is wrong. But coming back to my
question. How can I set the session ID in the HTTP client? In my opinion it
should be done automatically. It might be an issue in the HTTP client
development.
Why do you think a keystore is required?
At first I tried to debug with Firebug without success - that's why I
traced with Wireshark (much more low level than Firebug).
kind regards
Horst
Am 05.11.2013 23:02, schrieb kim young ill:
not sure if i understand you correctly but what's the sessionid you
mention
? do you want to authenticate yourself with server with your private
certificate (ssl/tls layer) or with username/password (http-layer) ? with
the first case you need to customize your keystore, for the 2nd case you
just need to open firebug or chrome-dev tool or sth similar to see what's
going on.
On Tue, Nov 5, 2013 at 6:44 PM, Horst Weigelt<[email protected]>
wrote:
Thank you Kim,
yes I did not mention how I came up with the idea of a missing session
ID.
I traced the network communication with Wireshark and compared the
successful browser trace with the Java trace.
The first difference in the traces is that the client does not send a
session ID in the Java case. In the browser case the session ID is sent
by
the client and responded by the server. I am not 100 % sure but the
session
ID might be required for the data encryption.
The protocol is explained here
http://en.wikipedia.org/wiki/Transport_Layer_Security#
Basic_TLS_handshake
where the random number is the session ID
and here
http://commons.wikimedia.org/wiki/File:SSL_handshake_with_
two_way_authentication_with_certificates.svg
kind regards
Horst
Am 04.11.2013 23:25, schrieb kim young ill:
200 is a http-response code, only means the request comes & handled by
server correcly, no error/exception, doesnt mean the username/password
is
correct.
try to use the browser to see how the login-request looks like in both
cases or simply log the server-response.
hth
On Sat, Nov 2, 2013 at 2:39 PM, Horst Weigelt<[email protected]>
wrote:
|I want to logon to a https URL using Apache HTTP Client 4.3
The login fails. However I receive HTTP status 200 when posting the
request.
One issue for the login failure might be that there is no session ID
send
in the|
|TLSv1 handshake protocol (Length: 0)
That raises 2 questions:
1) Is a session ID required for the login. If yes how can I set the
session ID.
2) Is there something else missing in the Java code below (except for
the
correct URL + login/password ;-) )
This question is also posted (more or less identically) in
http://stackoverflow.com/questions/19737218/session-id-
missing-in-https-post-using-apache-httpclient-4-3
HttpClientContext context= HttpClientContext.create();
/* to follow redirections */ RedirectStrategy
redirectStrategy=
new LaxRedirectStrategy();
RequestConfig globalConfig= RequestConfig.custom()
.setCookieSpec(CookieSpecs.BEST_MATCH)
.build();
RequestConfig localConfig= RequestConfig.copy(globalConfig)
.setCookieSpec(CookieSpecs.BROWSER_COMPATIBILITY)
.build();
try {
SSLContext sslcontext= SSLContexts.custom()
.build();
SSLConnectionSocketFactory sslsf= new
SSLConnectionSocketFactory(sslcontext,
SSLConnectionSocketFactory.
BROWSER_COMPATIBLE_HOSTNAME_
VERIFIER);
/* setup client for https and redirections */
httpclient= HttpClients.custom()
.setRedirectStrategy(redirectStrategy)
.setSSLSocketFactory(sslsf)
.build();
HttpPost httpost= new HttpPost("https://myURL";);
httpost.setConfig(localConfig);
/* set login and password */
httpost.setEntity(new UrlEncodedFormEntity(login_
and_passwd,
Consts.UTF_8));
CloseableHttpResponse httpresponse=
httpclient.execute(httpost);
}
} finally {
httpclient.close();
}
return httpclient;
Thanks for any help
Horst
|
---------------------------------------------------------------------
To unsubscribe, e-mail:[email protected]
For additional commands, e-mail:[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail:[email protected]
For additional commands, e-mail:[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
