Closed merrill77 closed 9 years ago
Clarification - there are actually 3 request/responses there. The first set is confirming the user is unauthenticated before performing the authentication.
Hmmm, which OS version is this from?
Windows 7/64.
Oh! That might be an issue. basic-http-client was originally written for Android. I haven't tested cookie support for other OS / JVM combinations. However, java.net.CookieManager should be in Java 6 or later. But I just noticed that the cookies in the HTTP responses are set with a past expiration date as if they were being deleted. Try setting a future date.
Are you referring to the "Expires" header? That is the expiration date of the body content. A past date basically means don't cache the content. The cookies in my example have no expiration date - so they are expected to live until the browser/tab is closed. This is common for session cookies. An expiration date for the cookie would be included in the Set-Cookie header, like this:
Set-Cookie: sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT
Right you are. In that case, I don't have an answer for you. basic-http-client just wraps java.net.URLConnection and all cookie handling is done by the JVM implementation. Since you're already calling ensureCookieManager(), I could only suggest checking whether there are any bugs filed against CookieManager for whatever JVM you're using.
According to: http://stackoverflow.com/questions/2793150/using-java-net-urlconnection-to-fire-and-handle-http-requests and a few other references I've come across, AbstractHttpClient.ensureCookieManager() should do:
CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
instead of:
CookieHandler.setDefault(new CookieManager());
Why that is not the default behavior is not entirely clear to me. FWIW, it does solve my issue.
Thanks for the info. According to https://blogs.oracle.com/CoreJavaTechTips/entry/cookie_handling_in_java_se as well as the Android docs, the default policy in Java 6 was ACCEPT_ORIGINAL_SERVER. At any rate, I'm glad that overriding the default worked for you.
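A diagnostic for the policy difference discussed in this thread, as an added example that is not part of the original comments or of basic-http-client: it feeds the Set-Cookie header from the log in this issue to java.net.CookieManager under each policy and reports whether the cookie would be sent on the next request. Because ACCEPT_ALL skips the domain check entirely, it also tries a cookie scoped to a foreign domain; `originalServerOr`, the `other.example` host and the `track` cookie are assumptions constructed for illustration, and the results depend on the JVM it runs on.

```java
import java.io.IOException;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class CookiePolicyCheck {
    // URL and Set-Cookie value copied from the log in this issue.
    static final URI APP = URI.create("http://localhost:4111/controller/security/roles");
    static final String SESSION = "JSESSIONID=guehhu5xfxll1250pg0mgrvij;Path=/controller";
    // Constructed input: a cookie scoped to a domain the responding server does not own.
    static final URI OTHER = URI.create("http://app.other.example/");
    static final String FOREIGN = "track=1; Domain=.other.example; Path=/";

    // Hypothetical narrower policy: the JVM's same-server check, plus one named
    // dotless development host whose cookies carry no foreign Domain attribute.
    static CookiePolicy originalServerOr(String devHost) {
        return (uri, cookie) -> {
            if (CookiePolicy.ACCEPT_ORIGINAL_SERVER.shouldAccept(uri, cookie)) return true;
            String d = cookie.getDomain();
            return devHost.equalsIgnoreCase(uri.getHost())
                && (d == null || d.equalsIgnoreCase(devHost) || d.equalsIgnoreCase(devHost + ".local"));
        };
    }

    // True if a cookie received from `from` is sent back on a request to `to`.
    static boolean replayed(CookiePolicy policy, String setCookie, URI from, URI to) throws IOException {
        CookieManager cm = new CookieManager(null, policy);   // null store = in-memory default
        Map<String, List<String>> resp =
            Collections.singletonMap("Set-Cookie", Collections.singletonList(setCookie));
        cm.put(from, resp);
        List<String> sent = cm.get(to, Collections.<String, List<String>>emptyMap()).get("Cookie");
        return sent != null && !sent.isEmpty();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("JVM " + System.getProperty("java.version"));
        String[] names = {"ACCEPT_ORIGINAL_SERVER", "ACCEPT_ALL", "originalServerOr(localhost)"};
        CookiePolicy[] policies = {CookiePolicy.ACCEPT_ORIGINAL_SERVER, CookiePolicy.ACCEPT_ALL,
                                   originalServerOr("localhost")};
        for (int i = 0; i < policies.length; i++) {
            System.out.printf("%-28s session cookie replayed: %-5b foreign-domain cookie replayed: %b%n",
                names[i], replayed(policies[i], SESSION, APP, APP),
                replayed(policies[i], FOREIGN, APP, OTHER));
        }
    }
}
```

A policy that replays the session cookie but not the foreign-domain one restores the login flow without accepting cookies for hosts the server does not own.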
Reading the docs, this should be automatic, in which case I must be doing something wrong.
Basically, I'm making a call to authenticate, which returns a JSESSIONID cookie. The next request does not include the cookie header.
I tried doing AbstractHttpClient.ensureCookies() anyway...no change in behavior (as expected).
Any rookie mistakes I might be making here?
TIA! Chris
=== HTTP Request ===
GET http://localhost:4111/controller/security/roles
Accept-Charset:UTF-8
Accept:application/json
[17:27:08.832] WwsSecurityContext.getUserPrincipal(): null

=== HTTP Response ===
Receive url: http://localhost:4111/controller/security/roles
Status: 200
null:HTTP/1.1 200 OK
Date:Fri, 22 May 2015 21:27:08 GMT
Content-Length:2
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie:JSESSIONID=msr7fxofe5q4ujaxfjnbnj7t;Path=/controller
Content-Type:application/json
Server:Jetty(9.2.7.v20150116)
Content: []

=== HTTP Request ===
POST http://localhost:4111/controller/session?username=test1
Accept-Charset:UTF-8
Content-Type:application/json
Accept:application/json
[17:27:08.869] Session.authenticate() - authenticating user:test1

=== HTTP Response ===
Receive url: http://localhost:4111/controller/session?username=test1
Status: 200
null:HTTP/1.1 200 OK
Date:Fri, 22 May 2015 21:27:08 GMT
Content-Length:4
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie:JSESSIONID=guehhu5xfxll1250pg0mgrvij;Path=/controller
Content-Type:application/json
Server:Jetty(9.2.7.v20150116)
Content: true

=== HTTP Request ===
GET http://localhost:4111/controller/security/roles
Accept-Charset:UTF-8
Accept:application/json
[17:27:08.879] WwsSecurityContext.getUserPrincipal(): null

=== HTTP Response ===
Receive url: http://localhost:4111/controller/security/roles
Status: 200
null:HTTP/1.1 200 OK
Date:Fri, 22 May 2015 21:27:08 GMT
Content-Length:2
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie:JSESSIONID=1k84qyixxk7e4eu4wwt357zb5;Path=/controller
Content-Type:application/json
Server:Jetty(9.2.7.v20150116)
Content: []