Posted to httpclient-users@hc.apache.org by Zhu Li Qiang <Zh...@bcsis.com> on 2005/03/24 08:39:04 UTC

NTLM authorization header

Hello, 

I am new to HttpClient, and trying to use HttpClient in a servlet to implement a single-sign-on requirement.

When a user's browser hits the servlet, the servlet will use HttpClient to:

1) log on to another web application via NTLM authentication

2) request the first content page of that application 

3) put the response from that application into the servlet's response outputstream, which will redirect the browser to that application directly onwards.

I have a problem here. Since the httpclient has been authenticated by that application, how can the servlet pass the "authorization headers" and "response headers" down to the browser so the application will not authenticate the browser user again?

Hope somebody can enlighten me on this.

Many thanks in advance.

Richard


Re: NTLM authorization header

Posted by Roland Weber <RO...@de.ibm.com>.

Hello Richard,

> When a user's browser hits the servlet, the servlet will use HttpClient to:
> 
> 1) log on to another web application via NTLM authentication
> 
> 2) request the first content page of that application 
> 
> 3) put the response from that application into the servlet's 
> response outputstream, which will redirect the browser to that 
> application directly onwards.
> 
> I have a problem here. Since the httpclient has been authenticated 
> by that application, how can the servlet pass the "authorization 
> headers" and "response headers" down to the browser so the 
> application will not authenticate the browser user again?

It can't. The authentication that took place is for the session
between the servlet and the application. It is not possible to
substitute a different client, or to hand the session over to a
standard web browser.
You could turn your servlet into a reverse proxy and make the client
send all followup requests to the servlet again, which forwards them
to the application. But then you would have to parse all pages sent
by the application, find the links in those pages, and replace them
with links to your servlet. It is no fun at all to do that.

cheers,
  Roland
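
The link rewriting that the reverse-proxy approach in the reply above requires, as an added example (not code from this thread or from HttpClient): links that resolve to the one configured backend are pointed back at the servlet, and everything else is left alone so the servlet does not become a general-purpose proxy. The class name, the host `app.example.internal` and the servlet path `/sso/proxy` are placeholders, and the regex only covers quoted `href`/`src`/`action` attributes, not URLs built by scripts or stylesheets.

```java
import java.net.URI;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ProxyLinkRewriter {
    // href/src/action attributes with a single- or double-quoted value.
    private static final Pattern LINK =
        Pattern.compile("(?i)\\b(href|src|action)\\s*=\\s*([\"'])(.*?)\\2");

    /** Rewrites links in a page fetched from pageUri so they go through proxyPath. */
    public static String rewrite(String html, URI pageUri, URI backend, String proxyPath) {
        Matcher m = LINK.matcher(html);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String replacement = m.group(0); // default: leave the attribute as it is
            try {
                // Resolve relative links against the page they came from.
                URI target = pageUri.resolve(m.group(3).trim());
                if (sameOrigin(backend, target)) {
                    String url = proxyPath + target.getRawPath()
                        + (target.getRawQuery() == null ? "" : "?" + target.getRawQuery())
                        + (target.getRawFragment() == null ? "" : "#" + target.getRawFragment());
                    replacement = m.group(1) + "=" + m.group(2) + url + m.group(2);
                }
            } catch (IllegalArgumentException e) {
                // Not a parseable URI: keep the original attribute.
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Only links to the single configured backend are proxied; mailto:, javascript:
    // and links to other hosts have no matching host and stay untouched.
    private static boolean sameOrigin(URI backend, URI u) {
        return u.getHost() != null && backend.getPort() == u.getPort()
            && backend.getScheme().equalsIgnoreCase(u.getScheme())
            && backend.getHost().equalsIgnoreCase(u.getHost());
    }

    public static void main(String[] args) {
        // Constructed sample page; host name and servlet path are placeholders.
        URI backend = URI.create("http://app.example.internal");
        String page = "<a href=\"/reports?id=7\">R</a> <img src='img/logo.gif'> "
            + "<a href=\"http://other.example.org/\">ext</a>";
        System.out.println(rewrite(page, backend.resolve("/home/index.html"), backend, "/sso/proxy"));
    }
}
```

The servlet that receives `/sso/proxy/...` requests has to apply the same restriction in the other direction and forward only to the configured backend, since every forwarded request runs under the servlet's NTLM identity.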