  1. #1 marcomandy (Member, joined Mar 2012, 3 posts)

    Login to a CAS server using HTTPComponents Client

    I'm trying to log in to a CAS server using the Apache HTTPComponents client.
    I observed the behaviour of the server through Fiddler while logging in to the server with a web browser, and tried to reproduce this behaviour with HTTPComponents.

    The browser is redirected to the page below, whose URL changes every time.
    Here it gets the cookie, the unique URL (from the HTML) where it has to post, and the value of the variable "it".

    Then it posts to the URL it got the user name, the password, the "it" variable and some other variables. The server responds with a "302 Moved Temporarily" which contains the link to the page I'm interested in.


    XML Code:
    GET https://cas.unibo.it/cas/login?service=https%3A%2F%2Falmaesami.unibo.it%2Falmaesami%2Fstudenti%2Fj_acegi_cas_security_check%3Bjsessionid%3D766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3&cas_aware_sessionid=766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3 HTTP/1.1
    Host: cas.unibo.it
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: https://almaesami.unibo.it/almaesami/welcome.htm
        
        
    HTTP/1.1 200 OK
    Date: Sun, 25 Mar 2012 20:26:31 GMT
    Pragma: No-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache
    Cache-Control: no-store
    Set-Cookie: JSESSIONID=B7983385BA6B02BA6A568533F7C38C83.cas-joss2; Path=/cas/; Secure; HttpOnly
    Content-Type: text/html;charset=UTF-8
    Content-Language: it-IT
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Length: 6038
        
        
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    ... 
     <body>
    ...
    <form id="fm1" method="post" 
    action="/cas/login;jsessionid=B7983385BA6B02BA6A568533F7C38C83.cas-joss2?service=https%3A%2F%2Falmaesami.unibo.it%2Falmaesami%2Fstudenti%2Fj_acegi_cas_securi
    ty_check%3Bjsessionid%3D766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3&amp;cas_aware_sessionid=766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3">
      <table class="tbSimpleInput"  width="600" summary="Tabella di struttura" style="margin-left:auto; margin-right:auto;text-align:left">
      <!-- table width="600" summary="Tabella di struttura" -->
    
    	<tr valign="top">
    		 <td colspan="4" style="padding-bottom: 12px;">
    			<p><SPAN class="testoNormale"> 
    				  <span id="AbstractPH"> 
    				  </span>
    				</SPAN>
    			</p>
    		</td>
    	</tr>
    	<tr>
    		<td colspan="2">
    			<div align="center">
    			  <a href="https://www.dsa.unibo.it">
    				 <img src="https://www.dsa.unibo.it/uniboldap2/image/logindsa.jpg" alt="Login di Ateneo - DSA" border="0" width="160" height="48">
    			  </a>
    			</div>
    		</td>
    	</tr>
    	<tr>
    	  <td class="formLabel"><label for="username">Username</label></td>
    	  <td class="formField">
    		<input id="username" name="username" type="text" value=""/>
    	  </td>
    	</tr>
    	<tr>
    	  <td class="formLabel"><label for="password">Password</label></td>
    	  <td class="formField">
    		<input id="password" name="password" type="password" value=""/>
    	  </td>
    	</tr>
    	<tr>
    		<td colspan="2"></td>
    	</tr>
    	<tr>
    	  <td></td>
    	  <td colspan ="2" class="buttonCells" style="text-align:left;padding-top:9pt">
    		<input type="hidden" name="lt" value="_c3B3C903C-5312-F9A2-1F7C-842C2814FE30_k153B2920-D56A-8F46-BCB3-2C97CA3AFF4F" />
    		<input type="hidden" name="_eventId" value="submit" />
    		<input type="hidden" id="userType" name="userType" value="STUDENTE"/>
    		<input type="submit" class="button" value='Accedi' name="submit" /><br/><br/></td>
    ...     
      </body>
    </html>
    ___________________________________________________________
        
    POST https://cas.unibo.it/cas/login;jsessionid=B7983385BA6B02BA6A568533F7C38C83.cas-joss2?service=https%3A%2F%2Falmaesami.unibo.it%2Falmaesami%2Fstudenti%2Fj_acegi_cas_security_check%3Bjsessionid%3D766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3&cas_aware_sessionid=766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3 HTTP/1.1
    Host: cas.unibo.it
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: https://cas.unibo.it/cas/login?service=https%3A%2F%2Falmaesami.unibo.it%2Falmaesami%2Fstudenti%2Fj_acegi_cas_security_check%3Bjsessionid%3D766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3&cas_aware_sessionid=766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3
    Cookie: JSESSIONID=B7983385BA6B02BA6A568533F7C38C83.cas-joss2
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 187
        
    username=***.***@***&password=*****&lt=_c3B3C903C-5312-F9A2-1F7C-842C2814FE30_k153B2920-D56A-8F46-BCB3-2C97CA3AFF4F&_eventId=submit&userType=STUDENTE&submit=Accedi
        
        
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 25 Mar 2012 20:26:33 GMT
    Pragma: No-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache
    Cache-Control: no-store
    Set-Cookie: CASPRIVACY=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas
    Set-Cookie: CASTGC=TGT-76765-YPoosBGiZCKQhZ3KKHdPXpl9bWMEh5BvCgxPKoNdlIH4aKHNQN-lucifer-Joss2; Path=/cas; Secure
    Location: https://almaesami.unibo.it/almaesami/studenti/j_acegi_cas_security_check;jsessionid=766A9DDE236DAEF92E2968C04E07EBBB.mic-joss3?ticket=ST-43535-7PY7fq3ojZSP1pqMRW7p-lucifer-Joss2&siteLanguage=it
    Content-Language: it-IT
    Content-Length: 0
    Keep-Alive: timeout=15, max=97
    Connection: Keep-Alive
    Content-Type: text/plain

    What follows is what I managed to reproduce, as analyzed with Fiddler.


    XML Code:
    GET https://cas.unibo.it/cas/login?service=https%3A%2F%2Falmaesami.unibo.it%2Falmaesami%2Fstudenti%2Fj_acegi_cas_security_check%3Bjsessionid%3D50854241BA8158A576B8B1FEE0B57A1D.mic-joss2&cas_aware_sessionid=50854241BA8158A576B8B1FEE0B57A1D.mic-joss2 HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://almaesami.unibo.it/almaesami/welcome.htm
    Host: cas.unibo.it
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.2 (java 1.5)
    
    
    HTTP/1.1 200 OK
    Date: Mon, 26 Mar 2012 11:52:44 GMT
    Pragma: No-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache
    Cache-Control: no-store
    Set-Cookie: JSESSIONID=0ADBB997A5BFEFB2391EF3B79070E28E.cas-joss1; Path=/cas; Secure
    Content-Type: text/html;charset=UTF-8
    Content-Language: it-IT
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Length: 6038
    
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    ...
      <body>
    ...  
    <form id="fm1" method="post" action="/cas/login;jsessionid=0ADBB997A5BFEFB2391EF3B79070E28E.cas-joss1?service=https%3A%2F%2Falmaesami.unibo.it%2Falmaesami%2Fstudenti%2Fj_acegi_cas_security_check%3Bjsessionid%3D50854241BA8158A576B8B1FEE0B57A1D.mic-joss2&amp;cas_aware_sessionid=50854241BA8158A576B8B1FEE0B57A1D.mic-joss2">
      <table class="tbSimpleInput"  width="600" summary="Tabella di struttura" style="margin-left:auto; margin-right:auto;text-align:left">
      <!-- table width="600" summary="Tabella di struttura" -->
    
    	<tr valign="top">
    		 <td colspan="4" style="padding-bottom: 12px;">
    			<p><SPAN class="testoNormale"> 
    				  <span id="AbstractPH"> 
    				  </span>
    				</SPAN>
    			</p>
    		</td>
    	</tr>
    	<tr>
    		<td colspan="2">
    			<div align="center">
    			  <a href="https://www.dsa.unibo.it">
    				 <img src="https://www.dsa.unibo.it/uniboldap2/image/logindsa.jpg" alt="Login di Ateneo - DSA" border="0" width="160" height="48">
    			  </a>
    			</div>
    		</td>
    	</tr>
    	<tr>
    	  <td class="formLabel"><label for="username">Username</label></td>
    	  <td class="formField">
    		<input id="username" name="username" type="text" value=""/>
    	  </td>
    	</tr>
    	<tr>
    	  <td class="formLabel"><label for="password">Password</label></td>
    	  <td class="formField">
    		<input id="password" name="password" type="password" value=""/>
    	  </td>
    	</tr>
    	<tr>
    		<td colspan="2"></td>
    	</tr>
    	<tr>
    	  <td></td>
    	  <td colspan ="2" class="buttonCells" style="text-align:left;padding-top:9pt">
    		<input type="hidden" name="lt" value="_cB0CC1EB0-B7BE-DF43-7522-801C1A7910C5_kCE55F797-1DD8-5EB0-D85F-BE9D74B7836D" />
    		<input type="hidden" name="_eventId" value="submit" />
    		<input type="hidden" id="userType" name="userType" value="STUDENTE"/>
    		<input type="submit" class="button" value='Accedi' name="submit" /><br/><br/></td>
    ...
      </body>
    </html>
    
    ____________________________________________________________________
    POST https://cas.unibo.it/cas/login;jsessionid=0ADBB997A5BFEFB2391EF3B79070E28E.cas-joss1?service=https%3A%2F%2Falmaesami.unibo.it%2Falmaesami%2Fstudenti%2Fj_acegi_cas_security_check%3Bjsessionid%3D50854241BA8158A576B8B1FEE0B57A1D.mic-joss2&cas_aware_sessionid=50854241BA8158A576B8B1FEE0B57A1D.mic-joss2 HTTP/1.1
    Referer: https://cas.unibo.it/cas/login?service=https%3A%2F%2Falmaesami.unibo.it%2Falmaesami%2Fstudenti%2Fj_acegi_cas_security_check%3Bjsessionid%3D50854241BA8158A576B8B1FEE0B57A1D.mic-joss2&cas_aware_sessionid=50854241BA8158A576B8B1FEE0B57A1D.mic-joss2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Length: 187
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Host: cas.unibo.it
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.2 (java 1.5)
    Cookie: JSESSIONID=0ADBB997A5BFEFB2391EF3B79070E28E.cas-joss1
    
    username=***.***@***&password=*****&it=_cB0CC1EB0-B7BE-DF43-7522-801C1A7910C5_kCE55F797-1DD8-5EB0-D85F-BE9D74B7836D&_eventId=submit&userType=STUDENTE&submit=Accedi
    
    
    HTTP/1.1 200 OK
    Date: Mon, 26 Mar 2012 11:52:44 GMT
    Pragma: No-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache
    Cache-Control: no-store
    Content-Type: text/html;charset=UTF-8
    Content-Language: it-IT
    Keep-Alive: timeout=15, max=99
    Connection: Keep-Alive
    Content-Length: 5984
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
    ...

    As you can see I post to the CAS server the same request as my browser, getting the same variables, but instead of redirecting me to the new page I get the same page as before from the server!

    This is the code I wrote:

    Java Code:
    import java.net.URI;
    import java.util.ArrayList;
    import java.util.List;
    
    import org.apache.http.HeaderIterator;
    import org.apache.http.HttpEntity;
    import org.apache.http.HttpHost;
    import org.apache.http.HttpRequest;
    import org.apache.http.HttpResponse;
    import org.apache.http.NameValuePair;
    import org.apache.http.client.RedirectStrategy;
    import org.apache.http.client.entity.UrlEncodedFormEntity;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.client.methods.HttpUriRequest;
    import org.apache.http.client.params.ClientPNames;
    import org.apache.http.client.params.CookiePolicy;
    import org.apache.http.conn.params.ConnRoutePNames;
    import org.apache.http.conn.scheme.PlainSocketFactory;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.cookie.Cookie;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.client.DefaultRedirectStrategy;
    import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
    import org.apache.http.message.BasicNameValuePair;
    import org.apache.http.protocol.HTTP;
    import org.apache.http.protocol.HttpContext;
    import org.apache.http.util.EntityUtils;
    
    public class TestHttpClient {
    
    	public static void main(String[] args) throws Exception {
    
    		HttpGet httpget = new HttpGet("");
    		HttpPost httppost = new HttpPost("");
    		HttpResponse response;
    		HttpEntity entity;
    		URI uri;
    		HeaderIterator iter;
    		String itvalue = "", location = "", referer = "", stringentity = "";
    
    		// explicit scheme registry so the pooled connection manager can open both http and https
    		SchemeRegistry schemeRegistry = new SchemeRegistry();
    		schemeRegistry.register(
    				new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));
    		schemeRegistry.register(
    				new Scheme("https", 443, SSLSocketFactory.getSocketFactory()));
    		ThreadSafeClientConnManager connectionmanager = new ThreadSafeClientConnManager(schemeRegistry); // the default connection manager can't manage multiple connections
    		DefaultHttpClient httpclient = new DefaultHttpClient(connectionmanager);
    
    		httpclient.getParams().setParameter(ClientPNames.COOKIE_POLICY, CookiePolicy.BROWSER_COMPATIBILITY); // default cookie policy creates dirty cookies
    
    		HttpHost proxy = new HttpHost("127.0.0.1", 8888); // this is to debug on Fiddler
    		httpclient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
    		// WebClientDevWrapper is a helper class not included in this post (presumably the usual
    		// snippet that relaxes certificate checking so that Fiddler can intercept the HTTPS traffic)
    		httpclient = (DefaultHttpClient) WebClientDevWrapper.wrapClient(httpclient);
    
    		// mimic the browser's request headers seen in the Fiddler capture
    		httpget.setHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    		httpget.setHeader("Accept-Language", "it-it,it;q=0.8,en-us;q=0.5,en;q=0.3");
    		httpget.setHeader("Accept-Encoding", "gzip, deflate");
    		httpget.setHeader("Referer", "https://almaesami.unibo.it/almaesami/welcome.htm");
    
    		//GET/////////// request the protected page; the redirect to CAS is not followed
    		// so that the Location header (the CAS login URL) can be read from the response
    		uri = new URI("https://almaesami.unibo.it/almaesami/studenti/home.htm");
    		httpget.setURI(uri);
    
    		httpclient.setRedirectStrategy(new RedirectStrategy() { // blocking the auto redirect to get the redirection url
    			public HttpUriRequest getRedirect(HttpRequest arg0,
    					HttpResponse arg1, HttpContext arg2)
    					throws org.apache.http.ProtocolException {
    				return null;
    			}
    			public boolean isRedirected(HttpRequest arg0, HttpResponse arg1,
    					HttpContext arg2) throws org.apache.http.ProtocolException {
    				return false;
    			}
    		});
    
    		response = httpclient.execute(httpget);
    		entity = response.getEntity();
    
    		System.out.println(response.getStatusLine().toString());
    
    		printCookies(httpclient);
    
    		// the redirect target becomes both the next GET URL and the Referer of the POST
    		iter = response.headerIterator("Location");
    		while (iter.hasNext()) referer = "" + iter.next();
    		referer = referer.replace("Location: ", "");
    		System.out.println("referer: " + referer);
    
    		httpclient.setRedirectStrategy(new DefaultRedirectStrategy()); // reset automatic redirect
    
    		if (entity != null) {
    			EntityUtils.consume(entity);
    		}
    
    		//GET/////////// fetch the CAS login page and pull the ticket and form action out of the HTML
    		uri = new URI(referer);
    		httpget.setURI(uri);
    		response = httpclient.execute(httpget);
    		entity = response.getEntity();
    		System.out.println(response.getStatusLine().toString());
    
    		stringentity = EntityUtils.toString(entity);
    		// the hidden field in the captured HTML is named "lt"; 17 is the length of the search string
    		int startindex = stringentity.indexOf("name=\"lt\" value=\"") + 17;
    		int endindex = stringentity.indexOf("\"", startindex);
    		itvalue = stringentity.substring(startindex, endindex);
    		System.out.println("it value: " + itvalue);
    
    		// the form action is a relative URL with HTML-escaped "&amp;", hence the prefix and replaceAll
    		startindex = stringentity.indexOf("method=\"post\" action=\"") + 22;
    		endindex = stringentity.indexOf("\"", startindex);
    		location = "https://cas.unibo.it" + stringentity.substring(startindex, endindex);
    		location = location.replaceAll("&amp;", "&");
    		System.out.println("location: " + location);
    
    		printCookies(httpclient);
    
    		if (entity != null) {
    			EntityUtils.consume(entity);
    		}
    
    		//POST///////// submit the login form with the values extracted above
    		List<NameValuePair> nvps = new ArrayList<NameValuePair>();
    		nvps.add(new BasicNameValuePair("username", "***.***@***"));
    		nvps.add(new BasicNameValuePair("password", "*****"));
    		nvps.add(new BasicNameValuePair("it", itvalue)); // NB: posted as "it", while the captured hidden field is named "lt"
    		nvps.add(new BasicNameValuePair("_eventId", "submit"));
    		nvps.add(new BasicNameValuePair("userType", "STUDENTE"));
    		nvps.add(new BasicNameValuePair("submit", "Accedi"));
    
    		httppost.setEntity(new UrlEncodedFormEntity(nvps, HTTP.UTF_8));
    		httppost.setHeader("Referer", referer);
    		httppost.setHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    		httppost.setHeader("Accept-Language", "it-it,it;q=0.8,en-us;q=0.5,en;q=0.3");
    		httppost.setHeader("Accept-Encoding", "gzip, deflate");
    
    		uri = new URI(location);
    		httppost.setURI(uri);
    
    		response = httpclient.execute(httppost);
    		entity = response.getEntity();
    		System.out.println(response.getStatusLine().toString());
    
    		printCookies(httpclient);
    
    		httpclient.getConnectionManager().shutdown();
    	}
    
    	// dump the client's cookie store (JSESSIONID, and CASTGC once the login succeeds)
    	public static void printCookies(DefaultHttpClient httpclient) {
    		System.out.println("COOKIES: ");
    		List<Cookie> cookies = httpclient.getCookieStore().getCookies();
    		if (cookies.isEmpty()) {
    			System.out.println("None");
    		} else {
    			for (int i = 0; i < cookies.size(); i++) {
    				System.out.println("- " + cookies.get(i).toString());
    			}
    		}
    	}
    }
    Can anyone tell me where I've gone wrong? Does CAS have some other security system I can't see? Is there something else in the request made by the browser I didn't notice? I searched for a CAS client API but can't find anything interesting. I tried some different cookie policies because the default in HttpComponents left some dirty cookies, and I also tried modifying the encoding of the variables I post.
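An added example, not the poster's code and not part of HttpComponents: the extraction step done by field name instead of by string offsets, plus a check that compares a captured POST body with the form the server actually served. Hosts, session id, login ticket and credentials are placeholders constructed here; the form id `fm1` and the field names come from the captures above. Python is used so the parsing logic can be run offline; the same approach ports directly to the Java client.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin

# Constructed sample: the relevant part of a CAS login page shaped like the one
# captured above. Host, session id and login ticket are placeholders.
LOGIN_PAGE_HTML = """
<html><body>
<form id="fm1" method="post"
action="/cas/login;jsessionid=SESSION_PLACEHOLDER?service=https%3A%2F%2Fapp.example.invalid%2Fcheck&amp;cas_aware_sessionid=SESSION_PLACEHOLDER">
  <input id="username" name="username" type="text" value=""/>
  <input id="password" name="password" type="password" value=""/>
  <input type="hidden" name="lt" value="LT_PLACEHOLDER" />
  <input type="hidden" name="_eventId" value="submit" />
  <input type="hidden" id="userType" name="userType" value="STUDENTE"/>
  <input type="submit" class="button" value='Accedi' name="submit" /><br/><br/>
</form>
</body></html>
"""

# Constructed sample of a client POST body in the shape of the HttpClient
# capture above (credentials and ticket replaced by placeholders).
CAPTURED_CLIENT_POST = ("username=USER&password=PASS&it=LT_PLACEHOLDER"
                        "&_eventId=submit&userType=STUDENTE&submit=Accedi")


class CasLoginFormParser(HTMLParser):
    """Collect the action URL and every named <input> of the form with id="fm1"."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}        # field name -> value exactly as the server served it
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("id") == "fm1":
            self._in_form = True
            self.action = a.get("action")   # HTMLParser has already turned &amp; into &
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def extract_login_form(page_html, page_url):
    """Return (absolute form action, {field: value}) for the served CAS login form."""
    p = CasLoginFormParser()
    p.feed(page_html)
    p.close()
    if p.action is None:
        raise ValueError("login form fm1 not found in page")
    if "lt" not in p.fields:
        raise ValueError("form carries no login ticket (lt); probably not the login page")
    return urljoin(page_url, p.action), p.fields


def build_login_body(form_fields, username, password):
    """Fill in the credentials, keeping every server-supplied field name verbatim."""
    body = dict(form_fields)
    body["username"] = username
    body["password"] = password
    return body


def encode_login_body(body):
    """application/x-www-form-urlencoded body, in the same field order as the form."""
    return urlencode(body)


def check_post_against_form(post_body, form_fields):
    """Compare a captured POST body with the form the server served.

    Returns (missing, unexpected): names the form expects but the client did not
    send, and names the client sent that the form does not contain.
    """
    sent = {name for name, _ in parse_qsl(post_body, keep_blank_values=True)}
    expected = set(form_fields)
    return expected - sent, sent - expected


if __name__ == "__main__":
    action, fields = extract_login_form(LOGIN_PAGE_HTML, "https://cas.example.invalid/cas/login")
    print("POST to:", action)
    print("form fields:", fields)
    print("client vs form (missing, unexpected):", check_post_against_form(CAPTURED_CLIENT_POST, fields))
    print("rebuilt body:", encode_login_body(build_login_body(fields, "USER", "PASS")))
```

Run against the client capture, `check_post_against_form` reports `lt` as missing and `it` as unexpected. In the CAS protocol `lt` is the one-time login ticket bound to the login session; a POST without it is not a valid login attempt, which is consistent with the server answering the form page again (200) rather than the 302 carrying the service ticket. Building the body from the parsed field names, as `build_login_body` does, removes that class of mismatch, and the same diff is a cheap regression check whenever the server's form changes.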

  2. #2 marcomandy (Member, joined Mar 2012, 3 posts)

    Re: Login to a CAS server using HTTPComponents Client

    Well, I'm going on with my project even if nobody has been able to help me so far. I examined the exchange of information with the CAS server more deeply and noticed that the connection my client makes with the server is different from the one the web browser establishes. Is it possible that the server checks the connection information? Does anybody know how to force HTTPComponents to establish different connections?

  3. #3 marcomandy (Member, joined Mar 2012, 3 posts)

    Re: Login to a CAS server using HTTPComponents Client

    Solved! There was a wrong variable name!
