HTTP/1.1 401 Authorization Required with HttpClient 4.1.1

4

1
Updated code: using SSL, I am still getting the same error.

I am trying to open this uri

https://some-host/a/getmeta?id=10  (this url is passed to proxi.jsp page)

This is my proxi.jsp page. I am getting the error HTTP/1.1 401 Authorization Required even though I am passing my credentials too. Why is this happening? That site uses SiteMinder.

    <%@ page language="java" import="
    org.apache.http.HttpEntity,
    org.apache.http.HttpResponse,
    org.apache.http.auth.AuthScope,
    org.apache.http.auth.UsernamePasswordCredentials,
    org.apache.http.client.methods.HttpPost,
    org.apache.http.client.methods.HttpGet,
    org.apache.http.impl.client.DefaultHttpClient,
    org.apache.http.util.EntityUtils,
    java.io.InputStream,
    java.io.InputStreamReader,
    java.io.BufferedReader,
    java.security.KeyStore,
    java.io.FileInputStream,
    java.io.File,
    org.apache.http.conn.ssl.SSLSocketFactory,
    org.apache.http.conn.scheme.Scheme,
    javax.net.ssl.HostnameVerifier,
    org.apache.http.impl.conn.SingleClientConnManager,
    javax.net.ssl.HttpsURLConnection,
    org.apache.http.conn.scheme.SchemeRegistry,
    javax.net.ssl.SSLContext,
    java.security.cert.X509Certificate,
    javax.net.ssl.X509TrustManager,
    javax.net.ssl.TrustManager,
    org.apache.http.conn.ClientConnectionManager,
    java.security.cert.CertificateException,
    org.apache.http.conn.scheme.Scheme"
    contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>

    <%
    String a_Url = request.getParameter( "url" ) ;

    DefaultHttpClient httpclient = new DefaultHttpClient();
    try {
        httpclient.getCredentialsProvider().setCredentials(
                new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, "realm"),
                new UsernamePasswordCredentials("test", "pass"));


        KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());
        //FileInputStream instream = new FileInputStream(new File("my.keystore"));
        InputStream instream = Thread.currentThread().getContextClassLoader().getResourceAsStream("my.keystore");
        try {
            trustStore.load(instream, "nopassword".toCharArray());
        } finally {
            try { instream.close(); } catch (Exception ignore) {}
        }
    /* 
        SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
        Scheme sch = new Scheme("https", 443, socketFactory);
        httpclient.getConnectionManager().getSchemeRegistry().register(sch);
        */



        SSLContext ctx = SSLContext.getInstance("TLS");
        // Trust manager with empty checks: it accepts any client or server certificate chain.
        X509TrustManager tm = new X509TrustManager() {

            public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
            }

            public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
            }

            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        };
        ctx.init(null, new TrustManager[]{tm}, null);
        SSLSocketFactory ssf = new SSLSocketFactory(ctx);
        // Hostname verification is switched off as well.
        ssf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        ClientConnectionManager ccm = httpclient.getConnectionManager();
        SchemeRegistry sr = ccm.getSchemeRegistry();
        sr.register(new Scheme("https", ssf, 443));




        HttpGet httpget = new HttpGet(a_Url);



        System.out.println("executing request" + httpget.getRequestLine());
        HttpResponse res = httpclient.execute(httpget);

        HttpEntity entity = res.getEntity();

        System.out.println("----------------------------------------");
        System.out.println(res.getStatusLine());
        if (entity != null) {

            System.out.println("Response content length: " + entity.getContentLength());
            InputStream input = entity.getContent();
            BufferedReader reader = new BufferedReader(new InputStreamReader(input));
            String ln = "";
            while((ln = reader.readLine()) != null) {
                out.println("During Get - " + ln);
            }
            entity.consumeContent();
        }
        EntityUtils.consume(entity);
    }

    catch (Throwable t) {
        StackTraceElement[] x = t.getStackTrace();
        for(int k=0;k<x.length;k++) {
            out.println(x[k].toString());
        }
        //out.println();
        t.printStackTrace();
    }


    finally {
        // When HttpClient instance is no longer needed,
        // shut down the connection manager to ensure
        // immediate deallocation of all system resources
        httpclient.getConnectionManager().shutdown();
    }


    %>
Stuppy answered 1/7, 2011 at 18:22 Comment(2)
Are you certain the credentials are correct? - Bicknell
@laz, yes, they are correct. Is anything wrong with the code? - Stuppy
0

You are accessing a secure site, but I don't see any SSL handling in your HttpClient code. Can you have a look at this page and try it out in a standalone client after filling in the appropriate gaps?

Bale answered 1/7, 2011 at 18:48 Comment(1)
The section SSL/TLS customization from this link: hc.apache.org/httpcomponents-client-ga/tutorial/html/… might help. - Bale
0

First of all, from the code you posted it does not seem that you are configuring the HTTP client to use HTTPS.
You are missing code like the following (at least for org.apache.http.client.HttpClient):

    SSLSocketFactory sf = new SSLSocketFactory(sslcontext);
    Scheme https = new Scheme("https", sf, 443);
    httpclient.getConnectionManager().getSchemeRegistry().register(https);

You have to check out a tutorial for DefaultHttpClient.
In any case, to see what's going on, you can use a sniffing tool like Wireshark.
The SSL handshake is viewable and you will be able to see the connection failure and understand why.

Emblements answered 1/7, 2011 at 21:36 Comment(4)
So how can I use Wireshark for that? Any suggestions will be appreciated. - Stuppy
What do you mean? Start Wireshark (wireshark.org/download.html), start capturing, filter on the IPs of your client and servers and see the traffic. But your problem is already erroneous. You are not using SSL in your connection from the client. - Emblements
And also that site requires SiteMinder authentication. So there is nothing related to that? - Stuppy
I did it that way also, but I am still getting the same error: 401 Authorization Required. Any other suggestions? - Stuppy
0

Unless you know for sure that "realm" is the proper value in that AuthScope constructor, I'd recommend removing it or determining what the actual value should be.

Bicknell answered 1/7, 2011 at 23:43 Comment(6)
I have one more doubt. If I don't want to use my username and password in that JSP page, is there any other way to pass the credentials to log in to that page? Passing the username and password in that JSP page is not the best way, right? Anybody can open that file and see the username and password? Let me know what the other option can be. - Stuppy
Without knowing more about exactly what you are trying to accomplish, all I can say is yes, there are other ways to supply the user name and password. You are also putting quite a bit of Java code into a JSP, which can quickly become difficult to maintain. - Bicknell
What I am trying to do is simply get the contents of one page using my above JSP page, and that page requires authentication. So passing the username and password in that JSP page is not a good way, right? So is there any other way, like sessions of some sort? Because anybody can see that username and password by opening that file. - Stuppy
Are the credentials per end user or are they global for the application? If they are global for the application I would recommend extracting them into a configuration file then have your application load that file and use them. The configuration file can have permissions set so that only the owner of the Java server process can read it for security measures. - Bicknell
They are per end user, they are not global. As I have to use my credentials to log in for that, that is the reason I am worried. If anybody in my team can open that file then they can see that password :( - Stuppy
You will need to prompt the user for those credentials via a form and use what they supply to connect to the remote URL then. - Bicknell
0

Change the following line:

    new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, "realm")

to the following line:

    new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM)
Brunelleschi answered 24/3, 2012 at 1:33 Comment(0)
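
An added example, not taken from the question or from any answer above: the same HttpClient 4.1 request with the credentials scoped to one expected host instead of `AuthScope.ANY_HOST`, the caller-supplied `url` checked against that host before anything is sent, and the server certificate validated against the loaded trust store (the approach the question has commented out). `ScopedFetch`, `ALLOWED_HOST` and `checkTarget` are hypothetical names, and `some-host` is the placeholder host from the question.

```java
import java.net.URI;
import java.security.KeyStore;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class ScopedFetch {
    // Assumption: the single backend this proxy page is allowed to call.
    static final String ALLOWED_HOST = "some-host";
    static final int HTTPS_PORT = 443;

    /** Returns the parsed URI only if it is https on the allowed host and port. */
    static URI checkTarget(String url) {
        URI uri = URI.create(url);
        int port = uri.getPort() == -1 ? HTTPS_PORT : uri.getPort();
        if (!"https".equalsIgnoreCase(uri.getScheme())
                || !ALLOWED_HOST.equalsIgnoreCase(uri.getHost())
                || port != HTTPS_PORT) {
            throw new IllegalArgumentException("target not allowed: " + url);
        }
        return uri;
    }

    /** Fetches the URL with credentials supplied by the caller (for example from a login form). */
    static String fetch(String url, String user, String password, KeyStore trustStore) throws Exception {
        URI target = checkTarget(url);
        DefaultHttpClient client = new DefaultHttpClient();
        try {
            // Validate the server against the trust store; the default hostname verifier stays on.
            client.getConnectionManager().getSchemeRegistry()
                  .register(new Scheme("https", HTTPS_PORT, new SSLSocketFactory(trustStore)));
            // Offer the credentials to this host and port only, for whatever realm it announces.
            client.getCredentialsProvider().setCredentials(
                    new AuthScope(ALLOWED_HOST, HTTPS_PORT, AuthScope.ANY_REALM),
                    new UsernamePasswordCredentials(user, password));
            HttpResponse res = client.execute(new HttpGet(target));
            HttpEntity entity = res.getEntity();
            return res.getStatusLine() + "\n" + (entity == null ? "" : EntityUtils.toString(entity));
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```

With `AuthScope.ANY_HOST` and an unchecked `url` parameter, the client would answer an authentication challenge from whatever host the parameter names; binding the scope to `ALLOWED_HOST` keeps the credentials from leaving for any other server.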
