javax.ws.rs.client.Client and Form Based Authentication

Today I implemented a javax.ws.rs.client.ClientRequestFilter for a form based authentication. The FormAuthenticator class can be used in combination with a javax.ws.rs.client.Client  to interact, for example, with a rest api secured by a login form. Such a login form in Java EE typically uses the request URI ‘/j_security_check‘ with the form input fields ‘j_username’ and ‘j_password‘. As a result of a successful login the browser stores a cookie named “JSESSIONID” which need to be send with every request.

The request filter can be added to a javax.ws.rs.Client like this:

....
// create a javax.ws.rs.client
client = ClientBuilder.newClient();
// create new formAuthenticator
FormAuthenticator formAuthFilter = new FormAuthenticator(rest_api_url, 
     userid, password);
// register the filter...
client.register(formAuthFilter);
// now you can GET, POST, ....
....

You cam find the source code of this filter class on GitHub.

If you have any ideas for improvements your comments are welcome!

4 Replies to “javax.ws.rs.client.Client and Form Based Authentication”

  1. Hello Ralph,

    I was wondering do you login for every invocation? how about log-off? do you handle that?

    Another point is that, I notice your ClientRequestFilter is not annotated with @Provider. Yet javadoc states:

    “An extension interface implemented by client request filters. Filters implementing this interface MUST be annotated with @Provider. This type of filters is supported only as part of the Client API.”

    I am also working on something similar, but I think I do need to make sure to log-off every after invocation. Any advice is much appreciated.

  2. Thanks for this hint. Yes I think the @Provider annotation should be added.

    For your question about the login/logout issue: If you have the JSESSON cookie you do not need to re-login. In my own use cases the client is used by stateless microservices so I do not store any session information.

    For a logout you application should provide a suitable ressource (…/?logout), because in form-based authentication there is no standard for logout. This is at least my understanding for form-based authentication. If you have information here lets discuss this.

  3. In my case, the above code resulting in http response code 417. expectation failed.
    The application uses weblogic server and https enabled. Hence i added the cookie _wl_authcookie_jsessionid in the filter method code for the class FormAuthenticator.

    how to resolve the 417 response code error ?

    1. Yes this sounds like a cookie problem? Maybe the endpoint expects additional cookies? You can try to test this when you manually login on the page and watching the cookies and network communication. For example a browser also sends header information about the ‘webagent’. Maybe you need to set this in your request?

Leave a Reply to Nary Cancel reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.