How to login in web site using Java

Question

I want to access some pages of web site https://myoffice.bt.com which requires user authentication using java. We have to sign in first to access pages. I have wriiten following code.

package root;

import java.io.IOException;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.params.HttpMethodParams;


public class Url
{
 public static void main(String[] args) throws IOException
 {
  HttpClient client = new HttpClient();

  client.getParams().setParameter(
      HttpMethodParams.USER_AGENT,
      "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2"
  );

  client.getState().setCredentials(
     new AuthScope("https://myoffice.bt.com", 443,  AuthScope.ANY_REALM),
     new UsernamePasswordCredentials("username", "password")  ); 

  PostMethod get = new PostMethod("https://myoffice.bt.com/youraccount/default.aspx");
  get.setDoAuthentication( true );
  System.out.println(get.getFollowRedirects());
  //get.setFollowRedirects(true);


  try {
    // execute the GET
     int status = client.executeMethod( get );

     // print the status and response
     System.out.println(status + "\n" + get.getResponseBodyAsString());

     } finally {
     // release any connection resources used by the method
      get.releaseConnection();
     } 


 }

}

But it gives following errors.

> Jun 22, 2010 12:14:40 PM org.apache.commons.httpclient.HttpMethodDirector isRedirectNeeded
INFO: Redirect requested but followRedirects is disabled
302

If I uncomment get.setFollowingRedirects line, It gives another error.

Exception in thread "main" java.lang.IllegalArgumentException: Entity enclosing requests cannot be redirected without user intervention
 at org.apache.commons.httpclient.methods.EntityEnclosingMethod.setFollowRedirects(Unknown Source)
 at root.Url.main(Url.java:30)

Can any one help me here? Can we do form based authentication using HttpClient?

Thanks.

Answer 1

First - please don't name your PostMethod variable get.

Second, try this:

PostMethod post = new PostMethod("yourUrl")
{
    @Override
    public boolean getFollowRedirects()
    {
        return true;
    }
};

If you ever happen to be on the "other side" and want to prevent your users from suffering, use the response code 303 (See Other) when redirecting a POST request to a GET, instead of the common 302 and 301 (per RFC). Regular browsers tend to be nice, break the rules and NOT ask us to confirm these redirects, but a lot of mobile browsers still do.

Regarding your question about form based authentication - you just need to figure out the parameter names to use (by looking at the source of the website where you "normally" log in, for example), and then populate them with the appropriate values:

post.addParameter("username", username);
post.addParameter("password", password);

---

I played around with the login form at myoffice.bt.com, there's a few things going on in JavaScript.

The form is submitted to https://myoffice.bt.com/siteminderagent/forms/login.fcc

The form elements that are submitted were as follows (name=value, some values were empty):

Segment=btb.hub
SubSegment=
searchType=0
searchPlatform=BEA
lob=btb.hub
queryText=
searchText=
ctl00$masterWebpartManager$gwpCustomLogin1$CustomLogin1$UserName=your@email.com
ctl00$masterWebpartManager$gwpCustomLogin1$CustomLogin1$PWD=yourpwd
ctl00$masterWebpartManager$gwpCustomLogin1$CustomLogin1$RememberMe=on
[email protected]
PASSWORD=yourpwd
SMENC=ISO-8859-1
SMLOCALE=US-EN
userFirstLoginUrl=https://myoffice.bt.com/ManageBusinessApplications/SecretQA.aspx
PrivateLoginSuccessUrl=https://myoffice.bt.com/sm/privatecreatesession.aspx?siteArea=btb.mya
PublicLoginSuccessUrl=https://myoffice.bt.com/sm/createsession.aspx?siteArea=btb.mya
target=https://myoffice.bt.com/sm/privatecreatesession.aspx?siteArea=btb.mya&TARGET=https%3a%2f%2fmyoffice.bt.com%2fdefault.aspx (hidden)
submitStatus=
smauthreason=
smagentname=
postpreservationdata=
[email protected]
authMode=SITEMINDER
smUrl=https://myoffice.bt.com/siteminderagent/forms/login.fcc
notSMUrl=https://myoffice.bt.com/default.aspx
smIdentifier=1

Try adding some or all of these (at least USER and PASSWORD) to your PostMethod, and make sure you are submitting to the correct URL.

Answer 2

If that website uses Siteminder authentication you will not be able to log in just like that. Siteminder uses cookies to identify authenticated sessions. These cookies are valid only as long as your session is alive. If you are not logged in, then the server redirects you to the Siteminder login page (hence the redirect). So what you'll need to do is follow the redirect, send your credentials (username/password), then follow the redirect again, sending the received cookies.

I've recorded sessions for regression tests using The Grinder (http://grinder.sourceforge.net/), and it was able to log in to the Siteminder protected website automatically! So it is definitely possible, but you'll have to do a bit more than simply send an HTTP request...

The best solution would be some kind of other authentication, like certificate-based authentication (but of course this must be configured on the server side as well, so this may not be an option in this case). Why not ask BT whether they provide other authentication methods?

EDIT: I've just found this: http://www.codeproject.com/KB/IP/SiteminderHttpWebRequest.aspx The source code is in VB, but the article is excellent, and it should be no problem to translate VB code to Java... ;-)