0

What I do manually:

  1. I open the URL http://localhost:8080/webadmin/index.html and enter the login and password.
  2. Then I click the button, which really does an HTTP GET request: http://localhost:8080/rest/platform/domain/list

What I do in java:

```java
import java.net.HttpURLConnection;
import java.net.URL;

String addr = "http://localhost:8080/rest/platform/domain/list?_dc=1325843792402"; //"http://localhost:8080/webadmin/index.html";

URL url = new URL(addr);
HttpURLConnection httpCon = (HttpURLConnection) url.openConnection();
// A GET has no request body: setDoOutput(true) plus getOutputStream() would
// silently turn this request into a POST, so both are left out.
httpCon.setDoInput(true);
httpCon.setUseCaches(false);
httpCon.setAllowUserInteraction(false);
httpCon.setRequestMethod("GET");

// No credentials or session cookie are sent, so the server answers 401.
System.out.println(httpCon.getResponseCode());
System.out.println(httpCon.getResponseMessage());
httpCon.disconnect();
```

And I get the response: 401 Unauthorized.

It is understandable why: I should create an authorised connection by entering a login and a password. But how can I do this?

Neuron
Lesya Makhova

2 Answers

1

That depends on the authentication scheme. There are several possibilities, including

The server will tell you the correct scheme in its 401 answer. Look for the WWW-Authenticate HTTP header in the answer.

For doing HTTP authentication in Java, see this tutorial which contains a lot of useful information.

Florian Brucker
1

On authentication using form fields in a web page, what happens is the following:

  1. You access a login page. The server marks your session using one of the following methods:
    • Session cookie, present in the HTTP Response headers. You should store this cookie and resend it afterwards.
    • Redirect to a new URL in which the session is marked (http://localhost:8080/?sessionKey=3292n9fafjwagwao2903j2fswioanw)
    • (sometimes) a hidden HTML form or JavaScript variable which contains the session key and which is POSTed on every click of a link.
  2. Let us suppose the server uses cookies. You then do a POST request containing:
    • The cookie you received.
    • Your username and password in the POST data
  3. The server now marks your session as "logged in" and may even give you a new or extra session identifier.
  4. You then access a secured resource, providing a session identifier proving you are logged in.

You can follow this process very nicely using the Google Chrome Developer Network view (press CTRL+SHIFT+J, go to Network).

How do you translate this to Java code?

  1. Do initial request to login page. Recover session cookie from HTTP headers.
  2. Do a POST to the login form destination. Include the session cookie in the HTTP request header and the username/password in the POST data. Recover the session cookie from HTTP headers.
  3. Now access the protected resource. Include the session cookies in the HTTP request header.

Of course, there are other ways of authenticating users at the webserver level (HTTP BASIC authentication, NTLM...), as explained by other answers here. The above method only works for HTML FORM-based authentication (as used by Facebook, Dropbox, ... and almost all major websites out there).

parasietje
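The three steps from the answer above, as an added example that is not part of the original posts: a `java.net.CookieManager` installed as the default `CookieHandler` stores the session cookie from each response and resends it on later `HttpURLConnection` requests. The login page and REST URLs come from the question; `LOGIN_ACTION`, the `username`/`password` field names and the `APP_USER`/`APP_PASS` environment variables are assumptions.

```java
import java.io.OutputStream;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class FormLoginExample {
    // LOGIN_PAGE and RESOURCE are from the question. LOGIN_ACTION and the form
    // field names are hypothetical: read the real ones from the login form's HTML.
    static final String LOGIN_PAGE = "http://localhost:8080/webadmin/index.html";
    static final String LOGIN_ACTION = "http://localhost:8080/webadmin/login"; // assumption
    static final String RESOURCE = "http://localhost:8080/rest/platform/domain/list";

    static String enc(String s) throws Exception { return URLEncoder.encode(s, "UTF-8"); }

    static int get(String addr) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(addr).openConnection();
        c.setRequestMethod("GET");
        int code = c.getResponseCode(); // the cookie jar adds and stores cookies
        c.disconnect();
        return code;
    }

    static int postLogin(String user, String pass) throws Exception {
        byte[] body = ("username=" + enc(user) + "&password=" + enc(pass))
                .getBytes(StandardCharsets.UTF_8);
        HttpURLConnection c = (HttpURLConnection) new URL(LOGIN_ACTION).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true); // a POST carries a body
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream os = c.getOutputStream()) { os.write(body); }
        int code = c.getResponseCode();
        c.disconnect();
        return code;
    }

    public static void main(String[] args) throws Exception {
        // One in-memory cookie jar shared by every HttpURLConnection in this JVM.
        CookieManager jar = new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER);
        CookieHandler.setDefault(jar);
        // Credentials come from the environment, not from source code.
        String user = System.getenv("APP_USER"), pass = System.getenv("APP_PASS");
        if (user == null || pass == null) throw new IllegalStateException("set APP_USER and APP_PASS");

        System.out.println("1. login page: " + get(LOGIN_PAGE));
        System.out.println("2. login POST: " + postLogin(user, pass));
        // Print only the count so the session identifier stays out of logs.
        System.out.println("   cookies held: " + jar.getCookieStore().getCookies().size());
        System.out.println("3. resource:   " + get(RESOURCE));
    }
}
```

If step 3 still returns 401, compare the login POST with the one the browser sends in the Network view: the form may carry extra hidden fields that must be included in the POST data.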