Cookie headers set through HttpURLConnection lost at the tomcat end
843824Mar 1 2011 — edited Mar 5 2011I have an externally-facing web application that is acting as a proxy for some internal application functionality. This is a combination of web service calls and HTTP requests to existing internally-facing applications (i.e. with no direct internet link - they're maintained in a different security zone).
I'm using the java.net.HttpURLConnection method of posting an HTTP request and I've included a self-contained working program below. The app does an initial touch to get the "Set-Cookie" header in order to access the JSESSIONID provided by the target application. In the final setup, I'll store this in my principle app's session so that I can keep using it. But the issue I'm facing is that when I include this JSESSIONID in a "Cookie" header for a second call to the app, tomcat is ignoring it. In fact, I don't get any of my headers showing up in the target app's request object.
Here's the simple program showing how I'm accessing the target app, the "Set-Cookie" header, making a second request with a "Cookie" header, and reading it back again.
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.List;
import java.util.Map;
public class WebPageConsumer {
public static void main(String[] args) {
String charset = "UTF-8";
try {
URL url = new URL("http://localhost:8080/MyApp");
String query = "test="+ URLEncoder.encode("testString", "UTF-8");
HttpURLConnection.setFollowRedirects(true);
//We're opening this one ONLY to get the current session cookie details.
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
List<String> cookies = connection.getHeaderFields().get("Set-Cookie");
//Now we'll move on to the real deal
connection = (HttpURLConnection) url.openConnection();
connection.setDoOutput(true);
// Add the cookie information from the first request
for (String cookie : cookies) {
System.out.println("Here's the cookie from the FIRST call:\t"+cookie);
connection.addRequestProperty("Cookie", cookie.split(";", 2)[0]);
}
Map<String, List<String>> headers = connection.getRequestProperties();
System.out.println("These are the headers that we're sending. We SHOULD have the cookie in there.");
for(String headerName : headers.keySet()){
System.out.println("\tRequest Header: "+ headerName +" : "+ headers.get(headerName));
}
// Submit the query
OutputStream output = null;
try {
output = connection.getOutputStream();
output.write(query.getBytes(charset));
} finally {
if (output != null){
try {
output.close();
} catch(IOException exception){
System.err.println(exception.getMessage());
}
}
}
// Now check what session ID we're getting back
cookies = connection.getHeaderFields().get("Set-Cookie");
for (String cookie : cookies) {
System.out.println("Here's the cookie from the SECOND call:\t"+cookie);
}
// Optionally do something with the data - we're not really interested
//DataInputStream input = new DataInputStream(connection.getInputStream());
// In the real thing I'll include the HTML result in my application's response to the screen
//input.close();
} catch (Exception exception) {
System.err.println(exception.getMessage());
exception.printStackTrace();
}
}
}
And here are the results:
Here's the cookie from the FIRST call: JSESSIONID=98CE1DA0C47A502B3B2AEAFA6386A677; Path=/MyApp
These are the headers that we're sending. We SHOULD have the cookie in there.
Request Header: Cookie : [JSESSIONID=98CE1DA0C47A502B3B2AEAFA6386A677]
Here's the cookie from the SECOND call: JSESSIONID=939D8790DA3E9B3375554BB95843B9C9; Path=/MyApp
So as you can see, I'm accessing the initial JSESSIONID, turning it around BUT I'm getting a brand new session created as tomcat is ignoring my efforts at setting headers. This happens for any and all headers I set. Whether I'm setting new arbitrary headers or trying to modify the values of those headers is listing out.
Where am I going wrong with this? I want to ensure that I'm retaining the correct session rather than creating a new one with each request. Why is tomcat ignoring my headers?
Thanks,
Mark