Safely forward userID and password

I am writing a servlet/JSP application where a user will see a logon screen once. After successfully entering userID and password, I will display a list of available web applications. User selects one, and I want to forward them on to that application's entry servlet with the userID and password. My question is how to do that 'safely'.
1) Easy to do with a GET-type URL (where url = url?userid=value1&password=value2)using response.sendRedirect(url). However, I found after successful processing by the next application's entry servlet, the userid and password are still displayed in the address bar on the next screen. Is there any way within the receiving servlet to trim those off the displayed url?
2) I tried using the POST, where I contact the next application, get the page back and display it. The problem is the next application adds session data in the entry servlet, and when I just get the page back and display it, the session data is lost. Here's an example of the code I used:
String userInfo = �url?userid=value1&password=value2�;
byte[] bytesUserInfo = userInfo.getBytes();
HttpURLConnection urlConn = (HttpURLConnection)
url.openConnection();
urlConn.setDoInput(true);
urlConn.setDoOutput(true);
urlConn.setAllowUserInteraction(true);
urlConn.setUseCaches(false);
urlConn.setFollowRedirects(true);
urlConn.setRequestProperty("Content-length",
String.valueOf(bytesUserInfo.length));
OutputStream out = urlConn.getOutputStream();
urlConn.connect();
out.write(bytesUserInfo);
out.flush();
out.close();
String responsePage = "";
String line = "";
BufferedReader in = new BufferedReader(
new InputStreamReader(urlConn.getInputStream()));
while((line = in.readLine()) != null) {
responsePage += line + "\n";
response.setContentType("text/html");
PrintWriter pw = response.getWriter();
pw.println(responsePage);
pw.flush();
pw.close();
So I would display the responsePage (the second screen of the next appliction, typically a menu). But the next application expects there to be session data attached, which it established in the entry servlet. The way I get the page and display it, the session info is lost.
3) I also tried going to a 'invisible' page, then using META tag redirect, or JavaScript redirect, but then the userid and password got lost.
Is there a good way to transparently forward a user and the id and password?

Unfortunately cookies won't work here. The hidden
sessionID might - that's a good suggestion. My
question there is currently appB doensn't use
sessionID's. It just uses
HttpSession theSession = request.getSession(false);This only tells you to not create one if it doesnt exist. But if it exists, and as you are using one, it will use it. On the server there will be a sesssion which can be found by its sessionID, so you are using a sessionID. If a browser doesnt support cookies, a sessionID will be appended to the url, thats your sessionID to find your session in the session object. See request.getRequestedSessionID()
>
I might be missing something easy here, but if it
knows the sessionID is hidden, how can it convert that
to a HttpSession? Will it need some new collection
now to relate the sessionID's to the sessions? I was
looking the the API for an easy way to relate the
sessionID to the actual session, but nothing jumped
out at me.

Similar Messages

  • How to recover the userid and password with out losing data in c drive

    Hi, i have ibm server and installed windows server 2008 r2 standard. i forgot the userid and password for login so i used the password crack tool after that try to login but it shows " The login credentials are in correct" so how to login to
    system and get the c drive data safely with out loose.

    Hi,
    According to your description, I assume you have forgotten the administrator’s password. If you have another administrator account, you can use it to reset the password.
    If you don’t have another administrator account, then there is no Microsoft recommended way to reset passwords due to security considerations.
    Here are some similar threads below I suggest you refer to:
    Forgot Password for Windows Server 2008 R2
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/cc3a6a12-66e9-4a06-97fd-2a5c89d627bc/forgot-password-for-windows-server-2008-r2?forum=winservergen
    forgot windows server 2008 r2 admin password
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/ab435f7e-3927-4fda-a991-80f42e18089b/forgot-windows-server-2008-r2-admin-password?forum=winservergen
    Best Regards,
    Amy Wang

  • SSO Configuration not working - Still asking for Userid and password

    Hi Guys,
    I have configured Portal to use with backend server. Configured WAS & ITS and created System Alias.
    For Testing SSO I did following steps on portal:
    System Administration > Support > SAP Appliction > SAP Transaction
    Selected system Alias and tcode se12. Selected SAPGUI for HTML. Pressed Go.
    Instead of SE12 screen, I get Logon Screen asking for USERID and password.
    I should be getting SE12 screen directly without entering USERID and PASSWORD.
    I tested with Transaction iView (SE12)  and getting the same logon screen. After entering userid/password  it displays SAP Easy Access menu instead of displaying SE12
    Please help.
    Thanks a lot.
    mini

    Hi Sandeep.
    Thanks for your reply. Here are the answers to your questions:
    1. Is the username same in the portal and the backend that you are trying to connect, ensure that there is the same username that exists in the system you want to connect to. YES
    2. The ticket is imported properly- check the ACL and Certificate list in Tcode STRUSTSSO2.
    Ticket is valid from 01 Jan 2009 to 14 Mar 2012.
    3. Check for the parameters in place login_accept_ticket = 1 and login_create_ticket = 2 and icm_hostname_full is set to FQDN. 
    In RZ10 it has 3 parameters:
    login/accept_sso2_ticket = 1
    login/create_sso2_ticket = 2
    icm/host_name_full = sapecc6.tri.com 
    4. What is the result when you test the system connection?
    WAS & ITS Connections are successful.
    Connection test for Connectors is giving following results:
    Results
    Retrieval of default alias successful
    Connection failed. Make sure user mapping is set correctly and all connection properties are correct.
    My Connectors Details:
    Application Host : sapecc6
    Gateway Host : sapecc6.tri.com
    Gateway Host : 3301
    SAP Client : 800
    SAP Client : EC7
    SAP System Number : 01
    Server Port: 3201
    System Type: SAP_R3
    I am using same userid for Portal and backend.
    5. Are the 2 systems that you want to configure SSO in the same domain?
    I am trying to connect R3 to Portal.
    Please give me directions to fix the problem.

  • BSP - UserId and Password for Internal Users - Anonymous for other users

    Hello,
    We developed an application via BSP's. This application can be accessed by two kind of users.
    1. External Users, with should access the page without using a userId and password.
    2. Internal Users, they will have more authorisation and need to specify their userId and Password.
    How can we accomplish this? I tried internal aliases, but can't get it to work properly.
    In the first service 'zbsp' I didn't specify a userId and password in sicf.
    Then I created an internal alias 'zbsp' referring to this 'zbsp'. In this alias I specified a userId and Password, but the system still asks for a userId and Password. (and after logging in the system gives the following error: The application name in URL .../bc/bsp/sap/zbsp2/uat_report.htm is invalid.)
    What did I do wrong? Or are there other ways to accomplish this?
    Greetings,
    Bart

    Take a look at the following mesaages that discussed the whole SSO and SSO2 ticket logins.
    As for a way to handle the two different login types. Well first and formost - active the SSO Tickets on your system.  Set your BSP up for that.
    Then create a new starting page with an alias to the pöublic section for BSP's in your system. On this page make two links.
    For your external users - one that redirects to your BSP passing the user and password in the url for the "read only external user" - that's the sap-user=name here&sap-password=passwordhere.
    For your internal people give them simply the link to the BSP which when they click it will see no user name and password and redirect them to the BSP login.
    Make sure you setup the BSP login according to SAP note 517860 and follow the instructions from http://help.sap.com/saphelp_nw04/helpdata/en/1d/13c73cee4fb55be10000000a114084/frameset.htm using the supplied SYSTEM_PUBLIC)
    It's a bit basic but it works, we do it
    Oh and setting up the system for the SSO (transaction sso2) is very very simple!!

  • Hi, how to develop application , matching of userid and password to backend

    hi masters ,
                  , user  have to give userid and password of back end sap system  to see particular report. i mean there is a first view ( this first view muust not be first screen of portal ) with userid and password fields . after gave his id and password he can go to second view to see the particualr details .please suggest me about how to do custom bapi code and , in also  webdynpro java  how to develop .
               i know about sso. in this concept i have to use through webdynpro java only. no need of sso concept here .
              after giving the  userid and password , those details must be match with  backend sap database.if no  one of userid and passwrod field  is  matching it has to show some error message. and in password field must be in encrypted letters .

    hi surya,
    Use JCO api to create connection to the backend.
    [JCO tutorial|http://www.apentia-forum.de/viewtopic.php?t=1962&sid=9ac1506bdb153c14edaf891300bfde25]
    On the webdynpro screen you can ask users to enter login id and password. Use this information to create connection to backend using JCO.
    Hope this helps!
    Monalisa

  • How to authenticate userid and password of b2b user in a b2c portal

    I am having a reqirement in B2C web portal , where in i have to create two input text fields which will accept userid and password ( the userid and password will be of b2b users)and button to logon and if i click on the logon button, it should take into b2b web portal. Is it possible? if possible please help me in this issue.
    Please get back to me if i am not clear in my requirement.
    Thanks a lot in advance!
    lakshman reddy G.
    <MOVED BY MODERATOR TO THE CORRECT FORUM>
    Edited by: Alvaro Tejada Galindo on Oct 6, 2008 6:07 PM

    To get an idea check these links.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/aaa1a890-0201-0010-eb93-ae3d2bb74a78
    BSP/HowTo - Customizing the design of System Logon page in NetWeaver '04
    -Aman

  • Web report without userid and password

    Hi Experts,
    I exported a BW web report to excel spreadsheet and sent it through mail to others, When recepients tried to open that exported spreadsheet, It is prompting for userid and password. I dont want this to be happened and it should open without asking userid / passsword? Can any one suggest some clues onthis.

    Check to see if they are looking at the data or running the report.  If they are running the report, then they will be prompted for the user id and password.
    You can run the report for them and download the data only, then they will not get the prompts, however they will not be able to update the data or drill down.
    Alternatively, you can use the Broadcaster to send out the updated reports directly to them.
    Brian

  • How to encrypt UserID and Password in HTTP url

    Hello experts,
         We want to encrypt UserID and Password which has used in http URL in SAP PI 7.1.
    As we have used SOAP adapter with Transport Protocol HTTP for sender server.
    Kindly help us on it.
    Regards,
    Poonam.

    Hi,
    please go through below blog,
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b04408cc-f10e-2c10-b5b7-af11026b2393?QuickLink=index&overridelayout=true
    please go through below threads,
    SOAP Envelope with user id password
    Soap ---to ----file scenario
    regards,
    ganesh.

  • How to use the userid and password infor from Oracle DB in BO

    Out client has the userid and passwords(encrypted) infomration stored in oracle table.
    Is it possible to import this useid and password information into BO .And use the same userid and password from Oracle table for its login authentication and for data security...?
    In other words can the userid/pwd info from Oracle Profile Table imported and re-used in BO Enterprise Edition.

    If the users/pw are in an Oracle LDAP v3 compliant server then you can import them via LDAP plugin, else you would need to bring them in an enterprise users via script. The Import wizard can do this and the SDK (see the SDK forums for more info on how)
    Maintaining the passwords would be difficult unless you are using and industry standard directory like LDAP.
    Regards,
    Tim

  • How do pass the UserID and Password in the SOAP header for web services

    I am encountering issues trying to pass the userid and password in the SOAP header when consuming a 3rd party web service.  Rostewitz posted something similiar but I don't know how to type iv_xml.  Any help would be greatly appreciated.
    Thank you,
    jpina

    It helps to post a link to a thread when you refer to it.  If you are trying to implement that solution though, you can look at the parameter of the corresponding method being called.  The parameter has type 'SIMPLE' which means that it is compatible with all of the predefined elementary ABAP types.  In this case, you should use 'STRING'.

  • Where to set UserID and Password for NFS file share in Central File Adapter

    Hi All,
    Does anyone know if/where it is possible to set the userID and password if you want to connect to an NFS fileshare with the central XI30 file adapter?
    Cheers,
    Frank

    Hi Frank,
    The file adapter uses user ID SAPSERVICE... with the addition of the system ID of your SAP XI system. So if your system ID is EXD the user id which needs read/write access should be SAPSERVICEEXD.
    Have fun

  • How to Hide userid and password in the address bar

    Hello Dears
    I am using OAS 10g and calling a form from my web portal designed in ASP.Net. I pass userid and password to OAS as parameters and form is accessed but the problem is that userid and password are displayed in the address bar. How can I hide this info to secure my application.
    Note: This is a multi-user environment.
    Please guide. thanks
    Inayat Qazi

    On your reports server in the reports\conf directory there is a file called cgicmd.dat
    This file allows you to create a key that will be replaced with the entry from this file. You can put your userid and password parameters in here and thus remove them from the address line.
    Key value entries look like this in the file:
    examplekey: userid="scott/tiger@myoracleinstance" %*
    your url would then look like this:
    http://myreportsserver/servlet/rwservlet?examplekey&report=myreport.rdf&destype=cache

  • Hide userid and password

    How to make URL which should not show userid and password details for Forms and Reports.
    I am using Forms 10g.

    Hi!
    For running forms on the web without submit the username/password,
    just create a config entry in your formsweb.cfg for your application
    and write there a parameter userid=user/password@db.
    In the browser then just call http://yourpc:8889/forms/frmservlet?config=your_configFor Reports may you use the run_report_object build-in.
    Regards

  • How to create a desktop shortcut that includes UserID and Password

    I would like to know how to add my User ID and Password to allow seamless login to a site by using the userid and password
    I have an existing shortcut and would like FF to open and login to the site with one "double-click"
    I do appreciate that it is a security risk to do this, but the information on this site poses no risk for me if someone that has authorized access to my personal computer, click on this shortcut.
    I will appreciate any help to assist me in doing this.
    Kind Regards
    Frits

    iamjayakumars,
    Thanks for the advice, but the website does not give the option to save the password, hence my question
    Any other way I can perhaps in the properties specify that?

  • Please help me for checking the userid and password process

    hi master
    sir how i find any record such as user give userid and password in normat textfield thad not bound with data provider only i drop in page and also i drop dataprovider in page and i check that userid and password from table
    if found userid and password in table then move user to next page oterwise give message not righet user
    i am use this code but this code give me error
    see
    try {
    RowKey userRowKey = customerDataProvider.findFirst
    (new String[] { "CUSTOMER.USERID", "CUSTOMER.PASSWORD" },
    new Object[] { loginUserId.getText(), loginPassword.getText() });
    if (userRowKey == null) {
    error("Invalid user id or password");
    return null;
    i try this but this command also give me error
    textfieldy.setValue(partytableDataProvider.getValue("PARTYTABLE.PARTYID"));
    ==========
    textfiedlsetValue(getSessionBean1().getPartytableRowSet().setObject(1,partytableDataProvider.getValue("PARTYTABLE.PARTYID"));
    ===========
    texfield.setValue(partytableDataProvider.getValue("PARTYTABLE.PARTYID").toString());
    see error
    Possible Source of Error:
    Class Name: com.sun.data.provider.impl.CachedRowSetDataProvider
    File Name: CachedRowSetDataProvider.java
    Method Name: getFieldKeyInternal
    Line Number: 481
    Source not available. Information regarding the location of the exception can be identified using the exception stack trace below.
    Stack Trace:
    com.sun.data.provider.impl.CachedRowSetDataProvider.getFieldKeyInternal(CachedR owSetDataProvider.java:481)
    com.sun.data.provider.impl.CachedRowSetDataProvider.getFieldKey(CachedRowSetDat aProvider.java:439)
    com.sun.data.provider.impl.AbstractTableDataProvider.findFirst(AbstractTableDat aProvider.java:143)
    logintestform.Page1.button2_action(Page1.java:442)
    sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun
    please give me idea how i find record in table
    thank's
    aamir

    Hi ,
    Wondering if you were able to get past this issue. If not , I would suggest checking the prefix's on the metadata of the column name.
    Radhika

Maybe you are looking for