PD4ML: HTTP request authorization and Session ID
Very often a source URL for PDF conversion requires the user to authorize explicitly, in other words to enter a login and password,
in order to get access to the document. Because an HTTP request originated by PD4ML does not involve any
user interaction, the PDF conversion either fails in that case, or its result
is the web application's login page layout converted to PDF.
A similar situation: a URL to be converted to PDF includes a valid
session identifier, so no explicit login is needed. But all subsequent
requests (to load referenced images or stylesheets) do not include the session
ID, so the resources fail to load and the resulting PDF layout is broken.
The following explains how to work around the typical situations.
1. Running PD4ML in authenticated context.
If the PD4ML library and the source HTML/JSP documents belong to the same Web application, there is most likely no need
to explicitly authenticate the HTTP requests originated by PD4ML. You only need to associate the PD4ML instance with the current HTTP session.
public void doGet(HttpServletRequest request, HttpServletResponse response) {
...
pd4ml.useHttpRequest(request, response);
...
pd4ml.render( ... );
}
The PD4ML JSP taglib invokes the method implicitly.
2. The basic HTTP authentication.
Map m = new HashMap();
m.put(PD4Constants.PD4ML_BASIC_AUTHENTICATION, "mylogin:mypassword");
pd4ml.setDynamicParams(m);
The parameter forces PD4ML to supply each outgoing HTTP request with the given
authentication info. According to the HTTP spec, it appears in the HTTP headers
base64-encoded, which is an encoding rather than encryption, so it is probably
not the best way to secure your login credentials.
3. Java Web application session ID.
Compared to basic HTTP authentication, Java Web applications do not
follow any standard way of submitting a user login and password. It is up to the web
developers which HTML form fields hold the user identifier or
password, so PD4ML does not implement an authentication technique.
But it can take part in an already existing HTTP session (authenticated by a
user), using a session ID to "implicitly log in" and propagating the
ID to derived HTTP requests.
It can be done in the following ways.
- embedding a session ID into the URL. The session ID appears in the URL like
this:
http://old.pd4ml.com/app/page.jsp;jsessionid=0928346576?param1=val1&param2=val2
The URL passed to the PD4ML.render() method must have the session
info embedded. If the source HTML document references images or stylesheets,
and those resources also require authorization, PD4ML.setSessionID()
forces PD4ML to embed the session ID into all outgoing HTTP request URLs.
jsessionid is the default variable name. If a particular Web
application changes the default, PD4ML can be adjusted correspondingly.
Map m = new HashMap();
m.put(PD4Constants.PD4ML_SESSIONID_VARNAME, "customsessionidname");
pd4ml.setDynamicParams(m);
- passing a session ID with HTTP cookies. The code
pd4ml.setCookie("JSESSIONID", sessionID + ";path=/");
forces PD4ML
to add the session cookie to all outgoing HTTP requests (including the
"main" URL passed to PD4ML.render()). The ";path=/" suffix is
important: it defines the URI scope the cookie applies to. Most importantly
in our case, without the suffix the cookie is simply
ignored.
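Added example, not PD4ML code: a small Java helper showing where the ;jsessionid path parameter from the first option above sits relative to the query string and fragment, and attaching it only to URLs on one host so the ID does not travel to third-party servers. The class, the withSessionId helper, its trustedHost parameter, and the sample hosts and session ID are assumptions made for illustration.

```java
import java.net.URI;

// Added illustration, not PD4ML code: shows where a ";jsessionid=" path
// parameter sits in a URL and when it is safe to attach one.
public class SessionUrlExample {

    // varName: session variable name ("jsessionid" by default).
    // trustedHost: hypothetical parameter, the only host allowed to receive the ID.
    static String withSessionId(String url, String varName, String sessionId, String trustedHost) {
        URI uri = URI.create(url);
        String host = uri.getHost();
        if (host == null || !host.equalsIgnoreCase(trustedHost)) {
            return url; // foreign or relative URL: leave it untouched
        }
        // Split off "#fragment" and "?query"; the path parameter goes before both.
        String rest = url, fragment = "", query = "";
        int hash = rest.indexOf('#');
        if (hash >= 0) { fragment = rest.substring(hash); rest = rest.substring(0, hash); }
        int q = rest.indexOf('?');
        if (q >= 0) { query = rest.substring(q); rest = rest.substring(0, q); }
        // Drop a session parameter that is already present (for example a stale ID).
        int old = rest.indexOf(";" + varName + "=");
        if (old >= 0) { rest = rest.substring(0, old); }
        return rest + ";" + varName + "=" + sessionId + query + fragment;
    }

    public static void main(String[] args) {
        String host = "app.example.test";   // constructed sample host
        String sid = "0123456789ABCDEF";    // constructed sample session ID
        String[] samples = {                // constructed sample URLs
            "http://app.example.test/app/page.jsp?param1=val1&param2=val2",
            "http://app.example.test/css/site.css",
            "http://app.example.test/img/logo.png;jsessionid=STALE#top",
            "http://cdn.example.test/lib/shared.css"
        };
        for (String s : samples) {
            System.out.println(withSessionId(s, "jsessionid", sid, host));
        }
    }
}
```

The first three sample URLs come back with the session ID inserted before any "?" or "#"; the last one, on a different host, is returned unchanged.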
4. Session ID in PHP and on other platforms.
PD4ML does not officially support session ID propagation for environments
other than Java. On the other hand, the Java techniques can be used on other platforms.
First, try to use cookies. For example, the default session ID cookie can be set like this:
pd4ml.setCookie("PHPSESSID", sessionID + ";path=/");
PHPSESSID is only the name proposed in the PHP documentation, and it can easily be overridden in
php.ini. Make sure it matches your configuration. If the session management
does not permit session ID propagation via cookies, the only remaining method
is URL rewriting: passing a PHPSESSID=<sessionID> HTTP parameter along
with the URL to inform the server about the active session.
Note: Modern PHP versions have turned this off using
session.use_trans_sid=0
in php.ini