It's all about the answers!

Ask a question

How to see if authentification failed when making rest calls

Staffan Solin (133) | asked Apr 10 '17, 8:56 a.m.
edited Apr 10 '17, 9:06 a.m.

 I've been doing the OLSC labs so im using the HttpUtils package with a built in connection to the NDG database. However I'm not able to find out when the authentication fails eventho there is an if statement in the code that is checking for this. But for some reason that part is allways null so the if statement is allways false. When login and password is correct the datafecthing works fine.

Declaring variables:

String serverURI = "https://<Server>.com/rm";
String rootServices = "https://<Server>.com/rm/oslc_rm/catalog"
HttpGet request = new HttpGet(rootServices);
rootServiceDoc.addHeader("Accept", "application/rdf+xml");
rootServiceDoc.addHeader("OSLC-Core-Version", "2.0");
String login= username;
String password = password;
HttpClient httpclient = new DefaultHttpClient();
public static HttpResponse sendGetForSecureDocument(String serverURI, HttpGet request, String login, String password, HttpClient httpClient)
throws IOException, InvalidCredentialsException {
// Step (1): Request the protected resource
if (DEBUG) System.out.println(">> GET(1) "+request.getURI());
HttpResponse documentResponse = httpClient.execute(request);
if (DEBUG) {
System.out.println(">> Response Headers:");
if (documentResponse.getStatusLine().getStatusCode() == 200) {
Header header = documentResponse.getFirstHeader(AUTHREQUIRED);
if ((header!=null) && ("authrequired".equals(header.getValue()))) {
// The server requires an authentication: Create the login form
HttpPost formPost = new HttpPost(serverURI+"/j_security_check");
List<NameValuePair> nvps = new ArrayList<NameValuePair>();
nvps.add(new BasicNameValuePair("j_username", login));
nvps.add(new BasicNameValuePair("j_password", password));
formPost.setEntity(new UrlEncodedFormEntity(nvps, HTTP.UTF_8));

// Step (2): The client submits the login form
if (DEBUG) System.out.println(">> POST "+formPost.getURI());
HttpResponse formResponse = httpClient.execute(formPost);
if (DEBUG) HttpUtils.printResponseHeaders(formResponse);
header = formResponse.getFirstHeader(AUTHREQUIRED);
if ((header!=null) && ("authfailed".equals(header.getValue()))) {
// The login failed
throw new InvalidCredentialsException("Authentication failed");
} else {
// The login succeed
// Step (3): Request again the protected resource
if (DEBUG) System.out.println(">> GET(2) "+request.getURI());
HttpGet documentGet2;
try {
documentGet2 = (HttpGet)(request.clone());
return httpClient.execute(documentGet2);
} catch (CloneNotSupportedException e) {
// TODO Auto-generated catch block
return  documentResponse;

One answer

permanent link
Donald Nong (14.4k213) | answered Apr 16 '17, 9:37 p.m.

You should carefully examine the response code and header, rather than assume how it works.

First of all, there is no /rm/authenticated/j_security_check, as RM delegates the authentication duty to JTS. If you POST to this URL, you will get HTTP 401 error, without the response header "X-com-ibm-team-repository-web-auth-msg" you are expecting. In case of correct username/password combination, you will get HTTP 302 then 404, which I can't explain why.

And, if you POST to /jts/authenticated/j_security_check and the authentication fails, you will get HTTP 302, redirecting to /jts/auth/authfailed, and again without the response header "X-com-ibm-team-repository-web-auth-msg". If your code is set to follow the redirecting, you will then get HTTP 200 and the response header "X-com-ibm-team-repository-web-auth-msg" with value "authfailed".

If you don't want to put in too many different codes, an easier way to do it is after the authentication, access the protected resource straightaway and check again. This is the same as the accepted answer in this post.

Your answer

Register or to post your answer.