
Different HTTP response from Android app and Java application

I am writing an Android app that needs to authenticate with a server by sending an HTTP POST request.

When run as a regular Java application on my desktop I get a 200 OK response code when the username and password are valid, and a 302 Found when they are not (from the browser, entering invalid username/password redirects to a page that says you are unauthorized).

However, when run from my Android app I get a 200 OK every time regardless of the validity of the password.

Here is the code:

public static boolean authenticate(String user, String pass) {
    HttpClient client = new DefaultHttpClient();
    HttpPost post = new HttpPost("https://website.com/login");

    try
    {
        // Add form parameters to request
        List<NameValuePair> params = new ArrayList<NameValuePair>();
        params.add(new BasicNameValuePair("basic", "true"));
        params.add(new BasicNameValuePair("j_username", user));
        params.add(new BasicNameValuePair("j_password", pass));
        post.setEntity(new UrlEncodedFormEntity(params));


        // execute post request
        HttpResponse response = client.execute(post);
        int status = response.getStatusLine().getStatusCode();
        System.out.println("POST RESPONSE STATUS = " + status + ": " + response.getStatusLine().toString());

        // success if we get 200 OK
        // something went wrong if we get a 302 Found
        if (status == 200) {
            return true;
        } else if (status == 302) {
            return false;
        } else {
            System.out.println("Unknown response status: " + status);
            return false;
        }

    } 
    catch (IOException e) 
    {
        System.out.println("IOException trying to authenticate: " + e.getMessage());
    }

    return false;
}

Using netcat, I tried sending the request to my own computer to inspect the headers.

When executed from desktop this is what is sent:

kyle@kyle-Rev-1-0 ~ $ nc -l -p 8080
POST / HTTP/1.1
Content-Length: 51
Content-Type: application/x-www-form-urlencoded
Host: 192.168.2.17:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.3 (java 1.5)

basic=true&j_username=bob14&j_password=meow%21

When executed on my Android 4.1 tablet this is sent:

kyle@kyle-Rev-1-0 ~ $ nc -l -p 8080
POST / HTTP/1.1
Content-Length: 51
Content-Type: application/x-www-form-urlencoded
Host: 192.168.2.17:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

basic=true&j_username=bob14&j_password=meow%21

I thought it might be related to the user agent; I tried an empty string as well as "Apache-HttpClient/4.2.3 (java 1.5)" and neither made a difference.

The project is set up in Eclipse to use libraries httpcore-4.2.2.jar and httpclient-4.2.3.jar. The Android project also depends on commons-httpclient-3.1.jar at the moment.

Does anyone see why the requests are getting me different responses?

Maybe the Android HttpClient class doesn't redirect by default when you POST over https.

Try without SSL for test purposes.

Here's another related question
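
An added example (not part of the original question or its answer) showing how automatic redirect following changes the status code that a 200-versus-302 login check observes. It uses the JDK's HttpURLConnection and a constructed local server instead of the Apache HttpClient from the question; the class name, the /unauthorized path and the server behaviour are assumptions for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

// Added illustration (Java 9+), not the asker's code.
public class RedirectLoginCheck {
    // POST the form and return the status code the caller actually observes.
    static int post(String url, String form, boolean follow) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setInstanceFollowRedirects(follow);
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = c.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        int status = c.getResponseCode();
        c.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the login server: 200 for one known form body,
        // otherwise 302 to an "unauthorized" page that itself answers 200.
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        srv.createContext("/login", ex -> {
            String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            boolean ok = body.equals("basic=true&j_username=bob14&j_password=meow%21");
            if (!ok) ex.getResponseHeaders().add("Location", "http://" + ex.getRequestHeaders().getFirst("Host") + "/unauthorized");
            ex.sendResponseHeaders(ok ? 200 : 302, -1);
            ex.close();
        });
        srv.createContext("/unauthorized", ex -> {
            ex.sendResponseHeaders(200, -1);
            ex.close();
        });
        srv.start();
        String url = "http://127.0.0.1:" + srv.getAddress().getPort() + "/login";
        String bad = "basic=true&j_username=bob14&j_password=wrong";
        // With redirects followed, the client reports the final page's status.
        System.out.println("bad password, redirects followed: " + post(url, bad, true));
        // With redirects disabled, the 302 that signals a failed login stays visible.
        System.out.println("bad password, redirects disabled: " + post(url, bad, false));
        srv.stop(0);
    }
}
```

A login check that relies on seeing the 302 has to run with redirect following disabled, or it should test something the server returns only on success instead of the status code alone.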
