HTML to PDF converter for Java and .NET

<< back

PD4ML: HTTP request authorization and Session ID


Very often a source URL for PDF conversion requires a "user" to explicitly authorize himself - in other words to enter login and password in order to get an access to the document. As an HTTP request originated by PD4ML does not assume any user interactions the PDF conversion either fails in the case, or its result represents the web-application login page layout converted to PDF.

Another identical situation: an URL to be converted to PDF includes a valid session identifier, so there is no explicit login needed. But all subsequent requests (to load referenced images or stylesheets) do not include the session ID, the resources are failed to load and the resulting PDF layout is broken.

The following explains how to workaround the typical situations.

1. Running PD4ML in authenticated context.

If PD4ML library and source HTML/JSP documents belong to the same Web application, there is a big probability there is no need to explicitly authenticate HTTP requests, originated by PD4ML. You only need to associate PD4ML instance with the current HTTP session.

public void doGet(HttpServletRequest request, HttpServletResponse response) {
    pd4ml.useHttpRequest(request, response)
    pd4ml.render( ... );
PD4ML JSP taglib invokes the metod implicitly.

2. The basic HTTP authentication.
Map m = new HashMap();
m.put(PD4Constants.PD4ML_BASIC_AUTHENTICATION, "mylogin:mypassword");
The parameter forces PD4ML to supply each outgoing HTTP request with the given authentication info. According to HTTP spec, it appears in HTTP headers base64-encoded, which is probably not the best way to secure your login credentials.


3. Java Web application session ID.

Comparing to the basic HTTP authentication, Java Web applications does not follow any standard way to submit user login and password. It is up to web developers which HTML form fields to be used to hold a user identifier or password. So PD4ML does not implement an authentication technique. But it can take part in an already existing HTTP session (authenticated by a user), using a session ID to "implicitly login" and to propagate the ID to derived HTTP requests.

It can be done by the following ways.

  • embedding a session ID into URL. The session ID appears in URL like that:;jsessionid=0928346576?param1=val1&param2=val2

    The URL, passed to PD4ML.render() method must have the session info embedded. If the source HTML document, references images or stylesheets, and the resources also require an authorization, PD4ML.setSessionID()  forces PD4ML to embed the session ID to all outgoing HTTP request URLs.

    jsessionid is the default variable name. If a particular Web application changes the defaults, PD4ML can be adjusted correspondingly.
    Map m = new HashMap();
    m.put(PD4Constants.PD4ML_SESSIONID_VARNAME, "customsessionidname");
  • passing a session ID with HTTP cookies. The code

    pd4ml.setCookie("JSESSIONID", sessionID + ";path=/");
  • forces PD4ML to add the session cookie to all outgoing HTTP requests (including the "main" URL, passed to PD4ML.render()). The ";path=/" suffix is important - it limits URI scope, the cookie is applied to. In our case the most important thing that without the suffix, the cookies are simply ignored.

4. Session ID in PHP and on other platforms.  

PD4ML does not officially support session ID propagation for other environments than Java. On the other hand the Java techniques can be used on other platforms.

First, try to use cookies. For example the default session ID cookie can be set like that:

pd4ml.setCookie("PHPSESSID", sessionID + ";path=/");
PHPSESSID is only a proposed name from PHP documentation, which can be easily overriden in php.ini. Make sure it matches your config.

If the session management does not permit a session ID propagation via cookies, the only remaining method is URL rewriting: to pass PHPSESSID=<sessionID> HTTP parameter along with URL to inform the server about the active session.

Note: Modern PHP versions have turned this off using session.use_trans_sid=0 in php.ini


Copyright ©2004-17 zefer|org. All rights reserved. Bookmark and Share