

Need servlet to add a customer http header then forward page, but header not coming through...

Posted on 2004-08-30
Medium Priority
Last Modified: 2013-11-24
Good afternoon Experts!

I will preface this with the statement that I am NOT a java programming expert, but mostly a front end html/javascript type who is fairly familiar with http, so I apologize upfront if I'm a bit airheaded with any response :-).

I have a scenario at work where we use a product called Siteminder for our application's authentication. It is configured so we can have a single sign on solution. Siteminder traps the URL of our application and returns an html sign-on page when not authenticated. On submitting the sign-on page it then does the authentication check, and assuming a valid user is found, it converts the input field value into a new http header attribute and *somehow* forwards to the original URL of our app.

We are in the process of having to modify all our application's login servlets to check the request.getHeader("username") instead of the request.getParameter("username"). While a minor change, it's compounded by the fact that the "powers that be" won't allow us development copies of Siteminder on our desktops. This means we can't test the code til we deploy to our QA area and any new apps we build we have to hard code a username in the absence of getting the username in the http header of the request. I decided to fake Siteminder so I could test this app (and future apps).

The Problem:

I have begun the new fake login page solution. I copied the single sign on html page Siteminder uses and created a custom servlet in a new web application (weblogic 8.1). I added a hidden field on the fake login page called "forwardTo" which is the name of the logon servlet of the real app. So my custom servlet is supposed to mimic Siteminder and forward my login username in an http header to the location I've set with my forwardTo field. So far I have set the new http header with response.setHeader("username", request.getParameter("username")) and tried both a requestDispatcher(request.getParameter("forwardTo")) and response.sendRedirect(request.getParameter("forwardTo")) and neither seems to work. I found a nice piece of code on the net that prints an html page iterating through all the http headers and so far I haven't seen my custom header come through.

The Question:

Do I have a fundamental http/java lapse in understanding or can a forward or redirect keep the custom http header I added? If neither a forward nor a redirect can keep the custom header, is what I'm trying to do impossible? Doesn't seem impossible because Siteminder does it. I thought this would be a simple thing, create a servlet, grab the request param, add the http header, forward to login page and be done. Don't want to give up, but don't see where to go from here...

Any thoughts, help, code, etc. are greatly appreciated! I think this has turned out to be difficult so I'm giving 250 points. Hopefully you guys find it easy. If more are required please advise and I'll adjust the points if possible...

thanks in advance,

-"Lost in Javaland"
Question by:iammab2u

Expert Comment

ID: 11935416
Could you hardcode the base app url in the servlet and then append the user name?


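// Base URL of the application (placeholder path)
String url = "/siteminder/blah/blah/blah";
String username = request.getParameter( "username" );
// URL-encode the value so it cannot break or extend the query string
url += "?user=" + java.net.URLEncoder.encode( username, "UTF-8" );
response.sendRedirect( url );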



Author Comment

ID: 11935544
Unfortunately not. The real Siteminder puts the value of the html text box "username" into the http header variable and then that gets forwarded to our apps. If it was put on the querystring then we could call our logon servlets and just append the param (http://localhost/myapp?username=joeblow).

Because our new code has to check if there is a header variable called "username" and if it's not there we have to assume someone is trying to gain access to the app inappropriately. In other words, our login servlets MUST have this http header variable and when it's found it has already been authenticated on the corporate LDAP server so we know it's a valid username. We can then use the username to look up the user in the database to see if they are authenticated for our specific application.

My problem is that I can't seem to mimic setting an http header variable in my custom servlet and then forwarding it to the same login servlet that Siteminder would.

Author Comment

ID: 11935683
Thought this illustration might help...

What Siteminder does:

1) user types url to web app in browser
2) Siteminder captures URL and redirects to a login page.
html login page / textfield with username and password
3) html page submits, siteminder takes username and converts
value into the http header and *redirects* to original url (1 above)
4) web application checks http header for "username" param to get
name of authenticated user. (used to check request.getParameter(),
now use request.getHeader().)

What I'm looking for is a servlet that mimics step 3 by taking the username, adding it to the response header and forwarding to the servlet of my choice (currently a servlet that prints all the http headers it gets). Once I see the header variable come through I can change to the "forwardTo" hidden field which will be the logon servlet of the real application...

hope this helps

Accepted Solution

girionis earned 1000 total points
ID: 11940369
What you are trying to do is certainly doable; at the end of the day we are programmers, we can do anything ;)

>  The real Siteminder puts the value of the html text box "username" into the http header variable and then that gets forwarded to our apps.

Do you know the name of the header that contains the username? If we assume that Siteminder has somehow altered the header of the http-request you can simply do:

String username = request.getHeader("<header name>");

Expert Comment

ID: 11940375
Expert Comment

ID: 11940401
Have also a look here: of how to specify your own headers in the response.
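
The behaviour discussed in this thread, as an added example that is not part of any post above: response.setHeader() writes a response header that goes to the browser, and a redirect makes the browser send a fresh request without it, so the target's request.getHeader("username") sees nothing; a server-side forward with a wrapped request is one way to make the header visible to the target servlet. The class name, the allowed forward paths, the javax.servlet package and deployment of the stub in the same web application as the target are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Development-only stand-in for the SSO agent (hypothetical class name).
public class FakeSsoServlet extends HttpServlet {
    private static final String HEADER = "username";
    // Forward targets are fixed here (hypothetical paths), never taken raw from the form.
    private static final Set<String> ALLOWED =
            new HashSet<String>(Arrays.asList("/printHeaders", "/login"));

    // Request view that reports one extra header; every other call passes through.
    static class HeaderRequest extends HttpServletRequestWrapper {
        private final String value;
        HeaderRequest(HttpServletRequest req, String value) { super(req); this.value = value; }
        public String getHeader(String name) {
            return HEADER.equalsIgnoreCase(name) ? value : super.getHeader(name);
        }
        public Enumeration<String> getHeaders(String name) {
            if (!HEADER.equalsIgnoreCase(name)) return super.getHeaders(name);
            return Collections.enumeration(Collections.singletonList(value));
        }
        public Enumeration<String> getHeaderNames() {
            Set<String> names = new LinkedHashSet<String>();
            for (Enumeration<?> e = super.getHeaderNames(); e.hasMoreElements();) {
                String n = (String) e.nextElement();
                if (!HEADER.equalsIgnoreCase(n)) names.add(n); // drop any client-sent copy
            }
            names.add(HEADER);
            return Collections.enumeration(names);
        }
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String target = req.getParameter("forwardTo");
        if (user == null || user.trim().length() == 0 || !ALLOWED.contains(target)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // forward() never leaves the server, so the target servlet receives the
        // wrapped request and its getHeader("username") returns the form value.
        req.getRequestDispatcher(target).forward(new HeaderRequest(req, user.trim()), resp);
    }
}
```

Because the target servlet trusts whatever arrives in this header, the stub belongs only in a development deployment, and the real application should be reachable only through the Siteminder agent.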
