Need servlet to add a customer http header then forward page, but header not coming through...

Posted on 2004-08-30
Last Modified: 2013-11-24
Good afternoon Experts!

I will preface this with the statement that I am NOT a java programming expert, but mostly a front end html/javascript type who is fairly familiar with http, so I apologize upfront if I'm a bit airheaded with any response :-).

I have a scenario at work where we use a product called Siteminder for our application's authentication. It is configured so we can have a single sign on solution. Siteminder traps the URL of our application and returns an html sign-on page when not authenticated. On submitting the sign-on page it then does the authentication check, and assuming a valid user is found, it converts the input field value into a new http header attribute and *somehow* forwards to the original URL of our app.

We are in the process of having to modify all our application's login servlets to check the request.getHeader("username") instead of the request.getParameter("username"). While a minor change, it's compounded by the fact that the "powers that be" won't allow us development copies of Siteminder on our desktops. This means we can't test the code until we deploy to our QA area, and for any new apps we build we have to hard code a username in the absence of getting the username in the http header of the request. I decided to fake Siteminder so I could test this app (and future apps).

The Problem:

I have begun the new fake login page solution. I copied the single sign on html page Siteminder uses and created a custom servlet in a new web application (weblogic 8.1). I added a hidden field on the fake login page called "forwardTo" which is the name of the logon servlet of the real app. So my custom servlet is supposed to mimic Siteminder and forward my login username in an http header to the location I've set with my forwardTo field. So far I have set the new http header with response.setHeader("username", request.getParameter("username")) and tried both a requestDispatcher(request.getParameter("forwardTo")) and response.sendRedirect(request.getParameter("forwardTo")) and neither seems to work. I found a nice piece of code on the net that prints an html page iterating through all the http headers and so far I haven't seen my custom header come through.

The Question:

Do I have a fundamental http/java lapse in understanding or can a forward or redirect keep the custom http header I added? If neither a forward nor a redirect can keep the custom header, is what I'm trying to do impossible? Doesn't seem impossible because Siteminder does it. I thought this would be a simple thing: create a servlet, grab the request param, add the http header, forward to login page and be done. Don't want to give up, but don't see where to go from here...

Any thoughts, help, code, etc. are greatly appreciated! I think this has turned out to be difficult so I'm giving 250 points. Hopefully you guys find it easy. If more are required please advise and I'll adjust the points if possible...

thanks in advance,

-"Lost in Javaland"
Question by:iammab2u

Expert Comment

ID: 11935416
Could you hardcode the base app url in the servlet and then append the user name?


// Base URL of the target app
String url = "/siteminder/blah/blah/blah";
String username = request.getParameter( "username" );
// Append the user name as a query-string parameter
url += "?user=" + username;
response.sendRedirect( url );



Author Comment

ID: 11935544
Unfortunately not. The real Siteminder puts the value of the html text box "username" into the http header variable and then that gets forwarded to our apps. If it was put on the querystring then we could call our logon servlets and just append the param (http://localhost/myapp?username=joeblow).

Because our new code has to check if there is a header variable called "username" and if it's not there we have to assume someone is trying to gain access to the app inappropriately. In other words, our login servlets MUST have this http header variable and when it's found it has already been authenticated on the corporate LDAP server so we know it's a valid username. We can then use the username to look up the user in the database to see if they are authenticated for our specific application.

My problem is that I can't seem to mimic setting an http header variable in my custom servlet and then forwarding it to the same login servlet that Siteminder would.

Author Comment

ID: 11935683
Thought this illustration might help...

What Siteminder does:

1) user types url to web app in browser
2) Siteminder captures URL and redirects to a login page (html login page / textfield with username and password)
3) html page submits, siteminder takes username and converts value into the http header and *redirects* to original url (1 above)
4) web application checks http header for "username" param to get name of authenticated user. (used to check request.getParameter(), now use request.getHeader().)

What I'm looking for is a servlet that mimics step 3 by taking the username, adding it to the response header and forwarding to the servlet of my choice (currently a servlet that prints all the http headers it gets). Once I see the header variable come through I can change to the "forwardTo" hidden field which will be the logon servlet of the real application...

hope this helps

Accepted Solution

girionis earned 250 total points
ID: 11940369
What you are trying to do is certainly doable; at the end of the day we are programmers, we can do anything ;)

>  The real Siteminder puts the value of the html text box "username" into the http header variable and then that gets forwarded to our apps.

Do you know the name of the header that contains the username? If we assume that Siteminder has somehow altered the header of the http-request you can simply do:

String username = request.getHeader("<header name>");

Expert Comment

ID: 11940375

Expert Comment

ID: 11940401
Have also a look here: of how to specify your own headers in the response.
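
An added example, not part of the original thread or of SiteMinder: response.setHeader() only writes a header on the reply sent to the browser, and sendRedirect() makes the browser issue a fresh request, so neither puts "username" into the request the logon servlet reads. A forward can carry it if the request is wrapped first. Assumptions: the javax.servlet 3.x API, the fake login servlet deployed in the same web application as its targets, and the hypothetical names FakeSsoServlet, HeaderRequest, /showHeaders and /logon.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Development-only stand-in for the SSO agent (hypothetical class; not SiteMinder code).
public class FakeSsoServlet extends HttpServlet {
    // Hypothetical targets; listing them keeps "forwardTo" from reaching arbitrary resources.
    private static final Set<String> TARGETS =
            new HashSet<>(Arrays.asList("/showHeaders", "/logon"));

    // Wrapper that reports one extra request header to the servlet forwarded to.
    static class HeaderRequest extends HttpServletRequestWrapper {
        private final String name, value;
        HeaderRequest(HttpServletRequest req, String name, String value) {
            super(req);
            this.name = name;
            this.value = value;
        }
        @Override public String getHeader(String n) {
            return name.equalsIgnoreCase(n) ? value : super.getHeader(n);
        }
        @Override public Enumeration<String> getHeaders(String n) {
            return name.equalsIgnoreCase(n)
                    ? Collections.enumeration(Collections.singletonList(value))
                    : super.getHeaders(n);
        }
        @Override public Enumeration<String> getHeaderNames() {
            List<String> names = new ArrayList<>();
            for (String h : Collections.list(super.getHeaderNames())) {
                if (!name.equalsIgnoreCase(h)) names.add(h); // drop a client-sent copy
            }
            names.add(name);
            return Collections.enumeration(names);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String forwardTo = req.getParameter("forwardTo");
        if (username == null || username.isEmpty() || !TARGETS.contains(forwardTo)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // forward() stays inside the container, so the target sees the wrapped request.
        req.getRequestDispatcher(forwardTo)
           .forward(new HeaderRequest(req, "username", username), resp);
    }
}
```

Because the logon servlets treat the "username" header as proof of authentication, this servlet belongs only in development builds, and deployed applications should be reachable only through the real agent, which is what guarantees the header was not supplied by the client.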
