Solved

Need servlet to add a customer http header then forward page, but header not coming through...

Posted on 2004-08-30
8
943 Views
Last Modified: 2013-11-24
Good afternoon Experts!

I will preface this with the statement that I am NOT a java programming expert, but mostly a front end html/javascript type who is fairly familiar with http so I appologize upfront if I'm a bit airheaded with any response :-).

I have a senario at work where we use a product called Siteminder for our application's authentication. It is configured so we can have a single sign on solution. Siteminder traps the URL of our application and returns an html sign-on page when not authenticated. On submitting the sign-on page it then does the authentication check, and assuming a valid user is found, it converts the input field value into a new http header attribute and *somehow* forwards to the original URL of our app.

We are in the process of having to modify all our application's login servlets to check the request.getHeader("username") instead of the request.getParameter("username"). While a minor change, it's compounded by the fact that the "powers that be" won't allow us developement copies of Siteminder on our desktops. This means we can't test the code til we deploy to our QA area and any new apps we build we have to hard code a username in the absence of getting the username in the http header of the request. I decided to fake Siteminder so I could test this app (and future apps).

The Problem:

I have begun the new fake login page solution. I copied the single sign on html page Siteminder uses and created a custom servlet in a new web application (weblogic 8.1). I added a hidden field on the fake login page called "forwardTo" which is the name of the logon servlet of the real app. So my custom servlet is supposed to mimic Siteminder and forward my login username in an http header to the location i've set with my forwardTo field. So far I have set the new http header with response.setHeader("username", request.getParameter("username")) and tried both a requestDispatcher(request.getParameter("forwardTo")) and response.sendRedirect(request.getParameter("forwardTo")) and neither seems to work. I found a nice piece of code on the net that prints an html page iterating through all the http headers and so far I haven't seen my custom header come through.

The Question:

Do I have a fundemental http/java lapse in understanding or can a forward or redirect keep the custom http header I added? If neither a forward or redirect can keep the custom header, is what i'm trying to do impossible? Doesn't seem impossible because Siteminder does it. I thought this would be a simple thing, create a servlet, grab the request param, add the http header, forward to login page and be done. Don't want to give up, but don't see where to go from here...

Any thoughts, help, code, etc. are greatly appreciated! I think this has turned out to be difficult so i'm giving 250 points. Hopefully you guys find it easy. If more are required please advise and i'll adjust the points if possible...

thanks in advance,

-"Lost in Javaland"
0
Comment
Question by:iammab2u
  • 3
  • 2
8 Comments
 

Expert Comment

by:NorCal1876
Comment Utility
Could you hardcode the base app url in the servlet and then append the user name?

i.e.

String urlL   = "/siteminder/blah/blah/blah";

String username = request.getParameter( "username" );

url += "?user=" + username;

response.sendRedirect( url );

??



0
 

Author Comment

by:iammab2u
Comment Utility
Unfortunately not. The real Siteminder puts the value of the html text box "username" into the http header variable and then that gets forwarded to our apps. If it was put it on the querystring then we could call our logon servlets and just append the param (http://localhost/myapp?username=joeblow).

Because our new code has to check if there is a header variable called "username" and if it's not there we have to assume someone is trying to gain access to the app inappropriately. In other words, our login servlets MUST have this http header variable and when it's found it has already been authenticated on the corporate LDAP server so we know it's a valid username. We can then use the username to look up the user in the database to see if they are authenticated for our specific application.

My problem is that I can't seem to mimic setting an http header variable in my custom servlet and then forwarding it to the same login servlet that Siteminder would.
0
 

Author Comment

by:iammab2u
Comment Utility
Thougth this illustration might help...

What Siteminder does:

1) user types url to web app in browser
  |
  V
2) Siteminder captures URL and redirects to a login page.
html login page / textfield with username and password
  |
  V
3) html page submits, siteminder takes username and converts
value into the http header and *redirects* to original url (1 above)
  |
  V
4) web application checks http header for "username" param to get
name of authenticated user. (used to check request.getParameter(),
now use request.getHeader().)

What i'm looking for is a servlet that mimics step 3 by taking the username, adding it to the response header and forwarding to the servlet of my choice (currently a servlet that prints all the http headers it gets). Once I see the header variable come through I can change to the "forwardTo" hidden field which will be the logon servlet of the real application...

hope this helps
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 35

Accepted Solution

by:
girionis earned 250 total points
Comment Utility
What you are trying to do is certainly doable, at the end of the day we are programmers we can so anythign ;)

>  The real Siteminder puts the value of the html text box "username" into the http header variable and then that gets forwarded to our apps.

Do you know the name of the header that contains the username? If we assume that Siteminder has somehow altered the header of the http-request you can simply do:

String username = request.getHeader("<header name>");
0
 
LVL 35

Expert Comment

by:girionis
Comment Utility
0
 
LVL 35

Expert Comment

by:girionis
Comment Utility
Have also a look here: http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Response-Headers.html of how to specify your own headers in the response.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
Introduction This article is the last of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article covers our test design approach and then goes through a simple test case example, how …
Viewers will learn about the regular for loop in Java and how to use it. Definition: Break the for loop down into 3 parts: Syntax when using for loops: Example using a for loop:
This tutorial explains how to use the VisualVM tool for the Java platform application. This video goes into detail on the Threads, Sampler, and Profiler tabs.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now