• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 968
  • Last Modified:

Need servlet to add a customer http header then forward page, but header not coming through...

Good afternoon Experts!

I will preface this with the statement that I am NOT a java programming expert, but mostly a front end html/javascript type who is fairly familiar with http so I appologize upfront if I'm a bit airheaded with any response :-).

I have a senario at work where we use a product called Siteminder for our application's authentication. It is configured so we can have a single sign on solution. Siteminder traps the URL of our application and returns an html sign-on page when not authenticated. On submitting the sign-on page it then does the authentication check, and assuming a valid user is found, it converts the input field value into a new http header attribute and *somehow* forwards to the original URL of our app.

We are in the process of having to modify all our application's login servlets to check the request.getHeader("username") instead of the request.getParameter("username"). While a minor change, it's compounded by the fact that the "powers that be" won't allow us developement copies of Siteminder on our desktops. This means we can't test the code til we deploy to our QA area and any new apps we build we have to hard code a username in the absence of getting the username in the http header of the request. I decided to fake Siteminder so I could test this app (and future apps).

The Problem:

I have begun the new fake login page solution. I copied the single sign on html page Siteminder uses and created a custom servlet in a new web application (weblogic 8.1). I added a hidden field on the fake login page called "forwardTo" which is the name of the logon servlet of the real app. So my custom servlet is supposed to mimic Siteminder and forward my login username in an http header to the location i've set with my forwardTo field. So far I have set the new http header with response.setHeader("username", request.getParameter("username")) and tried both a requestDispatcher(request.getParameter("forwardTo")) and response.sendRedirect(request.getParameter("forwardTo")) and neither seems to work. I found a nice piece of code on the net that prints an html page iterating through all the http headers and so far I haven't seen my custom header come through.

The Question:

Do I have a fundemental http/java lapse in understanding or can a forward or redirect keep the custom http header I added? If neither a forward or redirect can keep the custom header, is what i'm trying to do impossible? Doesn't seem impossible because Siteminder does it. I thought this would be a simple thing, create a servlet, grab the request param, add the http header, forward to login page and be done. Don't want to give up, but don't see where to go from here...

Any thoughts, help, code, etc. are greatly appreciated! I think this has turned out to be difficult so i'm giving 250 points. Hopefully you guys find it easy. If more are required please advise and i'll adjust the points if possible...

thanks in advance,

-"Lost in Javaland"
  • 3
  • 2
1 Solution
Could you hardcode the base app url in the servlet and then append the user name?


String urlL   = "/siteminder/blah/blah/blah";

String username = request.getParameter( "username" );

url += "?user=" + username;

response.sendRedirect( url );


iammab2uAuthor Commented:
Unfortunately not. The real Siteminder puts the value of the html text box "username" into the http header variable and then that gets forwarded to our apps. If it was put it on the querystring then we could call our logon servlets and just append the param (http://localhost/myapp?username=joeblow).

Because our new code has to check if there is a header variable called "username" and if it's not there we have to assume someone is trying to gain access to the app inappropriately. In other words, our login servlets MUST have this http header variable and when it's found it has already been authenticated on the corporate LDAP server so we know it's a valid username. We can then use the username to look up the user in the database to see if they are authenticated for our specific application.

My problem is that I can't seem to mimic setting an http header variable in my custom servlet and then forwarding it to the same login servlet that Siteminder would.
iammab2uAuthor Commented:
Thougth this illustration might help...

What Siteminder does:

1) user types url to web app in browser
2) Siteminder captures URL and redirects to a login page.
html login page / textfield with username and password
3) html page submits, siteminder takes username and converts
value into the http header and *redirects* to original url (1 above)
4) web application checks http header for "username" param to get
name of authenticated user. (used to check request.getParameter(),
now use request.getHeader().)

What i'm looking for is a servlet that mimics step 3 by taking the username, adding it to the response header and forwarding to the servlet of my choice (currently a servlet that prints all the http headers it gets). Once I see the header variable come through I can change to the "forwardTo" hidden field which will be the logon servlet of the real application...

hope this helps
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

What you are trying to do is certainly doable, at the end of the day we are programmers we can so anythign ;)

>  The real Siteminder puts the value of the html text box "username" into the http header variable and then that gets forwarded to our apps.

Do you know the name of the header that contains the username? If we assume that Siteminder has somehow altered the header of the http-request you can simply do:

String username = request.getHeader("<header name>");
Have also a look here: http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Response-Headers.html of how to specify your own headers in the response.

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now