Authorization tag in  http header

Similar Messages

• SSRS web services 401 if you pass "Authorization" http header

  We use both SSRS 2008 R2 and 2012. When i access a report using url access (direct ssrs server hit) and add a "Authorization: Bearer xyzelkalklsjsdfalsjdf" http header, i get a 401 from somewhere in the request pipeline. I have a custom httpmodule
  registered at the top of the chain which does some OAuth related security checks. But when this header is included, the request never reaches the httpmodule. If i change the header slightly ex: "YAuthorization: ljlxzcvc..", then the request reaches
  the httpmodule and everything works. So obviously SSRS is looking for a particular header named "Authorization" and does something with it. Point to note: we have implemented a custom forms authentication module and we are doing some rich authorization
  using the extensible ssrs api. 
  Now my questions are:
  1. What is happening here? Who is acting on my request before my HttpModule registered on top in ssrs\reporting service\web.config gets it?
  2. How do i ensure my httpmodule executes before whatever component is terminating my request with a 401

  Sorry if this sounds like I am new to this but I am.
  So, the extended version is the format that would be used if you were not utilizing the files that the wsdl2java function creates?
  And this is done to when you want more flexibiility for the user to call your service?
  So, you would push to have the stub files used when you want to control how the web service is used?
  thanks for the feedback.

• Which OAM setting for passing values in HTTP header to application

  Experts, what is the setting in OAM 11gR2 that is set to pass a userid pulled from a LDAP directory (which is already configured with OAM) as a HTTP Header to an application.
  This is typically in cases where OAM is protecting or providing to protected resources on a Web Server or application.
  Is this setting (in OAM) by default set to userid? I wanted to know exactly where and how to set this value in OAM Console settings.

  In the protected resource policy and protected authorization policy in the responses tab set parameters to return headers for example if you want to return userid under name set header name like user_name, type header and the value as $user.userid. By default I guess OAM_REMOTE_USER is set in the http headers which contains the user id.

• OSB Http Transport Custom Authenticatiion (X509 in Http header)

  Hello!
  I'm trying to solve this case. We have F5 Load balancer that terminates SSL Connections From client to the OSB. When terminating the SSL, the LB adds the clients certificate into headers of the Http request going to OSB.
  OSb proxy service is configured to use custom authentication with token type X509 (only choice in the OSB console).
  What happens when I send the request to OSB, is that I get http code 401 (unauthorized) this error on server log:
  ####<Sep 27, 2011 3:08:05 PM EEST> <Error> <WliSbTransports> <appserver02> <MANSERV02> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1317125285598> <BEA-381327> <Transport-level custom token identity assertion failed
  java.lang.ClassCastException: java.lang.String cannot be cast to [Ljava.security.cert.X509Certificate;
  The HTTP header sent to OSB is in the messages below.
  It has also been wihotu the BEGIN CERTIFICATE and END CERTIFICATE lines with same results.
  Can somebody help me in:
  a) Should the certificate be sent in what form from LB to OSB.
  b) How should the OSB/WLS be configured for this to work?
  OSB version is 10.3.1.
  Request to the server is:
  POST /prjTemplateService/ProxyServices/psvcHelloWolrdWSSSLInterface HTTP/1.1
  Accept-Encoding: gzip,deflate
  Content-Type: text/xml;charset=UTF-8
  SOAPAction: "urn:#HelloWorldOperation"
  User-Agent: Jakarta Commons-HttpClient/3.1
  Host: <ip_here>
  Content-Length: 459
  SSLClientCertStatus: ok
  SSLClientCertb64: -----BEGIN CERTIFICATE-----
  MIICHDCCAYUCBE2sABcwDQYJKoZIhvcNAQEEBQAwVTELMAkGA1UEBhMCRkkxCzAJ
  BgNVBAgTAkZJMQ4wDAYDVQQHEwVFc3BvbzEMMAoGA1UEChMDRVpaMQswCQYDVQQL
  EwJUQzEOMAwGA1UEAxMFSnVzc2kwHhcNMTEwNDE4MDkxMDQ3WhcNMTEwNzI3MDkx
  MDQ3WjBVMQswCQYDVQQGEwJGSTELMAkGA1UECBMCRkkxDjAMBgNVBAcTBUVzcG9v
  MQwwCgYDVQQKEwNFWloxCzAJBgNVBAsTAlRDMQ4wDAYDVQQDEwVKdXNzaTCBnzAN
  BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvEPjEn3tvG3YuXlsLZnE7ZOKUJIF0Foy
  c1hp+k7dyGUoHu3Phva7eVOO1cmHaGkFHkg+EnnK3+/Y58EMQAEwPOfQTj0/vSSk
  cEx2X/2p2W7ACldJlYMxx2ZdFa1qaKTXtoieLy23/kJI+ZTfIoB+nmZiPRE9Hq8p
  LTPlcMWVFnkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQC3EZMQieOy4PFh+95R6W7/
  3xaaRm/BzmEU/Wf9JweEwrnttdSmRKsxx9vSkADnD0J7jGO+koym5CWvJHbox4Sk
  QMRPFaTOBRD4hzZeJMidds1LSzUm/QE9PXzjS/HLSjBBs5DmZfdR+uXPSFqTROkd
  87R5veuPX5KeKQHs8iesTw==
  -----END CERTIFICATE-----
  SSLClientCertSN: 4d:ac:00:17
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Hello:client">
  <soapenv:Body>
  <urn:HelloWorldRequest>
  <urn:FirstName>Jolly</urn:FirstName>
  <urn:Surname>Roger</urn:Surname>
  </urn:HelloWorldRequest>
  </soapenv:Body>
  </soapenv:Envelope>
  Response from OSB:
  HTTP/1.1 401 Unauthorized
  Connection: close
  Date: Fri, 30 Sep 2011 08:32:33 GMT
  Content-Length: 1518
  Content-Type: text/html
  X-Powered-By: Servlet/2.5 JSP/2.1
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN">
  <HTML>
  <HEAD>
  <TITLE>Error 401--Unauthorized</TITLE>
  <META NAME="GENERATOR" CONTENT="WebLogic Server">
  </HEAD>
  <BODY bgcolor="white">
  <FONT FACE=Helvetica><BR CLEAR=all>
  <TABLE border=0 cellspacing=5><TR><TD><BR CLEAR=all>
  <FONT FACE="Helvetica" COLOR="black" SIZE="3"><H2>Error 401--Unauthorized</H2>
  </FONT></TD></TR>
  </TABLE>
  <TABLE border=0 width=100% cellpadding=10><TR><TD VALIGN=top WIDTH=100% BGCOLOR=white><FONT FACE="Courier New"><FONT FACE="Helvetica" SIZE="3"><H3>From RFC 2068 <i>Hypertext Transfer Protocol -- HTTP/1.1</i>:</H3>
  </FONT><FONT FACE="Helvetica" SIZE="3"><H4>10.4.2 401 Unauthorized</H4>
  </FONT><P><FONT FACE="Courier New">The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.</FONT></P>
  </FONT></TD></TR>
  </TABLE>
  </BODY>
  </HTML>

  >
  by using Client Cert authentication I have to set HTTPS required to true.
  >
  Yes.
  >
  When I try to invoke this service with http request, it redirects to https service.
  This actually just trashes the entire idea of terminating SSL in the load balancer.
  >
  Not necessarily. Although direct HTTP request to WebLogic is redirected to HTTPS enabled port, you can still use this settings with WebLogic plugin. I'm not aware of your deployment, but I use Apache plugin for WebLogic, terminate SSL on Apache and I'm still able to send requests authenticated by certificate from client through HTTPS.
  I don't know about F5, but I guess there should be similar feature as well.
  http://download.oracle.com/docs/cd/E12840_01/wls/docs103/cluster/load_balancing.html

• Passing username & password in HTTP Header

  Hi all,
  My 1st query.
  I want to access a url which asks for username & password.
  how can i put my username & password in the http header so that when i call that url it shouldn't ask for the username & password.can anyone plz show it as a piece of servlet code.
  Thanks,
  Neha

  I am uing the HttpUrlConnection and the way I set is using the "setRequestProperty()" method. The follwoing code snippet actually encodes the user + passwd and sets it in the HTTP header.
  if(this.user != null) {
  BASE64Encoder encoder = new BASE64Encoder();
  StringBuffer buf = new StringBuffer(user).append(":").append(this.passwd);
  String encoded = encoder.encode(buf.toString().getBytes());
  httpCon.setRequestProperty("Authorization", "Basic " + encoded);

• BC Ecommerce SOAP Error: Server did not recognize the value of HTTP Header SOAPAction

  I am trying to add a product to an ecommerce site with this soap action: Product_UpdateInsert
  I have followed this very brief instruction: https://jollyrogers.worldsecuresystems.com/catalystwebservice/catalystecommercewebservice. asmx?op=Product_UpdateInsert
  I have a html page in a secure area with a jQuery ajax soap script.
  I get the this error when I run the script:
  <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Server did not recognize the value of HTTP Header SOAPAction: https://jollyrogers.worldsecuresystems.com/CatalystDeveloperService/CatalystEcommerceWebse rvice/Product_UpdateInsert.</faultstring><detail /></soap:Fault></soap:Body></soap:Envelope>
  I have also tried to add a header with the Soap action with the beforeSend in the ajax call.
  This must have been solved before I suppose?
  Here is my script:
  <!DOCTYPE html>
  <html lang="en">
  <head>
  <title>Test SOAP Request</title>
      <script type="text/javascript" src="//code.jquery.com/jquery-1.10.2.min.js"></script>
      <script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.3.1/jquery.cookie.min.js"></script>
      <script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/underscore.js/1.5.1/underscore-min.js"></script>
      <script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/backbone.js/1.0.0/backbone-min.js"></script>
      <script type="text/javascript" src="//cdn.worldsecuresystems.com/bcapi/bcapi-0.0.1.min.js"></script>
  </head>
  <body>
  <script>
  var wsUrl = "https://jollyrogers.worldsecuresystems.com/catalystwebservice/catalystecommercewebservice. asmx";
  var soapRequest =
  '<?xml version="1.0" encoding="utf-8"?> \
  <soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"> \
    <soap12:Body> \
      <Product_UpdateInsert xmlns="https://jollyrogers.worldsecuresystems.com/CatalystDeveloperService/CatalystEcommerceWebse rvice"> \
        <username>myEmailAdress</username> \
        <password>mySecretPassw</password> \
        <siteId>1894001</siteId> \
        <productList> \
          <Products> \
            <productCode>ZJAWEyuuyN</productCode> \
            <productName>My test product</productName> \
            <description>Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.</description> \
            <smallImage>/images/product1/small.jpg</smallImage> \
            <largeImage>/images/product1/large.jpg</largeImage> \
           <cataloguesArray> \
               <string>/Store/</string> \
            </cataloguesArray> \
            <pricesSaleArray> \
              <string>US/19.95,3/17.96,7/16.96</string> \
            </pricesSaleArray> \
            <pricesRetailArray> \
              <string>US/20,5/19,8/20</string> \
            </pricesRetailArray> \
            <pricesWholesaleArray> \
              <string>US/20,5/19,8/20</string> \
            </pricesWholesaleArray> \
            <wholesaleTaxCodeArray> \
              <string>US/0.00</string> \
            </wholesaleTaxCodeArray> \
            <taxCodeArray> \
              <string>GB/VAT</string> \
            </taxCodeArray> \
            <groupProducts> \
              <string>580H0036BL</string> \
              <string>ACAI60</string> \
              <string>ABC-123</string> \
            </groupProducts> \
            <groupProductsDescriptions> \
              <string>Lorem ipsum dolor sit amet</string> \
              <string>consectetur adipisicing elit</string> \
            </groupProductsDescriptions> \
            <supplierEntityId>1234</supplierEntityId> \
            <supplierCommission>0</supplierCommission> \
            <weight>30</weight> \
            <tags>NEW!</tags> \
            <unitType>string</unitType> \
            <minUnits>0</minUnits> \
            <maxUnits>2</maxUnits> \
            <inStock>43</inStock> \
            <onOrder>3</onOrder> \
            <reOrder>2</reOrder> \
            <inventoryControl>true</inventoryControl> \
            <canPreOrder>true</canPreOrder> \
            <custom1>Text in custom field 1</custom1> \
            <custom2>Text in custom field 2</custom2> \
            <custom3>Text in custom field 3</custom3> \
            <custom4>Text in custom field 4</custom4> \
            <popletImages>/images/image1.jpg;/images/image2.jpg;</popletImages> \
            <enabled>true</enabled> \
            <deleted>false</deleted> \
            <captureDetails>true</captureDetails> \
            <downloadLimitCount>20</downloadLimitCount> \
            <limitDownloadsToIP>0</limitDownloadsToIP> \
            <isOnSale>true</isOnSale> \
            <hideIfNoStock>true</hideIfNoStock> \
            <productAttributes>Size*|5|Y:L||UK/2|US/20,S||UK/1|US/10</productAttributes> \
            <isGiftVoucher>false</isGiftVoucher> \
            <enableDropShipping>true</enableDropShipping> \
            <productWeight>0</productWeight> \
            <productWidth>0</productWidth> \
            <productHeight>0</productHeight> \
            <productDepth>0</productDepth> \
            <excludeFromSearch>false</excludeFromSearch> \
            <productTitle>My product title</productTitle> \
            <cycletypeId>3</cycletypeId> \
            <cycletypeCount>-1</cycletypeCount> \
            <slug>my-product</slug> \
            <hasVariations>true</hasVariations> \
            <variations> \
              <ProductVariation xsi:nil="true" /> \
              <ProductVariation xsi:nil="true" /> \
            </variations> \
          </Products> \
        </productList> \
      </Product_UpdateInsert> \
    </soap12:Body> \
  </soap12:Envelope>';
  $.ajax({
       type: "POST",
       beforeSend: function(xhr){xhr.setRequestHeader('SOAPAction', 'https://jollyrogers.worldsecuresystems.com/CatalystDeveloperService/CatalystEcommerceWebse rvice/Product_UpdateInsert');},
       url: wsUrl,
       contentType: "text/xml",
       dataType: "xml",
       data: soapRequest,
       success: processSuccess,
       error: processError
  function processSuccess(data, status, req)
     if (status == "success")
     alert("Success!");
  function processError(data, status, req)
     alert("Failed!");
     alert(req.responseText + " " + status);
  </script>
  </body>
  </html>

  This line is a target namespace so it should not be changed: <Product_Retrieve xmlns="http://tempuri.org/CatalystDeveloperService/CatalystEcommerceWebservice"> It is very easy to think that it's a placeholder and that it should be replaced with your own url, which it should not and which will fail.
  This works now:
  <!DOCTYPE html>
  <html lang="en">
      <head>
          <title>Test 7 SOAP Request</title>
          <script type="text/javascript" src="//code.jquery.com/jquery-1.10.2.min.js"></script>
      </head>
      <body>
          <script>    
              var SoapMessage = '<?xml version="1.0" encoding="utf-8"?> \
  <soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"> \
  <soap12:Body> \
  <Product_Retrieve xmlns="http://tempuri.org/CatalystDeveloperService/CatalystEcommerceWebservice"> \
  <username>Your Email</username> \
  <password>Your password</password> \
  <siteId>1894001</siteId> \
  <productCode>HHKDKXS5MB</productCode> \
              </Product_Retrieve> \
              </soap12:Body> \
              </soap12:Envelope>';
              var url = "https://jollyrogers.worldsecuresystems.com/catalystwebservice/catalystecommercewebservice. asmx";
              $.support.cors = true;
              $.ajax({
                  type: "POST",
                  url: url,
                  data: SoapMessage,
                  dataType: "xml",
                  processData: true,
                  contentType: "text/xml; charset=\"utf-8\"",
                  success: function (msg) {
                      alert("suc: " + msg);
                  error: function (msg) {
                      alert("Failed: " + msg);
          </script>
      </body>
  </html>   

• How to set custom HTTP header for single sign on

  Currently we just begin to use an application called "etran". This application requires user name and password to login. Now, my assignment is to integrate etran application in our internal application. This means that somewhere in our internal application, there is a link leads to the etran application.
  It is going to be single sign on, that means that once user logs into our internal application, when he/she clicks on the etran link, no sign on to etran is needed.
  I consult with the technical people in etran. they said that our internal application needs to send a "login request" to etran via SSL with the user's information encoded in base 64 format. etran captures the HTTP header containing user authentication and authorization information, and parses the required information from the HTTP header.
  My question is that how I set user information in HTTP header? From my understanding, once I am able to set the user information in HTTP header, it is in base 64 format?
  Thanks in advance for your help.

  sharon38_74 wrote:
  they said that our internal application needs to send a "login request" to etran via SSL with the user's information encoded in base 64 format. etran captures the HTTP header containing user authentication and authorization information, and parses the required information from the HTTP header.
  My question is that how I set user information in HTTP header? From my understanding, once I am able to set the user information in HTTP header, it is in base 64 format?Your application need to act like a proxy. You can invoke a HTTP request programmatically using java.net.URLConnection. You can set request headers using URLConnection#setRequestProperty(). Also see the API docs: [http://java.sun.com/javase/6/docs/api/java/net/URLConnection.html]. You only need to know the header field name where to set the Base64-encoded value in. You need to Base64-encode the value yourself.

• How to get the user and groups information from http header

  Hi All,
  In my current scneario, we are using Siteminder for SSO setup.. And in this process, after authentication and authorization, they are going to append the user information and group information of the user into a HTTP header and it will be sent back to our presentation services.. We have to extract the user information and group information from the http header.
  My HTTP header will look like as follows..
  SM_USER XYZ
  SM_USERDN CN=Firstname\, Lastname\, xyz, OU=GPO-Low Level Security,OU=Domain Users,OU=BU FDT,
  SM_USERGROUPS CN=GG-CA-SiteminderAdmins, OU=Global,OU=Domain Groups, DC=com^CN=GG-ServiceDeskAdmin-TCCORPCEFS
  And also if anyone explain me the overall working of SSO in detail like how presentation services will make a connection to BI server( I guess using Impersonator User), and also how our BI server will read the URL from presentation services and the over all working flow in our OBIEE..
  Thanks a lot....

  Please use the search! this topic has come up lots of times already.

• How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking

  How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking. I have put the IIS setting X-Frame-Options:SAMEORIGIN  on my Internal CAS Server. However as the OWA page is published through
  Forefront TMG 2010, the iFrame tag is not blocked when the page is first opened. Only when you login with your credentials to the OWA page inside the frame and the page reaches IIS on the Internal CAS it gets blocked. I want to block it in the first
  instance when it is opened from TMG.

  Hi,
  Thank you for the post.
  To modify the http header, please refer to this blog:
  http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/
  Regards,
  Nick Gu - MSFT

• Setting HTTP header in soapMessage

  Hi,
  How can i set an specific HTTP header when using a SOAPConnection to send a SOAPMessage ?
  Please help,
  Pieter
  ps: it the Authorization header, so without it the other part won't accept my post !

  Pieterrr/ddossot
  I need to do the same thing. I have the code in place but it is still not adding the MimeHeaders to HTTPRequest object. I have the jxm-api.jar, and saaj-api.jar in my classpath.
  What am i doing wrong?
  This is my code
            try{
            // Create SOAP message
            MessageFactory factory = MessageFactory.newInstance();
            SOAPMessage message = factory.createMessage();
            // Create SOAP envelope
            SOAPPart soapPart = message.getSOAPPart();
            SOAPEnvelope envelope = soapPart.getEnvelope();
            SOAPHeader hh = envelope.getHeader();
            MimeHeaders headers = message.getMimeHeaders();
                      SOAPHeader     soapHeader = message.getSOAPHeader();
                      //headers.removeHeader("soapaction");
            headers.setHeader("soapction", "http://tempuri.org/GetData");
            String Hdr_Version_Name = "Version";
            String Hdr_Version_Value = "1.0";
            String Hdr_OnBehalfOf_Name = "OnBehalfOf";
            String Hdr_OnBehalfOf_Value = "";
            String Hdr_Role_Name = "Role";
            String Hdr_Role_Value = "1";
            String Hdr_EndPoint_Name = "EndPoint";
            String Hdr_EndPoint_Value = "001";
            String Hdr_ServiceId_Name = "ServiceId";
            String Hdr_ServiceId_Value = "001";
            String Hdr_DateTime_Name = "DateTime";
            String Hdr_DateTime_Value = "10/22/02";
            String Hdr_ClientApplication_Name = "ClientApplication";
            String Hdr_ClientApplication_Value = "APP001";
            String Hdr_TraceWebMethod_Name = "TraceWebMethod";
            String Hdr_TraceWebMethod_Value = "false";
            String Hdr_ClientTouchPoint_Name = "ClientTouchPoint";
            String Hdr_ClientTouchPoint_Value = "ClientTouchPoint";
            String Hdr_ChannelInfo_Name = "ChannelInfo";
            String Hdr_ChannelInfo_Value = "ChannelInfo";
            String Hdr_Environment_Name = "Environment";
            String Hdr_Environment_Value = "WINOS";
            String Hdr_USER_Name = "MUSER";
            String Hdr_USER_Value ="";
            String Hdr_SESSIONID_Name = "SESSIONID";
            String Hdr_SESSIONID_Value ="";
            String SAML_ASSERTION_Cookie_Name = "SAML_ASSERTION";
            String SAML_ASSERTION_Cookie_Value ="";
            String Hdr_tmsasessionticket_Name = "http_tmsamlsessionticket";
            String Hdr_tmsasessionticket_Value = token;
            headers.setHeader(Hdr_Version_Name,Hdr_Version_Value);
            headers.setHeader(Hdr_OnBehalfOf_Name,Hdr_OnBehalfOf_Value);
            headers.setHeader(Hdr_Role_Name,Hdr_Role_Value);
            headers.setHeader(Hdr_EndPoint_Name,Hdr_EndPoint_Value);
            headers.setHeader(Hdr_ServiceId_Name,Hdr_ServiceId_Value);
            headers.setHeader(Hdr_DateTime_Name,Hdr_DateTime_Value);
            headers.setHeader(Hdr_ClientApplication_Name,Hdr_ClientApplication_Value);
            headers.setHeader(Hdr_TraceWebMethod_Name,Hdr_TraceWebMethod_Value);
            headers.setHeader(Hdr_ClientTouchPoint_Name,Hdr_ClientTouchPoint_Value);
            headers.setHeader(Hdr_ChannelInfo_Name,Hdr_ChannelInfo_Value);
            headers.setHeader(Hdr_Environment_Name,Hdr_Environment_Value);
            headers.setHeader(Hdr_USER_Name,Hdr_USER_Value);
            headers.setHeader(Hdr_SESSIONID_Name,Hdr_SESSIONID_Value);
            // Necessary For Secure method
            headers.addHeader(Hdr_tmsasessionticket_Name, Hdr_tmsasessionticket_Value);
                 headers.addHeader("otc_header", "otcderiv");
            envelope.addNamespaceDeclaration("xsi","http://www.w3.org/2001/XMLSchema-instance");
            envelope.addNamespaceDeclaration("xsd","http://www.w3.org/2001/XMLSchema");
            envelope.addNamespaceDeclaration("soap","http://schemas.xmlsoap.org/soap/envelope/");
            boolean rem = envelope.removeNamespaceDeclaration("soapenv");
            SOAPBody body = envelope.getBody();
            soapPart.setContentId("");
            Name bodyName = envelope.createName("GetData", "", "http://tempuri.org/");
            SOAPBodyElement createuser = body.addBodyElement(bodyName);
            SOAPConnectionFactory scFactory = SOAPConnectionFactory.newInstance();
            message.saveChanges();
            SOAPConnection con = scFactory.createConnection();
            URL endpoint = new URL("http://abc.xyz.com/securitymanager.asmx");
            System.out.println("INPUT=" + envelope.toString());
            SOAPMessage responsex = con.call(message, endpoint);
            // print the response message
            ByteArrayOutputStream soapResponseStream = new ByteArrayOutputStream();
            responsex.writeTo(soapResponseStream);
            String sOutput = soapResponseStream.toString();
            //System.out.println("OUTPUT=" + sOutput);
            System.out.println(sOutput);
            }catch(Exception e)
            e.printStackTrace();
            }

• SSO to other apps via HTTP header variable

  We are on NW EP6.0 SP16. We need to add the "user id" as http header variable so that other apps which are non SAP can access our header variable and log on with that user id. Is this available by default? Or we want to achieve this how best we can achieve this.
  We can use the code to get the user id and add it to header variable. If we use this route which is the jsp page we need to add the code?
  Thanks

  Hi,
    we can you login modules provided by SAP to accomplish this.. you can use header variable authentication login module to acheive your requirement.
    please refer: http://help.sap.com/saphelp_nw04/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
  Hope that helps.
  Regards,
  S.Divakar

• Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

  Hello SDN community,
  in the context of a Proof of Concept, we are testing the integration of Microsoft Sharepoint Portal with SAP Backend (addin) systems.
  As the architecture impose use an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chosed the http header solution which in short uses an intermediary web server (in this case the IIS of the MOSS solution) which will act as authority.
  I miss information on how the workflow works for this http header authentication method. Through the visual administrator of the addin JAVA stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this all that I know.
  My task is to configure SSO. From a sharepoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that the very first call to a webdynpro or bsp (or maybe when we log on the sharepoint portal), the request to the WDP or BSP will first be forwareded by the intermediary server to the JAVA stack (or is it the SAP dispatcher that has to be configured).
  Is there an application to be built on the java stack to deal with the authentication, modify http header?
  What will the Java stack return? a sap long ticket? a token?
  How will the redirect work (to by example a BSP which is in the ABAP stack)?
  SAP preconise to secure with SSL the link between the intermediary web server and the JAVA stack, is IP restriction also a solution?
  A lot of questions about how this SSO http header should work,
  I would be very greatful for any help, or info,
  Kind regards,
  Tanguy Mezzano

  Hi Tanguy,
  to tell you the truth I'm really unsure about what you are trying to achieve. When I started posting to your thread I thought all you wanted was trying to access your J2EE engine via Browser and authenticate against the engine using HTTP Header Variables. Nevermind:
  Here are some answers to your question:
  in fact I did succeed, the problem was that even after domain-relaxation done by the J2EE, I had to change the domain of th SAP cookie to the bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems that no...).
  The server does not care about the domain because Cookies in an HTTP Request do not contain any domain information. The domain is just important when the Cookie is set by the server so your Client (Browser) will know in which cases the Cookie may be sent or not. So if your domain is xxx.yyy.domain.com and your cookie is issued to .domain.com then your Browser will definitely sent it to all hosts under .domain.com (This includes xxx.yyy.domain.com etc.)
  My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.
  You can do that but there is no Client involved in this scenario. So this is useful if you just want to test the functionality (e.g. authentication to J2EE using Header Variables (This works finally!!!) and then use the fetched Logon Ticket to test SSO against any trusted Backend!!)
  So everything's is in a Java Client application without using any redirection.
  If I understand you, you're solution is from the Browser call a servlet (which is deployed on the Java Stack and has no authentication schema) by passing to it our http header.
  No, you should initially authenticate somewhere! I thought that maybe you had some resource you access before accessing the Java Stack. This could be any application (e.g. deployed on a Tomcat or JBOSS or other server or if you like even SAP J2EE). After authenticating there you are aware of the username and could use it to  procceed (e.g. Authenticate against the J2EE using the same user and HTTP Header authentication for that particular user!)
  That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then to redirect to the resource and by sending back the cookie in client browser. Am I correct?
  This was just a suggestion because I realized that there was no Client ever involved in any of your testing (looked strange to me!). I was just thinking that it would be easier for you to just get the Cookie into your Browser so your Browser would do the rest for you (in your case finally send the Logon Ticket Cookie to your Backend to test SSO using Logon Tickets!).
  The AuthenticatorServlet somehow serves as a Proxy to your client because your client is not able to set the Header Variable. That's why I initially suggested to use a Proxy (e.g. Apache) for that purpose. The problem is just that if you use a Proxy you will have to tell it somehow which username it should set in the Header Variable (e.g. using a URL Parameter or using a personalized client certificate and fetch the username (e.g. cn=<username> from the certificate!)
  This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...
  I'm stuck again! Do you want to authenticate an End User or do you want to authenticate an application that needs to call any resources in your Backend that requires authentication?
  So my problem now, is how to call the servlet from the client browser:
  I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not to reach a servlet. I don't find the path to my servlet:
  <FORM method="POST" action="SSORedirect2" >
  A JSP is a servlet too. There is just no JAVA Class involved!
  You do not need any POST Request to invoke a Servlet.
  I see that my servlet is deployed, but I don't how what path to give to my form to invoke the servlet, here follows my web.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE web-app (View Source for full doctype...)>
  - <web-app>
    <display-name>WEB APP</display-name>
    <description>WEB APP description</description>
  - <servlet>
    <servlet-name>SSOredirect2</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
    </servlet>
  - <servlet>
    <servlet-name>SSORedirect2.jsp</servlet-name>
    <jsp-file>/SSORedirect2.jsp</jsp-file>
    </servlet>
  - <security-constraint>
    <display-name>SecurityConstraint</display-name>
  - <web-resource-collection>
    <web-resource-name>WebResource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
  - <auth-constraint>
    <role-name>DefaultSecurityRole</role-name>
    </auth-constraint>
    </security-constraint>
  - <security-role>
    <role-name>DefaultSecurityRole</role-name>
    </security-role>
    </web-app>
  If you have an AuthenticatorServlet Class all you need is to add the Servlet Mapping in your web.xml file
  e.g.
  <servlet>
    <description>
    </description>
    <display-name>AuthenticatorServlet</display-name>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <url-pattern>/AuthenticatorServlet</url-pattern>
  </servlet-mapping>
  You can directly call the Servlet in your Browser by calling the URL provided in the url-pattern of your Servlet mapping ( in this case /AuthenticatorServlet). The engine will invoke the Class "com.atosorigin.examples.AuthenticatorServlet" in the background and do whatever you defined there!
  I have also to pass my http header and the redirectUrl in the GET request.
  If you like! I just suggested this for testing purposes. As I stated before you need a way to tell your proxy (or in your case AuthenticatorServlet) which user should be set when calling the Engine in order to authenticate using HTTP Header. You could use the URL Paramater to define the user you actually want to use when you set the Header Variable.
  I just introduced the redirectURL because you were talking about redirects all the time. So if you finally want to call the Backend you could define the Backend URL in the redirectURL Parameter and the Servlet will make sure that you are redirected to this location after the whole process!
  Thx for your input very helpful,
  But again 0 points
  Cheers

• What happens to the HTTP header parameters I put there?

  Our tool puts some parameters into the HTTP header. But, it appears that the Dispatcher is not passing them to the WAS.  Could this be?
  Is there a way to tell the Dispatcher to not drop our HTTP header stuff? Perhaps a configuration setting? I didn't find any.
  When I set a break in my servlet running on NW WAS, I see:
  referer:
  Cookie:
  etc.
  but I don't see the parameters we put there.
  This is the NW SneakPreview download.

  Hi Farokh,
  I think there should be much problem passing parameters  through the Url. I am sorry however that I have not worked much on the Servlet but on WebDynpro, which I can share with you if its of any use to you.
  Regards
  Noufal

• How do I set the Http Header POST URL in SAAJ?

  Hi ,
  I am a newbie in the field of web services. I was trying to create a SOAP request with Http Header POST information having a POST url like
  the following:
  POST /OMASTI.xml HTTP/1.1
  Content-Type: multipart/related; boundary="eladeladeladeladeladeladeladeladelad"; type=text/xml; start=11814460
  Content-Length: 54596
  Host: unspecified
  SOAPAction: ""
  to that effect I did the following in the SAAJ client:
  MimeHeaders md = message.getMimeHeaders();
            md.setHeader("SOAPAction" ,"\"\"");
            md.setHeader("POST" ,"/OMASTI.xml");
  However what I got was :
  POST / HTTP/1.1
  Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  SOAPAction: ""
  POST: /OMASTI.xml
  Content-Type: multipart/related; type="text/xml"; boundary="----=_Part_2_32124414.1153146262750"
  Content-Length: 3352
  Cache-Control: no-cache
  Pragma: no-cache
  User-Agent: Java/1.5.0_07
  Host: www.google.com
  Connection: keep-alive
  I have two POSTs in the header. How do I fix it? Please Help ASAP.
  Regards,
  Zeus

  Hi,
  Please forgive my ignorance. I did the same as you said. and then checked the Http request being sent out using ethreal software... it was the same as I had told earlier. Is only POST supported by the connection object? And the does the URL that comes in the Mime header as POST refer to the URL to which the request was sent? what I mean is that if the mime header says
  POST /OMASTI.xml HTTP 1.1, does it mean that the URL that was passed to the connection object was "/OMASTI.xml" ? I had given the url as http://www.google.com to test the request being sent.. I only have a sample SOAP request which shows a HTTP header with the post url as I said before. I need to create a SOAP request with the same sort of Http header and the body needs to follow a certain OMA-STI protocol. My experience in the SOAP domain is almost nil. So please enlighten me.
  Thanks in advance,
  zeus

• Error in setting up HTTP Header Variable Authentication

  Hi,
  I am trying to set-up SSO for SAP Biller Direct aplication (deployed on SAP J2EE 7.0) using HTTP Header variable authentication.
  As per SAP documentation I have created a new login module "HeaderVariableLoginModule" pointing to class "com.sap.security.core.server.jaas.HeaderVariableLoginModule".
  Then I have added this new login module to Statck "Ticket" and the new config looks as below. HTTP header when UID is passed is USI_LOP.
  Name                                                                                Flag                                            Options
  com.sap.security.core.server.jaas.HeaderVariableLoginModule    Sufficient                                    ume.configuration.active= tue,
                                                                                  Header=USI_LOP
  BasicPasswordLoginModule                                                           Optional
  CreateTicketLoginModule                                                                 Optional                                         ume.configuration.active= tue
  EvaluateTicketLoginModule                                                              Sufficient                                      ume.configuration.active= tue
  The problem I am now having is that the authentication through HTTP_HEADEr does not work. Even though I ahve increased the trace level for JAAS module to debug, there is not any type of information generated in the log.
  Each time I call the Biller Direct URL from the extrenal web server which also passes the HEADER variable for Authntication, the authrisation just fails and I am being shown a Logon Screen to pust UID/PASSWORD.
  Can someone please guide me, how I can debug this? There is very no information whether anyone tried to login with HEADER varibale and that has failed...
  Also, I am not pretty sure whether I am using the right Authentication Stack, which is is Ticket in my case..
  But when I enter the application without any URL redirects and enter UID and password directly for Biller Direct, I get the following in log file, which makes me believe that I am using the right stack.
  LOGIN.OK
  User: CONDLG
  Authentication Stack: ticket
  Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
  1. com.sap.security.core.server.jaas.HeaderVariableLoginModule             SUFFICIENT  ok          false      false                
  2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   OPTIONAL    ok          true       true                 
  3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
  4. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
  Central Checks                                                                                true                 
  Any help will be very much apprecated..
  Thanks,
  Vikrant Sud

  Vikrant,
  The reason why it is not working is because your login modules in ticket stack are in wrong order and with wrong flags. The first one should be EvaluateTicketLoginModule with flag=SUFFICIENT, then the Header Variable login module, with flag=OPTIONAL, then CreateTicketLoginModule with flag=SUFFICIENT, then BasicPasswordLoginModule with flag=REQUISITE, and lastly CreateTicektLoginModule with flag=OPTIONAL
  Thanks,
  Tim