HTTP Header in Servlet-Response

Similar Messages

• REG : HTTP header fields (Synchronous response)

  Hi All,
           Can anyone please explain the advantage of using this function in the receiver HTTP adapter( ie
  "Set adapter specific message attribute -> HTTP header fields (Synchronous response)")
  and how this can be implemented?
  Thanks in Adavnce,
  Siva

  >
  sivarama krishna wrote:
  > Hi All,
  >
  >          Can anyone please explain the advantage of using this function in the receiver HTTP adapter( ie
  > "Set adapter specific message attribute -> HTTP header fields (Synchronous response)")
  >  and how this can be implemented?
  >
  >
  >
  > Thanks in Adavnce,
  > Siva
  from help:
  If you want to save HTTP header fields from the synchronous response in the XI message header, choose HTTP Header Fields (Synchronous Response) and enter the fields in the fields Field 1 to Field 6.
  The fields must have the same names as the fields that are also to be sent in the HTTP response.
  The technical names of the fields are HeaderFieldOne,...,HeaderFieldSix.
  this means that in case you look to access the header of the response message of a sync http you can use this ASMA.
  the implementation will be in your response mapping, using dynamic configuration - /people/shabarish.vijayakumar/blog/2009/03/26/dynamic-configuration-vs-variable-substitution--the-ultimate-battle-for-the-file-name

• HTTP header in HTTP reponse

  i have a HTTP request--->BPM--->Http Response, there is a S/A bridge to implement this
  for which i there is a
  1. HTTP sender channel (outbound synchronous message interface),
  2. BPM,
  the requirement is...in the sync HTTP response, i need the HTTP header "content-length"to be changed to 0,
  for this i wanted to use the "Set adapter specific message attribute -> HTTP header fields (Synchronous response)" in the HTTP sender channel,
  but i cant see this field in the sxi_monitor in the Dynamic configuration tab of the Response Message...
  pls help me solving this

  Try this
  [http://help.sap.com/saphelp_nw04/helpdata/en/43/64dbb0af9f30b4e10000000a11466f/content.htm|http://help.sap.com/saphelp_nw04/helpdata/en/43/64dbb0af9f30b4e10000000a11466f/content.htm]
  Also the Stream Transformation Constants which we can access using Dynamic Configuration:
  [http://help.sap.com/javadocs/NW04S/current/pi/com/sap/aii/mapping/api/StreamTransformationConstants.html|http://help.sap.com/javadocs/NW04S/current/pi/com/sap/aii/mapping/api/StreamTransformationConstants.html]
  Edited by: Praveen Gujjeti on Apr 21, 2009 12:24 PM

• How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking

  How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking. I have put the IIS setting X-Frame-Options:SAMEORIGIN  on my Internal CAS Server. However as the OWA page is published through
  Forefront TMG 2010, the iFrame tag is not blocked when the page is first opened. Only when you login with your credentials to the OWA page inside the frame and the page reaches IIS on the Internal CAS it gets blocked. I want to block it in the first
  instance when it is opened from TMG.

  Hi,
  Thank you for the post.
  To modify the http header, please refer to this blog:
  http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/
  Regards,
  Nick Gu - MSFT

• ACE http header response

  Hi,
  I have for example a site http://abc.com which response back with the port on which it's being used on the server ex: http://abc.com:9081
  How would I rewrite the response remove the port on the server that is being used.
  Thank you,

  Hi,
  You have rewrite the 30x redirect response from server or is it a normal response?
  You can try below:
  (config)# action-list type modify http H
  (config-actlist-modify)# header rewrite response Location header-value http://abc.com:9008  replace http://abc.com
  I am using header name as Location. Please use according to your need.
  I haven't tried this myself but it should work. Try and let me know.
  Regards,
  Kanwal

• OSB Http Transport Custom Authenticatiion (X509 in Http header)

  Hello!
  I'm trying to solve this case. We have F5 Load balancer that terminates SSL Connections From client to the OSB. When terminating the SSL, the LB adds the clients certificate into headers of the Http request going to OSB.
  OSb proxy service is configured to use custom authentication with token type X509 (only choice in the OSB console).
  What happens when I send the request to OSB, is that I get http code 401 (unauthorized) this error on server log:
  ####<Sep 27, 2011 3:08:05 PM EEST> <Error> <WliSbTransports> <appserver02> <MANSERV02> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1317125285598> <BEA-381327> <Transport-level custom token identity assertion failed
  java.lang.ClassCastException: java.lang.String cannot be cast to [Ljava.security.cert.X509Certificate;
  The HTTP header sent to OSB is in the messages below.
  It has also been wihotu the BEGIN CERTIFICATE and END CERTIFICATE lines with same results.
  Can somebody help me in:
  a) Should the certificate be sent in what form from LB to OSB.
  b) How should the OSB/WLS be configured for this to work?
  OSB version is 10.3.1.
  Request to the server is:
  POST /prjTemplateService/ProxyServices/psvcHelloWolrdWSSSLInterface HTTP/1.1
  Accept-Encoding: gzip,deflate
  Content-Type: text/xml;charset=UTF-8
  SOAPAction: "urn:#HelloWorldOperation"
  User-Agent: Jakarta Commons-HttpClient/3.1
  Host: <ip_here>
  Content-Length: 459
  SSLClientCertStatus: ok
  SSLClientCertb64: -----BEGIN CERTIFICATE-----
  MIICHDCCAYUCBE2sABcwDQYJKoZIhvcNAQEEBQAwVTELMAkGA1UEBhMCRkkxCzAJ
  BgNVBAgTAkZJMQ4wDAYDVQQHEwVFc3BvbzEMMAoGA1UEChMDRVpaMQswCQYDVQQL
  EwJUQzEOMAwGA1UEAxMFSnVzc2kwHhcNMTEwNDE4MDkxMDQ3WhcNMTEwNzI3MDkx
  MDQ3WjBVMQswCQYDVQQGEwJGSTELMAkGA1UECBMCRkkxDjAMBgNVBAcTBUVzcG9v
  MQwwCgYDVQQKEwNFWloxCzAJBgNVBAsTAlRDMQ4wDAYDVQQDEwVKdXNzaTCBnzAN
  BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvEPjEn3tvG3YuXlsLZnE7ZOKUJIF0Foy
  c1hp+k7dyGUoHu3Phva7eVOO1cmHaGkFHkg+EnnK3+/Y58EMQAEwPOfQTj0/vSSk
  cEx2X/2p2W7ACldJlYMxx2ZdFa1qaKTXtoieLy23/kJI+ZTfIoB+nmZiPRE9Hq8p
  LTPlcMWVFnkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQC3EZMQieOy4PFh+95R6W7/
  3xaaRm/BzmEU/Wf9JweEwrnttdSmRKsxx9vSkADnD0J7jGO+koym5CWvJHbox4Sk
  QMRPFaTOBRD4hzZeJMidds1LSzUm/QE9PXzjS/HLSjBBs5DmZfdR+uXPSFqTROkd
  87R5veuPX5KeKQHs8iesTw==
  -----END CERTIFICATE-----
  SSLClientCertSN: 4d:ac:00:17
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Hello:client">
  <soapenv:Body>
  <urn:HelloWorldRequest>
  <urn:FirstName>Jolly</urn:FirstName>
  <urn:Surname>Roger</urn:Surname>
  </urn:HelloWorldRequest>
  </soapenv:Body>
  </soapenv:Envelope>
  Response from OSB:
  HTTP/1.1 401 Unauthorized
  Connection: close
  Date: Fri, 30 Sep 2011 08:32:33 GMT
  Content-Length: 1518
  Content-Type: text/html
  X-Powered-By: Servlet/2.5 JSP/2.1
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN">
  <HTML>
  <HEAD>
  <TITLE>Error 401--Unauthorized</TITLE>
  <META NAME="GENERATOR" CONTENT="WebLogic Server">
  </HEAD>
  <BODY bgcolor="white">
  <FONT FACE=Helvetica><BR CLEAR=all>
  <TABLE border=0 cellspacing=5><TR><TD><BR CLEAR=all>
  <FONT FACE="Helvetica" COLOR="black" SIZE="3"><H2>Error 401--Unauthorized</H2>
  </FONT></TD></TR>
  </TABLE>
  <TABLE border=0 width=100% cellpadding=10><TR><TD VALIGN=top WIDTH=100% BGCOLOR=white><FONT FACE="Courier New"><FONT FACE="Helvetica" SIZE="3"><H3>From RFC 2068 <i>Hypertext Transfer Protocol -- HTTP/1.1</i>:</H3>
  </FONT><FONT FACE="Helvetica" SIZE="3"><H4>10.4.2 401 Unauthorized</H4>
  </FONT><P><FONT FACE="Courier New">The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.</FONT></P>
  </FONT></TD></TR>
  </TABLE>
  </BODY>
  </HTML>

  >
  by using Client Cert authentication I have to set HTTPS required to true.
  >
  Yes.
  >
  When I try to invoke this service with http request, it redirects to https service.
  This actually just trashes the entire idea of terminating SSL in the load balancer.
  >
  Not necessarily. Although direct HTTP request to WebLogic is redirected to HTTPS enabled port, you can still use this settings with WebLogic plugin. I'm not aware of your deployment, but I use Apache plugin for WebLogic, terminate SSL on Apache and I'm still able to send requests authenticated by certificate from client through HTTPS.
  I don't know about F5, but I guess there should be similar feature as well.
  http://download.oracle.com/docs/cd/E12840_01/wls/docs103/cluster/load_balancing.html

• No "Remote-User" in HTTP header when HTTP request gets to WLS

  Hello Exprers,
  I have a customer, using 10.3.3 on Linux machine. Web server as Apache.
  He wants Remote-User in HTTP header, he used to get it when he used Tomcat. But when he transffered to Apache and 10.3.3, he is not getting the Remote-User in header, instead he is getting proxy-remote-user.
  He wants the Remote-user in HTTP header.
  Any clue, on why he is not getting it.

  Hi,
  We are facing error while doing openConnection
  When I tried with simple java file it worked as shown below
  import java.io.*;
  import javax.net.ssl.HttpsURLConnection;
  public class test
  public static void main(String[] args) throws Exception
  String httpsURL = "https://rcfe.aspac.citicorp.com:40054/servlet/Verify";
  URL myurl = new URL(httpsURL);
  HttpsURLConnection con = (HttpsURLConnection)myurl.openConnection();
  InputStream ins = con.getInputStream();
  InputStreamReader isr = new InputStreamReader(ins);
  BufferedReader in = new BufferedReader(isr);
  if (con!=null)
  System.out.println("con="+con);
  System.out.println(ins);
  Output*
  [rcrrgbg2@kauh0079:/rcrmap2/weblogic/bea/ORA_PFRD/forms/j2ee] java test
  con=com.ibm.net.ssl.www2.protocol.https.e:https://rcfe.aspac.citicorp.com:40054/servlet/Verify
  sun.net.www.protocol.http.HttpURLConnection$HttpInputStream@5f6c5f6c
  However when I tried with below program I am able to write upto Web CL URL but after that no log is written when it tries to do openConnection() for this line csConn=(HttpsURLConnection)new URL(webclURL).openConnection(); in the below code
  Some part of the code:_
  =======================================================================
  import java.io.*;
  import javax.servlet.http.*;
  import javax.servlet.*;
  import java.util.Hashtable;
  import java.io.File;
  import java.io.FileInputStream;
  import javax.servlet.ServletException;
  import javax.servlet.ServletOutputStream;
  import javax.servlet.http.HttpServlet;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import javax.net.ssl.HttpsURLConnection;
  import java.net.URL;
  public class CRMSLogin extends HttpServlet
  private static final long serialVersionUID=-6294676216324813290L;
  public void doPost(HttpServletRequest request,HttpServletResponse response) throws ServletException,IOException
  String iniFile=request.getParameter("CRMS_INI_FILE_PATH");
  String sessionId=request.getParameter("SessionId");
  String applId=request.getParameter("apl_id");
  String userId=request.getParameter("userId");
  String clientIp=request.getRemoteAddr();
  Properties iniProp=this.getProperties(iniFile);
  String crmsAppServerContext=iniProp.getProperty("CRMS_APP_SERVER_CONTEXT");
  String appModule=iniProp.getProperty("CRMS_MODULE");
  String webclURL=iniProp.getProperty("WEBCL_URL");
  // HttpsURLConnection csConn=null;
  String crmsFormsTerm=null;
  crmsFormsTerm=getEntitlements(iniFile.trim(),sessionId,applId.trim(),clientIp.trim(),webclURL.trim());
  String baseContent=this.getBaseContent(iniProp);
  ServletOutputStream out=response.getOutputStream();
  baseContent=baseContent.replaceAll("<!APP_TITLE!>","Credit Risk Management System");
  baseContent=baseContent.replaceAll("<!APP_CONTEXT!>",crmsAppServerContext);
  baseContent=baseContent.replaceAll("<!APP_MODULE!>",appModule);
  baseContent=baseContent.replaceAll("<!APP_TRACE!>",crmsFormsTerm.replaceAll(" ", ""));
  baseContent=baseContent.replaceAll("<!USER_ID!>",userId);
  baseContent=baseContent.replaceAll("<!SESSION_ID!>",sessionId);
  baseContent=baseContent.replaceAll("<!APPL_ID!>",applId.trim());
  baseContent=baseContent.replaceAll("<!CLIENT_IP!>",clientIp.trim());
  baseContent=baseContent.replaceAll("<!INI_FILE!>",iniFile.trim());
  out.println(baseContent);
  out.flush();
  out.close();
  private synchronized Properties getProperties(String inifile)
  Properties iniProp=new Properties();
  FileInputStream iniFileStream=null;
  try
  iniFileStream=new FileInputStream(inifile);
  iniProp.load(iniFileStream);
  iniFileStream.close();
  catch(Exception e)
  finally
  try
  if(iniFileStream!=null)
  iniFileStream.close();
  catch(Exception e)
  return iniProp;
  public static synchronized String getEntitlements(String inifile,String sessionId,String applId,String clientIp,String webclURL)
       HttpsURLConnection csConn=null;
       OutputStreamWriter requestStream=null;
       BufferedReader responseStream=null;
       StringBuffer responseData=new StringBuffer();
       String csReturnString=null;
       //String webclURL=null;
       BufferedWriter traceLog=null;
       int csCount=6;
       Properties iniProp=new Properties();
       String traceFile=null;
       String entitlementData=null;
       try
       readIniProperties(inifile,iniProp);
       traceFile=getTraceFile(iniProp);
       traceLog=new BufferedWriter(new FileWriter(traceFile,true));
       if(traceFile!=null)
       traceLog.write("###########################");
       traceLog.write("P A R A M E T E R S");
       traceLog.write("###########################");
       traceLog.newLine();
       traceLog.write("INI_FILE:"+inifile);
       traceLog.newLine();
       traceLog.write("SESSION_ID:"+sessionId);
       traceLog.newLine();
       traceLog.write("APPL_ID:"+applId);
       traceLog.newLine();
       traceLog.write("CLIENT_IP:"+clientIp);
       traceLog.newLine();
       traceLog.write("count:"+csCount);
       traceLog.newLine();
       traceLog.write("###########################");
       traceLog.newLine();
       //webclURL=getWebclURL(traceLog,iniProp);
       if(webclURL!=null)
       traceLog.write("Web CL URL:"+webclURL);
            traceLog.newLine();
       csConn=(HttpsURLConnection)new URL(webclURL).openConnection();     
  traceLog.write("Open Connection - Completed!");
       traceLog.newLine();
       csConn.setRequestMethod("POST");
       csConn.setDoInput(true);
       csConn.setDoOutput(true);
       requestStream=new OutputStreamWriter(csConn.getOutputStream());
       traceLog.write("Open Request Stream - Completed!");
       traceLog.newLine();
       requestStream.write("SessionId="+sessionId+"&ClientIP="+clientIp+"&apl_id="+applId+"&count="+csCount);
       requestStream.flush();
       requestStream.close();
       traceLog.write("Write Params to Request Stream - Completed!");
       traceLog.newLine();
       responseStream=new BufferedReader(new InputStreamReader(csConn.getInputStream()));
       traceLog.write("Open Response Stream - Completed!");
       traceLog.newLine();
       while((csReturnString=responseStream.readLine())!=null)
       responseData.append(csReturnString);
       traceLog.write("Response Stream Reading - Completed!");
       traceLog.newLine();
       responseStream.close();
       csConn.disconnect();
       entitlementData=getEntitlementData(traceLog,responseData.toString(),iniProp);
       traceLog.write("responseData::"+responseData);
       traceLog.newLine();
       traceLog.newLine();
       traceLog.write("entitlementData::"+entitlementData);
       traceLog.newLine();
       traceLog.flush();
       traceLog.close();
       catch(Exception e)
       e.printStackTrace();
       finally
       try
       if(requestStream!=null)
       requestStream.close();
  =======================================================================
  output_
  ###########################P A R A M E T E R S###########################
  INI_FILE:/rcrmap1/rcrrgbg2/crms.ini
  SESSION_ID:%2526%253ASIGNED_TICKET%253D%2526PROVIDER_TICKET%253D002c6e4cH0tZy2Gj4JBCOiSL7uSlKisfsqgwP9KoRRn7e%252BY%253D%253AKRSERVER0006%252BA9A52AAE%252B4D1DC7AA%252B14400
  APPL_ID:RCRMKR
  CLIENT_IP:169.165.42.174
  count:6
  Web CL URL:https://rcfe.aspac.citicorp.com:40054/servlet/Verify
  Please help to guide us.
  Regards,
  Harish

• Can I send an HTTP Header from an iView

  Hello Developers,
  I'm trying to run an external web application from a URL iView.  In the URL I point it to a reverse proxy that starts the web application.  The reverse proxy requires a user name in the field HTTP_USER.  Sending a value as a URL Parameter doesn't work.
  My question is, can I include the Portal users name in a HTTP Header and sendt the Header from the iView?
  Thank you

  Hello,
  you can get the servlet response and set a header value using the following code :
  HttpServletResponse res = aRequest.getServletResponse(true);
  res.setHeader("header name","header value");
  Hope it helps.
  Regards
  Guillaume

• Servlet Responses without a Content-Type

  Hi,
  <p>
  Is it possible to configure OC4J running in a full iAS install not to set a default Content-Type header if the servlet code does not set one?
  <p>
  e.g. Using code such as:
  public class MyServlet extends HttpServlet
      public void doGet(HttpServletRequest request,
                        HttpServletResponse response) throws ServletException, IOException {
          //response.setContentType(CONTENT_TYPE);
          PrintWriter out = response.getWriter();
          out.println("<html>");
          out.println("<head><title>My Servlet</title></head>");
          out.println("<body>");
          out.println("The servlet has received a GET. This is the reply.");
          out.println("</body></html>");
          out.close();
  }There are no 'default-mime-type' attributes in either the global-web-application.xml or orion-web.xml files. However, a debugger reveals that the AJPHttpServletResponse has a contentType member variable set to 'text/plain' when it is passed to the Servlet. This then gets used as a value for a Content-Type header in the response sent to the browser.
  <p>
  Is there anywhere else in the server's configuration that could be providing this default value? The documentation states that "If default-mime-type is not specified, then there is no default content type."
  <p>
  This is required to allow requests to be proxied through a Servlet and in cases where the proxied response doesn't have a Content-Type set, the Servlet should not set one either.
  <p>
  Thanks,
  <p>
  Andy.

  Hi Andy,
  I am not fully sure I understand your question but I will try and clarfiy the AS architecture which might help answer your question.
  The HTTP server is the "front-end" piece that receives ALL incoming requests. The HTTP server is a licensed version of Apache and we have written a module called mod_oc4j which allows for the HTTP server to communicate with the OC4J instance. We use a protocol called AJP to communicate between HTTP and OC4J.
  The AJPHttpServletResponse is the response that you are seeing being passed between these 2 modules and as the documentation state OC4J does not set any default mime types. This AJPHttpServletResponse is solely used for communication between HTTP and OC4J, I would however check the HTTP configuration to see if there any mime-settings there.
  Hope this helps.
  Deepak

• Problems with http header "Content-Location"

  Does anyone know how to override the
  "Content-Location" http header. We are having issues with search engines and this header being returned from Apache/oc4j. In a nutshell, I have a site that uses the
  Struts framework, where the actual urls submitted would be for example
  (http://mysite/home.do), where ".do" is just a servlet mapping. When we have
  tried to follow the one link that has been spidered, it actually contains
  the full path that appears in the "Content-Location" header (i.e.
  http://mysite/web-inf/jsps/bogus.jsp) which in this case can't even be
  accessed. The feedback we get from third-party utilities that try to spider
  the site is that it is stopping because it has already indexed "bogus.jsp",
  which in reality will always appear since it is a template, where the actual
  urls will be different as is above.
  Because the "Content-Location" header is being returned to any
  client hitting the site, search engine spiders stop indexing at the first page because the value in "Content-Location" is the same.
  Solutions tried:
  mod_headers in Apache - have tried "Header unset"
  HttpServletResponse.setHeader()
  Any help would be appreciated

  Hi there,
  i'm having a similar problem to this when trying to run some web page speed optimisation software...
  i think the issue also causes problems with the Opera browser (although this may have been fixed in the latest version).
  anybody any ideas how to stop the header being sent in the response?
  many thanks,
  Andy

• HTTP Status 503 - Servlet action is currently unavailable

  Hai,
  I'm developing a Struts application, where the control be forwarded to an Action class, I used globalforwards, as shown
  <code>
  <global-forwards>
  <forward
  name="Welcome"
  path="/Welcome"/>
  </global-forwards>
  </code>
  <code>
  <action
  path="/Welcome.do"
  type="WelcomeAction"
  scope="session"
  <forward name="success" path="/Login.jsp" />
  </action>
  </code>
  I've deployed the application, when run the program I got the following error
  HTTP Status 503 - Servlet action is currently unavailable
  type Status report
  message Servlet action is currently unavailable
  description The requested service (Servlet action is currently unavailable) is not currently available.
  Please help me ...

  503 Service Unavailable
  The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. The implication is that this is a temporary condition which will be alleviated after some delay. If known, the length of the delay MAY be indicated in a Retry-After header. If no Retry-After is given, the client SHOULD handle the response as it would for a 500 response.
  Note: The existence of the 503 status code does not imply that a
  server must use it when becoming overloaded. Some servers may wish
  to simply refuse the connection.

• Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

  Hello SDN community,
  in the context of a Proof of Concept, we are testing the integration of Microsoft Sharepoint Portal with SAP Backend (addin) systems.
  As the architecture impose use an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chosed the http header solution which in short uses an intermediary web server (in this case the IIS of the MOSS solution) which will act as authority.
  I miss information on how the workflow works for this http header authentication method. Through the visual administrator of the addin JAVA stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this all that I know.
  My task is to configure SSO. From a sharepoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that the very first call to a webdynpro or bsp (or maybe when we log on the sharepoint portal), the request to the WDP or BSP will first be forwareded by the intermediary server to the JAVA stack (or is it the SAP dispatcher that has to be configured).
  Is there an application to be built on the java stack to deal with the authentication, modify http header?
  What will the Java stack return? a sap long ticket? a token?
  How will the redirect work (to by example a BSP which is in the ABAP stack)?
  SAP preconise to secure with SSL the link between the intermediary web server and the JAVA stack, is IP restriction also a solution?
  A lot of questions about how this SSO http header should work,
  I would be very greatful for any help, or info,
  Kind regards,
  Tanguy Mezzano

  Hi Tanguy,
  to tell you the truth I'm really unsure about what you are trying to achieve. When I started posting to your thread I thought all you wanted was trying to access your J2EE engine via Browser and authenticate against the engine using HTTP Header Variables. Nevermind:
  Here are some answers to your question:
  in fact I did succeed, the problem was that even after domain-relaxation done by the J2EE, I had to change the domain of th SAP cookie to the bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems that no...).
  The server does not care about the domain because Cookies in an HTTP Request do not contain any domain information. The domain is just important when the Cookie is set by the server so your Client (Browser) will know in which cases the Cookie may be sent or not. So if your domain is xxx.yyy.domain.com and your cookie is issued to .domain.com then your Browser will definitely sent it to all hosts under .domain.com (This includes xxx.yyy.domain.com etc.)
  My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.
  You can do that but there is no Client involved in this scenario. So this is useful if you just want to test the functionality (e.g. authentication to J2EE using Header Variables (This works finally!!!) and then use the fetched Logon Ticket to test SSO against any trusted Backend!!)
  So everything's is in a Java Client application without using any redirection.
  If I understand you, you're solution is from the Browser call a servlet (which is deployed on the Java Stack and has no authentication schema) by passing to it our http header.
  No, you should initially authenticate somewhere! I thought that maybe you had some resource you access before accessing the Java Stack. This could be any application (e.g. deployed on a Tomcat or JBOSS or other server or if you like even SAP J2EE). After authenticating there you are aware of the username and could use it to  procceed (e.g. Authenticate against the J2EE using the same user and HTTP Header authentication for that particular user!)
  That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then to redirect to the resource and by sending back the cookie in client browser. Am I correct?
  This was just a suggestion because I realized that there was no Client ever involved in any of your testing (looked strange to me!). I was just thinking that it would be easier for you to just get the Cookie into your Browser so your Browser would do the rest for you (in your case finally send the Logon Ticket Cookie to your Backend to test SSO using Logon Tickets!).
  The AuthenticatorServlet somehow serves as a Proxy to your client because your client is not able to set the Header Variable. That's why I initially suggested to use a Proxy (e.g. Apache) for that purpose. The problem is just that if you use a Proxy you will have to tell it somehow which username it should set in the Header Variable (e.g. using a URL Parameter or using a personalized client certificate and fetch the username (e.g. cn=<username> from the certificate!)
  This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...
  I'm stuck again! Do you want to authenticate an End User or do you want to authenticate an application that needs to call any resources in your Backend that requires authentication?
  So my problem now, is how to call the servlet from the client browser:
  I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not to reach a servlet. I don't find the path to my servlet:
  <FORM method="POST" action="SSORedirect2" >
  A JSP is a servlet too. There is just no JAVA Class involved!
  You do not need any POST Request to invoke a Servlet.
  I see that my servlet is deployed, but I don't how what path to give to my form to invoke the servlet, here follows my web.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE web-app (View Source for full doctype...)>
  - <web-app>
    <display-name>WEB APP</display-name>
    <description>WEB APP description</description>
  - <servlet>
    <servlet-name>SSOredirect2</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
    </servlet>
  - <servlet>
    <servlet-name>SSORedirect2.jsp</servlet-name>
    <jsp-file>/SSORedirect2.jsp</jsp-file>
    </servlet>
  - <security-constraint>
    <display-name>SecurityConstraint</display-name>
  - <web-resource-collection>
    <web-resource-name>WebResource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
  - <auth-constraint>
    <role-name>DefaultSecurityRole</role-name>
    </auth-constraint>
    </security-constraint>
  - <security-role>
    <role-name>DefaultSecurityRole</role-name>
    </security-role>
    </web-app>
  If you have an AuthenticatorServlet Class all you need is to add the Servlet Mapping in your web.xml file
  e.g.
  <servlet>
    <description>
    </description>
    <display-name>AuthenticatorServlet</display-name>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <url-pattern>/AuthenticatorServlet</url-pattern>
  </servlet-mapping>
  You can directly call the Servlet in your Browser by calling the URL provided in the url-pattern of your Servlet mapping ( in this case /AuthenticatorServlet). The engine will invoke the Class "com.atosorigin.examples.AuthenticatorServlet" in the background and do whatever you defined there!
  I have also to pass my http header and the redirectUrl in the GET request.
  If you like! I just suggested this for testing purposes. As I stated before you need a way to tell your proxy (or in your case AuthenticatorServlet) which user should be set when calling the Engine in order to authenticate using HTTP Header. You could use the URL Paramater to define the user you actually want to use when you set the Header Variable.
  I just introduced the redirectURL because you were talking about redirects all the time. So if you finally want to call the Backend you could define the Backend URL in the redirectURL Parameter and the Servlet will make sure that you are redirected to this location after the whole process!
  Thx for your input very helpful,
  But again 0 points
  Cheers

• What happens to the HTTP header parameters I put there?

  Our tool puts some parameters into the HTTP header. But, it appears that the Dispatcher is not passing them to the WAS.  Could this be?
  Is there a way to tell the Dispatcher to not drop our HTTP header stuff? Perhaps a configuration setting? I didn't find any.
  When I set a break in my servlet running on NW WAS, I see:
  referer:
  Cookie:
  etc.
  but I don't see the parameters we put there.
  This is the NW SneakPreview download.

  Hi Farokh,
  I think there should be much problem passing parameters  through the Url. I am sorry however that I have not worked much on the Servlet but on WebDynpro, which I can share with you if its of any use to you.
  Regards
  Noufal

• How to Set UserId in Http Header for SSO?

  Hello All,
  I have a requirement to set the userid into the HTTP Header so that i can use the "Header Variables for User Authentication" module provided by SAP to achieve the SSO .
  Could some 1 let me know how can I achieve this? I know abt the HTTPServlet.setheader() method, But i need to set it using my JAVA application. Is there any way to set the HTTP Header using Java. I have already done a lot of googling, but havent got any results.
  I am sure that, there must definitely be a way in which we can add the user id into the HTTP header, in all the results, they tell abt adding it using the HTTP Servlet or PHP and so on, but i need to add it from JAVA.(setting REMOTE_USER as "mysapuserid")
  I have already added the "HeaderVariableLoginModule" in my login stack in the 2nd position, as per
  http://help.sap.com/saphelp_nw04/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
  Any pointers will be helpful,
  Meghana
  Edited by: Meghana Phadke on Apr 14, 2008 2:49 PM

  Hi
  As I understand, your java application is an EP client, check framework HttpClient :
  http://hc.apache.org/httpclient-3.x/
  http://hc.apache.org/httpclient-3.x/tutorial.html
  Hope this help
  Jakub Krecicki

• OIF11g - Help on sending user attributes in HTTP header

  Hello, I have a OIF11g setup configured for both IdP and SP. Upon successfull authentication against LDAP, I need to end some user attributes on the HTTP header to the SP application. I do no have OAM in my setup, so there is no option of Webgate or Policy Manager to do that. As far as I read the config doc, I'm in the impression that we need to write a custom authentication engine to accept user credentials and code to authenticate against LDAP and also add attributes to the response header.
  Before I go down that path, just wanted to confirm if anybody has done this with OIF?
  Thanks,
  Sunil.

  Bernhard:
  Actually the headers are not set to null. I have an intermediate index.jsp page which is the first page that is redirected to by the AM - it is this page which calls my LoginServlet.
  The value appears consistently on this index.jsp page but after it is forwarded to the LoginServlet it starts behaving inconsistently. I check the system.out log in my websphere /logs folder and that tells me that LoginServlet does not consistenly get these values from the header.
  The wierd part is that if I use cookies or attributes, it works perfectly - each time every time. However, only in the case of headers (which is the method i am required to do) it behaves inconsistently.
  ANY feedback/help on this would be really appreciated bern.. thanks..
  ~saahil