Https header rewrite

Similar Messages

• ACE http header rewrite

  hi
  is there any chance to change my requeste on ace like this?
  the request is http://www.xpto.com and i need to be rewrite to http://xpto.com
  thanks in advance
  Antero

  Hi Antero,
  Yes, this is possible. Just check the link below for more details
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1151822
  Assuming "http://www.xpto.com" is the only request you want to rewrite, the syntax of the action would be "header rewrite request Host header-value www.xpto.com replace xpto.com"
  If, however, you need to create this action in a more generic way so that any URL is rewritten in the same format, you would need to use a regular expression. In this case, it would be something similar to the following (I didn't test it, so I'm not 100% sure that the regex is correct) "header rewrite request Host header-value www\.(.*)\.com replace %1.com"
  I hope this helps
  Daniel

• CSS11506 http header rewrite question

  Hi
  I read the ACE doc, and it said that cisco ACE supports the capability to rewrite http headers in both client requests and server responses. Is CSS11506 can do it?
  I have a lot of problems that application on the local server redirect https to http. Because the way they do installation which standard way and it can not fix or hardly to fix.
  I would like to get a tip to let css11506 rewrite the server's rewrite. is it possible?
  Any comments will be appropriated
  Thanks in advice
  julxu

  Hello Julxu,
  If I understand your question correctly, you are looking for the CSS rewrite the URL from http to https when the server sends a redirect to the client.  If I'm correct, then you can find out how to accomplish this in the Specifying Secure URL Rewrite sectioin of the CSS configuration guides.
  Hope this helps,
  Sean

• Cisco ACE - dynamic header rewrite

  Can the ACE do dynamic http host and URL rewrites using an action list and variables?
  I need to rewrite a URL like this...
  http://*.domain.com rewritten to http://www.domain.com/user1/*
  For example...
  http://mikeyd.domain.com would be rewritten to http://www.domain.com/user1/mikeyd
  ... and so on for a large number of user names at the beginning of the URL string.
  I am trying to find the action-list syntax for header rewrite and having trouble figuring this out.  Would a redirection be a better option?
  Thanks, in advance, for any help with this.

  It's more related to disaster recovery planning than ACE configuration
  The cleanest way is to use L2 extension.
  Otherwise you can use VMWare SRM to change the ip addresses of your VMs, or run an OSPF process and replicate all the subnets and put it in the "shutdown state" (or announcing it with a very high cost, proximity routing will do the rest - ACE module can do this for the VIPs with OSPF route health injection, ACE4710 doesn't support RHI but on the upstream router you can define an IP SLA probe and perform conditionnal redistribution), or use a dummy VRF with all your subnets and when enabling DRP, perform route leaking... use NAT with DNS-based failover etc...
  There is no generic answer to your problem.

• ACE http header response

  Hi,
  I have for example a site http://abc.com which response back with the port on which it's being used on the server ex: http://abc.com:9081
  How would I rewrite the response remove the port on the server that is being used.
  Thank you,

  Hi,
  You have rewrite the 30x redirect response from server or is it a normal response?
  You can try below:
  (config)# action-list type modify http H
  (config-actlist-modify)# header rewrite response Location header-value http://abc.com:9008  replace http://abc.com
  I am using header name as Location. Please use according to your need.
  I haven't tried this myself but it should work. Try and let me know.
  Regards,
  Kanwal

• 302 Redirect Location Header Rewrite not working with code upgrade

  Hi,
  Description:
  We have a portal webservice hosted by an ACE4710. It has two services (www/https) on the same IP 10.1.1.1.
  One is a redirect service that redirects all requests to tcp/80 on this ip to the other which is a 'standard' https proxy service.
  The backend servers are http only. Externally everything needs to be https.
  So we have an ssl proxy and Location header http to https rewrite on the https service.
  The configuration below operates correctly on v5_1_2.
  But with a code upgrade to 5_3_1b, the Location header rewrite does not work.
  We've tried several different configurations and even 'ssl url location rewrite ".*". It just looks like the ACE is completely ignoring the configuration to rewrite the Location field.
  Reverting to the older code fixes the problem.
  Problem seen:
  Here is the problem as seen on the *client*. The 302 redirect Location header is NOT rewritten:
  Response headers:
  HTTP/1.1 302 FOUND
  Server: nginx
  Date: Fri, 20 Mar 2015 10:59:43 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 295
  Connection: keep-alive
  Location: http://website.liveportal.nhs.uk/homepage/information
  Cache-Control: no-cache, no-store
  Set-Cookie: information=35a7831d-928d-4122-aef3-39ef48ac4440; Path=/; secure; HttpOnly
  X-Frame-Options: DENY
  HTTPSampleResult fields:
  ContentType: text/html; charset=utf-8
  DataEncoding: utf-8
  Config extract:
  1) Set up the servers (4 normal on tcp/80 and one for a redirect)
  rserver host WEBSERVICE-1
    ip address 192.168.1.1
    conn-limit max 200000 min 160000
    inservice
  ...and the same for the other three
  rserver redirect PORTAL_REDIRECT
    webhost-redirection https://%h/%p 302
    inservice
  2) Set up the server farms
  serverfarm host PORTAL_LIVE
    probe webping
    rserver WEBSERVICE-1 80
      inservice
    rserver WEBSERVICE-2 80
      inservice
    rserver WEBSERVICE-3 80
      inservice
    rserver WEBSERVICE-4 80
      inservice
  serverfarm redirect PORTAL_HTTP_REDIRECT
    rserver PORTAL_REDIRECT
      inservice
  3) Setup the ssl proxy and a location rewrite to https for responses from the servers
  action-list type modify http HTTPS_LOCATION
    header rewrite response Location header-value "http://(.*)" replace "https://%1"
  ssl-proxy service WEB_SSL_PROXY
    key webportal.key
    cert webportal.crt
    chaingroup root-chain
    ssl advanced-options SSL-SECURE-STRONG-WEB
  4) Set up the L4 services
  class-map match-all PORTAL_HTTP
    2 match virtual-address 10.1.1.1 tcp eq www
  class-map match-all PORTAL_SSL
    2 match virtual-address 10.1.1.1 tcp eq https
  5) Setup the policy maps - one for the reals servers with header rewrite for redirects
  policy-map type loadbalance http first-match PORTAL_HTTP
    class class-default
      serverfarm PORTAL_HTTP_REDIRECT
  policy-map type loadbalance http first-match PORTAL_SSL
    class class-default
      serverfarm PORTAL_LIVE
      action HTTPS_LOCATION
  6) Create the service policy
  policy-map multi-match EXTERNAL-SERVICES
    class PORTAL_SSL
      loadbalance vip inservice
      loadbalance policy PORTAL_SSL
      loadbalance vip icmp-reply
      appl-parameter http advanced-options PARAM-HTTP
      ssl-proxy server WEB_SSL_PROXY
    class PORTAL_HTTP
      loadbalance vip inservice
      loadbalance policy PORTAL_HTTP
      loadbalance vip icmp-reply
  7) Apply to the interface
  interface vlan 211
    description External Access
    ip address x.x.x.x 255.255.255.0
    alias x.x.x.x 255.255.255.0
    peer ip address x.x.x.x 255.255.255.0
    access-group input PERMIT-ALL
    service-policy input EXTERNAL-SERVICES
    no shutdown

  I found that the v5_3_1b code seems to need a bit of extra configuration and it now works ok.
  parameter-map type http PARAM_HTTP
  header modify per-request
  no persistence-rebalance
  case-insensitive

• SSO to other apps via HTTP header variable

  We are on NW EP6.0 SP16. We need to add the "user id" as http header variable so that other apps which are non SAP can access our header variable and log on with that user id. Is this available by default? Or we want to achieve this how best we can achieve this.
  We can use the code to get the user id and add it to header variable. If we use this route which is the jsp page we need to add the code?
  Thanks

  Hi,
    we can you login modules provided by SAP to accomplish this.. you can use header variable authentication login module to acheive your requirement.
    please refer: http://help.sap.com/saphelp_nw04/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
  Hope that helps.
  Regards,
  S.Divakar

• Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

  Hello SDN community,
  in the context of a Proof of Concept, we are testing the integration of Microsoft Sharepoint Portal with SAP Backend (addin) systems.
  As the architecture impose use an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chosed the http header solution which in short uses an intermediary web server (in this case the IIS of the MOSS solution) which will act as authority.
  I miss information on how the workflow works for this http header authentication method. Through the visual administrator of the addin JAVA stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this all that I know.
  My task is to configure SSO. From a sharepoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that the very first call to a webdynpro or bsp (or maybe when we log on the sharepoint portal), the request to the WDP or BSP will first be forwareded by the intermediary server to the JAVA stack (or is it the SAP dispatcher that has to be configured).
  Is there an application to be built on the java stack to deal with the authentication, modify http header?
  What will the Java stack return? a sap long ticket? a token?
  How will the redirect work (to by example a BSP which is in the ABAP stack)?
  SAP preconise to secure with SSL the link between the intermediary web server and the JAVA stack, is IP restriction also a solution?
  A lot of questions about how this SSO http header should work,
  I would be very greatful for any help, or info,
  Kind regards,
  Tanguy Mezzano

  Hi Tanguy,
  to tell you the truth I'm really unsure about what you are trying to achieve. When I started posting to your thread I thought all you wanted was trying to access your J2EE engine via Browser and authenticate against the engine using HTTP Header Variables. Nevermind:
  Here are some answers to your question:
  in fact I did succeed, the problem was that even after domain-relaxation done by the J2EE, I had to change the domain of th SAP cookie to the bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems that no...).
  The server does not care about the domain because Cookies in an HTTP Request do not contain any domain information. The domain is just important when the Cookie is set by the server so your Client (Browser) will know in which cases the Cookie may be sent or not. So if your domain is xxx.yyy.domain.com and your cookie is issued to .domain.com then your Browser will definitely sent it to all hosts under .domain.com (This includes xxx.yyy.domain.com etc.)
  My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.
  You can do that but there is no Client involved in this scenario. So this is useful if you just want to test the functionality (e.g. authentication to J2EE using Header Variables (This works finally!!!) and then use the fetched Logon Ticket to test SSO against any trusted Backend!!)
  So everything's is in a Java Client application without using any redirection.
  If I understand you, you're solution is from the Browser call a servlet (which is deployed on the Java Stack and has no authentication schema) by passing to it our http header.
  No, you should initially authenticate somewhere! I thought that maybe you had some resource you access before accessing the Java Stack. This could be any application (e.g. deployed on a Tomcat or JBOSS or other server or if you like even SAP J2EE). After authenticating there you are aware of the username and could use it to  procceed (e.g. Authenticate against the J2EE using the same user and HTTP Header authentication for that particular user!)
  That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then to redirect to the resource and by sending back the cookie in client browser. Am I correct?
  This was just a suggestion because I realized that there was no Client ever involved in any of your testing (looked strange to me!). I was just thinking that it would be easier for you to just get the Cookie into your Browser so your Browser would do the rest for you (in your case finally send the Logon Ticket Cookie to your Backend to test SSO using Logon Tickets!).
  The AuthenticatorServlet somehow serves as a Proxy to your client because your client is not able to set the Header Variable. That's why I initially suggested to use a Proxy (e.g. Apache) for that purpose. The problem is just that if you use a Proxy you will have to tell it somehow which username it should set in the Header Variable (e.g. using a URL Parameter or using a personalized client certificate and fetch the username (e.g. cn=<username> from the certificate!)
  This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...
  I'm stuck again! Do you want to authenticate an End User or do you want to authenticate an application that needs to call any resources in your Backend that requires authentication?
  So my problem now, is how to call the servlet from the client browser:
  I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not to reach a servlet. I don't find the path to my servlet:
  <FORM method="POST" action="SSORedirect2" >
  A JSP is a servlet too. There is just no JAVA Class involved!
  You do not need any POST Request to invoke a Servlet.
  I see that my servlet is deployed, but I don't how what path to give to my form to invoke the servlet, here follows my web.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE web-app (View Source for full doctype...)>
  - <web-app>
    <display-name>WEB APP</display-name>
    <description>WEB APP description</description>
  - <servlet>
    <servlet-name>SSOredirect2</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
    </servlet>
  - <servlet>
    <servlet-name>SSORedirect2.jsp</servlet-name>
    <jsp-file>/SSORedirect2.jsp</jsp-file>
    </servlet>
  - <security-constraint>
    <display-name>SecurityConstraint</display-name>
  - <web-resource-collection>
    <web-resource-name>WebResource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
  - <auth-constraint>
    <role-name>DefaultSecurityRole</role-name>
    </auth-constraint>
    </security-constraint>
  - <security-role>
    <role-name>DefaultSecurityRole</role-name>
    </security-role>
    </web-app>
  If you have an AuthenticatorServlet Class all you need is to add the Servlet Mapping in your web.xml file
  e.g.
  <servlet>
    <description>
    </description>
    <display-name>AuthenticatorServlet</display-name>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AuthenticatorServlet</servlet-name>
    <url-pattern>/AuthenticatorServlet</url-pattern>
  </servlet-mapping>
  You can directly call the Servlet in your Browser by calling the URL provided in the url-pattern of your Servlet mapping ( in this case /AuthenticatorServlet). The engine will invoke the Class "com.atosorigin.examples.AuthenticatorServlet" in the background and do whatever you defined there!
  I have also to pass my http header and the redirectUrl in the GET request.
  If you like! I just suggested this for testing purposes. As I stated before you need a way to tell your proxy (or in your case AuthenticatorServlet) which user should be set when calling the Engine in order to authenticate using HTTP Header. You could use the URL Paramater to define the user you actually want to use when you set the Header Variable.
  I just introduced the redirectURL because you were talking about redirects all the time. So if you finally want to call the Backend you could define the Backend URL in the redirectURL Parameter and the Servlet will make sure that you are redirected to this location after the whole process!
  Thx for your input very helpful,
  But again 0 points
  Cheers

• What happens to the HTTP header parameters I put there?

  Our tool puts some parameters into the HTTP header. But, it appears that the Dispatcher is not passing them to the WAS.  Could this be?
  Is there a way to tell the Dispatcher to not drop our HTTP header stuff? Perhaps a configuration setting? I didn't find any.
  When I set a break in my servlet running on NW WAS, I see:
  referer:
  Cookie:
  etc.
  but I don't see the parameters we put there.
  This is the NW SneakPreview download.

  Hi Farokh,
  I think there should be much problem passing parameters  through the Url. I am sorry however that I have not worked much on the Servlet but on WebDynpro, which I can share with you if its of any use to you.
  Regards
  Noufal

• How do I set the Http Header POST URL in SAAJ?

  Hi ,
  I am a newbie in the field of web services. I was trying to create a SOAP request with Http Header POST information having a POST url like
  the following:
  POST /OMASTI.xml HTTP/1.1
  Content-Type: multipart/related; boundary="eladeladeladeladeladeladeladeladelad"; type=text/xml; start=11814460
  Content-Length: 54596
  Host: unspecified
  SOAPAction: ""
  to that effect I did the following in the SAAJ client:
  MimeHeaders md = message.getMimeHeaders();
            md.setHeader("SOAPAction" ,"\"\"");
            md.setHeader("POST" ,"/OMASTI.xml");
  However what I got was :
  POST / HTTP/1.1
  Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  SOAPAction: ""
  POST: /OMASTI.xml
  Content-Type: multipart/related; type="text/xml"; boundary="----=_Part_2_32124414.1153146262750"
  Content-Length: 3352
  Cache-Control: no-cache
  Pragma: no-cache
  User-Agent: Java/1.5.0_07
  Host: www.google.com
  Connection: keep-alive
  I have two POSTs in the header. How do I fix it? Please Help ASAP.
  Regards,
  Zeus

  Hi,
  Please forgive my ignorance. I did the same as you said. and then checked the Http request being sent out using ethreal software... it was the same as I had told earlier. Is only POST supported by the connection object? And the does the URL that comes in the Mime header as POST refer to the URL to which the request was sent? what I mean is that if the mime header says
  POST /OMASTI.xml HTTP 1.1, does it mean that the URL that was passed to the connection object was "/OMASTI.xml" ? I had given the url as http://www.google.com to test the request being sent.. I only have a sample SOAP request which shows a HTTP header with the post url as I said before. I need to create a SOAP request with the same sort of Http header and the body needs to follow a certain OMA-STI protocol. My experience in the SOAP domain is almost nil. So please enlighten me.
  Thanks in advance,
  zeus

• SSRS web services 401 if you pass "Authorization" http header

  We use both SSRS 2008 R2 and 2012. When i access a report using url access (direct ssrs server hit) and add a "Authorization: Bearer xyzelkalklsjsdfalsjdf" http header, i get a 401 from somewhere in the request pipeline. I have a custom httpmodule
  registered at the top of the chain which does some OAuth related security checks. But when this header is included, the request never reaches the httpmodule. If i change the header slightly ex: "YAuthorization: ljlxzcvc..", then the request reaches
  the httpmodule and everything works. So obviously SSRS is looking for a particular header named "Authorization" and does something with it. Point to note: we have implemented a custom forms authentication module and we are doing some rich authorization
  using the extensible ssrs api. 
  Now my questions are:
  1. What is happening here? Who is acting on my request before my HttpModule registered on top in ssrs\reporting service\web.config gets it?
  2. How do i ensure my httpmodule executes before whatever component is terminating my request with a 401

  Sorry if this sounds like I am new to this but I am.
  So, the extended version is the format that would be used if you were not utilizing the files that the wsdl2java function creates?
  And this is done to when you want more flexibiility for the user to call your service?
  So, you would push to have the stub files used when you want to control how the web service is used?
  thanks for the feedback.

• Error in setting up HTTP Header Variable Authentication

  Hi,
  I am trying to set-up SSO for SAP Biller Direct aplication (deployed on SAP J2EE 7.0) using HTTP Header variable authentication.
  As per SAP documentation I have created a new login module "HeaderVariableLoginModule" pointing to class "com.sap.security.core.server.jaas.HeaderVariableLoginModule".
  Then I have added this new login module to Statck "Ticket" and the new config looks as below. HTTP header when UID is passed is USI_LOP.
  Name                                                                                Flag                                            Options
  com.sap.security.core.server.jaas.HeaderVariableLoginModule    Sufficient                                    ume.configuration.active= tue,
                                                                                  Header=USI_LOP
  BasicPasswordLoginModule                                                           Optional
  CreateTicketLoginModule                                                                 Optional                                         ume.configuration.active= tue
  EvaluateTicketLoginModule                                                              Sufficient                                      ume.configuration.active= tue
  The problem I am now having is that the authentication through HTTP_HEADEr does not work. Even though I ahve increased the trace level for JAAS module to debug, there is not any type of information generated in the log.
  Each time I call the Biller Direct URL from the extrenal web server which also passes the HEADER variable for Authntication, the authrisation just fails and I am being shown a Logon Screen to pust UID/PASSWORD.
  Can someone please guide me, how I can debug this? There is very no information whether anyone tried to login with HEADER varibale and that has failed...
  Also, I am not pretty sure whether I am using the right Authentication Stack, which is is Ticket in my case..
  But when I enter the application without any URL redirects and enter UID and password directly for Biller Direct, I get the following in log file, which makes me believe that I am using the right stack.
  LOGIN.OK
  User: CONDLG
  Authentication Stack: ticket
  Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
  1. com.sap.security.core.server.jaas.HeaderVariableLoginModule             SUFFICIENT  ok          false      false                
  2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   OPTIONAL    ok          true       true                 
  3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
  4. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
  Central Checks                                                                                true                 
  Any help will be very much apprecated..
  Thanks,
  Vikrant Sud

  Vikrant,
  The reason why it is not working is because your login modules in ticket stack are in wrong order and with wrong flags. The first one should be EvaluateTicketLoginModule with flag=SUFFICIENT, then the Header Variable login module, with flag=OPTIONAL, then CreateTicketLoginModule with flag=SUFFICIENT, then BasicPasswordLoginModule with flag=REQUISITE, and lastly CreateTicektLoginModule with flag=OPTIONAL
  Thanks,
  Tim

• Any way to get HTTP header in web dynpro Java?

  Is there any way to get HTTP header in web dynpro java? This method gives me the params. Is params same as header? It doesn't have any way to retrieve header data. I am on NW 7.0.19
  WDProtocolAdapter.getProtocolAdapter().getRequestObject().getParameter("param");

  Dear Faraz,
  I'm afraid the code you've pasted is only to retrieve URL parameters.
  Have you tried this document to see if it offers any good hint:
  [http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0446f5c-fcb9-2910-e082-88becbe3ddc9]
  Not sure if you can process the HTTP header with a WD4J.
  An alternative could be to develop some Portal component in plain JAVA working as a proxy to call your WD4J afterwards.
  That portal component would process your HTTP header and forward any parameter to your WD4J.
  But this is me just guessing.
  Kind Regards
  /Ricardo

• How to Set UserId in Http Header for SSO?

  Hello All,
  I have a requirement to set the userid into the HTTP Header so that i can use the "Header Variables for User Authentication" module provided by SAP to achieve the SSO .
  Could some 1 let me know how can I achieve this? I know abt the HTTPServlet.setheader() method, But i need to set it using my JAVA application. Is there any way to set the HTTP Header using Java. I have already done a lot of googling, but havent got any results.
  I am sure that, there must definitely be a way in which we can add the user id into the HTTP header, in all the results, they tell abt adding it using the HTTP Servlet or PHP and so on, but i need to add it from JAVA.(setting REMOTE_USER as "mysapuserid")
  I have already added the "HeaderVariableLoginModule" in my login stack in the 2nd position, as per
  http://help.sap.com/saphelp_nw04/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
  Any pointers will be helpful,
  Meghana
  Edited by: Meghana Phadke on Apr 14, 2008 2:49 PM

  Hi
  As I understand, your java application is an EP client, check framework HttpClient :
  http://hc.apache.org/httpclient-3.x/
  http://hc.apache.org/httpclient-3.x/tutorial.html
  Hope this help
  Jakub Krecicki

• OIF11g - Help on sending user attributes in HTTP header

  Hello, I have a OIF11g setup configured for both IdP and SP. Upon successfull authentication against LDAP, I need to end some user attributes on the HTTP header to the SP application. I do no have OAM in my setup, so there is no option of Webgate or Policy Manager to do that. As far as I read the config doc, I'm in the impression that we need to write a custom authentication engine to accept user credentials and code to authenticate against LDAP and also add attributes to the response header.
  Before I go down that path, just wanted to confirm if anybody has done this with OIF?
  Thanks,
  Sunil.

  Bernhard:
  Actually the headers are not set to null. I have an intermediate index.jsp page which is the first page that is redirected to by the AM - it is this page which calls my LoginServlet.
  The value appears consistently on this index.jsp page but after it is forwarded to the LoginServlet it starts behaving inconsistently. I check the system.out log in my websphere /logs folder and that tells me that LoginServlet does not consistenly get these values from the header.
  The wierd part is that if I use cookies or attributes, it works perfectly - each time every time. However, only in the case of headers (which is the method i am required to do) it behaves inconsistently.
  ANY feedback/help on this would be really appreciated bern.. thanks..
  ~saahil