How to set custom HTTP header for single sign on

[sharon3874]

my company is a financial sector. Currently we just begin to use an application called "etran". This application requires user name and password to login. Now, my assignment is to integrate etran application in our internal application. This means that somewhere in our internal application, there is a link leads to the etran application.

It is going to be single sign on, that means that once user logs into our internal application, when he/she clicks on the etran link, no sign on to etran is needed.

I consult with the technical people in etran. they said that our internal application needs to send a "login request" to etran via SSL with the user's information encoded in base 64 format. etran captures the HTTP header containing user authentication and authorization information, and parses the required information from the HTTP header.

My question is that how I set user information in HTTP header? From my understanding, once I am able to set the user information in HTTP header, it is in base 64 format?

Thanks in advance for your help.

 

[Ascalonian]

I am not sure about putting it into base 64, but to set the HTTP headers, you need to use HttpServletResponse object. An example of this is at:

http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Response-Headers.html

 

[Diancecht]

First, don't double post.

Second, here you have a Base 64 encoder

Cheers,
Dian

 

[sharon3874]

Thank you for your responses.

I am sorry that I double post it since I am not sure which forum this question should go to.

I tried redirect in servlet, it didn't work. I was able to set the header on the response object, but when it goes to the redirecting jsp page (I created one jsp to test), I was not able to get the header from the request object (it was null).

I also tried XMLHTTPRequest in javascript, it did not work either. some people told me that it is due to security constraints in web browsers. web browser will not allow an XMLHTTPRequest to send to a different domain.

I don't want to use cookie if I have other choices.

I don't want to use URL rewriting due to security reasons.

any idea?

 

[Diancecht]

That should work, I remember doing it in the past. Maybe if you post the relevant code we can take a look

Cheers,
Dian

 

[Ascalonian]

How did you try reading the response object?

 

[sharon3874]

Thank you for your replies.

I tried to set the header in the response object like the following in my servlet (struts action):
response.setHeader("Authorization", "test");

i did something like the following in my jsp page to see the result:
<%
System.out.println("test " + request.getHeader("Authorization"));
%>

the result is "null".

any idea?

 

[Ascalonian]

That might be because you are not setting the Authorization header properly.

Instead of "test", try: "user fred:mypassword".

If not, I will be more than happy to keep digging into this.

 

[Diancecht]

Or try using another keyword.

Here you have some examples

Setting headers
Getting headers

Cheers,
Dian

 

[timw]

Hang on a mo. Sharon3874, in your servlet you're setting the http header in the response. But in the jsp you are querying the http header for the request. So the jsp will show null since it hasn't been set in the request, it's been set in the response. If the servlet delegates to the jsp to render the page (it's been I while since I did any Struts) then the jsp would need to look at the response object too, would it not?

I may be wrong here, but that would explain the null you are seeing.

Tim

 

[Ascalonian]

timw... i think you may be correct. Didn't even think of that.