Classification:  UNCLASSIFIED
Caveats: NONE

Folks,

   I hope someone out there has some insight regarding the problem that I'm 
about to describe.  All custom request header fields that are added via the 
SiteMinder policy server are being stripped (intentionally or accidentally) 
from the request header after passing through the Apache Tomcat 
"isapi_redirect.dll" ISAPI filter.

   We have a website running on IIS and ColdFusion 10 that is protected using 
SiteMinder.  When a web request comes in, SiteMinder intercepts the request and 
performs a HTTP 302 redirect to the policy servers for authentication.  After 
successful authentication, the policy server adds some custom fields, such as 
"userid" and "mail", to the request header and fires it back to our web server. 
When using the ASP script below, I can see that these custom header fields 
appear in IIS, so I have proof that they are arriving intact in the header.  
However, the problem is that the custom request header fields get stripped out 
when viewing a ColdFusion page, which goes through the Apache Tomcat ISAPI 
filter.

   Here is the "showheaders.asp" page that I used to view the custom header 
fields:

--- BEGIN showheaders.asp ---
        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
        <!--
            This is a VERY simple example to display all the http headers
            DO NOT run this on a production server. Sensitive information is 
exposed here, and should not be made public.

            For more free source code, tutorials, programs, and generally cool 
stuff, go to http://renegademinds.com
        -->
        <HTML>
        <HEAD>
                <TITLE> Get HTTP headers </TITLE>
                <META NAME="Generator" CONTENT="Renegade">
                <META NAME="Author" CONTENT="Ryan Smyth">
                <META NAME="Keywords" CONTENT="get http headers iis asp">
                <META NAME="Description" CONTENT="Get and display all the http headers for a server and client">
        </HEAD>

        <BODY>
        <H1>HTTP Headers</H1>
        <%
        ' Iterate through the server variables collection and display each header along with its value
        for each header in Request.ServerVariables
                response.write header & " = " & Request.ServerVariables(header) & "  <br><br> "
        next
        %>

        <strong><font size="+3">For more free source code, tutorials, programs, and generally
        cool stuff, go to <a href="http://renegademinds.com">http://renegademinds.com</a>.</font></strong>
        </BODY>
        </HTML>
--- END showheaders.asp ---

Here is the "showheaders.cfm" page that I used to view the custom header fields:

--- BEGIN showheaders.cfm ---
        <HTML>
        <HEAD>
                <TITLE> Get HTTP headers </TITLE>
        </HEAD>

        <BODY>
                <cfoutput>ALL_HTTP = #cgi.ALL_HTTP#</cfoutput>
                <cfdump var="#cgi#" label="cgi" expand="yes" />
                <cfdump var="#getHTTPRequestData()#" />
        </BODY>
        </HTML>
--- END showheaders.cfm ---

   The missing headers problem started after upgrading our server from 
ColdFusion MX 7 to ColdFusion 10.  ColdFusion MX 7 ran on JRun; ColdFusion 10 
runs on a modified version of Apache Tomcat.  I suspect that the header fields 
are being stripped out by the ISAPI filter, because the custom fields are 
missing whether I use ColdFusion's built-in "getHTTPRequestData()" function, or 
from a Java equivalent on the ColdFusion page.

--- BEGIN GetCredentialsFromHeader() ---
<cffunction name="GetCredentialsFromHeader" access="private" returntype="any" 
output="false">
        <!--- This is the Java way of getting request headers. --->
        <!--- This method still uses ColdFusion tags, but it  --->
        <!--- makes Java function calls through               --->
        <!--- getPageContext().                               --->
        <cfset pageRequest = getPageContext().getRequest() />
        <cfset pageRequestHeaderNames = pageRequest.getHeaderNames() />
        <cfloop condition="#pageRequestHeaderNames.hasMoreElements()#">
                <cfset thisName = pageRequestHeaderNames.nextElement() />
                <cfoutput>
                        #thisName#='#pageRequest.getHeader(thisName)#'<br />
                </cfoutput>
        </cfloop>
        <cfdump var="#pageRequest#" label="Java Page Request" />

        <!--- This is the ColdFusion way of getting request headers. --->
        <cfdump var="#GetHTTPRequestData()#" label="HTTP Request Headers" />

        <cfabort />
</cffunction>
--- END GetCredentialsFromHeader() ---

   Another quirk that I noticed is that the "ALL_HTTP" CGI field exists after 
passing through the ISAPI filter, but it's blank.  In contrast, the ALL_HTTP 
field is populated when viewing in IIS via the ASP script.

   Now the specs:

        ColdFusion:             version 10,282462
        CF-Tomcat:              N/A (It's integrated into ColdFusion 10)
        isapi_redirect.dll:     version 1.2.32.0
        OS:                     Windows 2003
        Java:                   JDK 1.6.0_33
        VM Version:             20.8-b03
        IIS:                    6

   I can't think of anything else at the moment.  If anyone knows what's 
causing this, please help me.  I'd be very grateful.

Thanks!
John Lowman, Java SCP, CIW, A+, Security+ (Contractor)
Programmer
CALIBRE
256.217.1648
www.calibresys.com
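An added diagnostic (not from the post, nor from the Tomcat or ColdFusion projects) that compares the two dumps described above: it parses the ALL_HTTP value the ASP page shows on the IIS side, canonicalises the CGI-mangled names against the list pageRequest.getHeaderNames() returns on the ColdFusion side, and reports which fields never made it through isapi_redirect.dll. Both dumps are constructed samples, and the set of required identity headers ("userid", "mail") is an assumption taken from the post.

```python
# Constructed sample of ALL_HTTP as IIS reports it: each header becomes one
# "HTTP_NAME:value\r\n" entry, upper-cased, with '-' turned into '_'.
IIS_ALL_HTTP = (
    "HTTP_HOST:www.example.com\r\n"
    "HTTP_USER_AGENT:Mozilla/5.0\r\n"
    "HTTP_ACCEPT:text/html\r\n"
    "HTTP_USERID:jdoe\r\n"
    "HTTP_MAIL:jdoe@example.com\r\n"
)

# Constructed sample of what pageRequest.getHeaderNames() enumerated on the
# ColdFusion/Tomcat side of isapi_redirect.dll for the same request.
TOMCAT_HEADER_NAMES = ["host", "user-agent", "accept"]


def cgi_name_to_header(name):
    """Undo the CGI mangling: strip HTTP_, lower-case, '_' -> '-'.  The mapping
    is lossy (an underscore in the real name also comes back as '-'), so both
    sides are compared in this canonical form."""
    if name.upper().startswith("HTTP_"):
        name = name[5:]
    return name.lower().replace("_", "-")


def parse_all_http(raw):
    """Parse an ALL_HTTP blob into {canonical header name: value}."""
    headers = {}
    for entry in raw.split("\r\n"):
        name, sep, value = entry.partition(":")
        if sep:  # skip blank or malformed entries instead of guessing
            headers[cgi_name_to_header(name.strip())] = value.strip()
    return headers


def dropped_headers(iis_raw, tomcat_names):
    """Header names IIS saw that never reached the servlet container."""
    reached = {cgi_name_to_header(n) for n in tomcat_names}
    return sorted(n for n in parse_all_http(iis_raw) if n not in reached)


def identity_headers_present(tomcat_names, required=("userid", "mail")):
    """Fail closed: a request only counts as authenticated on the ColdFusion
    side if every SiteMinder identity header actually survived the hop."""
    reached = {cgi_name_to_header(n) for n in tomcat_names}
    return all(r in reached for r in required)
```

Feed it the real ALL_HTTP text from showheaders.asp and the name list from GetCredentialsFromHeader() to get the exact set of dropped fields; if identity_headers_present() is false, the page must not treat the visitor as logged in.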

