This topic describes how to use the SAP-specific HTTP callbacks HttpSetterCallback and HttpGetterCallback, both of which inherit from the interface HttpCallback.
The interface com.sap.engine.lib.security.http.HttpCallback defines the following fields:
HttpCallback Interface Constants

| Name | Value | Description |
|---|---|---|
| public final static byte HEADER | 1 | Get a header with a specified name from the request. If there are multiple headers with the same name, the first header in the request is retrieved. The returned value is of type java.lang.String. Add a header with a specified name and value in the response. The object passed as value should be of type java.lang.String. |
| public final static byte COOKIE | 2 | Get a cookie with a specified name from the request. The returned value is of type java.lang.String. Set a cookie with a specified name and value in the response. The object passed as value should be of type java.lang.String. |
| public final static byte REQUEST_PARAMETER | 3 | Get all request parameters with a specified name from the request. The returned value is an array of java.lang.String. |
| public final static byte CERTIFICATE | 4 | Get the certificate from the request. The returned value is an array of java.security.cert.X509Certificate. |
| public final static byte CLIENT_IP | 5 | Get the client IP from the request. The returned value is of type java.lang.String. |
| public final static byte METHOD_TYPE | 6 | Get the HTTP method type from the request. The returned value is of type java.lang.String. |
| public final static byte IS_SECURE | 7 | Get a boolean value indicating whether the request was made using a secure channel. The returned value is of type java.lang.Boolean. |
| public final static byte RESPONSE_CODE | 8 | Set the response code. The object passed as value should be of type java.lang.String. |
| public final static byte BODY | 9 | Get the request body. The returned value is of type java.io.InputStream. Set the response body. The object passed as value should be of type java.lang.String. |
| public final static byte SESSION_ATTRIBUTE | 10 | Get a session attribute with a specified name from the request. The returned value is of type java.lang.Object. Set a session attribute with a specified name and value in the request. The object passed as value should be of type java.lang.Object. |
| public final static byte ALL_SESSION_ATTRIBUTES | 11 | Get the names of all session attributes from the request. The returned value is an array of java.lang.String. |
| public final static byte REMOVE_SESSION_ATTRIBUTE | 12 | Remove a session attribute with a specified name from the request. |
| public final static byte REQUEST_ATTRIBUTE | 13 | Set a request attribute with a specified name and value in the request. The object passed as value should be of type java.lang.Object. |
| public final static byte SET_HEADER | 14 | Set a header with a specified name and value in the response. If the header has already been set, the new value overwrites the previous one. The object passed as value should be of type java.lang.String. |
| public final static byte REMOVE_HEADER | 15 | Remove a header with a specified name from the request. |
| public final static byte BODY_READER | 16 | Get the request body. The returned value is of type java.io.BufferedReader. |
The HttpGetterCallback is used by the login modules to obtain arbitrary information from the HTTP request.
Usually, callbacks are used to obtain the required information about a user during login. If the server needs to know the name of the user, for example, it could be obtained as follows:
```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;

// Require the name of the user (NameCallback has no no-argument constructor; a prompt text is mandatory)
NameCallback nameCallback = new NameCallback("User name: ");
// Tells the server that a user name is required, and the server sets this name in the callback.
// callbackHandler is the CallbackHandler instance passed to the login module in its initialize() method.
callbackHandler.handle(new Callback[] { nameCallback });
// Receives the user name
String userName = nameCallback.getName();
```
It is not strictly defined what information is required from the user. For example, it could be the user name, password, telephone number, certificate, or the name of the company where the user works. There is a great variety of information that could identify a user.
What will be checked during the authentication depends on:
1. The type of user store that is running on the server. One user store could hold only the user name and password, while another user store, whose users have bank accounts, could also contain the users' addresses, telephone numbers and bank account numbers.
2. The level of security you want applied to the application to which the user must authenticate. For example, user name and password authentication is much less secure than certificate authentication, yet it is used more often because of its simplicity.
The interface is meant to be used only for Web clients, that is, users who access the server over an HTTP or HTTPS connection. All the information the client presents about himself or herself is contained in the HTTP request sent to the server. The server tries to gather the required information and, if any of it is missing or wrong, does not allow access to the requested site.
Other than the requirement for different types of data about the user, different combinations of data could be required by different applications. For example, in order to authenticate a user, one application may require only a user name, whereas in another application the user has to provide his or her user name, password and e-mail as well. These combinations represent the different authentication methods and are performed using different login modules.
Use the HttpGetterCallback in the following way:
```java
// Shows that data from the HTTP headers of the request is required
HttpGetterCallback getterCallback = new HttpGetterCallback();
getterCallback.setType(HttpCallback.HEADER);
// Shows that the header with the name "address" is required
getterCallback.setName("address");
// Tells the server that the address of the user is required. Then the server sets it in the callback.
// The callbackHandler instance is passed to the login module via its initialize() method.
callbackHandler.handle(new Callback[] { getterCallback });
// Gets the address contained in the header field "address", or null if the client did not specify an address
Object value = getterCallback.getValue();
```
After that, the server could decide if the client with this address could be granted access to the site or not.
If the same user must authenticate himself or herself a second time, the login module first checks whether a ticket has already been created for that user. If not, it asks for the user's login information. Any type of information could be obtained using the HttpGetterCallback:
```java
// Shows that data is required from the HTTP cookies of the request
HttpGetterCallback getterCallback = new HttpGetterCallback();
getterCallback.setType(HttpCallback.COOKIE);
// Shows that the cookie with the name "ticket" is required from the request
getterCallback.setName("ticket");
// Tells the server that the ticket of the user is required;
// the server reads it from the request and sets it in the callback
callbackHandler.handle(new Callback[] { getterCallback });
// Gets the ticket that is in the cookies (null if no such cookie was sent)
Object value = getterCallback.getValue();
```
The login module creates an instance of the HttpGetterCallback, calls setType(HttpCallback.HEADER) and setName("Authorization"), and passes this instance to the handle method of the CallbackHandler. The CallbackHandler calls getType() and getName() on this instance, selects the header named Authorization from the HTTP request, and calls setValue(authorizationHeader). Now the login module can get the required information via the getValue() method of the HttpGetterCallback instance.
When the client browses an application, he or she could access different types of resources, that is, files or other types of information. Usually an application offers a wide variety of functions, and on every request for one of them the server would have to ask again for the full package of login information: the user name, password and e-mail. To avoid this, the server marks the user after the first successful authentication: a login module creates and assigns a mark to the user, for example an SAP Logon Ticket. At the next login, the login module first checks whether a ticket has already been created for the user, and if it exists, the client is not asked for information again.
To set the ticket, or any other information about the user that could later be used on the server, the HttpSetterCallback is used.
```java
// Shows that something will be set in the cookies of the response
HttpSetterCallback setterCallback = new HttpSetterCallback();
setterCallback.setType(HttpCallback.COOKIE);
// Shows that the cookie "ticket" will be set in the response
setterCallback.setName("ticket");
// Sets the created ticket for the user
setterCallback.setValue(ticket);
// Tells the server to set the ticket in the response (the setter callback is passed, not the getter)
callbackHandler.handle(new Callback[] { setterCallback });
```
The HttpSetterCallback is used to pass information gained in the login module (for example, a Single Sign-On token) back to the CallbackHandler, which attaches this information to the response.
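As an added example, not SAP's own code, the getter and setter exchanges described above assembled into one login() flow: the module first looks for an existing "ticket" cookie, otherwise reads HTTP Basic credentials from the Authorization header, and on success hands a new ticket back to the CallbackHandler as a response cookie, issuing it only when IS_SECURE reports a secure channel. The package of HttpGetterCallback and HttpSetterCallback and the validateTicket, verifyPassword and issueTicket operations are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import com.sap.engine.lib.security.http.HttpCallback;        // assumed: both callbacks live in this package
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.engine.lib.security.http.HttpSetterCallback;

public abstract class TicketOrBasicLogin {
    private final CallbackHandler callbackHandler;      // the handler passed to the login module in initialize()
    protected TicketOrBasicLogin(CallbackHandler handler) { this.callbackHandler = handler; }
    // Hypothetical user-store and ticket operations (not an SAP API); supplied by the concrete module.
    protected abstract String validateTicket(String ticket);          // user name, or null if not valid
    protected abstract boolean verifyPassword(String user, char[] pw);
    protected abstract String issueTicket(String user);

    private void handle(Callback cb) throws LoginException {
        try { callbackHandler.handle(new Callback[] { cb }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
    }
    // Reads one request value via HttpGetterCallback; name is null for constants that take none (IS_SECURE).
    private Object get(byte type, String name) throws LoginException {
        HttpGetterCallback cb = new HttpGetterCallback();
        cb.setType(type);
        if (name != null) cb.setName(name);
        handle(cb);
        return cb.getValue();
    }

    public String login() throws LoginException {
        // 1. A valid "ticket" cookie means the user already authenticated: do not ask the client again.
        Object ticket = get(HttpCallback.COOKIE, "ticket");
        String user = ticket instanceof String ? validateTicket((String) ticket) : null;
        if (user != null) return user;
        // 2. Otherwise require HTTP Basic credentials from the Authorization header.
        Object header = get(HttpCallback.HEADER, "Authorization");
        if (!(header instanceof String) || !((String) header).startsWith("Basic ")) throw new LoginException("no credentials presented");
        String[] cred;
        try { cred = new String(Base64.getDecoder().decode(((String) header).substring(6).trim()), StandardCharsets.UTF_8).split(":", 2); }
        catch (IllegalArgumentException e) { throw new LoginException("malformed Authorization header"); }
        if (cred.length != 2 || !verifyPassword(cred[0], cred[1].toCharArray())) throw new LoginException("bad credentials");
        // 3. Hand the new ticket to the CallbackHandler as a response cookie, but only when the request arrived
        //    over a secure channel (IS_SECURE), so the token is never sent back over plain HTTP.
        if (Boolean.TRUE.equals(get(HttpCallback.IS_SECURE, null))) {
            HttpSetterCallback set = new HttpSetterCallback();
            set.setType(HttpCallback.COOKIE);
            set.setName("ticket");
            set.setValue(issueTicket(cred[0]));
            handle(set);
        }
        return cred[0];
    }
}
```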