Using the HTTP Callback Classes

This topic describes how to use the SAP-specific HTTP callbacks HttpSetterCallback and HttpGetterCallback, both of which implement the HttpCallback interface.

HttpCallback

The interface com.sap.engine.lib.security.http.HttpCallback defines the following fields:

HttpCallback Interface Constants

Each entry gives the constant's declaration and value, followed by what a getter or setter callback of that type does.

public final static byte HEADER = 1
Getter: Get a header with a specified name from the request. If there are multiple headers with the same name, the first header in the request is retrieved. The returned value is of type java.lang.String.
Setter: Add a header with a specified name and value to the response. The object passed as value should be of type java.lang.String.

public final static byte COOKIE = 2
Getter: Get a cookie with a specified name from the request. The returned value is of type java.lang.String.
Setter: Set a cookie with a specified name and value in the response. The object passed as value should be of type java.lang.String.

public final static byte REQUEST_PARAMETER = 3
Get all request parameters with a specified name from the request. The returned value is an array of java.lang.String.

public final static byte CERTIFICATE = 4
Get the certificate from the request. The returned value is an array of java.security.cert.X509Certificate.

public final static byte CLIENT_IP = 5
Get the client IP from the request. The returned value is of type java.lang.String.

public final static byte METHOD_TYPE = 6
Get the HTTP method type from the request. The returned value is of type java.lang.String.

public final static byte IS_SECURE = 7
Get a boolean value indicating whether the request was made over a secure channel. The returned value is of type java.lang.Boolean.

public final static byte RESPONSE_CODE = 8
Set the response code. The object passed as value should be of type java.lang.String.

public final static byte BODY = 9
Getter: Get the request body. The returned value is of type java.io.InputStream.
Setter: Set the response body. The object passed as value should be of type java.lang.String.

public final static byte SESSION_ATTRIBUTE = 10
Getter: Get a session attribute with a specified name from the request. The returned value is of type java.lang.Object.
Setter: Set a session attribute with a specified name and value in the request. The object passed as value should be of type java.lang.Object.

public final static byte ALL_SESSION_ATTRIBUTES = 11
Get the names of all session attributes from the request. The returned value is an array of java.lang.String.

public final static byte REMOVE_SESSION_ATTRIBUTE = 12
Remove a session attribute with a specified name from the request.

public final static byte REQUEST_ATTRIBUTE = 13
Set a request attribute with a specified name and value in the request. The object passed as value should be of type java.lang.Object.

public final static byte SET_HEADER = 14
Set a header with a specified name and value in the response. If the header had already been set, the new value overwrites the previous one. The object passed as value should be of type java.lang.String.

public final static byte REMOVE_HEADER = 15
Remove a header with a specified name from the request.

public final static byte BODY_READER = 16
Get the request body. The returned value is of type java.io.BufferedReader.

HttpGetterCallback

The HttpGetterCallback is used by the login modules to obtain arbitrary information from the HTTP request.

Usually, callbacks are used to obtain the required information about a user during login. If the server needs to know the name of the user, for example, it could be obtained as follows:

// Request the name of the user (NameCallback needs a prompt string)
NameCallback nameCallback = new NameCallback("User name: ");
// Tells the server that a user name is required; the server sets the name in the callback.
// callbackHandler is the CallbackHandler instance passed to the login module's initialize() method.
callbackHandler.handle(new Callback[] { nameCallback });
// Receives the user name
String userName = nameCallback.getName();

It is not strictly defined what information is required from the user. For example, it could be the user name, password, telephone number, certificate, or the name of the company where the user works. There is a great variety of information that could identify a user.

What is checked during authentication depends on:

1. The type of user store running on the server. One user store might hold only the user name and password, while another, storing users who have bank accounts, might also contain the users' addresses, telephone numbers and bank account numbers.

2. The level of security to be applied to the application to which the user must authenticate. For example, user name and password authentication is much less secure than certificate authentication, yet it is used more often because of its simplicity.

The interface is meant to be used only for Web clients, that is, users who access the server over an HTTP or HTTPS connection. All the information the client presents about himself or herself is contained in the HTTP request sent to the server. The server tries to gather the required information and, if any of it is missing or wrong, does not allow access to the requested site.

Besides requiring different types of data about the user, different applications may require different combinations of data. For example, one application may require only a user name to authenticate a user, while in another the user has to provide his or her user name, password and e-mail as well. These combinations represent the different authentication methods and are performed using different login modules.

Use the HttpGetterCallback in the following way:

// Shows that data from the HTTP headers of the request is required
HttpGetterCallback getterCallback = new HttpGetterCallback();
getterCallback.setType(HttpCallback.HEADER);
// Shows that the header with the name "address" is required
getterCallback.setName("address");
// Tells the server that the address of the user is required; the server then sets it in the callback.
// The callbackHandler instance is passed to the login module via its initialize() method.
callbackHandler.handle(new Callback[] { getterCallback });
// Gets the address contained in the header field "address", or null if the client did not send one
Object value = getterCallback.getValue();

After that, the server can decide whether the client with this address may be granted access to the site.

If the same user must authenticate himself or herself a second time, the login module first checks whether a ticket has already been created for that user. If not, it asks for the user's login information. Any type of information can be obtained using the HttpGetterCallback:

// Shows that data is to be taken from the HTTP cookies of the request
HttpGetterCallback getterCallback = new HttpGetterCallback();
getterCallback.setType(HttpCallback.COOKIE);
// Shows that the cookie with the name "ticket" is required from the request
getterCallback.setName("ticket");
// Tells the server that the ticket of the user is required;
// the server reads it and sets it in the callback
callbackHandler.handle(new Callback[] { getterCallback });
// Gets the ticket from the cookies, or null if no such cookie was sent
Object value = getterCallback.getValue();

Example

The login module creates an instance of the HttpGetterCallback, calls setType(HttpCallback.HEADER) and setName("Authorization"), and passes this instance to the handle method of the CallbackHandler. The CallbackHandler calls getType() and getName() on this instance, selects the header named Authorization from the HTTP request, and calls setValue(authorizationHeader). Now the login module can get the required information via the getValue() method of the HttpGetterCallback instance.
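The handler side of the exchange just described, as an added example that is not part of the SAP documentation or the SAP engine: a hypothetical CallbackHandler backed by a servlet request and response. It assumes the Servlet 3.0 API (for Cookie.setHttpOnly), the standard servlet attribute javax.servlet.request.X509Certificate for the client certificate chain, and that HttpSetterCallback exposes the value it was given through getValue(); everything else uses only the callback methods and HttpCallback constants named on this page.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.engine.lib.security.http.HttpSetterCallback;

// Hypothetical handler (not SAP's implementation) that serves the SAP HTTP callbacks
// from a servlet request/response pair. Assumes the Servlet 3.0 API for setHttpOnly.
public class ServletHttpCallbackHandler implements CallbackHandler {
    private final HttpServletRequest request;
    private final HttpServletResponse response;

    public ServletHttpCallbackHandler(HttpServletRequest request, HttpServletResponse response) {
        this.request = request;
        this.response = response;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof HttpGetterCallback) {
                serveGetter((HttpGetterCallback) cb);
            } else if (cb instanceof HttpSetterCallback) {
                applySetter((HttpSetterCallback) cb);
            } else {
                // Fail loudly: a login module must not mistake "unsupported" for "absent".
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    private void serveGetter(HttpGetterCallback cb) throws UnsupportedCallbackException {
        switch (cb.getType()) {
            case HttpCallback.HEADER:      // first header with that name, or null if absent
                cb.setValue(request.getHeader(cb.getName()));
                break;
            case HttpCallback.COOKIE:
                cb.setValue(findCookie(cb.getName()));
                break;
            case HttpCallback.CLIENT_IP:
                cb.setValue(request.getRemoteAddr());
                break;
            case HttpCallback.IS_SECURE:
                cb.setValue(Boolean.valueOf(request.isSecure()));
                break;
            case HttpCallback.CERTIFICATE: // chain validated by the container during the TLS handshake
                cb.setValue(request.getAttribute("javax.servlet.request.X509Certificate"));
                break;
            default:
                throw new UnsupportedCallbackException(cb, "getter type not served: " + cb.getType());
        }
    }

    private String findCookie(String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (c.getName().equals(name)) return c.getValue();
        }
        return null;
    }

    private void applySetter(HttpSetterCallback cb) throws UnsupportedCallbackException {
        // Assumption: the setter callback exposes the value the login module gave it via getValue().
        String value = String.valueOf(cb.getValue());
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR/LF in response value"); // no header splitting
        }
        switch (cb.getType()) {
            case HttpCallback.COOKIE:
                Cookie cookie = new Cookie(cb.getName(), value);
                cookie.setPath("/");
                cookie.setHttpOnly(true);             // ticket is not readable by page scripts
                cookie.setSecure(request.isSecure()); // never echoed back over plain HTTP
                response.addCookie(cookie);
                break;
            case HttpCallback.SET_HEADER:             // overwrites an existing header, as the table says
                response.setHeader(cb.getName(), value);
                break;
            case HttpCallback.RESPONSE_CODE:          // the table passes the code as a String
                response.setStatus(Integer.parseInt(value));
                break;
            default:
                throw new UnsupportedCallbackException(cb, "setter type not applied: " + cb.getType());
        }
    }
}
```

The handler refuses callback types it cannot serve with an UnsupportedCallbackException instead of silently returning null, so a login module asking for something this handler does not supply fails visibly rather than treating the missing value as "the client sent nothing". A cookie set through the callback is marked HttpOnly, and Secure whenever the request itself arrived over TLS.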

HttpSetterCallback

When the client browses an application, he or she can access different types of resources, that is, files or other types of information. Usually an application provides a wide variety of functions, and on each request for one of them the server would have to ask again for the full set of login information: the user name, password and e-mail. To avoid this, the server marks the user after the first successful authentication: a login module creates and assigns a mark to the user, for example an SAP Logon Ticket. At the next login, the login module first checks whether a ticket already exists for the user, and if it does, the client is not asked for the information again.

To set the ticket, or any other information about the user that could later be used on the server, the HttpSetterCallback is used.

// Shows that something will be set in the cookies of the response
HttpSetterCallback setterCallback = new HttpSetterCallback();
setterCallback.setType(HttpCallback.COOKIE);
// Shows that the cookie "ticket" will be set in the response
setterCallback.setName("ticket");
// Sets the created ticket (a String built by the login module) as the value
setterCallback.setValue(ticket);
// Tells the server to set the ticket in the response
callbackHandler.handle(new Callback[] { setterCallback });

The HttpSetterCallback is used to pass information gained in the login module (for example, a Single Sign-On token) back to the CallbackHandler, which attaches this information to the response.
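How a login module combines the getter and the setter for the ticket flow described in this section and in the HttpGetterCallback section above, as an added example that is not SAP code: a hypothetical TicketLogin class whose login() mirrors what a LoginModule.login() would do with the CallbackHandler received in initialize(). It first verifies a ticket cookie, falls back to the client certificate (HttpCallback.CERTIFICATE), and issues a fresh ticket through HttpSetterCallback. The ticket format user:expiryMillis:base64url(HMAC-SHA256), the server-side key and the "ticket" cookie name are constructed for this illustration and have nothing to do with the real SAP Logon Ticket format.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import com.sap.engine.lib.security.http.HttpCallback;
import com.sap.engine.lib.security.http.HttpGetterCallback;
import com.sap.engine.lib.security.http.HttpSetterCallback;

// Hypothetical ticket logic for a login module; not SAP code. The ticket format
// user:expiryMillis:base64url(HMAC-SHA256) is constructed for this illustration
// and is unrelated to the real SAP Logon Ticket format.
public class TicketLogin {
    private static final long TICKET_LIFETIME_MS = 8L * 60 * 60 * 1000;
    private final CallbackHandler handler; // in a login module: the handler from initialize()
    private final byte[] ticketKey;        // assumption: a server-side secret, e.g. from module options

    public TicketLogin(CallbackHandler handler, byte[] ticketKey) {
        this.handler = handler;
        this.ticketKey = ticketKey;
    }

    // Returns the authenticated user name or throws, mirroring LoginModule.login().
    public String login() throws LoginException {
        try {
            // 1. The ticket cookie is client-supplied: trust it only after the MAC and expiry check.
            String ticket = (String) get(HttpCallback.COOKIE, "ticket");
            String user = ticket == null ? null : verifyTicket(ticket);
            if (user != null) return user;
            // 2. No usable ticket: fall back to the client certificate the container validated
            //    during the TLS handshake (a real module would also map the DN to a user store).
            X509Certificate[] chain = (X509Certificate[]) get(HttpCallback.CERTIFICATE, null);
            if (chain == null || chain.length == 0) throw new FailedLoginException("no ticket and no certificate");
            user = chain[0].getSubjectX500Principal().getName();
            // 3. Issue a ticket for later requests, but only if this request arrived over TLS.
            if (Boolean.TRUE.equals(get(HttpCallback.IS_SECURE, null))) {
                set(HttpCallback.COOKIE, "ticket", issueTicket(user));
            }
            return user;
        } catch (IOException | UnsupportedCallbackException | GeneralSecurityException e) {
            throw new LoginException("ticket login failed: " + e.getMessage());
        }
    }

    private Object get(byte type, String name) throws IOException, UnsupportedCallbackException {
        HttpGetterCallback cb = new HttpGetterCallback();
        cb.setType(type);
        if (name != null) cb.setName(name);
        handler.handle(new Callback[] { cb });
        return cb.getValue();
    }

    private void set(byte type, String name, Object value) throws IOException, UnsupportedCallbackException {
        HttpSetterCallback cb = new HttpSetterCallback();
        cb.setType(type);
        cb.setName(name);
        cb.setValue(value);
        handler.handle(new Callback[] { cb });
    }

    String issueTicket(String user) throws GeneralSecurityException {
        String payload = user + ":" + (System.currentTimeMillis() + TICKET_LIFETIME_MS);
        return payload + ":" + mac(payload);
    }

    // Returns the user name if the ticket is intact and unexpired, otherwise null.
    String verifyTicket(String ticket) throws GeneralSecurityException {
        int macCut = ticket.lastIndexOf(':');
        if (macCut <= 0) return null;
        String payload = ticket.substring(0, macCut);
        if (!MessageDigest.isEqual(mac(payload).getBytes(StandardCharsets.UTF_8),
                ticket.substring(macCut + 1).getBytes(StandardCharsets.UTF_8))) return null; // constant-time
        int expCut = payload.lastIndexOf(':');
        try {
            if (expCut <= 0 || Long.parseLong(payload.substring(expCut + 1)) < System.currentTimeMillis()) return null;
        } catch (NumberFormatException e) {
            return null;
        }
        return payload.substring(0, expCut);
    }

    private String mac(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(ticketKey, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Two points matter for the defender here: the "ticket" cookie arrives from the client, so the module never reads a user name out of it before the MAC has been checked with a constant-time comparison and the expiry has passed; and the setter is only used when IS_SECURE reports a TLS connection, so a freshly issued ticket is never handed out over plain HTTP.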
