See wam Menu

Accessing WAM HTTP Request Headers

HTTP request headers provide a convenient, programming-environment-neutral method for obtaining information about a request. Each HTTP browser request contains header variables that you can use to make programmatic decisions.

By default, WAM adds secure HTTP request headers to each request. WAM HTTP request headers are secure because they are inserted by the WAM web agent before the request is handed to the web app. Any HTTP request headers sent by the client (usually an HTML browser) that start with CAMS-HTTP- are treated as malicious and result in an error. By default, the following WAM HTTP request headers are inserted into each request:

WAM HTTP Request Header Description
CAMS-HTTP-SESSION-ID The authenticated user’s session ID.
CAMS-HTTP-SESSION-CREATED The date/time when the user’s session was created.
CAMS-HTTP-SECURITY-DOMAIN The security domain to which the authenticated user session belongs.
CAMS-HTTP-USER The authenticated user name.
CAMS-HTTP-ROLE The role(s) assigned to the authenticated user. One instance of this header is added for each role. Some environments may permit multiple instances of this request header.
CAMS-HTTP-ROLES A comma-delimited list of roles assigned to the authenticated user.

Use of dashes in WAM request headers is generally considered to be best practice. However, some programming environments convert request header values with dashes to underscores and prepend HTTP_ before the name/value pair is passed to the programming environment. Hence, values such as HTTP_CAMS_HTTP_SESSION_ID and HTTP_CAMS_HTTP_USER should be expected when programming with the following programming environments:

  • Apache cgi-bin languages and interpreters such as shell script, PERL, PHP, and so forth.

  • Microsoft IIS ASP.NET supported languages such as Jscript, Visual Basic, C/C++, and so forth.

J2EE servers such as JBoss, Tomcat, WebLogic, and WebSphere provide the values with dashes.

NOTE: Web server cgi-bin interfaces make HTTP request headers available as environment variables. Request header CAMS-HTTP-ROLE may have multiple instances for each role in some environments like a J2EE servlet container. For cgi-bin, however, only one instance of an environment variable is accessible, which makes use of the CAMS-HTTP-ROLES request headers more appropriate.

You can use these intrinsic WAM HTTP request headers to customize your web applications. For example, your web applications might give different privileges to users with the Admin, Manager, and Everyone roles. You can define the program logic and presentation based on these roles and then use WAM HTTP request headers at runtime to dynamically change the presentation based on the authenticated user.

Using Java

To fetch a WAM HTTP request header value with Java, use the HttpServletRequest API calls:

  • request.getHeader(String name): Returns the value of the specified header as a String. Learn more

  • request.getHeaders(String name): Returns all the values of the specified header as an enumeration of String objects. Learn more

  • request.getHeaderNames(): Returns an Enumeration of all the header names. Learn more

  • request.getIntHeader(String name): Returns the value of the specified header as an int. Learn more

NOTE: Multiple HTTP headers can have the same name. For example, a WAM user may have multiple CAMS-HTTP-ROLE values. To fetch all the values for a header name with multiple values, you must use the getHeaders(name) method and iterate over the enumeration.

Example 1 shows the use of request.getHeaderNames() and request.getHeaders() in a JSP page to obtain, find, and display the names and values of all intrinsic WAM HTTP request headers.

<%@ page language="java" %>
<%@ page import="java.util.Enumeration" %>

...

<h2>WAM HTTP Request Headers</h2>
   <table border="0" cellspacing="1" cellpadding="2">
      <tr>
         <th>Name</th>
         <th>Value</th>
      </tr>
  
<%
   // Get all WAM HTTP request headers names/values
   if (request.getHeader("CAMS-HTTP-SESSION-ID") != null)
   {
    Enumeration e1 = request.getHeaderNames();
    while (e1.hasMoreElements())
    {
     boolean doLoop = true;
     String name = ((String)e1.nextElement()).toUpperCase();
     if (name.startsWith("CAMS-HTTP-"))
     {
      Enumeration e2 = request.getHeaders(name);
      while (e2.hasMoreElements())
      { 
       String value = (String)e2.nextElement();
%>
   
<tr> 
   <td class=gray><%= name %></td>
   <td class=gray><%= value %></td>
</tr>

<%
    }
   }
  }
 }
%>

Example 1 - JSP code snippet that displays the intrinsic WAM HTTP request headers

As you will see later in this documentation, you can use the J2EE servlet security API isUserInRole() and getUserPrincipal() methods in J2EE servers with WAM web agents to make programmatic role based decisions. If the servlet security API is not available you can also use WAM HTTP request header to accomplish the same role based decisions as shown in Example 2.

<%@ page language="java" %>
<%@ page import="java.util.ArrayList" %>
<%@ page import="java.util.Enumeration" %>

...

<%
 // Determine role and get corresponding list
 ArrayList list = null;
 Enumeration e = request.getHeaders("CAMS-HTTP-ROLE");
 while (e.hasMoreElements())
 {
  if ("Manager".equals((String)e.nextElement()))
  {
   // Managers see a list of all employees
   list = EmployeeList.getAllEmployees();
   break;
  }
 }

 // Employees see a list with their own identity 
 if (list == null)
 {
  list = EmployeeList.getEmployee(request.getRemoteUser());
 }
%>

Example 2 - JSP code snippet that uses WAM HTTP request headers to make role based programmatic decisions

This JSP code snippet that shows the use of the WAM HTTP request headers to determine if an employee account information list should contain all employees or only the currently authenticated user. If the authenticated user has the role of Manager, then he will see a list with all employees. Otherwise, he only sees a list with his own account information.

Using ASP.NET Scripts

Example 2 shows the use of Microsoft Jscript to obtain, find, and display the names and values of all the WAM HTTP request headers.

<%@ language = JScript %>

<html>
<head>
<title>Display WAM Headers</title>
</head>
<body>

<h2>WAM HTTP Request Headers</h2>
<table border="1" cellspacing="0" cellpadding="5" width="700">
 <tr> 
  <th>Name</th>
  <th>Value</th>
 </tr>

<%
 // Initialize variables
 var variablesKeys : String[] = Request.ServerVariables.AllKeys;

// Use regular expression to parse WAM headers only
var re = new RegExp("^HTTP_CAMS_HTTP_.*");
  
for (var i = 1; i < variablesKeys.Length; i++)
{
       if (!variablesKeys[i].search(re))
     {
      Response.Write("<tr><td align=\"right\">"         
    + variablesKeys[i] + "</td><td>" 
    + Request.ServerVariables(variablesKeys[i])
    + "</td></tr>");
  }         
 }
%>

</table>
</body>
</html>

Example 2 - ASP.NET code snippet that displays the intrinsic WAM HTTP request headers

NOTE: The value HTTP_ is prepended to each WAM HTTP request header in the ASP.NET environment by IIS.

Using CGI-Based Programming Languages Including PHP, Python, Ruby, and Perl

Example 3 shows the use of PERL to display the cgi-bin environment variables, which includes the WAM HTTP request headers.

#!/usr/bin/perl

#
# Displays the cgi environment variables in a table.
#

print "Content-type:text/html\n\n";
print "<html>\n";
print " <head>\n";
print " <title>View CGI Environment Variables</title>\n";
print " </head>\n";
print " <body bgcolor=white>\n";
print " <h2><font face=helv color=cc9900>CGI Environment Variables</font></h2>\n";
print " <table cellpadding=3 cellspacing=0 border=1>\n";

foreach $key (sort(keys %ENV))
{
  print " <tr><td align=right>$key:</td><td>&nbsp;$ENV{$key}</td></tr>\n";
}

print " </table>\n";
print " </body>\n";
print "</html>\n";

exit(0);

Example 3 - Using Perl to display CGI environment variables including the intrinsic WAM HTTP headers

NOTE: The value HTTP_ is prepended to each WAM HTTP request header by Apache.

Creating Custom WAM HTTP Request Headers

In addition to the intrinsic WAM HTTP request headers shown in this section, you can also create custom request headers using the WAM Session API. For example, you might want to make certain user profile information securely available to all of your web applications without requiring each web application to do a query to obtain the information.

With WAM, you can query this information once when the user authenticates and his session is created. Then, you can pass the information to your web applications using WAM HTTP request headers. Using this method allows you to easily make any user data you require available to web applications in almost any programming environment.

Furthermore, you improve performance and security by centralizing and reducing the number of queries to what may be sensitive information.


Have a Question?

Have a how-to question? Seeing a weird error? Contact us.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.