Scenario 7: Adding response headers based upon values of the request headers
This scenario illustrates how to add headers to the HTTP Response when the value of an HTTP Request header meets certain conditions. A typical use is adding CORS headers.
The example shows how to add the CORS header "Access-Control-Allow-Origin" if the value of the request header Origin contains the value "test.com". Perform the following steps to add the response headers:
- Check the HTTP Request header "Origin" to see if it contains "test.com".
- If it does, add a new HTTP Response header Access-Control-Allow-Origin = <Value of the HTTP Request Origin header>.
- If it does not contain "test.com", do nothing.
Input documents
The following sample input documents are used for this scenario:
HTTP Response
<?xml version="1.0" encoding="UTF-8"?>
<HTTPResponse>
  <Scheme>https</Scheme>
  <ResponseLine>
    <Version>HTTP/1.1</Version>
    <StatusCode>200</StatusCode>
    <Reason>OK</Reason>
  </ResponseLine>
  <Headers>
    <Header name="Server">IBM_HTTP_Server</Header>
  </Headers>
  <HTTPRequest>
    <Scheme>https</Scheme>
    <RequestLine>
      <Method>GET</Method>
      <URI>/en/us/</URI>
      <Version>HTTP/1.1</Version>
    </RequestLine>
    <Headers>
      <Header name="Origin">myserver.test.com</Header>
    </Headers>
  </HTTPRequest>
</HTTPResponse>
XSLT Rules
Note: These rules must be stored in an XSL document that is defined as a response resource with an associated POP. See Configuration.
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    version="1.0">
  <!-- Firstly, strip any space elements -->
  <xsl:strip-space elements="*" />
  <!--
    Perform a match on the root of the document. Output the required
    HTTPResponseChange elements and then process templates.
  -->
  <xsl:template match="/">
    <HTTPResponseChange>
      <xsl:apply-templates />
    </HTTPResponseChange>
  </xsl:template>
  <!--
    Suppress text nodes that no other template handles (Scheme, Method,
    URI and so on), so that the built-in rules do not copy their text
    into the output.
  -->
  <xsl:template match="text()" />
  <!--
    Do nothing to the version
  -->
  <xsl:template match="//HTTPResponse/ResponseLine/Version" />
  <!--
    Do nothing to the status code
  -->
  <xsl:template match="//HTTPResponse/ResponseLine/StatusCode" />
  <!--
    Do nothing to the reason
  -->
  <xsl:template match="//HTTPResponse/ResponseLine/Reason" />
  <!--
    Do nothing to the response headers
  -->
  <xsl:template match="//HTTPResponse/Headers" />
  <!--
    Do nothing to the cookies
  -->
  <xsl:template match="//HTTPResponse/Cookies" />
  <!--
    Find the Origin header from the Request. Add the CORS header
    Access-Control-Allow-Origin with the value of the Origin header,
    but only if that value contains test.com.
    XPath string comparison is case-sensitive, so the header name is
    lower-cased before it is compared; this matches both "Origin" (as in
    the sample input) and "origin".
  -->
  <xsl:template match="//HTTPResponse/HTTPRequest/Headers/Header">
    <xsl:choose>
      <xsl:when test="translate(@name,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='origin' and contains(text(),'test.com')">
        <Header action="add" name="Access-Control-Allow-Origin">
          <xsl:value-of select="node()"/>
        </Header>
      </xsl:when>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
Output XML document
In this scenario, the following XML document is the output from the XSL transformation. This document outlines changes for WebSEAL to perform on the original HTTP response:
<?xml version="1.0" encoding="UTF-8"?>
<HTTPResponseChange>
  <Header action="add" name="Access-Control-Allow-Origin">myserver.test.com</Header>
</HTTPResponseChange>
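The rule in this scenario uses contains(), which also matches any Origin value that merely includes the string test.com somewhere in it. The following stylesheet is an added example, not part of the original documentation: it compares the end of the host name instead, so the header is echoed only for test.com and its subdomains. It assumes the Origin value arrives either with an https:// prefix or bare, as in the sample input, and without an explicit port.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <!-- Assumption: the single trusted parent domain, written with its leading dot -->
  <xsl:variable name="suffix" select="'.test.com'" />
  <xsl:variable name="upper" select="'ABCDEFGHIJKLMNOPQRSTUVWXYZ'" />
  <xsl:variable name="lower" select="'abcdefghijklmnopqrstuvwxyz'" />

  <!-- Visit only the request headers, so no other text reaches the output -->
  <xsl:template match="/">
    <HTTPResponseChange>
      <xsl:apply-templates select="/HTTPResponse/HTTPRequest/Headers/Header" />
    </HTTPResponseChange>
  </xsl:template>

  <xsl:template match="Header">
    <!-- Header names and host names are case-insensitive: lower-case both -->
    <xsl:variable name="name" select="translate(@name, $upper, $lower)" />
    <xsl:variable name="origin"
        select="translate(normalize-space(.), $upper, $lower)" />
    <!-- Drop the https:// scheme if present; any other scheme stays in the
         string and therefore fails the comparison below -->
    <xsl:variable name="host">
      <xsl:choose>
        <xsl:when test="starts-with($origin, 'https://')">
          <xsl:value-of select="substring-after($origin, 'https://')" />
        </xsl:when>
        <xsl:otherwise><xsl:value-of select="$origin" /></xsl:otherwise>
      </xsl:choose>
    </xsl:variable>
    <!-- XSLT 1.0 has no ends-with(): take the tail of the host by length -->
    <xsl:variable name="tail"
        select="substring($host, string-length($host) - string-length($suffix) + 1)" />
    <!-- Accept test.com itself, or a non-empty label followed by .test.com -->
    <xsl:if test="$name = 'origin' and ($host = 'test.com' or
                  (string-length($host) &gt; string-length($suffix) and $tail = $suffix))">
      <Header action="add" name="Access-Control-Allow-Origin">
        <xsl:value-of select="normalize-space(.)" />
      </Header>
    </xsl:if>
  </xsl:template>
</xsl:stylesheet>
```

For the sample input document this produces the same output as shown above; an Origin value in which test.com is not the end of the host name produces an empty HTTPResponseChange element.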