Scenario 7: Adding response headers based upon values of the request headers

This scenario illustrates how to add headers to the HTTP Response when the value of an HTTP Request header meets certain conditions. A typical use is adding CORS headers.

The example shows how to add the CORS header "Access-Control-Allow-Origin" if the value of the request header Origin contains the value "test.com". Perform the following steps to add the response headers:

  1. Check the HTTP Request header "Origin" to see if it contains "test.com".
  2. If it does, add a new HTTP Response header Access-Control-Allow-Origin = <Value of the HTTP Request Origin header>.
  3. If it does not contain "test.com", do nothing.

Input documents

The following sample input documents are used for this scenario:

HTTP Response

<?xml version="1.0" encoding="UTF-8"?>
<HTTPResponse>
   <Scheme>https</Scheme>
   <ResponseLine>
       <Version>HTTP/1.1</Version>
       <StatusCode>200</StatusCode>
       <Reason>OK</Reason>
    </ResponseLine>
    <Headers>
        <Header name="Server">IBM_HTTP_Server</Header>
    </Headers>
    <HTTPRequest>
        <Scheme>https</Scheme>
        <RequestLine>
            <Method>GET</Method>
            <URI>/en/us/</URI>
            <Version>HTTP/1.1</Version>
         </RequestLine>
         <Headers>
             <Header name="Origin">myserver.test.com</Header>
         </Headers>
    </HTTPRequest>
</HTTPResponse>

XSLT Rules

Note: These rules must be stored in an XSL document that is defined as a response resource with an associated POP. See Configuration.

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        version="1.0">
        <!-- Firstly, strip any space elements -->
        <xsl:strip-space elements="*" />
        <!--
                Perform a match on the root of the document. Output the required
                HTTPResponseChange elements and then process templates.
        -->
        <xsl:template match="/">
                <HTTPResponseChange>
                        <xsl:apply-templates />
                </HTTPResponseChange>
        </xsl:template>
        <!--
                Do nothing to the version
        -->
        <xsl:template match="//HTTPResponse/ResponseLine/Version" />
        <!--
                Do nothing to the status code
        -->
        <xsl:template match="//HTTPResponse/ResponseLine/StatusCode" />
        <!--
                Do nothing to the reason
        -->
        <xsl:template match="//HTTPResponse/ResponseLine/Reason" />
        <!--
                Do nothing to the response headers
        -->
        <xsl:template match="//HTTPResponse/Headers" />
        <!--
                Do nothing to the cookies
        -->
        <xsl:template match="//HTTPResponse/Cookies" />
        <!--
                Suppress all other text (Scheme, Method, URI and so on) so that
                the built-in rules do not copy it into the output
        -->
        <xsl:template match="text()" />
        <!--
                Find the Origin header from the Request. Add the CORS header
                Access-Control-Allow-Origin with the value of the Origin header,
                but only if that value contains test.com. Header names are
                case-insensitive, so the name is compared in lower case.
        -->
        <xsl:template match="//HTTPResponse/HTTPRequest/Headers/Header">
                <xsl:choose>
                        <xsl:when test="translate(@name,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='origin' and contains(text(),'test.com')">
                                <Header action="add" name="Access-Control-Allow-Origin">
                                        <xsl:value-of select="node()"/>
                                </Header>
                        </xsl:when>
                </xsl:choose>
        </xsl:template>
</xsl:stylesheet>

Output XML document

In this scenario, the following XML document is the output from the XSL transformation. This document outlines the changes for WebSEAL to perform on the original HTTP response.

<?xml version="1.0" encoding="UTF-8"?>
<HTTPResponseChange>
    <Header action="add" name="Access-Control-Allow-Origin">myserver.test.com</Header>
</HTTPResponseChange>