
Java to XSJS AppToAppSSO authentication

Hi Experts,

We are trying to read content from XSJS and print it in a Java servlet after SAML authentication and AppToAppSSO. The Java application is deployed on SCP and the IdP is configured as SF. SAML is configured in HANA. We are receiving an Unauthorized error in the servlet. Kindly find the Java code:

package com.poc;

import java.io.IOException;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicResponseHandler;
import org.apache.http.impl.client.HttpClients;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.sap.core.connectivity.api.authentication.AuthenticationHeader;
import com.sap.core.connectivity.api.authentication.AuthenticationHeaderProvider;
import com.sap.core.connectivity.api.configuration.ConnectivityConfiguration;
import com.sap.core.connectivity.api.configuration.DestinationConfiguration;

public class CheckUser extends HttpServlet {
	private static final long serialVersionUID = 1L;

	private final Logger log = LoggerFactory.getLogger(this.getClass());

	public CheckUser() {
		super();
	}

	protected void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		// TODO Auto-generated method stub

		// String user = request.getRemoteUser();
		// response.getWriter().println("Hello:"+ user);

		// look up the connectivity authentication header provider resource
		// called "myAuthHeaderProvider"
		Context ctx;
		try {
			ctx = new InitialContext();
			// The JNDI name of this lookup was cut off in the post; the string is a placeholder.
			ConnectivityConfiguration configuration = (ConnectivityConfiguration) ctx
					.lookup("java:comp/env/<connectivity-configuration-resource-name>");
			// Log calls restored; the original log level was lost in the post.
			DestinationConfiguration destConfiguration = configuration.getConfiguration("xsjstest");
			log.info("dest config:" + destConfiguration);
			String url = destConfiguration.getProperty("URL") + "/sandbox/getUser.xsjs";
			log.info("url" + url);

			AuthenticationHeaderProvider authHeaderProvider = (AuthenticationHeaderProvider) ctx
					.lookup("java:comp/env/myAuthHeaderProvider");
			AuthenticationHeader appToAppSSOHeader = authHeaderProvider.getAppToAppSSOHeader(url);
			// Writes the SSO header value itself to the application log.
			log.info("sso header:" + appToAppSSOHeader.getValue());
			HttpClient httpClient = HttpClients.createDefault();
			HttpGet req = new HttpGet(url);
			req.addHeader(appToAppSSOHeader.getName(), appToAppSSOHeader.getValue());

			HttpResponse res = httpClient.execute(req);
			// BasicResponseHandler throws HttpResponseException for status codes >= 300.
			String responseString = new BasicResponseHandler().handleResponse(res);

		} catch (NamingException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
	}

	/**
	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
	 *      response)
	 */
	protected void doPost(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		// TODO Auto-generated method stub
		doGet(request, response);
	}
}

Please find the destination:

Please find the logs of java application:

2019 03 13 06:20:25#+00#ERROR#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/auth].[CheckUser]##anonymous#https-jsse-nio-8041-exec-6#na#a047f26b1#auth#web#a047f26b1#na#na#na#na#Servlet.service() for servlet [CheckUser] in context with path [/auth] threw exception
org.apache.http.client.HttpResponseException: Unauthorized
	at org.apache.http.impl.client.BasicResponseHandler.handleResponse(
	at com.poc.CheckUser.doGet(
	at javax.servlet.http.HttpServlet.service(
	at javax.servlet.http.HttpServlet.service(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at org.apache.catalina.core.StandardWrapperValve.invoke(
	at org.apache.catalina.core.StandardContextValve.invoke(
	at org.apache.tomee.catalina.OpenEJBValve.invoke(
	at
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
	at
	at org.apache.catalina.core.StandardHostValve.invoke(
	at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(
	at
	at
	at
	at
	at
	at org.apache.catalina.valves.ErrorReportValve.invoke(
	at org.apache.catalina.core.StandardEngineValve.invoke(
	at org.apache.catalina.connector.CoyoteAdapter.service(
	at org.apache.coyote.http11.Http11Processor.service(
	at org.apache.coyote.AbstractProcessorLight.process(
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(
	at$SocketProcessor.doRun(
	at
	at java.util.concurrent.ThreadPoolExecutor.runWorker(
	at java.util.concurrent.ThreadPoolExecutor$
	at org.apache.tomcat.util.threads.TaskThread$
	at

Kindly let us know your insights on the same. I will be really thankful.

Best regards,



2 Answers

  • Mar 13 at 01:30 PM

    Hi Ankit,

    Why are you using myAuthHeaderProvider as JNDI lookup?

    According to the docs you are supposed to use the default authentication lookup - not a custom one.

    You should define it on your web.xml like so:


    I also see that you've configured the destination with a wrong setting for saml_audience.

    Please read the blog with full step-by-step procedure on what you are trying here.

    Best regards,


    • Hi Ivan,

      Thanks for your reply.

      We have already defined authentication in web.xml. I forgot to include it in my question.

      Also, I hope we are using right value only for saml_audience. Kindly look at the saml service provider.



  • Mar 13 at 08:42 PM

    Hi Ankit,

    How is your web.xml?

    How do you initiate user authentication on SCP? Through your Java application? Do you have a UI? Is this running on Neo or CF?

    I've found the following piece of code that should work for principal propagation:

    Apparently your java code should work. However, I wanted to see how authentication is taking place - as the original error you are facing is:

    HttpResponseException: Unauthorized

    Best regards,


    • Hi Ankit,

      I don't really have any SuccessFactors instance to test this - but it should make no difference since we are just switching IdPs. So I believe I would be able to reproduce your error if you could share your project on GitHub (at least a prototype where I could reproduce the error here).

      If not possible, then I would suggest you debug your code and see what is really throwing the Unauthorized error.

      I would inspect the request headers being made by your code versus a request that works while calling the service from Postman.

      Best regards,
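
An added example, not code from any participant in this thread, for the debugging step suggested above: `BasicResponseHandler` in the question throws on any status of 300 or higher and discards the response, so this helper executes the request itself and reports the status line, response headers and body, while logging outgoing headers by name and length only. It assumes Apache HttpClient 4.x on the classpath; the class name, the local stub server, the header name and the token value are all constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import org.apache.http.Header;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public final class SsoCallDiagnostics {
    // Name and length only, so a token or session cookie never reaches the log.
    static String redact(Header h) {
        return h.getName() + ": <" + h.getValue().length() + " chars redacted>";
    }

    // Runs the request and reports what came back instead of throwing on 4xx/5xx.
    static String describeCall(HttpGet req) throws Exception {
        StringBuilder out = new StringBuilder("> GET " + req.getURI() + "\n");
        for (Header h : req.getAllHeaders()) { // only headers set by the calling code
            out.append("> ").append(redact(h)).append('\n');
        }
        try (CloseableHttpClient client = HttpClients.createDefault();
             CloseableHttpResponse res = client.execute(req)) {
            out.append("< ").append(res.getStatusLine()).append('\n');
            for (Header h : res.getAllHeaders()) {
                boolean cookie = h.getName().equalsIgnoreCase("Set-Cookie");
                out.append("< ").append(cookie ? redact(h) : h.getName() + ": " + h.getValue()).append('\n');
            }
            if (res.getEntity() != null) out.append(EntityUtils.toString(res.getEntity()));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the XSJS endpoint: always answers 401.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/sandbox/getUser.xsjs", ex -> {
            byte[] body = "constructed 401 body".getBytes();
            ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"stub\"");
            ex.sendResponseHeaders(401, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        stub.start();
        HttpGet req = new HttpGet("http://127.0.0.1:" + stub.getAddress().getPort() + "/sandbox/getUser.xsjs");
        req.addHeader("X-Constructed-SSO-Header", "constructed-sample-token"); // constructed value
        System.out.println(describeCall(req));
        stub.stop(0);
    }
}
```

In the servlet, passing the `HttpGet` that carries the AppToAppSSO header to `describeCall` gives the `>` lines to compare with the headers of a working Postman call, and the `<` lines show whatever the target returned with the 401.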