OK, in our development environment I can detect the presence of the Authorization header, base64 decode the username and password and then use PD4MLs support for basic authentication. It would be easier to just forward the Authorization header though. I need to use the identity of the user who made the original request as the images and charts are personalised. However, that doesn’t help me in our production environment.

You are correct that the browser does not set the iv-user header, as I said, it is the Tivoli Access Manager proxy server that does this. It’s quite standard practice for a security proxy to use such a header to pass information about authenticated users to an application server.

The browser maintains the session with the security proxy using a cookie.

I want PD4ML to send its requests for images directly from the application server to the application server, and not via the security proxy. There are several reasons for this, but mainly that there is no network path that allows a request from the application server out to the security proxy and back to the application server. Further, even if there was a such a network route sending the session cookie used between browser and security proxy would not work. It would not be a very good security solution if you could replay the cookie and get an authenticated session from a different client on a different host!

So, for this to work, I need to be able to forward headers recieved in the original HTTP request when requesting images etc. to be included in the PDF. If that’s not possible, then I’ll need to look at a different architecture.

Out of interest, what HTTP request context does PD4ML.useHttpRequest() transfer if it doesn’t include the HTTP headers ? Basically, what does it allow me to do that isn’t already covered by other methods such as PD4ML.useServletContext() and PD4ML.setCookie() ?