OK, a little more information about our environment.

We have Tivoli Access Manager (TAM) in front of Day Communique (CQ). TAM handles authentication, it validates login details and then sets a trusted header in the request that’s forwarded to CQ. If the header is set, CQ checks it matches a user account in that system and applies its own authorisation before serving the requested page.

The page doing the PDF generation resides on the CQ server, as do the images and chart servlet that I reference in the HTML I want to use to generate PDF.

The URLs in the HTML address the CQ server such that requests bypass TAM.

For this to work, the HTTP header containing the user authentication information needs to be included in the request that PD4ML makes to retrieve the images.

We don’t use JSESSIONID or cookies to identify the user to CQ, only .