Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/03/25 05:05:42 UTC
[Bug 57753] New: Single sign on returns null for getRemoteUser when accessing insecure page
https://bz.apache.org/bugzilla/show_bug.cgi?id=57753
Bug ID: 57753
Summary: Single sign on returns null for getRemoteUser when accessing insecure page
Product: Tomcat 8
Version: 8.0.20
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: kenneth.gendron@gmail.com
When using the SingleSignOn valve, any call to getRemoteUser() on the HTTP
request will return null when accessing an insecure page (in other words, a
page not configured in the security section of the web.xml).
If the valve is not used, a call to getRemoteUser() will return the currently
logged-in user regardless of whether a secured page is being accessed or not.
Not sure whether this is a bug or by design.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57753] Single sign on returns null for getRemoteUser when accessing insecure page
Mark Thomas <ma...@apache.org> changed:
What        |Removed |Added
------------|--------|---------
Resolution  |---     |INVALID
Status      |NEW     |RESOLVED
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
I agree that the current code is working as designed so there is nothing to do
here.
One thing you may like to look at is the use of the preemptiveAuthentication
option on the Context. This will trigger authentication for non-protected
resources assuming that the request includes the necessary credentials.
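For readers who want to see where the two settings named in this thread live, here is an added server.xml fragment; it is not part of the bug report or of Tomcat's own documentation, and the Host name, context path and docBase are placeholders.

```xml
<!-- Added example (not from the bug report). Host/webapp names are placeholders. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- SingleSignOn valve shared by every Context under this Host.
       With requireReauthentication="true" the valve does not set the user
       principal itself but leaves that to each Context's authenticator/Realm,
       which is the behaviour Comment #2 traces the null getRemoteUser() to.
       Setting it to "false" lets the valve set the principal directly. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         requireReauthentication="true" />

  <!-- A second web application (placeholder path "/app2").
       preemptiveAuthentication="true" is the option Comment #3 points to:
       the authenticator also runs for resources that have no security
       constraint, provided the request carries credentials. -->
  <Context path="/app2" docBase="app2" preemptiveAuthentication="true" />

</Host>
```

The Context element can equally be placed in the web application's own META-INF/context.xml; only the Valve must sit at Host level for the SSO session to span applications.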
[Bug 57753] Single sign on returns null for getRemoteUser when accessing insecure page
--- Comment #2 from Kenneth Gendron <ke...@gmail.com> ---
Even more investigation. This only occurs when setting requireReauthentication
to true. In the SingleSignOn implementation it explicitly does not set the
user principal if requireReauthentication is set, but instead delegates this to
the realm downstream; however, since the downstream realm knows that the page
requested is insecure, it does not perform reauthentication. The only way I
can think of to correct this would be to invoke the SingleSignOn again after
the realm is completed, but I think that is too cumbersome. Sorry, you can
close it.
[Bug 57753] Single sign on returns null for getRemoteUser when accessing insecure page
--- Comment #1 from Kenneth Gendron <ke...@gmail.com> ---
After further investigation it appears the first web application that
authenticates will get the user back when calling getRemoteUser(); however, any
other web applications that come after will get null.