Posted to users@tomcat.apache.org by FR <ra...@gmail.com> on 2008/04/23 00:05:42 UTC

How to figure out if a user is authenticated when using single sign on?

I recently attempted to upgrade our sites from Tomcat 5.5.17, and at
some point the behavior of request.getUserPrincipal() changed so it
now returns null for all URLs except those declared to require
authentication.  (Actually, it seems like the behavior was changed
long before 5.5.17, but regressed, then was fixed again).  That
completely sucks and seems completely contrary to what the servlet
javadoc implies, but whatever, deal with it or write my own container,
I guess.

The standard workaround mentioned is to place user information in
session, but that won't work across webapps using Single Sign On.  I
have a bunch of webapps, only one of which is protected and requires
login, the rest work fine without logging in, but display different
information when the user is logged in.  This worked great when
getUserPrincipal returned a Principal on every URL after login, but I
can't figure out any way to do it now.  I can just pass the userid
around in every URL, but that seems... not good... and involves
changing a lot of links.

 Is there any way of seeing if a user has been authenticated (and get
their username) that works across webapps?

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How to figure out if a user is authenticated when using single sign on?

Posted by Mark Thomas <ma...@apache.org>.
FR wrote:
> The standard workaround mentioned is to place user information in
> session, but that won't work across webapps using Single Sign On.  I
> have a bunch of webapps, only one of which is protected and requires
> login, the rest work fine without logging in, but display different
> information when the user is logged in.  This worked great when
> getUserPrincipal returned a Principal on every URL after login, but I
> can't figure out any way to do it now.  I can just pass the userid
> around in every URL, but that seems... not good... and involves
> changing a lot of links.
> 
>  Is there any way of seeing if a user has been authenticated (and get
> their username) that works across webapps?

I don't see a way to do this without changing the SSO code. I haven't 
looked at the SSO code so some of this may already be there. You'd need to:
- always send the SSO cookie
- always check for the cookie and process it regardless of whether or not 
authentication is required.

The patches at the end of 
https://issues.apache.org/bugzilla/show_bug.cgi?id=1242 may give you some 
pointers although they are hard to read as they are in the wrong format.

Mark
