Posted to users@tomcat.apache.org by André Warnier <aw...@ice-sa.com> on 2008/11/17 16:18:06 UTC

HttpServletRequest.getUserPrincipal

Hi.

More of a general curiosity question:

To get the authenticated user-id from within a filter or a servlet, one 
calls HttpServletRequest.getUserPrincipal.getName() e.g.

But where, and more mysteriously how, does this Principal get set?
I cannot find any setUserPrincipal() anywhere.

Thanks


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: HttpServletRequest.getUserPrincipal

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: HttpServletRequest.getUserPrincipal
>
> As for the 1.5 Java specs, there are indeed a couple of
> black holes in the "Principal" area.

I think you have to look at the security discussion in the spec in light of the JAAS and related security documentation in the JRE (not in Tomcat).  Unfortunately, that doc is somewhat obtuse, so it takes some digging and contemplation for a real understanding.

> I tried to follow the links between doc pages in that
> respect, but could never get a clear description of
> what a "Principal" really looks like.

Basically, a Principal is just a representation of a potentially authenticatable entity - it may or may not be a person, may or may not have a userid (think biometrics), but it does have a label ("name") associated with it for display purposes.  In Java terms, a Principal is an interface, so its actual implementation in any given environment is whatever that environment chooses to make it.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.



Re: HttpServletRequest.getUserPrincipal

Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: HttpServletRequest.getUserPrincipal
> 
> Sorry for not answering sooner
you are forgiven

> - it's easier to do the source searching at home.
> 
>> is getRemoteUser() merely a shortcut, under which
>> happens a getUserPrincipal.getName()
> 
> At least in Tomcat, they're the same:
> 
>     public String getRemoteUser() {
>         if (userPrincipal != null) {
>             return (userPrincipal.getName());
>         } else {
>             return (null);
>         }
>     }
> 
> Can't speak for what goes on in other containers, or why the spec is somewhat ambiguous in that area.
> 
Thanks for clarifying this anyway for Tomcat.

As for the 1.5 Java specs, there are indeed a couple of black holes in 
the "Principal" area.  I tried to follow the links between doc pages in 
that respect, but could never get a clear description of what a 
"Principal" really looks like.  The only thing being said clearly is 
that "it" contains the authenticated user "id", or "name", and that "it" 
is null when the user is not authenticated.





RE: HttpServletRequest.getUserPrincipal

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: HttpServletRequest.getUserPrincipal

Sorry for not answering sooner - it's easier to do the source searching at home.

> is getRemoteUser() merely a shortcut, under which
> happens a getUserPrincipal.getName()

At least in Tomcat, they're the same:

    public String getRemoteUser() {
        if (userPrincipal != null) {
            return (userPrincipal.getName());
        } else {
            return (null);
        }
    }

Can't speak for what goes on in other containers, or why the spec is somewhat ambiguous in that area.

 - Chuck




Re: HttpServletRequest.getUserPrincipal

Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: HttpServletRequest.getUserPrincipal
>>
>> To get the authenticated user-id from within a filter or a
>> servlet, one calls HttpServletRequest.getUserPrincipal.getName()
> 
> or HttpServletRequest.getRemoteUser()
> 
Are these *really* equivalent?

The 1.5 specs for HttpServletRequest.getRemoteUser say:

Returns the login of the user making this request, if the user has been 
authenticated, or null if the user has not been authenticated. Whether 
the user name is sent with each subsequent request depends on the 
browser and type of authentication. Same as the value of the CGI 
variable REMOTE_USER.


It is the association with the CGI variable and with the browser sending 
or not a header that makes me have a doubt.  This CGI variable is 
usually set as per the HTTP Header "Authorization", which is only 
present in case of Basic or Digest authentication.
In the case of a Windows-based authentication, or a form-based 
authentication, this HTTP header would not be sent by the browser.

Another way to phrase my question would be: is getRemoteUser() merely a 
shortcut, under which happens a getUserPrincipal.getName(), or do those 
two use a different underlying source to provide a user name?



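As an added example (the editor's own code, not posted by anyone in this thread), the following Filter shows what Chuck's getRemoteUser() snippet and the REMOTE_USER question above mean in practice: both getUserPrincipal() and getRemoteUser() are fed by the Principal the container registered after its Realm authenticated the caller, neither is re-parsed from the Authorization header, and both are null for an unauthenticated request. The class name, the log format and the filter mapping it assumes are the editor's; getAuthType() is the standard servlet API call.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (editor's code, not from the thread): a Filter that records the
 * caller's identity using only the container-managed API. Class name, log format
 * and the filter mapping it assumes (web.xml or @WebFilter) are the editor's.
 */
public class IdentityAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(IdentityAuditFilter.class.getName());

    /** Identity string the filter logs; separated out so it can be unit-tested. */
    static String describeIdentity(HttpServletRequest http) {
        // Both values come from the Principal the container registered after its
        // Realm authenticated the user. Neither is re-parsed from the Authorization
        // header, so they behave the same for BASIC, DIGEST, FORM and CLIENT-CERT.
        Principal principal = http.getUserPrincipal();
        String remoteUser = http.getRemoteUser();

        // Unauthenticated requests (no matching <security-constraint>, or a login
        // that has not completed) return null from both; always handle that case.
        if (principal == null) {
            return (remoteUser == null) ? "<anonymous>"
                                        : "<inconsistent: remoteUser=" + remoteUser + ">";
        }
        String name = principal.getName();
        // In Tomcat getRemoteUser() is literally userPrincipal.getName(); a
        // mismatch means a request wrapper (or another container) is feeding one
        // of the two values, which is worth knowing about in an audit log.
        if (!name.equals(remoteUser)) {
            return name + " <inconsistent: remoteUser=" + remoteUser + ">";
        }
        return name;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // getAuthType() tells you which authenticator set the principal
        // (BASIC, DIGEST, FORM, CLIENT_CERT) and is null when nobody did.
        LOG.info(String.format("%s %s user=%s authType=%s",
                http.getMethod(), http.getRequestURI(),
                describeIdentity(http), http.getAuthType()));

        // Anti-pattern, shown only for contrast and deliberately left unused:
        // deriving identity from a client-controlled header. Any caller can set
        // it, and unlike getRemoteUser() nothing has validated it.
        // String spoofable = http.getHeader("X-Remote-User");

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The point of logging getAuthType() next to the name is that it answers André's doubt directly: for FORM or CLIENT-CERT logins the browser sends no Authorization header at all, yet getRemoteUser() is still populated, because the value comes from the container's registered Principal and not from the header.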

RE: HttpServletRequest.getUserPrincipal

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: HttpServletRequest.getUserPrincipal
>
> To get the authenticated user-id from within a filter or a
> servlet, one calls HttpServletRequest.getUserPrincipal.getName()

or HttpServletRequest.getRemoteUser()

> But where, and more mysteriously how, does this Principal get set?
> I cannot find any setUserPrincipal() anywhere.

That's the responsibility of the servlet container, not any webapp code.  The appropriate Realm does the authentication, driven by (in Tomcat) an authenticator class such as BasicAuthenticator, FormAuthenticator, or SSLAuthenticator.  These authenticators are subclasses of AuthenticatorBase, which includes a register() method that does the actual setUserPrincipal() call to StandardSession.  The register() method is called when the Realm validates the authentication.

Other servlet containers will have similar implementations, but not necessarily the same class names.

 - Chuck



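Chuck's answer (the container sets the Principal; webapp code does not) still leaves the question of what webapp code may do when it needs a login to happen under its own control. As an added example, not from this thread, the servlet below shows the one route the Servlet API later provided: HttpServletRequest.login(), added in Servlet 3.0 (2009, after this exchange), together with logout(). Calling login() hands the credentials to the container's configured authenticator and Realm, which on success register the Principal exactly as a FORM login would; the webapp never constructs a Principal itself. The servlet name, URL and parameter names are the editor's assumptions, and a <login-config> and a Tomcat Realm are assumed to be configured.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (editor's code, not from the thread). Programmatic login via the
 * Servlet 3.0 API: the container's authenticator and Realm do the work and set
 * the Principal. Servlet name, URL and parameter names are assumptions.
 */
@WebServlet("/api/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Refuse to re-authenticate an already authenticated request. The spec
        // makes login() throw ServletException in that case anyway; checking
        // first gives a clearer status to the client.
        if (req.getUserPrincipal() != null) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "already authenticated");
            return;
        }

        try {
            // Delegates to the configured authenticator and Realm. On success the
            // container registers the Principal (in Tomcat, via the same
            // register() path Chuck describes), so getUserPrincipal() is now set.
            req.login(user, pass);
        } catch (ServletException failed) {
            // Wrong credentials, or the app's login mechanism does not support
            // username/password (e.g. CLIENT-CERT); never echo which one.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: the identity is now associated with the
        // session, so do not keep the session id the client arrived with.
        // changeSessionId() is Servlet 3.1+ and needs an existing session.
        HttpSession session = req.getSession(false);
        if (session != null) {
            req.changeSessionId();
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated as " + req.getUserPrincipal().getName());
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Symmetric call: clears the container-held Principal so that
        // getUserPrincipal() and getRemoteUser() return null again.
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Note that login() only works for a webapp whose <login-config> uses a username/password mechanism (BASIC, DIGEST or FORM); it is the spec-level replacement for the setUserPrincipal() André was looking for, and it keeps the Realm, not the webapp, as the authority on who the user is.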

Re: HttpServletRequest.getUserPrincipal

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

André Warnier wrote:
> To get the authenticated user-id from within a filter or a servlet, one
> calls HttpServletRequest.getUserPrincipal.getName() e.g.

Technically, it's not the user id. It's just a name for the principal.
For most authentication systems, it's the username of the user.

> But where, and more mysteriously how, does this Principal get set?
> I cannot find any setUserPrincipal() anywhere.

This is an implementation detail. HttpServletRequest doesn't have a
"setUserPrincipal" method because it would be somewhat dangerous to
allow user code to change the principal during request processing.

Of course, such rogue code is still very easy to write: wrap the request
in your own wrapper and use the RequestDispatcher to call include() or
forward() and boom: the user "is" someone else.

If you dig down into the internals of Tomcat's source code, you'll find
that the "coyote request" has these types of mutators in the class.

If you take a look at securityfilter, there is a setUserPrincipal
method, but it is not directly accessible because it's not part of the
HttpServletRequest interface.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkhk1cACgkQ9CaO5/Lv0PCmSwCfeJc7C5YAPcrQJ2Q4mDrXFSbG
bJUAoKYsMWBk7tsH10TvoWemX08P1pUi
=chAc
-----END PGP SIGNATURE-----
