Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/09/17 20:42:13 UTC
DO NOT REPLY [Bug 23192] -
getRemoteUser() returns null with Authorization header
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23192
medthomas@ntlworld.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From medthomas@ntlworld.com 2003-09-17 18:42 -------
I have had a look at the spec and I think what you are trying to do runs
contrary to the concept of programmatic security as described in the spec. The
relevant part of the spec is:
"SRV.12.3 Programmatic Security
Programmatic security is used by security aware applications when declarative
security alone is not sufficient to express the security model of the
application.
Programmatic security consists of the following methods of the
HttpServletRequest interface:
• getRemoteUser
• isUserInRole
• getUserPrincipal"
My understanding of this is that using setStatus() to force the sending of an
authentication header is not considered a valid part of programmatic security.
I am therefore marking this bug as INVALID.
However, if you have a security model you can't implement using an appropriate
combination of declarative and programmatic security, please reopen this bug,
provide a description of your security model and I will be happy to take
another look at this.
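
Added example, not part of the original bug comment and not Tomcat's own code: a servlet that uses the three SRV.12.3 methods on top of a declarative constraint, so that the container performs the authentication instead of the application setting a 401 status itself. The class name, URL pattern, role names and realm name are assumptions made for illustration.

```java
// Constructed example. Declarative part, in WEB-INF/web.xml (all names assumed):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>reports</web-resource-name>
//       <url-pattern>/reports/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>user</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>
//     <realm-name>Example Realm</realm-name>
//   </login-config>
//   <security-role><role-name>user</role-name></security-role>
//   <security-role><role-name>auditor</role-name></security-role>

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, assumed to be mapped under /reports/*.
public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();
        if (user == null || principal == null) {
            // null means the container did not authenticate this request,
            // for example because the servlet was mapped outside the
            // constraint. Fail closed rather than issuing a challenge by hand.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user=" + user);
        // Programmatic check layered on the declarative "user" constraint.
        if (req.isUserInRole("auditor")) {
            out.println("audit view enabled");
        }
    }
}
```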