Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/09/17 20:42:13 UTC

DO NOT REPLY [Bug 23192] - getRemoteUser() returns null with Authorization header

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23192

getRemoteUser() returns null with Authorization header

medthomas@ntlworld.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID



------- Additional Comments From medthomas@ntlworld.com  2003-09-17 18:42 -------
I have had a look at the spec and I think what you are trying to do runs 
contrary to the concept of programmatic security as described in the spec. The 
relevant part of the spec is:
"SRV.12.3 Programmatic Security
Programmatic security is used by security aware applications when declarative
security alone is not sufficient to express the security model of the 
application.
Programmatic security consists of the following methods of the
HttpServletRequest interface:
• getRemoteUser
• isUserInRole
• getUserPrincipal"

My understanding of this is that using setStatus() to force the sending of an 
authentication header is not considered a valid part of programmatic security. 
I am therefore marking this bug as INVALID.

However, if you have a security model you can't implement using an appropriate 
combination of declarative and programmatic security, please reopen this bug, 
provide a description of your security model and I will be happy to take 
another look at this.

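The distinction drawn in the comment above, shown as an added example that is not part of the original bug report or of Tomcat's code: the container authenticates because of the declarative constraint in web.xml, and only then do the programmatic methods return a user. The servlet name, URL pattern, role names and realm name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Declarative part (WEB-INF/web.xml, hypothetical names). This is what makes
 * the container issue the challenge and validate the credentials:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>reports</web-resource-name>
 *       <url-pattern>/reports/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>BASIC</auth-method>
 *     <realm-name>Example Realm</realm-name>
 *   </login-config>
 *   <security-role><role-name>user</role-name></security-role>
 *   <security-role><role-name>auditor</role-name></security-role>
 */
public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Approach the comment rejects: the servlet sends the challenge itself.
        // The client may then send an Authorization header, but the container
        // never checked it against a realm, so getRemoteUser() stays null.
        //   resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        //   resp.setHeader("WWW-Authenticate", "Basic realm=\"Example Realm\"");

        // Programmatic part: only reads what the container established.
        String user = req.getRemoteUser();
        if (user == null) {
            // No container-authenticated user: fail closed and never fall
            // back to parsing the Authorization header by hand.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Finer-grained decision than the URL-level constraint expresses.
        if (!req.isUserInRole("auditor")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Audit report for " + user);
    }
}
```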