Posted to users@tomcat.apache.org by Brian K Bonner <br...@paraware.com> on 2003/05/28 20:38:00 UTC
getUserPrincipal() returning null after authenticated
Hello,
I'm seeing something weird with 4.1.24. If I access an unprotected
resource after I am authenticated, I receive null from getUserPrincipal().
I am using the Coyote Http 1.1 connector, although I've tried it with the
old catalina Http 1.1 connector.
Here's the test case:
1) Access the unprotected servlet first; you'll see "testing unprotected
servlet. user is null" using either:
http://localhost:8083/testing/unprotected or
http://localhost:8080/testing/unprotected
2) Access the protected servlet; you'll be challenged with the basic auth
dialog and then see: "testing protected servlet. user is
GenericPrincipal[tomcat]" using either:
http://localhost:8083/testing/protected or
http://localhost:8080/testing/protected
3) Access the unprotected servlet again, the same way as in #1; I still see:
"testing unprotected servlet. user is null"
This should return the same as #2, but it doesn't. Can someone explain
why? And how can I work around this problem? I've been searching on the
web, but www.mail-archive appears to be down.
Brian
Using Tomcat 4.1.24 standalone with the memory realm.
Here's my abbreviated conf/tomcat-users.xml:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="editor"/>
  <user username="tomcat" password="tomcat" roles="editor"/>
</tomcat-users>
The get methods of my two servlets (protected and unprotected):
unprotected servlet's doGet:
protected void doGet(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {
    PrintWriter out = res.getWriter();
    out.println("testing unprotected servlet");
    out.print("user is ");
    Principal p = req.getUserPrincipal(); // prints null here, even after authenticating on /protected
    out.print(p);
}
protected servlet's doGet:
protected void doGet(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {
    PrintWriter out = res.getWriter();
    out.println("testing protected servlet");
    out.print("user is ");
    Principal p = req.getUserPrincipal(); // prints GenericPrincipal[tomcat] once authenticated
    out.print(p);
}
Here's my web.xml file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>testing</display-name>
  <description>Test Unsecured Pages App</description>
  <servlet>
    <servlet-name>protected</servlet-name>
    <servlet-class>com.paraware.test.TestServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>unprotected</servlet-name>
    <servlet-class>com.paraware.test.TestServlet2</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>protected</servlet-name>
    <url-pattern>/protected</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>unprotected</servlet-name>
    <url-pattern>/unprotected</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Servlets</web-resource-name>
      <description>Files secured for testing</description>
      <url-pattern>/protected</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Editors</description>
      <role-name>editor</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <description>Page Editors</description>
    <role-name>editor</role-name>
  </security-role>
</web-app>
And from the server.xml:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8080" minProcessors="5" maxProcessors="75"
           enableLookups="true" redirectPort="8443"
           acceptCount="100" debug="4" connectionTimeout="20000"
           useURIValidationHack="false" disableUploadTimeout="true" />
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8009" minProcessors="5" maxProcessors="75"
           enableLookups="true" redirectPort="8443"
           acceptCount="10" debug="0" connectionTimeout="0"
           useURIValidationHack="false"
           protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8083" minProcessors="5" maxProcessors="75"
           enableLookups="true" redirectPort="8443"
           acceptCount="10" debug="0" />
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: getUserPrincipal() returning null after authenticated
Posted by Brian K Bonner <br...@paraware.com>.
I'm not sure it's explicitly stated what the behavior will be for access
to unprotected resources. I do know that it's different than how it used
to work in Tomcat 4.0.6.
Case in point, if after you authenticate a user, you want to bring them to
a page that will show them content based upon a particular role, it isn't
possible if you return null for the principal.
Brian
seb_esp <se...@hotpop.com> wrote on 05/28/2003 05:04:10 PM:
> That's the expected behavior. It's in Sun's Servlet spec., don't
> remember exactly where...
>
> The user will be null if you are in an unprotected resource, EVEN if
> you are authenticated.
>
> Regards,
>
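Given the behaviour described in this thread (the container only populates the principal for requests it authenticated, and here that means requests matching a security-constraint), a role-aware landing page should itself sit under a constraint rather than read the principal from an unprotected URL. The servlet below is an added example, not code from the thread: HomeServlet and the /home URL pattern are hypothetical, while the "editor" role and the memory realm are the ones from Brian's web.xml and tomcat-users.xml. It fails closed if the principal is missing instead of silently rendering the anonymous view.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical landing-page servlet (not from the thread). Map it to a URL
// that is covered by a <security-constraint> carrying an <auth-constraint>,
// for example:
//   <url-pattern>/home</url-pattern> ... <role-name>editor</role-name>
// so that the container authenticates the request and sets the principal
// before doGet() runs.
public class HomeServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/plain");

        Principal p = req.getUserPrincipal();
        if (p == null) {
            // The container did not authenticate this request. In the case
            // this thread describes that means the URL is not under a
            // security-constraint, so there is no identity to base any
            // role decision on. Fail closed rather than render a guest view.
            res.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "no authenticated principal; check the security-constraint for this URL");
            return;
        }

        PrintWriter out = res.getWriter();
        out.println("user is " + p.getName());

        // Role membership is decided by the container against the realm
        // (the memory realm in conf/tomcat-users.xml in this setup), not by
        // anything the page stores in the session itself.
        if (req.isUserInRole("editor")) {
            out.println("editor tools: enabled");
        } else {
            out.println("editor tools: hidden");
        }
    }
}
```

The point of the example is the split between authentication and authorization: the container handles the BASIC challenge and populates getUserPrincipal() only on constrained URLs, and the servlet then uses isUserInRole() for the per-role content. Any page that needs to vary by role therefore belongs inside a security-constraint; a constraint with no auth-constraint, or no constraint at all, leaves the principal null exactly as step 3 of the test case shows.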
Re: getUserPrincipal() returning null after authenticated
Posted by seb_esp <se...@hotpop.com>.
That's the expected behavior. It's in Sun's Servlet spec., don't remember exactly where...
The user will be null if you are in an unprotected resource, EVEN if you are authenticated.
Regards,