Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/09/16 14:50:43 UTC

DO NOT REPLY [Bug 23192] New: - getRemoteUser() returns null with Authorization header

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23192>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23192

getRemoteUser() returns null with Authorization header

           Summary: getRemoteUser() returns null with Authorization header
           Product: Tomcat 4
           Version: 4.1.27
          Platform: PC
               URL: http://localhost:8080/examples/jsp/snp/snoop.jsp
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Connector:Coyote HTTP/1.1
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: kbg@hugvit.is


Even though the browser sends the Authorization header in the request, it is 
apparently not processed and the username is not set in the request WHEN the 
URL is not one of the protected URLs in the web.xml. What this means is that it 
is impossible to have application-specific security management in your code, for 
example using setStatus(HttpServletResponse.SC_UNAUTHORIZED) in servlet code.

I am using Java v1.4.2_01 and Internet Explorer v6.0.2800.1106

Steps to reproduce:
1) Install Tomcat 4.1.27-LE.
2) Change to BASIC authentication in web.xml in the examples web application.
3) Add "/jsp/snp" to the protected URLs in the security-constraint section.
4) Open a browser and go to the page:
   http://localhost:8080/examples/jsp/snp/snoop.jsp
   Log in as tomcat/tomcat; the page returns you as user tomcat, OK so far.
5) Stop Tomcat and remove "/jsp/snp" as a protected URL.
   Start Tomcat again.
6) Refresh the page in the browser; the remote user is now null.

If you monitor the communications between the server and browser you will see 
that the browser sends the Authorization header in the second request, but 
getRemoteUser still returns null. Here is the request and response:

GET /examples/jsp/snp/snoop.jsp HTTP/1.1
Accept: */*
Accept-Language: is
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)
Host: localhost
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=9A0358D041949A450A3E87DE750D8EC1
Authorization: Basic dG9tY2F0OnRvbWNhdA==

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 745
Date: Tue, 16 Sep 2003 11:47:16 GMT
Server: Apache Coyote/1.0

<html>
<!--
  Copyright (c) 1999 The Apache Software Foundation.  All rights 
  reserved.
-->

<body bgcolor="white">
<h1> Request Information </h1>
<font size="4">
JSP Request Method: GET
<br>
Request URI: /examples/jsp/snp/snoop.jsp
<br>
Request Protocol: HTTP/1.1
<br>
Servlet path: /jsp/snp/snoop.jsp
<br>
Path info: null
<br>
Query string: null
<br>
Content length: -1
<br>
Content type: null
<br>
Server name: localhost
<br>
Server port: 80
<br>
Remote user: null
<br>
Remote address: 127.0.0.1
<br>
Remote host: 127.0.0.1
<br>
Authorization scheme: null 
<br>
Locale: is
<hr>
The browser you are using is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; 
T312461)
<hr>
</font>
</body>
</html>

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
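The report above wants application-specific authentication decisions in servlet code for URLs that sit outside every security-constraint. In that situation the container never verified the credentials in the Authorization header, so getRemoteUser() returning null is the safe default; a servlet that wants to act on such a request has to verify the credentials itself and issue the 401 challenge. The following servlet is an added example written for this page, not code from the bug report or from Tomcat: it falls back to checking the Basic header only when the container set no principal. It assumes the javax.servlet API of the Tomcat 4 era for the servlet classes, java.util.Base64 (Java 8 or later) for decoding, a hypothetical class name SelfAuthServlet, and constructed demo credentials tomcat/tomcat in place of a real user store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the bug report or Tomcat): a servlet that performs
 * its own BASIC authentication when the container has not authenticated the
 * request, i.e. when getRemoteUser() is null because the URL is outside
 * every <security-constraint> in web.xml.
 */
public class SelfAuthServlet extends HttpServlet {

    // Constructed demo credentials matching the report's tomcat/tomcat login.
    // A real deployment would consult the Realm or a user store instead.
    private static final String DEMO_USER = "tomcat";
    private static final String DEMO_PASSWORD = "tomcat";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();
        if (user == null) {
            // The container did not authenticate this request, so the
            // Authorization header (if any) is unverified: verify it here.
            user = authenticateBasic(req.getHeader("Authorization"));
        }
        if (user == null) {
            // No header, malformed header, or wrong credentials: challenge the
            // client; the WWW-Authenticate header is what makes a browser prompt.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"examples\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Remote user: " + user);
    }

    /**
     * Returns the user name when the header carries valid Basic credentials,
     * otherwise null. Accepts "Basic <base64(user:password)>" as sent by the
     * browser in the report (e.g. "Basic dG9tY2F0OnRvbWNhdA==").
     */
    static String authenticateBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null; // absent or not the Basic scheme
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        // RFC 2617 does not fix a charset; ISO-8859-1 matches what IE 6 sent.
        String pair = new String(decoded, StandardCharsets.ISO_8859_1);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null; // no "user:password" separator
        }
        String name = pair.substring(0, colon);
        String password = pair.substring(colon + 1);
        // Compare both fields with MessageDigest.isEqual and a non-short-circuit
        // "&" so the time taken does not depend on where the mismatch occurs.
        boolean ok = MessageDigest.isEqual(
                        name.getBytes(StandardCharsets.ISO_8859_1),
                        DEMO_USER.getBytes(StandardCharsets.ISO_8859_1))
                   & MessageDigest.isEqual(
                        password.getBytes(StandardCharsets.ISO_8859_1),
                        DEMO_PASSWORD.getBytes(StandardCharsets.ISO_8859_1));
        return ok ? name : null;
    }
}
```

Mapped to a URL outside the security-constraint, this servlet reproduces the report's sequence: the browser re-sends "Authorization: Basic dG9tY2F0OnRvbWNhdA==" after step 6, getRemoteUser() is still null, and the servlet itself decodes the header to "tomcat:tomcat" and prints "Remote user: tomcat"; any other credential, or a missing header, yields a 401 with a WWW-Authenticate challenge. The design point is that the header is only trusted after the application has verified it, which is exactly the guarantee the container is preserving by leaving the remote user null for unconstrained URLs.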