DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23192>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23192

getRemoteUser() returns null with Authorization header

           Summary: getRemoteUser() returns null with Authorization header
           Product: Tomcat 4
           Version: 4.1.27
          Platform: PC
               URL: http://localhost:8080/examples/jsp/snp/snoop.jsp
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Connector:Coyote HTTP/1.1
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Even though the browser sends an Authorization header in the request, it is apparently not processed and the username is not set in the request WHEN the URL is not one of the protected URLs in the web.xml. What this means is that it is impossible to have application-specific security management in your code, for example using setStatus(HttpServletResponse.SC_UNAUTHORIZED) in servlet code.

I am using Java v1.4.2_01 and Internet Explorer v6.0.2800.1106.

Steps to reproduce:

1) Install Tomcat 4.1.27-LE.
2) Change to BASIC authentication in web.xml in the examples web application.
3) Add "/jsp/snp" to the protected URLs in the security-constraint section.
4) Open a browser and go to the page http://localhost:8080/examples/jsp/snp/snoop.jsp and log in as tomcat/tomcat; the page returns you as user tomcat, OK so far.
5) Stop Tomcat and remove "/jsp/snp" as a protected URL. Start Tomcat again.
6) Refresh the page in the browser; remote user is now null.

If you monitor the communications between the server and browser you will see that the browser sends the Authorization header in the second request, but getRemoteUser still returns null.
Here is the request and response:

GET /examples/jsp/snp/snoop.jsp HTTP/1.1
Accept: */*
Accept-Language: is
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)
Host: localhost
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=9A0358D041949A450A3E87DE750D8EC1
Authorization: Basic dG9tY2F0OnRvbWNhdA==

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 745
Date: Tue, 16 Sep 2003 11:47:16 GMT
Server: Apache Coyote/1.0

<html>
<!--
  Copyright (c) 1999 The Apache Software Foundation. All rights reserved.
-->
<body bgcolor="white">
<h1> Request Information </h1>
<font size="4">
JSP Request Method: GET
<br>
Request URI: /examples/jsp/snp/snoop.jsp
<br>
Request Protocol: HTTP/1.1
<br>
Servlet path: /jsp/snp/snoop.jsp
<br>
Path info: null
<br>
Query string: null
<br>
Content length: -1
<br>
Content type: null
<br>
Server name: localhost
<br>
Server port: 80
<br>
Remote user: null
<br>
Remote address: 127.0.0.1
<br>
Remote host: 127.0.0.1
<br>
Authorization scheme: null
<br>
Locale: is
<hr>
The browser you are using is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)
<hr>
</font>
</body>
</html>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
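The behaviour reported above is the container's authenticator only running for URLs covered by a security-constraint; on an unconstrained URL the Authorization header reaches the servlet untouched and getRemoteUser() stays null. The usual way to get the "application-specific security management" the reporter wants is to do the Basic check in a servlet Filter and wrap the request so getRemoteUser() and getAuthType() are populated. The filter below is an added example written for this editorial pass, not code from the bug report or from Tomcat. It assumes a realm name "examples", an in-memory credential map holding only tomcat/tomcat (constructed to match the header in the captured request, which decodes to tomcat:tomcat), the javax.servlet Filter API that Tomcat 4 provides, and java.util.Base64, which needs Java 8 or later rather than the 1.4.2 the reporter used.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Application-level HTTP Basic authentication for paths the container does
 * not protect. Map it in web.xml to the paths you want covered, e.g.
 * <url-pattern>/jsp/snp/*</url-pattern>; it challenges with 401 when no
 * valid credentials arrive and otherwise exposes the user through the
 * standard request accessors.
 */
public class BasicAuthFilter implements Filter {

    // Assumed realm name; shown to the browser in the login prompt.
    private static final String REALM = "examples";

    // Constructed credential store for the example. A real deployment would
    // check against the container realm or a hashed password store instead.
    private static final Map<String, String> USERS =
            Collections.singletonMap("tomcat", "tomcat");

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // If the container already authenticated this request (a constrained
        // URL), do not challenge a second time.
        if (http.getRemoteUser() != null) {
            chain.doFilter(req, res);
            return;
        }

        String user = authenticate(http.getHeader("Authorization"));
        if (user == null) {
            // RFC 7617 challenge: without WWW-Authenticate the browser will
            // not prompt, which is why a bare setStatus(401) is not enough.
            out.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(new AuthenticatedRequest(http, user), res);
    }

    /**
     * Parses "Basic base64(user:pass)" and returns the user name on success,
     * null on a missing, malformed, or rejected header.
     */
    static String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        // Basic credentials are ISO-8859-1 unless the server negotiates UTF-8.
        String pair = new String(raw, StandardCharsets.ISO_8859_1);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String user = pair.substring(0, colon);
        String pass = pair.substring(colon + 1);
        String expected = USERS.get(user);
        if (expected == null) {
            return null;
        }
        // Constant-time comparison so timing does not leak the password length or prefix.
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.ISO_8859_1),
                pass.getBytes(StandardCharsets.ISO_8859_1));
        return ok ? user : null;
    }

    /** Makes getRemoteUser()/getAuthType()/getUserPrincipal() reflect the filter's decision. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String user;

        AuthenticatedRequest(HttpServletRequest request, String user) {
            super(request);
            this.user = user;
        }

        public String getRemoteUser() { return user; }
        public String getAuthType() { return HttpServletRequest.BASIC_AUTH; }
        public Principal getUserPrincipal() {
            return new Principal() { public String getName() { return user; } };
        }
    }
}
```

Two caveats worth keeping in mind when using this. Basic credentials are sent on every request and are only base64-encoded, so the filter belongs behind TLS. And because the filter, not the container, made the decision, isUserInRole() on the wrapped request still defers to the container and will return false unless you override it as well.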