Hi, we have an issue with later and latest Tomcat versions that prevents us from upgrading to a version later than something like 7.0.22.
We use FormBasedAuthentication with a custom realm. This is tested with Tomcat 7.0.57 and JDK 7u76 on Windows.

My setup has a login form calling the j_security servlet. The custom realm is called and authentication is successful; a custom principal is returned. Tomcat will then forward to the protected resource, and we catch the request in a RequestListener.

The problem is that request.getUserPrincipal() returns null. The debugger exposes that the session wrapper returned by request.getSession(false) (an instance of SessionWrapper, containing a StandardSession) has a field "principal" that contains the principal returned from my realm.

I have seen a discussion in Bugzilla on the requirement to return a user principal on non-protected requests, but the request here is calling for a protected resource.

Any idea on why this can happen would be very helpful. Actually, I see it as a bug that the request is not authenticated but still served.

Kind regards

Thomas Strauß
Managing Director, Development
SRS-Management GmbH