Hi,

the problem is isolated in StandardHostValve Lines 165ff:

        boolean errorAtStart = response.isError();
165:    if (asyncAtStart || context.fireRequestInitEvent(request)) {

            // Ask this Context to process this request
            try {
                if (!asyncAtStart || asyncDispatching) {
170:               context.getPipeline().getFirst().invoke(request, response);
                } else {
                    if (!errorAtStart) {
                        throw new IllegalStateException(sm.getString("standardHost.asyncStateError"));
                    }



In line 165, the request is fed into the request listener (no authentication 
set here).

In line 170, the pipeline is processed, including the authentication process. 
The form based authentication is then setting the userPrincipal.

This is definitely different from earlier versions of the engine. The request 
listener cannot be used to handle authentication any more. Whether this is 
against the spec or valid under it, I cannot tell for the moment. Yet it is 
somewhat strange, as the request is not fully initialized when the request 
initialized event is fired.

Should I copy this behaviour into bugzilla and open an issue? Should be 
mentioned in the release notes, at least...

Kind regards

Thomas Strauß
Managing Director, Development

SRS PaperDynamix® 
WE MAKE PAPER WORK

T +49 6251 85 424 - 20 | M +49 174 2110912

SRS-Management GmbH | Berliner Ring 103 | D-64625 Bensheim
Managing Directors: Detlev Homilius, Thomas Strauß | HRB 25262 AG Darmstadt 
Phone +49 6251 85 424-0 | Fax +49 6251 85 424-14

We look forward to your visit to our forum on XING or Facebook
https://www.xing.com/net/prozessoptimierung/
http://www.facebook.com/srs.management


-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: Monday, 26 January 2015 11:43
To: Tomcat Users List
Subject: Re: request.getUserPrincipal() is null but StandardSession.principal is set

2015-01-26 11:54 GMT+03:00 Thomas Strauß <t.stra...@srs-management.de>:
> Hi,
>
> we have an issue with later and latest Tomcat versions that prevents us from 
> upgrading to a version later than something like 7.0.22.
>
> We use FormBasedAuthentication with a custom realm.
>
> This is tested with Tomcat 7.0.57 and JDK 7u76 on Windows.
>
> My setup has a login form calling the j_security servlet. The custom realm is 
> called and authentication is successful, a custom principal is returned.
>
> Tomcat will then forward to the protected resource, and we catch the request 
> in a RequestListener.
>
> The problem is that request.getUserPrincipal() returns null. The debugger 
> shows that the session wrapper returned by request.getSession(false) 
> (instance of SessionWrapper, containing StandardSession) has a field 
> "principal" that contains the principal returned from my realm.
>
> I have seen a discussion on the requirement to return a user principal on 
> non-protected requests in bugzilla, but the request here is calling for a 
> protected resource.
>
> Any idea on why this can happen would be very helpful. Actually, I see it as 
> a bug that the request is not authenticated but still served.


1. Source code = ?
I see that you have it here:
https://stackoverflow.com/questions/28147261/request-getuserprincipal-is-null-but-standardsession-principal-is-set

2. Stacktrace when RequestListener is invoked = ?

When is the listener called? Is it called after the authenticator valve or 
before it?

3. Try debugging through AuthenticatorBase.invoke() 
https://wiki.apache.org/tomcat/FAQ/Developing#Debugging

There is code that copies the principal from session into request [[[
        if (cache) {
...
                    if (principal != null) {
                        if (log.isDebugEnabled())
                            log.debug("We have cached auth type " +
                                session.getAuthType() +
                                " for principal " +
                                session.getPrincipal());
                        request.setAuthType(session.getAuthType());
                        request.setUserPrincipal(principal);
                    }
                }
            }
        }
]]]


4. This does not reproduce in the default configuration. There is a page in 
examples webapp that uses FORM authentication.

http://localhost:8080/examples/jsp/security/protected/index.jsp

If you look into index.jsp it will display "No user principal could be 
identified." when request.getUserPrincipal() is null. It displays the correct 
principal name for me.

5. Is your principal a subclass of GenericPrincipal? How do you set it?


Best regards,
Konstantin Kolinko
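As an added illustration (not code from this thread or from Tomcat itself), a Servlet 3.0 filter that does the per-request principal work the request listener can no longer do, with a listener beside it for contrast; the class names, the /protected/* mapping and the audit.user attribute are assumptions:

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter for the protected area. Filters run inside the Context pipeline
// (line 170 of the StandardHostValve excerpt), after the authenticator valve has run.
@WebFilter(urlPatterns = "/protected/*")
public class PrincipalGuardFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            // Fail closed: the authenticator should have rejected this request already.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Per-request work that previously lived in the request listener.
        req.setAttribute("audit.user", principal.getName());
        chain.doFilter(request, response);
    }
    @Override public void destroy() { }

    // For contrast: requestInitialized fires from line 165, before the pipeline,
    // so on a FORM-authenticated request the principal is not yet set here.
    @WebListener
    public static class PrincipalLoggingListener implements ServletRequestListener {
        @Override public void requestInitialized(ServletRequestEvent sre) {
            ServletRequest r = sre.getServletRequest();
            Principal p = (r instanceof HttpServletRequest)
                    ? ((HttpServletRequest) r).getUserPrincipal() : null;
            sre.getServletContext().log("requestInitialized principal=" + p);
        }
        @Override public void requestDestroyed(ServletRequestEvent sre) { }
    }
}
```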
