Hi.
I am currently testing/comparing two user authentication methods for
webapps, in a Windows NTLM context.
Despite my abysmal lack of knowledge in matters Java and Tomcat, I
notice a difference between the two, and I would like to ask here if it
matters, and if yes how.
Both authentication methods work as servlet filters. One is/was the
jCIFS HTTP NTLM filter, the other a commercial product which would
replace it for NTLMv2. I have asked the same question to the developer
of both but I'm asking again here, to get a confirmation or additional
observations.
In both cases below, the web user is authenticated from an HTTP NTLM
point of view, otherwise the call would not even reach the underlying
servlet.
In the case of the jCIFS filter, a servlet that is running "under cover
of" the filter, can obtain the authenticated user-id by a
request.getUserPrincipal().getName() call.
In the case of the other filter however, the previous call seems to
return null, and the way to obtain the authenticated user-id is via
request.getRemoteUser().
From a practical immediate and personal point of view, it matters
little to me, as I can adapt my servlet code to either of the above.
But my basic question is: what is the difference, and could that impact
other servlet code which I did not write?
For example also, in the case where the user authentication would be
made at the level of a front-end Apache, connected to this Tomcat via
mod_jk, and the appropriate parameter has been set so that Tomcat
accepts the Apache authentication, would either one of the methods above
return a result different from the other one?
For convenience, I copied below the Java API doc of both methods.
I see that there is a difference, but my knowledge is too scarce to
understand the possible implications.
Thanks.
--------------------------
*getUserPrincipal*
public java.security.Principal *getUserPrincipal*()
Returns a java.security.Principal object containing the name of the
current authenticated user. If the user has not been authenticated, the
method returns null.
*Returns:*
a java.security.Principal containing the name of the user making this
request; null if the user has not been authenticated
*getRemoteUser*
public java.lang.String *getRemoteUser*()
Returns the login of the user making this request, if the user has been
authenticated, or null if the user has not been authenticated. Whether
the user name is sent with each subsequent request depends on the
browser and type of authentication. Same as the value of the CGI
variable REMOTE_USER.
*Returns:*
a String specifying the login of the user making this request, or null
if the user login is not known
-----------
Code of a small test servlet which runs under the "coverture" of Jespa's
or jCIFS's HTTP filter:
package starweb;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class DumpUser extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // what I was doing with jCIFS HTTP filter
        // Principal user = request.getUserPrincipal();
        // String userName = (user == null ? "*null*" : user.getName());

        // what I'm doing with the Jespa filter
        String userName = request.getRemoteUser();
        if (userName == null) {
            userName = "*null*";
        }
        response.setContentType("text/plain");
        PrintWriter writer = response.getWriter();
        writer.println(userName);
    }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
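The following is an added example, not part of the original post and not jCIFS or Jespa code. It shows the mechanism behind the difference the poster observed: a filter that authenticates on its own (outside the container's Realm) can only expose the identity to the servlet by wrapping the request, and a wrapper returns only what it overrides, so getUserPrincipal() and getRemoteUser() agree only if the filter makes them agree. The class names (ConsistentAuthFilter, AuthenticatedRequest), the demo user table and the use of plain HTTP Basic as a stand-in for the NTLM handshake are assumptions made for the example.

```java
package starweb;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not jCIFS, not Jespa). Authenticates the request, then wraps it so
 * that getUserPrincipal(), getRemoteUser(), isUserInRole() and getAuthType() all
 * describe the same identity. The credential check is a plain HTTP Basic stand-in
 * for the NTLM exchange; the wrapper is the part that matters for the question.
 */
public final class ConsistentAuthFilter implements Filter {

    /** Constructed demo credentials; a real filter validates against the domain. */
    private static final Map<String, String> DEMO_USERS =
            Collections.singletonMap("jdoe", "correct horse battery staple");

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String user = authenticate(req.getHeader("Authorization"));
        if (user == null) {
            resp.setHeader("WWW-Authenticate", "Basic realm=\"demo\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // the servlet behind the filter never runs unauthenticated
        }
        // Hand the servlet a request whose identity accessors all agree.
        chain.doFilter(new AuthenticatedRequest(req, user, Collections.singleton("user")), response);
    }

    /** Returns the validated account name or null. Demo only: Basic auth needs TLS in real use. */
    static String authenticate(String authorization) {
        if (authorization == null || !authorization.startsWith("Basic ")) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {
            return null;
        }
        String user = decoded.substring(0, colon);
        String expected = DEMO_USERS.get(user);
        if (expected == null) {
            return null; // unknown user
        }
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        byte[] want = expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(given, want) ? user : null; // constant-time compare
    }

    /**
     * Tomcat's own Request derives getRemoteUser() from the Principal, so the two agree
     * when the container authenticates. A wrapper returns only what it overrides:
     * override getUserPrincipal() alone and getRemoteUser() stays null, and vice versa.
     */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        AuthenticatedRequest(HttpServletRequest wrapped, final String name, Set<String> roles) {
            super(wrapped);
            this.principal = () -> name; // Principal's single abstract method is getName()
            this.roles = roles;
        }

        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public String getAuthType() { return "NTLM"; } // report the scheme actually used
    }
}
```

Map the filter in web.xml with a <filter-mapping> whose <url-pattern> covers every servlet that relies on the identity; a servlet reached on an unmapped path sees null from both accessors, without any error. A principal set this way also lives only in the wrapper: Tomcat's authenticator valve and the Realm never see it, so <security-constraint> elements in web.xml are not satisfied by it, and access decisions have to be made in the filter or the servlet. For the mod_jk case raised in the post: with tomcatAuthentication="false" on the AJP connector, Tomcat creates its own request principal from the REMOTE_USER that Apache forwards, and from then on getUserPrincipal().getName() and getRemoteUser() return the same name whichever filter sits in front. The trade-off is that anything able to reach the AJP port can then assert any user name, so that port must be reachable from the Apache host only.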