I want to secure my web application using container-managed security by using 
WebSphere Application Server 6.1. The security credentials are not propagated to 
the Filter class, whereas the same works 100% fine in TOMCAT server.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

                 Key: WW-2121
                 URL: https://issues.apache.org/struts/browse/WW-2121
             Project: Struts 2
          Issue Type: Bug
         Environment: Websphere Application Server 6.1
Struts 2.0.9
Rational Application Developer 7
            Reporter: Balamurugan


Hi,

I am a newbie to Struts2. I have the following issue while configuring the 
container managed security in Struts2 with WebSphere Application Server 6.1. 
Need urgent assistance, please...

I don't know whether this is the correct forum to post this query. If not, kindly 
let me know the correct forum where I can post.

Issue:
--------
I want to secure my web application using container managed security by using 
WebSphere Application Server 6.1. We secured all the URLs by placing a security 
constraint and mapping the relevant users/groups in my web.xml. But the security 
credentials are not propagated to the Filter class, whereas the same works 100% 
fine in TOMCAT server.

After configuring all container managed security we were able to get the 
security credentials like remoteUser in JSP. But when the form is submitted to 
the action class by having the Filter as a controller, we are not able to get 
the remoteUser by calling request.getRemoteUser() at the Action.
What we inferred is that the UserPrincipal context in the request parameter is 
not available at the Filter.

Below are the entries which we have in web.xml
        <security-constraint>
                <display-name>
                secconst12</display-name>
                <web-resource-collection>
                        <web-resource-name>secweb1234</web-resource-name>
                        <url-pattern>*.action</url-pattern>
                        <url-pattern>/*</url-pattern>
                        <url-pattern>*</url-pattern>
                        <http-method>GET</http-method>
                        <http-method>PUT</http-method>
                        <http-method>HEAD</http-method>
                        <http-method>TRACE</http-method>
                        <http-method>POST</http-method>
                        <http-method>DELETE</http-method>
                        <http-method>OPTIONS</http-method>
                </web-resource-collection>
                <auth-constraint>
                        <description>
                        secAuthConst12</description>
                        <role-name>secrole12</role-name>
                </auth-constraint>
        </security-constraint>
        <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>DirRealm</realm-name>
        </login-config>
        <security-role>
                <role-name>secrole12</role-name>
        </security-role>


Below are the steps we tried to get a basic idea. For that we wrote a sample 
Servlet and sample Filter, configured them in our web.xml as shown below, 
and tested the application.

Approach 1
----------------

1) Having a Servlet as a controller. (Submit the JSP form to a Servlet)
        1) We have the following entries in web.xml
                <servlet>
                        <description></description>
                        <display-name>SampleServletController</display-name>
                        <servlet-name>SampleServletController</servlet-name>
                        <servlet-class>com.xxx.xxx.xxx.SampleServletController</servlet-class>
                </servlet>
                <servlet-mapping>
                        <servlet-name>SampleServletController</servlet-name>
                        <url-pattern>*.action</url-pattern>
                </servlet-mapping>
        2) When we call request.getRemoteUser() in the servlet's doPost 
method, we are able to get the remoteUser name.

Output
----------
This approach works fine in both Apache Tomcat 6.0.14 and WebSphere Application 
Server 6.1 (i.e. we are able to get the remoteUser in the servlet's doPost() method).
        


Approach 2
----------------

2) Having a Servlet Filter as a controller. (Submit the form to a Servlet 
Filter)
        1) We have the following entries in web.xml
                <filter>
                        <description></description>
                        <display-name>SampleFilterController</display-name>
                        <filter-name>SampleFilterController</filter-name>
                        <filter-class>com.xxx.xxx.xxx.SampleFilterController</filter-class>
                </filter>
                <filter-mapping>
                        <filter-name>SampleFilterController</filter-name>
                        <url-pattern>*.action</url-pattern>
                </filter-mapping>

Output
---------
        1) In Apache Tomcat 6.0.14, when we call request.getRemoteUser() in 
the Filter's doFilter() method, we got the remoteUser name.
        2) In WebSphere Application Server 6.1, when we call 
request.getRemoteUser() in the Filter's doFilter() method, we got null.


The above scenarios clearly flag that the application works fine in TOMCAT and 
doesn't in the WebSphere Application Server when we have the Servlet Filter as 
controller. Please let us know what would be required to be done to make it 
work.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
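
An added example, not part of the original report and not Struts or WebSphere code: a small audit of a descriptor like the one quoted above. It classifies each url-pattern by the Servlet mapping rules (a bare `*` is an exact-match string, not a wildcard) and reports, per mapped pattern and HTTP method, whether a security-constraint carrying an auth-constraint covers it; a constraint that enumerates methods does not apply to methods outside its list. The sample XML is constructed from the fragments in the report, and the coverage test is a simplification (same pattern string, or `/*`).

```python
import xml.etree.ElementTree as ET

METHODS = ["GET", "PUT", "HEAD", "TRACE", "POST", "DELETE", "OPTIONS"]
# Constructed sample: the fragments quoted in the report, wrapped in <web-app>.
WEB_XML = """<web-app>
 <filter-mapping><filter-name>SampleFilterController</filter-name>
  <url-pattern>*.action</url-pattern></filter-mapping>
 <security-constraint><web-resource-collection>
  <web-resource-name>secweb1234</web-resource-name>
  <url-pattern>*.action</url-pattern><url-pattern>/*</url-pattern>
  <url-pattern>*</url-pattern>%s
 </web-resource-collection>
 <auth-constraint><role-name>secrole12</role-name></auth-constraint>
 </security-constraint></web-app>""" % "".join(
    "<http-method>%s</http-method>" % m for m in METHODS)

def pattern_kind(p):
    """Classify a url-pattern by the Servlet spec mapping rules."""
    if p.startswith("/") and p.endswith("/*"):
        return "path-prefix"
    if p.startswith("*."):
        return "extension"
    return "default" if p == "/" else "exact"

def audit(xml_text):
    """Return (constraints, coverage) for one deployment descriptor."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                 # drop any XML namespace prefix
        el.tag = el.tag.split("}")[-1]
    constraints = []
    for sc in root.iter("security-constraint"):
        pats = [u.text.strip() for u in sc.iter("url-pattern")]
        constraints.append({
            "patterns": {p: pattern_kind(p) for p in pats},
            "methods": [m.text.strip() for m in sc.iter("http-method")],
            "auth": sc.find("auth-constraint") is not None,
            "roles": [r.text.strip() for r in sc.findall("auth-constraint/role-name")],
        })
    def covered(pattern, method):
        # Simplification: covered when a constraint names the same pattern or "/*"
        # and either lists no methods (meaning all) or lists this method.
        return any(c["auth"] and (pattern in c["patterns"] or "/*" in c["patterns"])
                   and (not c["methods"] or method in c["methods"])
                   for c in constraints)
    mappings = [u.text.strip() for tag in ("filter-mapping", "servlet-mapping")
                for m in root.iter(tag) for u in m.iter("url-pattern")]
    return constraints, {(p, meth): covered(p, meth)
                         for p in mappings for meth in METHODS + ["PATCH"]}
```

Calling `audit()` on a full web.xml returns the parsed constraints and a map keyed by (mapped url-pattern, method); `PATCH` is included only as a probe for a method outside the enumerated list.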
