I looked over the patch I supplied yesterday and realized that this original line (String remoteUser = ajp.remoteUser().toString();) could cause a null pointer exception if the ajp.remoteUser() returns null. Since the original code checked for null, it is probably safer to check for null on ajp.remoteUser () before calling toString just in case the RemoteUser is supplied as null.
Please replace the patch I supplied yesterday with the following code to support this possibility. I've tested this updated version and it works as well.

In org.apache.ajp.tomcat4.Ajp13Request.setAjpRequest

Replace from line 115:

    //String remoteUser = ajp.remoteUser().toString();
    //if ((remoteUser != null) && (! remoteUser.equals ("")))
    //  {
    //    setUserPrincipal(new Ajp13Principal(remoteUser));
    //  }
    //else
    //  {
    //    setUserPrincipal(null);
    //  }

    Ajp13Principal theUserPrincipal = null;
    MessageBytes theRemoteUser = ajp.remoteUser ();
    if (theRemoteUser != null)
      {
        String theRemoteUserName = theRemoteUser.toString ();
        if (! theRemoteUserName.equals (""))
          {
            theUserPrincipal = new Ajp13Principal (theRemoteUserName);
          }
      }
    setUserPrincipal(theUserPrincipal);

Here is an explanation of the rationale behind the patch: The request is providing an empty string for the remote user parameter rather than null. The unpatched code was setting the user principal to a non-null empty user instead of null. Subsequent code calling getUserPrincipal assumed that a user had already been authenticated when the non-null getUserPrincipal value was seen, and denied access to the empty user. The patched code treats a specified user of "" the same as an unspecified user header of null, and sets the user principal stored in the request to null when the supplied userid is empty or null, and to a valid Ajp13Principal when the userid is non-null and non-empty.

Jonathan

____________________Reply Separator____________________
Subject: Fix for AJP13 Connector Authentication Bug !!!
Author: "Tomcat Developers List" <[EMAIL PROTECTED]>
Date: 2/14/2002 7:39 PM

I've confirmed the fix for the AJP13 Connector / Authentication problem in 4.0.2. This solves high priority bugs 5647 and 6219. Please have one of the committers confirm the fix and check it in to cvs. The issue was reported in Bug 6219. I tested the following modification and it seems to resolve the problem.
The problem is in org.apache.ajp.tomcat4.Ajp13Request.setAjpRequest

The fix is below. Replace from line 115:

    // String remoteUser = ajp.remoteUser().toString();
    // if(remoteUser != null)
    //    setUserPrincipal(new Ajp13Principal(remoteUser));

    String remoteUser = ajp.remoteUser().toString();
    if ((remoteUser != null) && (! remoteUser.equals ("")))
      {
        setUserPrincipal(new Ajp13Principal(remoteUser));
      }
    else
      {
        setUserPrincipal(null);
      }

After making this modification, I am able to successfully serve the protected example url through the IIS connector and get properly challenged by the login screen and am able to login and logout as expected.

http://localhost/examples/jsp/security/protected/index.jsp

-Jonathan

************************************************************************
This email and any files transmitted with it are for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. This email message has been swept by a virus software product for the presence of computer viruses.
*************************************************************************

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
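The behaviour both messages above describe, as an added stand-alone illustration that is not Jonathan's patch and not Tomcat code: the unpatched check only tests for null, so an empty remoteUser header still produces a non-null principal, and a downstream stand-in authenticator then treats the request as already authenticated instead of issuing the login challenge. DemoPrincipal and the outcome() helper are hypothetical stand-ins for Ajp13Principal and the authenticator; the later patch's null check on the MessageBytes object is folded into the null-String case here.

```java
import java.security.Principal;

// Hypothetical stand-in for org.apache.ajp.tomcat4.Ajp13Principal (example only).
final class DemoPrincipal implements Principal {
    private final String name;
    DemoPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

public class RemoteUserDemo {
    // Unpatched logic: any non-null header value, including "", becomes a principal.
    static Principal unpatched(String remoteUser) {
        if (remoteUser != null) {
            return new DemoPrincipal(remoteUser);
        }
        return null;
    }

    // Patched logic: null and "" both yield no principal, so normal authentication runs.
    static Principal patched(String remoteUser) {
        if (remoteUser != null && !remoteUser.equals("")) {
            return new DemoPrincipal(remoteUser);
        }
        return null;
    }

    // Hypothetical downstream authenticator: a present principal is taken as "already
    // authenticated" and the login challenge is skipped, which is how the empty user
    // ended up being denied access instead of being asked to log in.
    static String outcome(Principal p) {
        return p == null ? "no principal -> challenge login"
                         : "already authenticated as '" + p.getName() + "'";
    }

    public static void main(String[] args) {
        // Constructed sample header values: absent, empty, and a real user name.
        String[] headers = { null, "", "alice" };
        for (String h : headers) {
            String shown = h == null ? "null" : "\"" + h + "\"";
            System.out.printf("remoteUser=%-8s unpatched: %-40s patched: %s%n",
                    shown, outcome(unpatched(h)), outcome(patched(h)));
        }
    }
}
```

Running main() shows the divergence only on the empty-string row: unpatched reports "already authenticated as ''" while patched falls through to the login challenge, matching the fix described in the thread.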