Craig,

Thanks for the idea. It appears to work, mostly. I think I have done it
correctly for our authentication scheme.

I put protection on the web server on my servlet URL as well as the page URL
so that the authentication happens before the servlet is invoked and the
getRemoteUser() now appears to work. It still appears not all header
information is passed (authorization) as you alluded to below. I'm using
JRun for development work and am not quite sure if they pass it all.

Also, we have a home-built authentication product and we are supposed to
getHeader() information from this authentication page. It appears that the
String I'm supposed to look up is still missing even though my server
obj.conf file has this servlet URL protected.

Any ideas on this one?

Thanks,

Gary

> -----Original Message-----
> From: Craig R. McClanahan [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, April 21, 1999 10:00 AM
> To:   [EMAIL PROTECTED]
> Subject:      Re: getRemoteUser()
>
> Formanek Gary L wrote:
>
> > I want to get the username from the basic user authentication dialog that
> > pops up on a secured URL. I thought this would do it:
> >
> > log("Remote user = " + req.getRemoteUser().toUpperCase());
> >
> > However, it seems to return null. Does this not work? The user is
> > authenticated by the standard dialog box from the web server on the URL and
> > I would think this would get the name in the dialog box.
> >
>
> This works, but only if the URL of the servlet itself is configured to be in a
> protected area (at the web server level).  For example, in Apache if your
> servlet path was /servlet/myservlet, you would have to include a <Location>
> directive for that path in the Apache configuration file.  You cannot use a
> ".htaccess" file for this, because there is no "real" /servlet directory to put
> it in when you've told the server that /servlet calls are mapped to the servlet
> engine.  Details for other web servers will vary.
>
> >
> > I have also tried:
> >
> > String enc = req.getHeader("Authorization");
> >
> > I did the routine with base64 encoding but it also seems to return null. Any
> > ideas here?
> >
>
> The "Authorization" header is where the servlet engine itself discovers the
> value to be returned by getRemoteUser() -- if this header is not included in
> the request (as discussed above), the value returned by getRemoteUser() will be
> null.
>
> I cannot speak for all servlet engines, but IMHO passing the "Authorization"
> header on to the servlet is a security risk (because it includes the password
> as well as the username).  I would not be surprised to see servlet engines
> stripping it off from the set of headers they allow to be returned by
> request.getHeader().
>
> >
> > Thanks,
> >
> > Gary L. Formanek
> > Engineering Systems
> > Deere Power Systems Group
> > Phone (319) 292-5310
> > Fax (319) 292-8813
> >
>
> Craig McClanahan
>
> __________________________________________________________________________
> _
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the
> body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
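
The behaviour discussed in this thread, as an added example that is not code from either poster or from any servlet engine: a null-safe version of the log line that prefers the container-supplied remote user and, only if the engine does pass the "Authorization" header through, extracts the username while discarding the password. The class and method names are hypothetical, the header values are constructed, and ISO-8859-1 decoding of the credentials is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.Optional;

public class BasicAuthUser {  // hypothetical helper, not part of the servlet API

    /** Username from a Basic "Authorization" header value; empty if absent or malformed. */
    static Optional<String> userFrom(String header) {
        if (header == null) return Optional.empty();   // URL not protected, or engine stripped it
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return Optional.empty();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {         // not valid base64
            return Optional.empty();
        }
        // Decoded form is "user:password"; this is why passing the header on is sensitive.
        String creds = new String(raw, StandardCharsets.ISO_8859_1);
        int colon = creds.indexOf(':');                // first colon splits; password may hold more
        if (colon <= 0) return Optional.empty();       // no separator or empty username
        return Optional.of(creds.substring(0, colon)); // password is never returned or logged
    }

    /** Null-safe form of the thread's log line; remoteUser is what getRemoteUser() returned. */
    static String logLine(String remoteUser, String authorizationHeader) {
        String user = (remoteUser != null)
                ? remoteUser
                : userFrom(authorizationHeader).orElse(null);
        return (user == null)
                ? "Remote user = <none: servlet URL unprotected or header not passed>"
                : "Remote user = " + user.toUpperCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample header; the password deliberately contains a colon.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("gary:s3cret:x".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(logLine("gary", null));       // container authenticated the request
        System.out.println(logLine(null, header));       // header passed through by the engine
        System.out.println(logLine(null, null));         // servlet URL not in a protected area
        System.out.println(logLine(null, "Basic %%%"));  // malformed credentials
    }
}
```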
