If you want the user name stored in the request (bad idea), it must be sent
in the form using a hidden field.

You should store it in the session. Only submitted form fields will be in
the request.



> -----Original Message-----
> From: Rustad, Aaron [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, October 18, 2003 17:40
> To: '[EMAIL PROTECTED]'
> Subject: Strange Security Problem
> 
> 
> I am encountering a strange security problem when trying to 
> submit a form to an action. This JSP is as follows:
> 
> <%= request.getUserPrincipal().getName() %>
> <form action="/edm/ebb/upload.do" method="POST">
>  <table width="75%" border="1">
>   <tr>
>     <td><bean:message key="upload.from"/></td>
>     <td><input type="text" name="from"/></td>
>   </tr>
>   <tr>
>     <td><bean:message key="upload.to"/></td>
>     <td><input type="text" name="to"/></td>
>   </tr>
>   <tr>
>     <td><bean:message key="upload.version"/></td>
>     <td><input type="text" name="version"/></td>
>   </tr>    
>   <tr>
>     <td><bean:message key="upload.file"/></td>
>     <td><input type="file" name="input-data"></td>
>   </tr>
> </table>
> <input type="submit" value="Submit"/>
> </form>
> <html:link forward="ups">upload</html:link>
> 
> The strange thing is this:
> 
> When this page is loaded, and I am legitimately logged in, the 
> name of the UserPrincipal is displayed as it should be. 
> However, if I submit the form, the appropriate action class 
> is called, but when I invoke request.getUserPrincipal()...it 
> returns null. Notice the last line of the HTML, it has a link 
> that points to the same action class...when it is clicked, 
> the principal is propagated to the action and it is NOT null.
> 
> Can anyone help me out with this? I would like the post to 
> work correctly.
> 
> Thanks!
> Aaron.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
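The advice in the reply above (keep the user name in the session, not in a hidden form field), as an added example that is not part of the original thread. It assumes the `javax.servlet` API is on the classpath; the class name `SessionUser`, the session key and the `user` field name are hypothetical.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not from the thread): keeps the caller's identity server-side. */
public final class SessionUser {
    // Hypothetical session attribute key.
    private static final String KEY = "edm.authenticatedUser";

    private SessionUser() {}

    /** Call where getUserPrincipal() is non-null, e.g. from the JSP that renders the form. */
    public static void remember(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (p != null) {
            // Stored in container memory; the browser only holds the session id.
            request.getSession(true).setAttribute(KEY, p.getName());
        }
    }

    /** Call from the action behind upload.do. Returns null when nobody is authenticated. */
    public static String current(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (p != null) {
            return p.getName(); // container-asserted identity wins when present
        }
        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute(KEY);
    }

    // Weak form, shown for contrast: the browser controls every submitted
    // field, hidden or not, so this value is whatever the client sent.
    static String fromHiddenField(HttpServletRequest request) {
        return request.getParameter("user"); // hypothetical field name
    }
}
```

An action that gets `null` from `current()` should reject the upload, never fall back to a request parameter.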


