You are confusing two concepts.  Setting clientAuth="true" on the Connector
causes Tomcat to require that the user identify themselves with a cert
before they can continue.  Your servlet can then look at the cert (via
request.getAttribute("javax.servlet.request.X509Certificate");) and decide
what it wants to do with the information.

The request.getRemoteUser et al. methods only return non-null if you are
accessing a page that is protected by a <security-constraint> in your
web.xml file.  In addition, to use the cert to login with, you need to
specify CLIENT-CERT as the value of your auth-method in your login-config.
This will request a cert from the user to access a protected page, even if
clientAuth="false" on the Connector.

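The two independent sources of certificate identity described above, as an added example servlet that is not part of this thread (the class name CertInfoServlet is made up; the attribute name is the one quoted above, and the Servlet 2.x javax.servlet API is assumed):

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the thread. It reports both:
//  1. the TLS-level client certificate chain Tomcat exposes as a request
//     attribute whenever the handshake included a client cert (clientAuth="true"
//     on the Connector, or a page protected with CLIENT-CERT);
//  2. the container login identity (getUserPrincipal/getRemoteUser/getAuthType),
//     which stays null unless the URL is covered by a <security-constraint> and
//     <login-config><auth-method>CLIENT-CERT</auth-method></login-config> in
//     web.xml, and the cert's subject DN is known to the configured Realm.
public class CertInfoServlet extends HttpServlet {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // 1. TLS-level identity. The chain is absent over plain HTTP or when the
        //    browser sent no certificate, so always check for null first.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            out.println("No client certificate presented in the TLS handshake");
        } else {
            // chain[0] is the end-entity cert; its subject DN is the name the
            // CLIENT-CERT authenticator hands to the Realm as the user name.
            out.println("TLS client cert subject: " + chain[0].getSubjectX500Principal().getName());
            out.println("Issuer: " + chain[0].getIssuerX500Principal().getName());
        }

        // 2. Container-level identity: null unless this URL is protected and
        //    CLIENT-CERT authentication succeeded against the Realm.
        if (req.getUserPrincipal() == null) {
            out.println("Not authenticated by the container (no security-constraint"
                    + " covers this URL, or the cert's DN is unknown to the Realm)");
        } else {
            out.println("authType=" + req.getAuthType()
                    + " remoteUser=" + req.getRemoteUser());
        }
    }
}
```

Mapping the servlet to both a protected and an unprotected URL shows the difference directly: the certificate attribute is present on both once clientAuth="true", while the principal is only set on the protected one.
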
"Winter, G (Graeme)" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi,
>
> I should probably clarify this. I have hacked the Tomcat 5
> "RequestHeaderExample" servlet so that it prints out these values:
>
> request.getAuthType();
> request.getRemoteUser();
> request.getUserPrincipal();
>
> *but* they all print NULL. Even on the first "call" - no sessions involved
> (at least, I didn't *think* there are any sessions involved!) I have
> definitely logged in, because Mozilla asked me if I would accept the
> server's certificate, and also asked me for the password to my private
> certificate store, and I set clientAuth="true" - so should be OK all round.
>
> Am I looking in the wrong place? I'm looking at the request object for info
> here...
>
> (probability > 0.9 this is the case)
>
> Cheers,
>
> Graeme
>
> -----Original Message-----
> From: Yansheng Lin [mailto:[EMAIL PROTECTED]
> Sent: 07 April 2004 21:26
> To: 'Tomcat Users List'
> Subject: RE: request.getUserPrincipal();
>
>
> Hi, how often do you invalidate your sessions?  It's hard to imagine your
> application would expire a user's session right after he logs in.  But take a
> look at the request header to see if the subsequent session ids are the same as
> the first one.  Other than that, without more specific info on how you
> implemented the authentication, it's hard to figure out what's going on:).
>
> -Yan
>
>
> -----Original Message-----
> From: Winter, G (Graeme) [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 07, 2004 7:46 AM
> To: 'Tomcat Users List'
> Subject: request.getUserPrincipal();
>
>
> Hi All,
>
> I am trying to perform client authentication using certificates, and I have
> made some progress - the certificates are now accepted as OK, which is nice.
> Obviously I am using https too...
>
> However, the sting is that the methods
>
> request.getAuthType();
> request.getRemoteUser();
> request.getUserPrincipal();
>
> All return NULL, which is contrary to the documentation, since I know the
> user (i.e. me) has authenticated. clientAuth="true" in server.xml.
>
> Anyone else out there had this problem, and more to the point found a
> solution?
>
> Cheers,
>
> Graeme
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]