Should I report this as a bug? Or forward it to tomcat-dev?
Tomcat servlets cannot use Basic authentication if the request is proxied
through a redirecter. This is a fairly serious problem.
David
-----Original Message-----
From: Crane, David
Sent: Monday, September 24, 2001 2:43 PM
To: '[EMAIL PROTECTED]'
Subject: getRemoteUser Returns Null, Ignoring Authorization Header
The getRemoteUser method of the HttpServletRequest class is returning null.
The "Authorization" header does contain the correctly encoded user and
password for "Basic" authentication. Maybe there is a configuration setting
that is wrong?
We are using the NSAPI redirector that came with
jakarta-tomcat-3.2.3-src/src/native/netscape. The browser connects to the
iPlanet 4.1 SP5 server using HTTPS, and is challenged for the user name and
password. The NSAPI redirector sends the request over to Tomcat 3.2.3 using
HTTP (not HTTPS). In my Tomcat servlet, I can read and decode the
"Authorization" header, which looks correct. But it is not being
interpreted correctly by Tomcat's HttpServletRequest implementation, as you
can see below.
Here is some logging output from my servlet:
[DsemServlet] userLogin: null
[DsemServlet] Authentication type: null
[DsemServlet] Authorization header: Basic VDEzMk02NjM6eXXXXXXXXXX=
[DsemServlet] Decoded name and password: T132M663:not_gonna_give_this
[DsemServlet] Expected userLogin: T132M663
And here is the corresponding piece of code from the servlet's doGet method:
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import sun.misc.BASE64Decoder;

    // "cat" is the servlet's logger field, declared elsewhere in the class.
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        // What the container believes the authenticated user is (null here).
        String userLogin = request.getRemoteUser();
        cat.info("userLogin: " + userLogin);
        if (userLogin == null)
        {
            cat.info("Authentication type: " + request.getAuthType());
            // Read and decode the Basic credentials the redirector forwarded.
            String authorization = request.getHeader("Authorization");
            cat.info("Authorization header: " + authorization);
            BASE64Decoder dec = new BASE64Decoder();
            String encoded = authorization.substring(6);   // skip "Basic "
            String decoded = new String(dec.decodeBuffer(encoded));
            // Diagnostic only: this logs the clear-text password (masked by hand above).
            cat.info("Decoded name and password: " + decoded);
            int pos = decoded.indexOf(":");
            if (pos >= 0)
            {
                String expected = decoded.substring(0, pos);
                cat.info("Expected userLogin: " + expected);
            }
        }
    }
I am using the Tomcat 3.2.3 that came bundled with JBoss 2.4.1a. The
configuration files (such as server.xml) are the ones that came with the
bundle. I cannot find anything obviously wrong with them, but they are
quite long, and I don't know what to look for.
I did find questions in the mailing list archives that looked similar, but
they were mostly from last year, and had to do with form-based
authentication.
--
David Crane
Thomson Financial Municipals Group
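Not part of David's post: an added example, in current Java (java.util.Base64, Java 8+), of the header parsing his servlet does by hand, with the malformed cases handled and without writing the password to the log. The class and method names are my own choice; the sample header in main is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Diagnostic helper for a servlet behind a front-end web server (here
 *  iPlanet plus the NSAPI redirector) that has already challenged the
 *  browser. It only reads the user name out of the forwarded Authorization
 *  header; it does not verify the password, and the container still reports
 *  no principal unless a Tomcat realm performs the login itself. */
public final class BasicAuthHeader {

    private BasicAuthHeader() {}

    /** Returns the user name carried by a "Basic" Authorization header, or
     *  null when the header is absent, uses another scheme, is not valid
     *  Base64, or lacks the "user:password" separator. */
    public static String userName(String authorization) {
        if (authorization == null) {
            return null;
        }
        String header = authorization.trim();
        // Scheme names are case-insensitive (RFC 2617 / RFC 7617).
        if (header.length() < 6 || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String encoded = header.substring(6).trim();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            return null;  // not valid Base64: treat as no credentials
        }
        // RFC 7617 leaves the charset to the server; ISO-8859-1 is the
        // historical default for Basic credentials.
        String credentials = new String(raw, StandardCharsets.ISO_8859_1);
        int colon = credentials.indexOf(':');
        if (colon < 0) {
            return null;
        }
        // Everything after the first colon is the password; it is never logged.
        return credentials.substring(0, colon);
    }

    public static void main(String[] args) {
        // Constructed sample header, same shape as the one in the post.
        String sample = "Basic " + Base64.getEncoder().encodeToString(
                "T132M663:secret".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(userName(sample));
        System.out.println(userName("Bearer abc"));
        System.out.println(userName("Basic %%%"));
    }
}
```

Because the redirector re-sends the request to Tomcat over plain HTTP, the user name recovered this way is only as trustworthy as the link and the front-end server that forwarded it.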