I'm not sure it's explicitly stated what the behavior will be for access to unprotected resources. I do know that it's different than how it used to work in Tomcat 4.0.6.

Case in point: if, after you authenticate a user, you want to bring them to a page that will show them content based upon a particular role, it isn't possible if you return null for the principal.

Brian

seb_esp <[EMAIL PROTECTED]> wrote on 05/28/2003 05:04:10 PM:

> That's the expected behavior. It's in Sun's Servlet spec., don't
> remember exactly where...
>
> The user will be null if you are in an unprotected resource, EVEN if
> you are authenticated.
>
> Regards,
>
> Brian K Bonner wrote:
> > Hello,
> >
> > I'm seeing something weird with 4.1.24. If I access an unprotected
> > resource after I am authenticated, I receive null from getUserPrincipal().
> > I am using the Coyote Http 1.1 connector, although I've tried it with the
> > old catalina Http 1.1 connector.
> >
> > Here's the test case:
> > 1) access the unprotected servlet first; you'll see "testing unprotected
> >    servlet. user is null" using either:
> >    http://localhost:8083/testing/unprotected or
> >    http://localhost:8080/testing/unprotected
> > 2) access the protected servlet; you'll be challenged with the basic auth
> >    dialog and then see: "testing protected servlet. user is
> >    GenericPrincipal[tomcat]" using either:
> >    http://localhost:8083/testing/protected or
> >    http://localhost:8080/testing/protected
> > 3) access the unprotected servlet; I still see: "testing unprotected
> >    servlet. user is null" (access it the same as in #1)
> >
> > This should return the same as #2, but it doesn't. Can someone explain
> > why?? And how can I work around this problem?? I've been searching on the
> > web, but www.mail-archive appears to be down.
> >
> > Brian
> >
> >
> > Using Tomcat 4.1.24 standalone with the memory realm.
> >
> > Here's my abbreviated conf/tomcat-users.xml:
> >
> >   <?xml version='1.0' encoding='utf-8'?>
> >   <tomcat-users>
> >     <role rolename="editor"/>
> >     <user username="tomcat" password="tomcat" roles="editor"/>
> >   </tomcat-users>
> >
> > The get methods of my two servlets (protected and unprotected):
> >
> > unprotected servlet's doGet:
> >
> >   PrintWriter out = res.getWriter();
> >   out.println("testing unprotected servlet");
> >   out.print("user is ");
> >   Principal p = req.getUserPrincipal();
> >   out.print(p);
> >
> > protected servlet's doGet:
> >
> >   PrintWriter out = res.getWriter();
> >   out.println("testing protected servlet");
> >   out.print("user is ");
> >   Principal p = req.getUserPrincipal();
> >   out.print(p);
> >
> > Here's my web.xml file:
> >
> >   <?xml version="1.0" encoding="ISO-8859-1"?>
> >   <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >   <web-app>
> >     <display-name>testing</display-name>
> >     <description>Test Unsecured Pages App</description>
> >     <servlet>
> >       <servlet-name>protected</servlet-name>
> >       <servlet-class>com.paraware.test.TestServlet</servlet-class>
> >     </servlet>
> >     <servlet>
> >       <servlet-name>unprotected</servlet-name>
> >       <servlet-class>com.paraware.test.TestServlet2</servlet-class>
> >     </servlet>
> >     <servlet-mapping>
> >       <servlet-name>protected</servlet-name>
> >       <url-pattern>/protected</url-pattern>
> >     </servlet-mapping>
> >     <servlet-mapping>
> >       <servlet-name>unprotected</servlet-name>
> >       <url-pattern>/unprotected</url-pattern>
> >     </servlet-mapping>
> >     <security-constraint>
> >       <web-resource-collection>
> >         <web-resource-name>Secure Servlets</web-resource-name>
> >         <description>Files secured for testing</description>
> >         <url-pattern>/protected</url-pattern>
> >         <http-method>GET</http-method>
> >         <http-method>POST</http-method>
> >       </web-resource-collection>
> >       <auth-constraint>
> >         <description>Editors</description>
> >         <role-name>editor</role-name>
> >       </auth-constraint>
> >     </security-constraint>
> >     <login-config>
> >       <auth-method>BASIC</auth-method>
> >     </login-config>
> >     <security-role>
> >       <description>Page Editors</description>
> >       <role-name>editor</role-name>
> >     </security-role>
> >   </web-app>
> >
> > And from the server.xml:
> >
> >   <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> >              port="8080" minProcessors="5" maxProcessors="75"
> >              enableLookups="true" redirectPort="8443"
> >              acceptCount="100" debug="4" connectionTimeout="20000"
> >              useURIValidationHack="false" disableUploadTimeout="true" />
> >
> >   <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> >              port="8009" minProcessors="5" maxProcessors="75"
> >              enableLookups="true" redirectPort="8443"
> >              acceptCount="10" debug="0" connectionTimeout="0"
> >              useURIValidationHack="false"
> >              protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
> >
> >   <Connector className="org.apache.catalina.connector.http.HttpConnector"
> >              port="8083" minProcessors="5" maxProcessors="75"
> >              enableLookups="true" redirectPort="8443"
> >              acceptCount="10" debug="0" />
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
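The workaround the thread is asking for, written out as an added example (this is not code from either poster or from Tomcat): the resource that is covered by the security-constraint caches the container-authenticated principal, plus a snapshot of the roles the application cares about, in the HttpSession; unprotected resources fall back to that cached copy when getUserPrincipal() returns null. The servlet class names, the /protected and /unprotected mappings and the "editor" role are taken from the quoted web.xml; the helper class AuthCache, its method names and the session attribute names are assumptions made for this example.

```java
package com.paraware.test;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Assumed helper: remembers the container's authentication result in the session. */
final class AuthCache {
    static final String PRINCIPAL_ATTR = "com.paraware.test.principal"; // assumed name
    static final String ROLES_ATTR = "com.paraware.test.roles";         // assumed name
    // isUserInRole() can only be asked per role name, so list the roles the app uses.
    static final String[] KNOWN_ROLES = { "editor" };

    private AuthCache() {}

    /** Call this only from a resource that a security-constraint actually covers. */
    static void remember(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        if (p == null) {
            return; // container did not authenticate this request; cache nothing
        }
        Set<String> roles = new HashSet<String>();
        for (String role : KNOWN_ROLES) {
            if (req.isUserInRole(role)) {
                roles.add(role);
            }
        }
        HttpSession session = req.getSession(true);
        session.setAttribute(PRINCIPAL_ATTR, p);
        session.setAttribute(ROLES_ATTR, roles);
    }

    /** Container principal when present, otherwise the one cached in this session, otherwise null. */
    static Principal resolve(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        if (p != null) {
            return p;
        }
        HttpSession session = req.getSession(false); // never create a session just to look
        return session == null ? null : (Principal) session.getAttribute(PRINCIPAL_ATTR);
    }

    /** Role check that also works where req.isUserInRole() sees no principal. */
    static boolean hasRole(HttpServletRequest req, String role) {
        if (req.isUserInRole(role)) {
            return true;
        }
        HttpSession session = req.getSession(false);
        if (session == null) {
            return false;
        }
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute(ROLES_ATTR);
        return roles != null && roles.contains(role);
    }
}

/** Mapped to /protected, which the auth-constraint restricts to role "editor". */
public class TestServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        AuthCache.remember(req); // container has already authenticated by now
        PrintWriter out = res.getWriter();
        out.println("testing protected servlet");
        out.println("user is " + req.getUserPrincipal());
    }
}

/** Mapped to /unprotected, which no security-constraint covers. */
class TestServlet2 extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        Principal p = AuthCache.resolve(req); // falls back to the cached principal
        PrintWriter out = res.getWriter();
        out.println("testing unprotected servlet");
        out.println("user is " + (p == null ? "null" : p.getName()));
        if (AuthCache.hasRole(req, "editor")) {
            out.println("editor-only content goes here");
        }
    }
}
```

Two caveats worth keeping in mind with this pattern. The cached principal is only as trustworthy as the session that holds it, so the session must be invalidated on logout and the session ID must be protected in transit like any other credential; and the role snapshot is taken once, at the protected resource, so a change to the user's roles in the realm is not seen by unprotected pages until the session ends. Do not replace the session cache with anything the client supplies (a cookie or parameter naming the user), since an unprotected resource has no other way to verify it.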
