2015-01-26 11:54 GMT+03:00 Thomas Strauß <t.stra...@srs-management.de>: > Hi, > > we have an issue with later and latest Tomcat versions, that prevent us from > upgrading to a version later than something like 7.0.22. > > We use FormBasedAuthentication with a custom realm. > > This is tested with Tomcat 7.0.57 and JDK 7u76 on Windows. > > My setup has a login form calling the j_security servlet. The custom realm is > called and authentication is successful, a custom principal is returned. > > Tomcat will then forward to the protected resource, and we catch the request > in a RequestListener. > > The problem is, that request.getUserPrincipal() returns null. The debugger > exposes, that the sessionwrapper returned by request.getSession(false) > (instance of SessionWrapper, containing StandardSession) has a field > "principal", that contains the principal returned from my realm. > > I have seen a discussion on the requirement to return a userprincipal on non > protected requests in bugzilla, but the request here is calling for a > protected resource. > > Any idea on why this can happen would be very helpful. Actually, I see it as > a bug, that the request is not authenticated but still served.
1. Source code = ? I see that you have it here: https://stackoverflow.com/questions/28147261/request-getuserprincipal-is-null-but-standardsession-principal-is-set 2. Stacktrace when RequestListener is invoked = ? When the listener is called? Is it called after authenticator valve or before it? 3. Try debugging through AuthenticatorBase.invoke() https://wiki.apache.org/tomcat/FAQ/Developing#Debugging There is code that copies the principal from session into request [[[ if (cache) { ... if (principal != null) { if (log.isDebugEnabled()) log.debug("We have cached auth type " + session.getAuthType() + " for principal " + session.getPrincipal()); request.setAuthType(session.getAuthType()); request.setUserPrincipal(principal); } } } } ]]] 4. This does not reproduce in the default configuration. There is a page in examples webapp that uses FORM authentication. http://localhost:8080/examples/jsp/security/protected/index.jsp If you look into index.jsp it will display "No user principal could be identified." when request.getUserPrincipla() is null. It displays the correct principal name for me. 5. Is your principal a subclass of GenericPrincipal? How do you set it? Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
