I posted this on the dev list but I must have placed it on the wrong list...

I am running IIS+jk_connect+Tomcat 7.0.59 but this issue was replicated on 
Tomcat 5.5.36. We are using a security filter from a 3rd party that is failing 
to engage while requests are sent over AJP via jk_connect. I was able to trace 
the issue to the 3rd party checking for previously authenticated principal via 
HttpServletRequest.getUserPrincipal(). Regular call via HTTP connector returns 
null. Call over jk_connect returns CoyotePrincipal object but the getName() on 
it is "". The whole issue starts in the jk_isapi_plugin.c where 


This macro is defined as

#define GET_SERVER_VARIABLE_VALUE(name, place)              \
  do {                                                      \
    (place) = dup_server_value(private_data->lpEcb,         \
                               (name),                      \
                               &private_data->p);           \
  } while(0)

dup_server_value is

static char *dup_server_value(LPEXTENSION_CONTROL_BLOCK lpEcb,
                              const char *name, jk_pool_t *p)
{
    DWORD sz = HDR_BUFFER_SIZE;   /* in/out buffer length for GetServerVariable, declared in the original function */
    char buf[HDR_BUFFER_SIZE];
    char *dp;

    if (lpEcb->GetServerVariable(lpEcb->ConnID, (LPSTR)name, buf, &sz))
        return jk_pool_strdup(p, buf);
    /* ... remainder of the function omitted in the quoted excerpt ... */

and "jk_pool_strdup" starts as

char *jk_pool_strdup(jk_pool_t *p, const char *s)
{
    char *rc = NULL;
    if (s && p) {
        size_t size = strlen(s);

        if (!size) {
            return "";
        }
        /* ... non-empty case omitted in the quoted excerpt ... */

So essentially GetServerVariable(REMOTE_USER, buf, &sz) returns TRUE and sets 
buf[0]=0 and sz to 0 indicating no REMOTE_USER is present. However, this is 
converted to "" by jk_pool_strdup and sent over AJP to Tomcat as a remote_user 
with size of 0 bytes.

Since a remote_user field IS sent to Tomcat, it creates a CoyotePrincipal 
object with a principal name of empty string.

There is a problem somewhere: two requests over two connectors generate two 
different principal objects (null and empty CoyotePrincipal). If I had to put a 
finger on it, I would say the issue is with the IIS connector converting empty 
REMOTE_USER value to "" instead of NULL and thus sending empty remote_user "" 
to Tomcat. But a case can be made for Tomcat's AJP processor to check if the 
incoming remote_user value is "" and not create a phoney CoyotePrincipal either.
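The mechanism described above, reduced to a self-contained C model. This is an added example, not code from the tomcat-connectors project or from the poster: `VARS`, `get_server_variable`, `dup_string`, `dup_value_current`, `dup_value_fixed` and `should_create_principal` are all constructed stand-ins, and the server variable table is made up. It shows the current behaviour (a present-but-empty REMOTE_USER becomes "" rather than NULL) next to the two candidate fixes the post names: the connector returning NULL for a zero-length value, and the receiving side refusing to build a principal from an empty remote_user.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the IIS server variable table (not the real ISAPI
   API). REMOTE_USER is present but empty: the anonymous-request case. */
typedef struct { const char *name; const char *value; } server_var_t;

static const server_var_t VARS[] = {
    { "REMOTE_USER", "" },
    { "REMOTE_ADDR", "10.0.0.5" },
    { "AUTH_USER",   "alice" },
};

/* Simulated GetServerVariable: returns 1 when the variable exists (even if
   its value is empty) and copies it into buf; *sz receives the value length,
   so an empty value reports 0 just as the post observes. Returns 0 when the
   variable is missing or the buffer is too small. */
static int get_server_variable(const char *name, char *buf, size_t *sz)
{
    size_t i;
    for (i = 0; i < sizeof VARS / sizeof VARS[0]; i++) {
        if (strcmp(VARS[i].name, name) == 0) {
            size_t len = strlen(VARS[i].value);
            if (len + 1 > *sz)
                return 0;
            memcpy(buf, VARS[i].value, len + 1);
            *sz = len;
            return 1;
        }
    }
    return 0;
}

/* Heap copy of s (stand-in for jk_pool_strdup). Like the original, "" in
   gives "" out: the result is never NULL for a present variable. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* Current behaviour: an empty REMOTE_USER becomes "" and is forwarded, so the
   receiver ends up with a principal whose name is "". */
static char *dup_value_current(const char *name)
{
    char buf[256];
    size_t sz = sizeof buf;
    if (!get_server_variable(name, buf, &sz))
        return NULL;
    return dup_string(buf);
}

/* Connector-side fix: treat a zero-length value as absent and return NULL,
   which is what a request through the HTTP connector yields (no principal). */
static char *dup_value_fixed(const char *name)
{
    char buf[256];
    size_t sz = sizeof buf;
    if (!get_server_variable(name, buf, &sz) || sz == 0)
        return NULL;
    return dup_string(buf);
}

/* Receiver-side check (the alternative fix for the AJP processor): only
   create a principal for a non-empty remote_user. */
static int should_create_principal(const char *remote_user)
{
    return remote_user != NULL && remote_user[0] != '\0';
}

int main(void)
{
    char *cur = dup_value_current("REMOTE_USER");
    char *fix = dup_value_fixed("REMOTE_USER");
    printf("current: %s\n", cur ? (cur[0] ? cur : "\"\" (empty principal)") : "NULL");
    printf("fixed:   %s\n", fix ? fix : "NULL (no principal)");
    printf("receiver accepts \"\"? %d\n", should_create_principal(""));
    free(cur);
    free(fix);
    return 0;
}
```

Either fix alone closes the gap between the two connectors; applying the receiver-side check as well means a future connector that forwards "" cannot reintroduce an authenticated-looking principal with no name.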

I'd like to raise an issue but I want to submit it into the correct component.

