2012/3/29 Thomas Strauß <t.stra...@srs-management.de>:
> Hi,
>
> we have a web application using the FormAuthentication with Tomcat 7.0.11.
>
> The application provides its own realm, that is valid for the whole server
> (configured in server.xml). The realm is based on datasource realm.
>
> The application provides request listeners that rely on the
> request.getPrincipal() method to obtain the logged on user.
>
> The request listener authenticates a service framework with the principal
> from the request.
>
> Tomcat 7.0.11 as stated above works with this design.
>
>
> In Tomcat 7.0.26 this approach fails, because the requestlistener can no
> longer obtain the principal using request.getPrincipal(). The call returns
> null. A webpage (jsp) called after the listener as target of the request can
> obtain the principal from the request as expected.
>
> No configuration changes have been applied between 7.0.11 and 7.0.26.
>
> Additionally we have experimented with various valve options, but did not
> succeed.
>
> We cannot explain this behavior and think it is a bug in Tomcat.
>
> Any help appreciated, as currently we cannot upgrade Tomcat due to this
> issue.
>
> In Tomcat 7.0.26 this approach fails, because the requestlistener can no
> longer obtain the principal using request.getPrincipal().

Is there a security constraint on the resource that the user is accessing?
(I.e. is the user accessing a protected resource?)

Look at configuration options for <Context>. See "preemptiveAuthentication" there.

Best regards,
Konstantin Kolinko