| Subject: | Re: Authentication and Filters | |
|---|---|---|
| From: | Craig R. McClanahan (crai...@apache.org) | |
| Date: | Jan 9, 2003 5:43:12 pm | |
| List: | org.apache.tomcat.users | |

On Thu, 9 Jan 2003, Jeffrey Winter wrote:

> Date: Thu, 9 Jan 2003 19:25:37 -0500
> From: Jeffrey Winter <jeff...@attbi.com>
> Reply-To: Tomcat Users List <tomc...@jakarta.apache.org>
> To: Tomcat Users List <tomc...@jakarta.apache.org>
> Subject: Authentication and Filters
>
> I am using a Filter to do some URL rewriting. In the filter, I accept a url like:
>
> /user/x/resource/y [1]
>
> and convert it to
>
> /resource/y?user=x [2]
>
> In the Filter, I create a RequestDispatcher using the new url, and then call forward().
>
> The servlet set up to handle "/resource" is set up for Basic authentication in web.xml. It works fine when calling the resource directly, that is, using url [2]. The servlet is called and the authentication works.
>
> However, when requesting through the filter using url [1] via POST (which is converted to [2]) the authentication appears to be unavailable to the servlet. That is, Tomcat is obviously authenticating correctly because it is getting to the servlet's doPost() method, but when I call
>
> `Principal principal = request.getUserPrincipal();`
>
> inside of doPost(), "principal" is equal to null.
>
> It's as if the Filtering process is somehow clearing the Principal value out of the HttpServletRequest object even though it has been authenticated.
>
> Oddly, this works fine with GET; the url rewriting is done correctly, and calling getUserPrincipal() returns a value that contains the username.
>
> Am I doing something wrong? Is this a known bug or has anyone else seen this problem?

A key rule to remember is that security constraints are applied *only* on the original URL requested by the client -- not on RequestDispatcher calls. I would bet you probably have "/resource/*" protected, but you'll likely want to protect "/user/*" as well.

> Thanks.

Craig
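
The rule in the reply above, as a `web.xml` sketch. This is an added example, not configuration from the original thread; the "before" block is an assumption about the poster's setup, and the role name `app-user` and realm name `Example Realm` are placeholders.

```xml
<!-- Constructed web.xml fragment (Servlet 2.3 element order). -->

<!-- Before (assumed): only the forward target is protected. A client
     request for /user/x/resource/y matches no constraint, and the
     RequestDispatcher.forward() to /resource/y is not checked at all.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>resource</web-resource-name>
    <url-pattern>/resource/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app-user</role-name>
  </auth-constraint>
</security-constraint>
-->

<!-- After: protect every URL a client can actually request. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>resource and its rewritten alias</web-resource-name>
    <!-- Pattern seen by the container before the filter rewrites it -->
    <url-pattern>/user/*</url-pattern>
    <!-- Still needed for clients that request the target directly -->
    <url-pattern>/resource/*</url-pattern>
    <!-- No http-method elements: the constraint covers all methods,
         POST as well as GET -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>app-user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<security-role>
  <role-name>app-user</role-name>
</security-role>
```

Any other client-facing pattern that a filter forwards into the protected area needs its own `url-pattern` entry in the same way.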





