From: "Craig R. McClanahan"
To: Tomcat Users List
Date: Thu, 9 Jan 2003 17:43:34 -0800 (PST)
Subject: Re: Authentication and Filters
In-Reply-To: <000c01c2b83e$cc3c1d10$bcac6041@winter>
Message-ID: <20030109174118.B1680-100000@icarus.apache.org>
List-Id: "Tomcat Users List"

On Thu, 9 Jan 2003, Jeffrey Winter wrote:

> Date: Thu, 9 Jan 2003 19:25:37 -0500
> From: Jeffrey Winter
> Reply-To: Tomcat Users List
> To: Tomcat Users List
> Subject: Authentication and Filters
>
> I am using a Filter to do some URL rewriting. In the
> filter, I accept a URL like:
>
> /user/x/resource/y [1]
>
> and convert it to
>
> /resource/y?user=x [2]
>
> In the Filter, I create a RequestDispatcher using the
> new URL, and then call forward().
>
> The servlet set up to handle "/resource" is set up for
> Basic authentication in web.xml. It works fine when
> calling the resource directly, that is, using URL [2].
> The servlet is called and the authentication works.
>
> However, when requesting through the filter using
> URL [1] via POST (which is converted to [2]) the
> authentication appears to be unavailable to the
> servlet. That is, Tomcat is obviously authenticating
> correctly because it is getting to the servlet's
> doPost() method, but when I call
>
> Principal principal = request.getUserPrincipal();
>
> inside of doPost(), "principal" is equal to null.
>
> It's as if the filtering process is somehow clearing
> the Principal value out of the HttpServletRequest object
> even though it has been authenticated.
>
> Oddly, this works fine with GET; the URL rewriting is
> done correctly, and calling getUserPrincipal()
> returns a value that contains the username.
>
> Am I doing something wrong? Is this a known bug or has
> anyone else seen this problem?
>

A key rule to remember is that security constraints are applied *only* on the original URL requested by the client -- not on RequestDispatcher calls. I would bet you probably have "/resource/*" protected, but you'll likely want to protect "/user/*" as well.

> Thanks.

Craig
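Added example, not from the thread or from Tomcat itself: web.xml excerpts illustrating the rule in Craig's reply. The container evaluates security constraints against the URL the client sent, so a constraint on the forward target alone never fires for a request that entered through the filter. The first constraint below is the configuration the question implies; the second adds the client-facing pattern. The web-resource-name, role name and realm name are assumptions.

```xml
<!-- Added example (not from the thread): web.xml excerpts showing the
     effect of "constraints apply only to the original request URL".
     web-resource-name, role-name and realm-name are assumed values. -->

<!-- Before: only the forward target is protected. A request for
     /user/x/resource/y reaches the filter unauthenticated; the forward to
     /resource/y?user=x is not re-checked by the container, so the servlet
     runs with no Principal on the request. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Resources</web-resource-name>
    <url-pattern>/resource/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- After: protect the URL the client actually requests as well, so
     authentication happens before the filter ever runs. No http-method
     element is listed, which means the constraint covers every method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Resources</web-resource-name>
    <url-pattern>/resource/*</url-pattern>
    <url-pattern>/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Two checks worth making when adding the second pattern: do not add an `<http-method>` element unless you intend to constrain only those methods, because once any method is listed the unlisted ones are left unconstrained; and remember that the same rule means a filter cannot be used as the authentication boundary for paths it forwards to, since the container has already decided whether to challenge the client before the filter chain starts.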