tomcat-users mailing list archives
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: request.getUserPrincipal();
Date Fri, 09 Apr 2004 05:18:36 GMT
You are confusing two concepts.  Setting clientAuth="true" on the Connector
causes Tomcat to require that the user identify themselves with a cert
before they can continue.  Your servlet can then look at the cert (via
request.getAttribute("javax.servlet.request.X509Certificate")) and decide
what it wants to do with the information.

The request.getRemoteUser et al. methods only return non-null if you are
accessing a page that is protected by a <security-constraint> in your
web.xml file.  In addition, to use the cert to login with, you need to
specify CLIENT-CERT as the value of your auth-method in your login-config.
This will request a cert from the user to access a protected page, even if
clientAuth="false" on the Connector.

"Winter, G (Graeme)" <G.Winter@dl.ac.uk> wrote in message
news:81AA39EACEE8D511BB77000347C135DD0194D207@exchange08.dl.ac.uk...
> Hi,
>
> I should probably clarify this. I have hacked the Tomcat 5
> "RequestHeaderExample" servlet so that it prints out these values:
>
> request.getAuthType();
> request.getRemoteUser();
> request.getUserPrincipal();
>
> *but* they all print NULL. Even on the first "call" - no sessions involved
> (at least, I didn't *think* there are any sessions involved!) I have
> definitely logged in, because Mozilla asked me if I would accept the
> server's certificate, and also asked me for the password to my private
> certificate store, and I set clientAuth="true" - so should be OK all
> round.
>
> Am I looking in the wrong place? I'm looking at the request object for
> info here...
>
> (probability > 0.9 this is the case)
>
> Cheers,
>
> Graeme
>
> -----Original Message-----
> From: Yansheng Lin [mailto:yansheng.lin@silvacom.com]
> Sent: 07 April 2004 21:26
> To: 'Tomcat Users List'
> Subject: RE: request.getUserPrincipal();
>
>
> Hi, how often do you invalidate your sessions?  It's hard to imagine your
> application would expire a user's session right after he logs in.  But
> take a look at the request header to see if the subsequent session ids are
> the same as the first one.  Other than that, without more specific info on
> how you implemented the authentication, it's hard to figure out what's
> going on :).
>
> -Yan
>
>
> -----Original Message-----
> From: Winter, G (Graeme) [mailto:G.Winter@dl.ac.uk]
> Sent: Wednesday, April 07, 2004 7:46 AM
> To: 'Tomcat Users List'
> Subject: request.getUserPrincipal();
>
>
> Hi All,
>
> I am trying to perform client authentication using certificates, and I
> have made some progress - the certificates are now accepted as OK, which
> is nice. Obviously I am using https too...
>
> However, the sting is that the methods
>
> request.getAuthType();
> request.getRemoteUser();
> request.getUserPrincipal();
>
> All return NULL, which is contrary to the documentation, since I know the
> user (i.e. me) has authenticated. clientAuth="true" in server.xml.
>
> Anyone else out there had this problem, and more to the point found a
> solution?
>
> Cheers,
>
> Graeme
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

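The distinction Bill draws above (TLS-level client authentication on the Connector versus container-level authentication through a `<security-constraint>` with `CLIENT-CERT`) is easy to see in one servlet. The following is an added example, not code from the thread or from Tomcat itself; the servlet class name, the `/secure/*` URL pattern and the `user` role in the assumed web.xml fragment are hypothetical. The request attribute name and the `getAuthType()` return value are the ones defined by the Servlet specification.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original thread): shows the two separate
 * sources of client-certificate information described in the reply.
 *
 *  1. The TLS layer: with clientAuth="true" on the Connector, the verified
 *     chain is exposed as request attribute
 *     "javax.servlet.request.X509Certificate" on every request over that
 *     connector, whether or not the URL is protected.
 *  2. Container authentication: getAuthType()/getRemoteUser()/
 *     getUserPrincipal() are populated only when the URL matches a
 *     <security-constraint>, <login-config> uses CLIENT-CERT, and the Realm
 *     maps the certificate's subject DN to a user.
 *
 * Assumed deployment (hypothetical names) in web.xml:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>cert-protected</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
 *   <security-role><role-name>user</role-name></security-role>
 */
public class CertInfoServlet extends HttpServlet {

    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // 1. TLS-level view: what the Connector negotiated with the browser.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // null on a plain HTTP connector, or when clientAuth is "false"/"want"
            // and the browser sent no certificate.
            out.println("No client certificate presented on this connection.");
        } else {
            X509Certificate leaf = chain[0];   // chain[0] is the client's own cert
            out.println("Client cert subject : " + leaf.getSubjectX500Principal().getName());
            out.println("Issuer              : " + leaf.getIssuerX500Principal().getName());
            out.println("Serial (hex)        : " + leaf.getSerialNumber().toString(16));
            out.println("Chain length        : " + chain.length);
        }

        // 2. Container-level view: did a <security-constraint> run a login?
        Principal p = req.getUserPrincipal();
        out.println("getAuthType()       : " + req.getAuthType());  // "CLIENT_CERT" or null
        out.println("getRemoteUser()     : " + req.getRemoteUser());
        out.println("getUserPrincipal()  : " + (p == null ? null : p.getName()));
        out.println(explain(chain != null && chain.length > 0, p != null));
    }

    /** Plain-language diagnosis of the combination this request exhibits. */
    static String explain(boolean haveCert, boolean havePrincipal) {
        if (haveCert && !havePrincipal) {
            return "TLS client auth succeeded, but this URL is not under a "
                 + "<security-constraint> with CLIENT-CERT, so the container "
                 + "never ran a login: getUserPrincipal() is null by design.";
        }
        if (!haveCert && havePrincipal) {
            return "Authenticated by another auth-method (BASIC/FORM/...), "
                 + "not by a client certificate.";
        }
        if (haveCert) {
            return "Certificate presented and mapped to a user by the Realm.";
        }
        return "Unauthenticated request.";
    }
}
```

Request the servlet once outside `/secure/*` and once inside it: the certificate attribute is present in both cases, but the principal appears only under the constraint. Two practical caveats: the default CLIENT-CERT login uses the certificate's subject DN as the username, so that exact DN must exist in the Realm or the user gets a 401 rather than a principal; and the chain in the attribute is only as trustworthy as the truststore the Connector validated it against, so the servlet should treat it as already-verified identity, not re-check it from headers a client could forge.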