tomcat-users mailing list archives
From Patrick Thomas <>
Subject Re: Problem with security?
Date Fri, 10 Jun 2005 16:10:06 GMT
Hi Joe,

To summarize the point that all of these other folks were making;
Tomcat by itself has no way of interrogating the operating system of
the connecting machine or noticing through the information that it
gets from the browser that the user is a particular person. Tomcat
can only tell you for sure about the physical connection (IP, and
possibly hostname... either of which may be useful to me, but I'll get
there in a minute).

I don't have the tomcat source in front of me right now, but I'm
pretty sure that the getRemoteUser() method is a typical java 'getter'
method; the part of tomcat that manages sessions looks at the incoming
cookie and notices that this request is part of an existing, validated
session and does essentially 'setRemoteUser()'... nothing automagical
about it.

So, back to what you *can* do. So, you know their IP/host; you could
use this to query a windows domain controller, which would be able to
report which real user is logged onto which machine -- I believe
that's what Pete's suggestion was as well; seems like there's some
potential there. You can just trust the IP address or hostname (if
physical access to the computer is strong enough authentication for
you... it really shouldn't be though, because names/IPs can be

So, bottom line, you're gonna have to put some work in. If you *do*
find a solution that works, make sure to report it back to the list so
that everyone can benefit.


On 6/10/05, Gagnon, Joseph M  (US SSA) <> wrote:
> Did I not say that I'm new to this?
> I made no mention to whether or not I was trying to make it secure.
> This is only meant to be used within my company's intranet and my
> intention was to take the user account and then compare it with a set of
> registered users in the application's DB.
> I am beginning to see that at the very least I need to create some kind
> of mechanism (although I don't understand yet how to go about that, or
> how many different ways it can be done) to perform user authentication.
> If anyone can provide information on how to do this (keep in mind I'm
> new at this), please let me know.
> -----Original Message-----
> From: Robert Harper []
> Sent: Friday, June 10, 2005 10:59 AM
> To: 'Tomcat Users List'
> Subject: RE: Problem with security?
> I think you have missed the point that you cannot get user information
> unless the user authenticates. You don't want to have a user authenticate
> but you want to get user information. These are mutually exclusive tasks.
> If the user does not authenticate, you can only get the external IP address
> of the requestor. In order to get user information, you must have the user
> authenticate. You might have your users sent to a page that gathers the user
> ID and then store it in a cookie. You cannot count on the browser sending
> user information because the logged in user may and often is not the actual
> user.
> I don't know how you can call it secure if you don't require a key to open
> the door. You may be encrypted in your transfer over SSL but if you don't
> have the user log in, you are not secure.
> Robert S. Harper
> Information Access Technology, Inc.
> -----Original Message-----
> From: Gagnon, Joseph M (US SSA) []
> Sent: Friday, June 10, 2005 8:43 AM
> To: Tomcat Users List
> Subject: RE: Problem with security?
> I believe I've covered that all in my original message.  Read further.
> -----Original Message-----
> From: egan0019 []
> Sent: Friday, June 10, 2005 10:10 AM
> To: Tomcat Users List
> Subject: Re: Problem with security?
> Look into the ServletRequest interface.  That interface is extended
> in HttpServletRequest.  You can call the getRemoteAddr(), getRemoteHost(),
> etc. methods.  You receive null in your getRemoteUser because the user
> hasn't been 'authenticated' yet.
> On 10 Jun 2005, Gagnon, Joseph M  (US SSA) wrote:
> > Hello,
> >
> > I'm new to JSP development (and to dynamic web development as a whole)
> > so please bear with me.  I'm investigating using JSP/Java for a project
> > at my workplace.  My system (test server, if you will) is a PC running
> > Windows XP Pro and I am using Tomcat 5.5.9.
> >
> > I have a situation where I want to be able to provide user access to an
> > application by determining the identity of the requesting user, without
> > them having to go through a login procedure.  Specifically, what I've
> > been trying to do is call the request.getRemoteUser() method to ID the
> > requesting user.  When I do so, I keep getting null.  After reading in
> > the JSP and Java servlet specifications, I see that this call would
> > return null if the user is not authenticated.  Reading further, I get
> > the impression that by default, no authentication is needed to access
> [Robert Harper] [snip]

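As an added illustration of what the replies above describe (the container only populates getRemoteUser() after it has authenticated the user), here is a web.xml fragment for Tomcat 5.5 / Servlet 2.4 that declares container-managed authentication; it is not code from this thread, and the URL pattern, role name and realm name are assumptions.

```xml
<!-- Added example (not from the thread): declare a protected area so that
     Tomcat challenges the browser and request.getRemoteUser() is non-null -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Everything under /app/ (assumed path) requires an authenticated user
       holding the assumed role "registered"; without this constraint the
       default is no authentication at all, which is why getRemoteUser()
       returned null -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Intranet application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>registered</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes Tomcat redirect plain HTTP to the SSL connector,
         so BASIC credentials are not sent in the clear -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- BASIC auth: the browser prompts for a name and password and Tomcat
       verifies them against the Realm configured for the context -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Intranet application</realm-name>
  </login-config>

  <security-role>
    <role-name>registered</role-name>
  </security-role>
</web-app>
```

The credentials themselves are checked by whichever Realm is configured for the context (for example Tomcat's JDBCRealm pointed at the application's existing table of registered users), which is the "mechanism" the original poster was asking about; the user name Tomcat verified is then what getRemoteUser() returns inside /app/.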
