tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: HttpServletRequest.getUserPrincipal
Date Mon, 17 Nov 2008 19:27:51 GMT
Caldarale, Charles R wrote:
>> From: André Warnier []
>> Subject: HttpServletRequest.getUserPrincipal
>> To get the authenticated user-id from within a filter or a
>> servlet, one calls HttpServletRequest.getUserPrincipal.getName()
> or HttpServletRequest.getRemoteUser()
Are these *really* equivalent ?

The 1.5 specs for HttpServletRequest.getRemoteUser say :

Returns the login of the user making this request, if the user has been 
authenticated, or null if the user has not been authenticated. Whether 
the user name is sent with each subsequent request depends on the 
browser and type of authentication. Same as the value of the CGI 
variable REMOTE_USER.

It is the association with the CGI variable and with the browser sending 
or not a header that makes me have a doubt.  This CGI variable is 
usually set as per the HTTP Header "Authorization", which is only 
present in case of Basic or Digest authentication.
In the case of a Windows-based authentication, or a form-based 
authentication, this HTTP header would not be sent by the browser.

Another way to phrase my question would be : is getRemoteUser() merely a 
shortcut, under which happens a getUserPrincipal.getName(), or do those 
two use a different underlying source to provide a user name ?

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message