tomcat-users mailing list archives

From: André Warnier
Subject: of the different methods to get a user-id
Date: Thu, 12 Feb 2009 13:12:45 GMT

I am currently testing/comparing two user authentication methods for 
webapps, in a Windows NTLM context.
Despite my abysmal lack of knowledge in matters Java and Tomcat, I 
notice a difference between the two, and I would like to ask here if it 
matters, and if yes how.
Both authentication methods work as servlet filters. One is/was the 
jCIFS HTTP NTLM filter, the other a commercial product which would 
replace it for NTLMv2. I have asked the same question to the developer 
of both but I'm asking again here, to get a confirmation or additional 

In both cases below, the web user is authenticated from an HTTP NTLM 
point of view, otherwise the call would not even reach the underlying 

In the case of the jCIFS filter, a servlet that is running "under cover 
of" the filter, can obtain the authenticated user-id by a 
request.getUserPrincipal().getName() call.

In the case of the other filter however, the previous call seems to 
return null, and the way to obtain the authenticated user-id is via 

From a practical immediate and personal point of view, it matters 
little to me, as I can adapt my servlet code to either of the above.

But my basic question is: what is the difference, and could that impact 
other servlet code which I did not write?

For example also, in the case where the user authentication would be 
made at the level of a front-end Apache, connected to this Tomcat via 
mod_jk, and the appropriate parameter has been set so that Tomcat 
accepts the Apache authentication, would either one of the methods above 
return a result different from the other one?

For convenience, I copied below the Java API doc of both methods.
I see that there is a difference, but my knowledge is too scarce to 
understand the possible implications.

public java.security.Principal getUserPrincipal()

Returns a java.security.Principal object containing the name of the
current authenticated user. If the user has not been authenticated, the
method returns null.

Returns:
a java.security.Principal containing the name of the user making this
request; null if the user has not been authenticated


public java.lang.String getRemoteUser()

Returns the login of the user making this request, if the user has been
authenticated, or null if the user has not been authenticated. Whether
the user name is sent with each subsequent request depends on the
browser and type of authentication. Same as the value of the CGI
variable REMOTE_USER.

Returns:
a String specifying the login of the user making this request, or null
if the user login is not known


Code of a small test servlet which runs under the "coverture" of Jespa's 
or jCIFS's HTTP filter :

package starweb;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class DumpUser extends HttpServlet {
   public void doGet(HttpServletRequest request, HttpServletResponse response)
               throws IOException, ServletException {

// what I was doing with jCIFS HTTP filter
//	Principal user = request.getUserPrincipal();
// 	String userName = (user == null ? "*null*" : user.getName());

// what I'm doing with the Jespa filter
   String userName = request.getRemoteUser();
   if (userName == null) {
     userName = "*null*";
   }

   // dump whatever user-id the filter in front of us made visible
   response.setContentType("text/plain");
   PrintWriter writer = response.getWriter();
   writer.println(userName);
   }
}