tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Strauß <>
Subject FormAuthentication Valve changes fail with RequestListeners?
Date Thu, 29 Mar 2012 16:29:15 GMT


we have a web application using the FormAuthentication with Tomcat 7.0.11. 


The application provides it’s own realm, that is valid for the whole server
(configured in server.xml). The realm is based on datasource realm.


The application provides request listeners that rely on the
request.getPrincipal() method to obtain the logged on user. 


The request listener authenticates a service framework with the principal
from the request.


Tomcat 7.0.11 as stated above works with this design.


In Tomcat 7.0.26 this approach fails, because the requestlistener can no
longer obtain the principal using request.getPrincipal(). The call returns
null. A webpage (jsp) called after the listener as target of the request can
obtain the principal from the request as expected.


No configuration changes have been applied between 7.0.11 and 7.0.26.


Additionally we have experimented with various valve options, but did not


We cannot explain this behavior and think it is a bug in Tomcat. 


Any help appreciated, as currently we cannot upgrade Tomcat due to this


Kind regards,

Thomas Strauß

SRS PaperDynamix® 


SRS-Management GmbH 
Berliner Ring 93

64625 Bensheim 
T +49 6251 85 424 - 20 
F +49 6251 85 424 - 14
M +49 174 2110912





HRB 25262 AG Darmstadt
Geschäftsführer: Detlev Homilius, Thomas Strauß



View raw message