2 Replies Latest reply on May 20, 2014 12:18 PM by Luca Graf

    Principal is null for logged in user on unprotected resources

    Luca Graf Newbie



      I observed that the Undertow implementation of HttpServletRequest.getUserPrincipal() returns null for a logged-in user when an unprotected resource gets accessed (at least when BASIC authentication is used).

      Is this the expected behaviour?


      Quote from the servlet-3.1 specification (13.10 Login and Logout):


      Being logged into an application during the processing of a request, corresponds precisely to there being a valid non-null caller identity associated with the request as may be determined by calling getRemoteUser or getUserPrincipal on the request. A null return value from either of these methods indicates that the caller is not logged into the application with respect to the processing of the request.



      I am not sure if I interpret this correctly ...

      But given the wording "logged into an application", and because there is no explicit mention of the protection state of a resource, there should be no difference between accessing a protected or an unprotected resource?


      Thanks for your opinions!



      P.S. I am in the process of migrating an application from GlassFish to WildFly. GlassFish has returned the caller identity for a logged-in user also when an unprotected resource gets accessed.
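As an added illustration (not code from this thread, from Undertow or from WildFly), the following hypothetical servlet shows a portable way to handle the situation described above using only the Servlet 3.x API: a null principal on an unprotected resource is treated as anonymous, and where the caller identity is genuinely required the container's configured login mechanism is invoked via HttpServletRequest.authenticate() rather than inferring identity from request headers. The servlet name, URL and the "required" query parameter are assumptions for the example.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to a URL that no <security-constraint> covers,
// so the container does not force authentication before calling it.
@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    // Returns the caller identity for this request, or null for an anonymous
    // caller. Per Servlet 3.1 section 13.10 a null principal means "not logged
    // in with respect to this request", whatever the resource's protection state.
    static Principal resolveCaller(HttpServletRequest req, HttpServletResponse resp,
                                   boolean identityRequired) throws IOException, ServletException {
        Principal p = req.getUserPrincipal();
        if (p != null || !identityRequired) {
            return p;
        }
        // Identity is mandatory here: ask the container to run the login
        // mechanism from <login-config> (e.g. BASIC). authenticate() returns true
        // once getUserPrincipal()/getRemoteUser() are established; on false it has
        // already committed the challenge (e.g. 401 + WWW-Authenticate) to resp.
        if (!req.authenticate(resp)) {
            return null;
        }
        return req.getUserPrincipal();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // "required=true" is an assumed example switch, not a real Undertow option.
        boolean required = "true".equals(req.getParameter("required"));
        Principal p = resolveCaller(req, resp, required);
        if (p == null && required) {
            return; // challenge already sent by the container
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("authType=" + req.getAuthType()
                + " principal=" + (p == null ? "<anonymous>" : p.getName())
                + " remoteUser=" + req.getRemoteUser());
    }
}
```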