2 Replies Latest reply on May 20, 2014 12:18 PM by luc4

    Principal is null for logged in user on unprotected resources

    luc4

      Hi,

       

      I observed that the Undertow implementation of HttpServletRequest.getUserPrincipal() returns null for a logged-in user when an unprotected resource gets accessed (at least when BASIC authentication is used).

      Is this the expected behaviour?

       

      Quote from the servlet-3.1 specification (13.10 Login and Logout):

      ...

      Being logged into an application during the processing of a request, corresponds precisely to there being a valid non-null caller identity associated with the request as may be determined by calling getRemoteUser or getUserPrincipal on the request. A null return value from either of these methods indicates that the caller is not logged into the application with respect to the processing of the request.

      ...

       

      I am not sure if I interpret this correctly ...

      But "logged into an application" and, because there is no explicit mention of the protection state of a resource, there should be no difference between accessing a protected or an unprotected resource?

       

      Thanks for your opinions!

      Luca

       

      P.S. I am in the process of migrating an application from GlassFish to WildFly. GlassFish has returned the caller identity for a logged-in user also when an unprotected resource gets accessed.
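The following is an added example, not code from the original post or from WildFly/Undertow, showing the defensive pattern this question implies for application code on an unprotected path: treat a null principal as "not logged in for this request" (Servlet 3.1, 13.10) and, when identity is actually required, ask the container to run the configured login mechanism via HttpServletRequest.authenticate() rather than assuming a session-wide login. The servlet name, the /public/profile mapping and the response bodies are assumptions for illustration.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to a path that is NOT covered by any
// <security-constraint>, i.e. an "unprotected resource" in the sense of the post.
@WebServlet("/public/profile")
public class PublicProfileServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal caller = req.getUserPrincipal();
        resp.setContentType("text/plain");

        if (caller == null) {
            // Per Servlet 3.1 section 13.10 a null principal means the caller is not
            // logged in with respect to THIS request. On an unprotected resource the
            // container may report null even though the same client authenticated on
            // a protected one, so render the anonymous view instead of inferring a
            // login from anything else (session attributes, cookies, headers).
            resp.getWriter().println("anonymous view");
            return;
        }
        resp.getWriter().println("profile of " + caller.getName());
    }

    // Variant for an operation that genuinely needs the caller identity on an
    // unprotected path: authenticate(resp) triggers the configured login mechanism
    // (a 401 challenge for BASIC). It returns false after sending the challenge,
    // and true once a valid non-null principal is associated with the request.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() == null && !req.authenticate(resp)) {
            return; // challenge already sent by the container; do not proceed
        }
        // From here on getRemoteUser()/getUserPrincipal() are non-null by contract.
        String user = req.getRemoteUser();
        resp.setContentType("text/plain");
        resp.getWriter().println("updated profile of " + user);
    }
}
```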