7 Replies Latest reply on Dec 9, 2002 4:53 PM by Simon

    getUserPrincipal() returns null when on non-secured page

    Erwin Teseling Newbie

      I am using JBoss-2.4.4 and Tomcat-4.0.1 and I am having problems with checking the security-identity/roles.

      I am using form-based login (j_security_check) together with my custom login module. When I visit a protected page the login-form is presented to the user who can login succesful. I need to do some additional security checks, which I do in my servlets using getUserPrincipal() method which correctly returns the users identity.

      Now when I visit a page which is not protected (by declaring security-constraints in web.xml) then the getUserPrincipal() method suddenly returns NULL. I have tried all kinds of things, but with no success!!! IMHO I should still receive the correct identity, because the user hasn't changed!!! When I switch back to any protected page all works OK again like described above.

      I am not really sure what the problem is, but I really would appreciate to have some help on this!!! Is this an integration issue between JBoss/Tomcat or is this behaviour of Tomcat. I have asked the same question on the Tomcat list but nobody anwers.

      Regards,
      Erwin

        • 1. Re: getUserPrincipal() returns null when on non-secured page
          J. Wolfgang Kaltz Novice

          I think the behaviour is correct; if something is not in a security context, then it doesn't have an authenticated user, so there is no principal.
          If you have some user specific code in your page, then why aren't you defining it as protected ??

          • 3. Re: getUserPrincipal() returns null when on non-secured page
            Erwin Teseling Newbie

            My problem is mainly because I have to deal with additional security checks to be flexible.

            We use Struts and want to declare security access at Action level. If you declare your access with url-patterns (like actions/restricted/* and actions/unrestricted/*) this means that the jsp programmers must know what security level every-action should have. According to the J2EE spec controlling things like security settings should be a responsability of the deployer!?

            We use an extention of Struts that performs additional access control in the central controller servlet (MVC) based on a declarative configuration (in struts-config). Now I do NOT like the idea that I also have to define the protected actions in the web.xml, because double definitions (of any kind) leads to maintenance nightmares.

            This is why I would like to be able to check the users identity in any page (either protected or unprotected).

            Any ideas on who to work around this?!? I know at least some other appl. servers doing it this way (like Orion), but I need to achieve the same on jboss/tomcat!!!

            • 4. Re: getUserPrincipal() returns null when on non-secured page
              David Ward Newbie

              My personal opinion is that JBoss-Tomcat4 should work exactly like JBoss-Tomcat3 did (which would eradicate your problem)....

              However in the meantime the only thing I can suggest is that in your extension of the central controller servlet, shove the prinicipal name in the httpsession so you will have access to it in both protected and unprotected pages.

              The only thing this does not cover is how to check the roles of a user on non-protected pages (even if they're logged in).

              Of course, you could always go back to JBoss-Tomcat3, but that won't be a viable option for long (especially if you want to use the latest Servlet spec's API).

              • 5. Re: getUserPrincipal() returns null when on non-secured page
                Roland Chan Newbie

                Are there any plans to have this included in 3.1? I'd rather not add the kludgie session logic if possible.

                • 6. Re: getUserPrincipal() returns null when on non-secured page
                  jjr Newbie

                  second that.

                  Some think that this behaviour can be considered as a bug.
                  Here is a quote from Craig R. McClanahan on struts-user mailing list.

                  --- start quote ----
                  Whenever you have a page that is available to authenticated and
                  non-authenticated users, make it *not* protected by a security constraint.
                  Then, inside the page (or an Action, in Struts) you can tell whether the
                  user has logged on or not:

                  String username = request.getRemoteUser();
                  if (username == null) {
                  ... set up the unauthenticated user stuff ...
                  } else {
                  ... set up the personalized stuff for this user ...
                  }
                  --- end quote ---

                  and later in the same thread

                  --- start quote ---
                  If they don't return the right values on an unauthenticated page (after
                  the user has logged in, *please* report bugs to the vendor. That is a
                  bug.
                  --- end quote ---

                  • 7. Re: getUserPrincipal() returns null when on non-secured page
                    Simon Newbie

                    This definitely worked on Orion/OC4J & I seem to remember it worked in Jrun too. Gotta be a bug/oversight!

                    This problem is mentioned on a few threads; did anyone get a bug tracking number for this?

                    Several of my latest developments have had to have dirty hacks to get around this :(