    User 'null' in Jetty

      I am trying to port a Struts web app from Resin/JBoss 3.0.2 to JBoss 3.0.2 / Jetty (integrated).

      The app uses Form-based login to access a welcome page and then accesses several EJBs via some Struts Actions. Login is done via JBoss / JAAS login-conf, using two modules with 'sufficient' flag:

      <application-policy name="blah-security">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                        flag="sufficient">
            <module-option name="dsJndiName">java:/OracleDS</module-option>
            <module-option name="principalsQuery">SELECT ...</module-option>
            <module-option name="rolesQuery">SELECT ...</module-option>
          </login-module>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                        flag="sufficient" />
        </authentication>
      </application-policy>


      web.xml looks like this:

      Registered Admins

      <realm-name>Admin area</realm-name>


      Struts conf (example):

      - Login works (form based and basic)
      - JSPs display the user / Principal correctly if I use request.getRemoteUser / request.getUserPrincipal

      Every other access (EJBs, Struts Actions, Servlets) does not work

      Message (for Struts actions) :
      2003-01-08 15:36:12,099 DEBUG [org.apache.struts.action.RequestProcessor] User
      'null' does not have any required role, denying access

      Seems the user disappears.

      Any ideas?

          Greg told me the following:

          -- quote start -------------------------------------------

          The problem is the spec. It does not make it clear what the status of the authentication methods should be when a security constraint is not passed.

          Authentication can be very expensive - especially if your Realm is remote. Thus just because there is an auth constraint on /secret/* does not mean that every request to /images/* should be authenticated - even if the browser is providing the credentials un-asked for.

          Containers differ on how they implement this. Tomcat always authenticates if the credentials are provided and avoids the expense by caching authentication. This is not a safe approach as authentication can be revoked in real time.

          Jetty implements this by only authenticating when an authentication constraint is passed.

          I [Greg] have a proposal in the JSR that getRemoteUser should always return the name - if known. But getAuthType(), isUserInRole and getUserPrincipal should only work if an auth constraint is passed.

          -- quote end -------------------------------------------
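Following Greg's explanation, the consequence for a Struts app is that a role check inside an action only sees a principal if the request URL itself passed an auth constraint. The web.xml fragment below is an added example, not taken from the original post or from the JBoss/Jetty projects: it places the Struts action mapping under a security constraint so that a lazily authenticating container performs the login before the action's role test runs. The `*.do` mapping, the role name `admin` and the login page names are assumptions for illustration; the realm name and `/secret/*` pattern are from the thread above.

```xml
<!-- Added example (not from the original post). Assumes the Struts
     ActionServlet is mapped to *.do and that rolesQuery returns the
     role "admin" for the logged-in user. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions and secret area</web-resource-name>
    <!-- assumed: every Struts action is reached through *.do -->
    <url-pattern>*.do</url-pattern>
    <url-pattern>/secret/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- assumed role name; must match a role produced by rolesQuery -->
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Admin area</realm-name>
  <form-login-config>
    <!-- assumed page names -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <description>Registered Admins</description>
  <role-name>admin</role-name>
</security-role>
```

Requests to paths outside these patterns (for example /images/*) are still served without authentication and, on Jetty, without a principal, which is exactly the behaviour Greg describes; only the URLs that carry the role-checked actions need to be inside the constraint.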