Re: Strange Security Problem
I think Carlos was the only individual that helped you out on this item...

-M

----- Original Message -----
From: "Rustad, Aaron" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Saturday, October 18, 2003 12:55 PM
Subject: RE: Strange Security Problem

> OK, I figured it out. In my web.xml, I had defined a security constraint to
> only apply to GET requests. Apparently (with Tomcat anyway),
> request.getUserPrincipal() will always return null if the resource is not
> part of a security constraint. So, since GET was part of the constraint,
> getPrincipal would return a valid object, POST returned NULL.
>
> Thanks for your help (if you intended to help)!~
> AR.
>
> -----Original Message-----
> From: Rustad, Aaron
> Sent: October 18, 2003 9:40 AM
> To: '[EMAIL PROTECTED]'
> Subject: Strange Security Problem
>
> I am encountering a strange security problem when trying to submit a form to
> an action. This JSP is as follows:
>
> <%= request.getUserPrincipal().getName() %>
>
> upload
>
> The strange thing is this:
>
> When this page is loaded, and I am legitimately logged in, the name of the
> UserPrincipal is displayed as it should be. However, if I submit the form,
> the appropriate action class is called, but when I invoke
> request.getUserPrincipal()...it returns null. Notice the last line of the
> HTML, it has a link that points to the same action class...when it is
> clicked, the principal is propagated to action and it is NOT null.
>
> Can anyone help me out with this? I would like the post to work correctly.
>
> Thanks!
> Aaron.

-----
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Strange Security Problem
OK, I figured it out. In my web.xml, I had defined a security constraint to only apply to GET requests. Apparently (with Tomcat anyway), request.getUserPrincipal() will always return null if the resource is not part of a security constraint. So, since GET was part of the constraint, getPrincipal would return a valid object, POST returned NULL.

Thanks for your help (if you intended to help)!~
AR.

-----Original Message-----
From: Rustad, Aaron
Sent: October 18, 2003 9:40 AM
To: '[EMAIL PROTECTED]'
Subject: Strange Security Problem

I am encountering a strange security problem when trying to submit a form to an action. This JSP is as follows:

<%= request.getUserPrincipal().getName() %>

upload

The strange thing is this:

When this page is loaded, and I am legitimately logged in, the name of the UserPrincipal is displayed as it should be. However, if I submit the form, the appropriate action class is called, but when I invoke request.getUserPrincipal()...it returns null. Notice the last line of the HTML, it has a link that points to the same action class...when it is clicked, the principal is propagated to action and it is NOT null.

Can anyone help me out with this? I would like the post to work correctly.

Thanks!
Aaron.
RE: Strange Security Problem
OK, I'm sorry, I was thinking of your own authentication schema. I didn't notice.

> -----Original Message-----
> From: Rustad, Aaron [mailto:[EMAIL PROTECTED]
> Sent: Saturday, October 18, 2003 18:20
> To: 'Struts Users Mailing List'
> Subject: RE: Strange Security Problem
>
> You are mistaken Carlos... getUserPrincipal() is part of the
> Servlet Specifications...it should be the Application Server
> that is fulfilling this request.
>
> AR.
>
> -----Original Message-----
> From: Carlos Sánchez [mailto:[EMAIL PROTECTED]
> Sent: October 18, 2003 10:20 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Strange Security Problem
>
> If you want the user name stored in the request (bad idea) it
> must be sent in the form using a hidden field.
>
> You should store it in the session. Only submitted form
> fields will be in the request.
>
> > -----Original Message-----
> > From: Rustad, Aaron [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, October 18, 2003 17:40
> > To: '[EMAIL PROTECTED]'
> > Subject: Strange Security Problem
> >
> > I am encountering a strange security problem when trying to
> > submit a form to an action. This JSP is as follows:
> >
> > <%= request.getUserPrincipal().getName() %>
> >
> > upload
> >
> > The strange thing is this:
> >
> > When this page is loaded, and I am legitimately logged in, the
> > name of the UserPrincipal is displayed as it should be.
> > However, if I submit the form, the appropriate action class
> > is called, but when I invoke request.getUserPrincipal()...it
> > returns null. Notice the last line of the HTML, it has a link
> > that points to the same action class...when it is clicked,
> > the principal is propagated to action and it is NOT null.
> >
> > Can anyone help me out with this? I would like the post to
> > work correctly.
> >
> > Thanks!
> > Aaron.
RE: Strange Security Problem
The real question is why would the principal be made available to the Action class when a GET request is issued, but not when POST is used.

AR.

-----Original Message-----
From: Rustad, Aaron
Sent: October 18, 2003 9:40 AM
To: '[EMAIL PROTECTED]'
Subject: Strange Security Problem

I am encountering a strange security problem when trying to submit a form to an action. This JSP is as follows:

<%= request.getUserPrincipal().getName() %>

upload

The strange thing is this:

When this page is loaded, and I am legitimately logged in, the name of the UserPrincipal is displayed as it should be. However, if I submit the form, the appropriate action class is called, but when I invoke request.getUserPrincipal()...it returns null. Notice the last line of the HTML, it has a link that points to the same action class...when it is clicked, the principal is propagated to action and it is NOT null.

Can anyone help me out with this? I would like the post to work correctly.

Thanks!
Aaron.
RE: Strange Security Problem
You are mistaken Carlos... getUserPrincipal() is part of the Servlet Specifications...it should be the Application Server that is fulfilling this request.

AR.

-----Original Message-----
From: Carlos Sánchez [mailto:[EMAIL PROTECTED]
Sent: October 18, 2003 10:20 AM
To: 'Struts Users Mailing List'
Subject: RE: Strange Security Problem

If you want the user name stored in the request (bad idea) it must be sent in the form using a hidden field.

You should store it in the session. Only submitted form fields will be in the request.

> -----Original Message-----
> From: Rustad, Aaron [mailto:[EMAIL PROTECTED]
> Sent: Saturday, October 18, 2003 17:40
> To: '[EMAIL PROTECTED]'
> Subject: Strange Security Problem
>
> I am encountering a strange security problem when trying to
> submit a form to an action. This JSP is as follows:
>
> <%= request.getUserPrincipal().getName() %>
>
> upload
>
> The strange thing is this:
>
> When this page is loaded, and I am legitimately logged in, the
> name of the UserPrincipal is displayed as it should be.
> However, if I submit the form, the appropriate action class
> is called, but when I invoke request.getUserPrincipal()...it
> returns null. Notice the last line of the HTML, it has a link
> that points to the same action class...when it is clicked,
> the principal is propagated to action and it is NOT null.
>
> Can anyone help me out with this? I would like the post to
> work correctly.
>
> Thanks!
> Aaron.
RE: Strange Security Problem
If you want the user name stored in the request (bad idea) it must be sent in the form using a hidden field.

You should store it in the session. Only submitted form fields will be in the request.

> -----Original Message-----
> From: Rustad, Aaron [mailto:[EMAIL PROTECTED]
> Sent: Saturday, October 18, 2003 17:40
> To: '[EMAIL PROTECTED]'
> Subject: Strange Security Problem
>
> I am encountering a strange security problem when trying to
> submit a form to an action. This JSP is as follows:
>
> <%= request.getUserPrincipal().getName() %>
>
> upload
>
> The strange thing is this:
>
> When this page is loaded, and I am legitimately logged in, the
> name of the UserPrincipal is displayed as it should be.
> However, if I submit the form, the appropriate action class
> is called, but when I invoke request.getUserPrincipal()...it
> returns null. Notice the last line of the HTML, it has a link
> that points to the same action class...when it is clicked,
> the principal is propagated to action and it is NOT null.
>
> Can anyone help me out with this? I would like the post to
> work correctly.
>
> Thanks!
> Aaron.