Re: HttpServletRequest.login & remoteUser null

2016-09-16 Thread Christopher Schultz

Nicolas,

On 9/14/16 3:59 AM, nclemeur wrote:
>>> Hello,
>>> 
>>> I am using HttpServletRequest.login to authenticate users on an
>>> ajax call. This is working fine and the relevant realm is
>>> queried. However, on subsequent requests, I have quite often
>>> the remote user being null despite having the correct JSESSION
>>> cookie set from the login call.
>>> 
>>> This is not happening always, but it is quite frequent.
>>> Interestingly, if I set an attribute in the session, that
>>> session and attributes are preserved in the subsequent
>>> requests.
>>> 
>>> Is there anything else that I should do to preserve
>>> authentication information? It is very strange that this
>>> process is working intermittently. As a workaround I am
>>> wrapping the request and overriding
>>> getRemoteUser/getUserPrincipal/isUserInRole to get this
>>> information from the information I am storing in the session,
>>> but I would prefer to have this working without this workaround
>>> (for example the AccessLogValve does not report the user
>>> correctly when using that workaround).
> 
>> Tomcat version?
> 
>> What authentication, if any, do you have configured in web.xml?
> 
>> Do you have any security constraints defined anywhere
>> (annotations or in web.xml)?
> 
> I was having this problem in Tomcat 8.0.35. I did try to reproduce
> it on a simpler setup on 8.0.37 and 8.5.5, but could not succeed...
> 
> 
> I'll try to integrate my tests in my main app to see if I can
> reproduce it then.

Any chance this is a problem with cookies using the HttpOnly flag?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: HttpServletRequest.login & remoteUser null

2016-09-14 Thread nclemeur
>> Hello,
>> 
>> I am using HttpServletRequest.login to authenticate users on an ajax
>> call. This is working fine and the relevant realm is queried. However,
>> on subsequent requests, I have quite often the remote user being null
>> despite having the correct JSESSION cookie set from the login call.
>> 
>> This is not happening always, but it is quite frequent. Interestingly,
>> if I set an attribute in the session, that session and attributes are
>> preserved in the subsequent requests.
>> 
>> Is there anything else that I should do to preserve authentication
>> information? It is very strange that this process is working
>> intermittently. As a workaround I am wrapping the request and
>> overriding getRemoteUser/getUserPrincipal/isUserInRole to get this
>> information from the information I am storing in the session, but I
>> would prefer to have this working without this workaround (for example
>> the AccessLogValve does not report the user correctly when using that
>> workaround).

> Tomcat version?

> What authentication, if any, do you have configured in web.xml?

> Do you have any security constraints defined anywhere (annotations or 
> in web.xml)?

I was having this problem in Tomcat 8.0.35. I did try to reproduce it on a
simpler setup on 8.0.37 and 8.5.5, but could not succeed...

I'll try to integrate my tests in my main app to see if I can reproduce it
then.

Cheers

Nicolas






Re: HttpServletRequest.login & remoteUser null

2016-09-12 Thread Mark Thomas
On 12/09/2016 00:45, Nicolas Clemeur wrote:
> Hello,
> 
> I am using HttpServletRequest.login to authenticate users on an ajax call.
> This is working fine and the relevant realm is queried. However, on
> subsequent requests, I have quite often the remote user being null despite
> having the correct JSESSION cookie set from the login call.
> 
> This is not happening always, but it is quite frequent. Interestingly, if I
> set an attribute in the session, that session and attributes are preserved
> in the subsequent requests.
> 
> Is there anything else that I should do to preserve authentication
> information? It is very strange that this process is working
> intermittently. As a workaround I am wrapping the request and overriding
> getRemoteUser/getUserPrincipal/isUserInRole to get this information from
> the information I am storing in the session, but I would prefer to have
> this working without this workaround (for example the AccessLogValve does
> not report the user correctly when using that workaround).

Tomcat version?

What authentication, if any, do you have configured in web.xml?

Do you have any security constraints defined anywhere (annotations or in
web.xml)?

Mark





HttpServletRequest.login & remoteUser null

2016-09-11 Thread Nicolas Clemeur
Hello,

I am using HttpServletRequest.login to authenticate users on an ajax call.
This is working fine and the relevant realm is queried. However, on
subsequent requests, I have quite often the remote user being null despite
having the correct JSESSION cookie set from the login call.

This is not happening always, but it is quite frequent. Interestingly, if I
set an attribute in the session, that session and attributes are preserved
in the subsequent requests.

Is there anything else that I should do to preserve authentication
information? It is very strange that this process is working
intermittently. As a workaround I am wrapping the request and overriding
getRemoteUser/getUserPrincipal/isUserInRole to get this information from
the information I am storing in the session, but I would prefer to have
this working without this workaround (for example the AccessLogValve does
not report the user correctly when using that workaround).

Cheers
Nicolas