OK, I figured it out. In my web.xml, I had defined a security constraint to
only apply to GET requests. Apparently (with Tomcat anyway),
request.getUserPrincipal() will always return null if the resource is not
part of a security constraint. So, since GET was part of the constraint,
getPrincipal would return a valid object, POST returned NULL.

Thanks for your help (if you intended to help)!
AR.

-----Original Message-----
From: Rustad, Aaron 
Sent: October 18, 2003 9:40 AM
To: '[EMAIL PROTECTED]'
Subject: Strange Security Problem


I am encountering a strange security problem when trying to submit a form to
an action. This JSP is as follows:

<%= request.getUserPrincipal().getName() %>
<form action="/edm/ebb/upload.do" method="POST">
 <table width="75%" border="1">
  <tr>
    <td><bean:message key="upload.from"/></td>
    <td><input type="text" name="from"/></td>
  </tr>
  <tr>
    <td><bean:message key="upload.to"/></td>
    <td><input type="text" name="to"/></td>
  </tr>
  <tr>
    <td><bean:message key="upload.version"/></td>
    <td><input type="text" name="version"/></td>
  </tr>    
  <tr>
    <td><bean:message key="upload.file"/></td>
    <td><input type="file" name="input-data"></td>
  </tr>
</table>
<input type="submit" value="Submit"/>
</form>
<html:link forward="ups">upload</html:link>

The strange thing is this:

When this page is loaded, and I am legitimately logged in, the name of the
UserPrincipal is displayed as it should be. However, if I submit the form,
the appropriate action class is called, but when I invoke
request.getUserPrincipal()...it returns null. Notice the last line of the
HTML, it has a link that points to the same action class...when it is
clicked, the principal is propagated to the action and it is NOT null.

Can anyone help me out with this? I would like the post to work correctly.

Thanks!
Aaron.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
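
The cause given in the reply at the top of this thread, as an added example that is not part of the original messages: a web.xml security constraint that lists <http-method>GET</http-method> covers only GET, so a POST to the same URL falls outside it. The script below audits a web.xml for such method-limited constraints; the URL pattern, role name and both web.xml fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments (not from the original post). The URL pattern
# and role name are assumptions for illustration.
GET_ONLY = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ebb</web-resource-name>
      <url-pattern>/ebb/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Corrected form: no <http-method>, so the constraint covers every method.
ALL_METHODS = GET_ONLY.replace("      <http-method>GET</http-method>\n", "")


def local(tag):
    """Strip an XML namespace so DTD-based and schema-based files both parse."""
    return tag.rsplit("}", 1)[-1]


def method_limited_constraints(web_xml):
    """Return (url_patterns, listed_methods) for each web-resource-collection
    that names HTTP methods; requests using any other method fall outside it."""
    findings = []
    for coll in ET.fromstring(web_xml).iter():
        if local(coll.tag) != "web-resource-collection":
            continue
        children = [(local(c.tag), (c.text or "").strip()) for c in coll]
        methods = sorted(t.upper() for n, t in children if n == "http-method")
        if methods:
            patterns = [t for n, t in children if n == "url-pattern"]
            findings.append((patterns, methods))
    return findings


if __name__ == "__main__":
    for patterns, methods in method_limited_constraints(GET_ONLY):
        print(f"{patterns}: constraint applies only to {methods}")
```
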