André,

André Warnier wrote:
> To get the authenticated user-id from within a filter or a servlet, one
> calls HttpServletRequest.getUserPrincipal().getName() e.g.

Technically, it's not the user id. It's just a name for the principal. For most authentication systems, it's the username of the user.

> But where and more mysteriously how, does this Principal get set ?
> I cannot find any setUserPrincipal() anywhere.

This is an implementation detail. HttpServletRequest doesn't have a "setUserPrincipal" method because it would be somewhat dangerous to allow user code to change the principal during request processing.

Of course, such rogue code is still very easy to write: wrap the request in your own wrapper and use the RequestDispatcher to call include() or forward() and boom: the user "is" someone else.

If you dig down into the internals of Tomcat's source code, you'll find that the "coyote request" has these types of mutators in the class.

If you take a look at securityfilter, there is a setUserPrincipal method, but it is not directly accessible because it's not part of the HttpServletRequest interface.

-chris
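The "wrap the request and forward it" trick described in the reply above, written out as an added example; this is not code from the thread, from Tomcat or from securityfilter. It assumes the javax.servlet 2.5 API of the period, a target path of /protected/whoami, and a request parameter named "as" that picks the identity to impersonate; all three are choices made for the illustration. The wrapper overrides every identity accessor (getUserPrincipal, getRemoteUser, isUserInRole), so the servlet reached through RequestDispatcher.forward() cannot tell that the container never authenticated that user.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustration only (not Tomcat or securityfilter code): the servlet API has
 * no setUserPrincipal(), yet any code deployed inside the container can wrap
 * the request and hand downstream code a different Principal.
 * The class names, the "as" parameter and the target path are invented here.
 */
public class PrincipalSpoofingFilter implements Filter {

    /** Minimal Principal carrying only a name, which is all getUserPrincipal().getName() exposes. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /** Wrapper that answers every identity query itself instead of asking the container. */
    static final class ImpersonatingRequest extends HttpServletRequestWrapper {
        private final Principal fake;
        ImpersonatingRequest(HttpServletRequest req, String fakeName) {
            super(req);
            this.fake = new NamedPrincipal(fakeName);
        }
        @Override public Principal getUserPrincipal() { return fake; }
        @Override public String getRemoteUser() { return fake.getName(); }
        // Role checks also bypass the container's Realm: the wrapper simply says "yes" for admin.
        @Override public boolean isUserInRole(String role) { return "admin".equals(role); }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        // Assumption for the example: an ordinary request parameter chooses the identity.
        // Real rogue code could pick it any way it likes; nothing in the API prevents this.
        String impersonate = http.getParameter("as");
        if (impersonate == null) {
            chain.doFilter(request, response);   // normal path: container-supplied identity
            return;
        }
        HttpServletRequest spoofed = new ImpersonatingRequest(http, impersonate);
        // forward() (include() behaves the same) delivers the wrapped request to the target,
        // whose getUserPrincipal() now returns the wrapper's value, not the container's.
        http.getRequestDispatcher("/protected/whoami").forward(spoofed, response);
    }
}

/** Target of the forward; it trusts whatever request object it is handed. */
class WhoAmIServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Principal p = req.getUserPrincipal();
        resp.setContentType("text/plain");
        resp.getWriter().println("principal: " + (p == null ? "(none)" : p.getName()));
        resp.getWriter().println("admin role: " + req.isUserInRole("admin"));
    }
}
```

The practical lesson for anyone writing authorization checks: a servlet or JSP reached by forward() or include() sees the request object the caller passed in, so getUserPrincipal() downstream of a dispatch is only as trustworthy as every filter and servlet that ran before it. That is why the interface offers no mutator, and why changing the principal is left to container internals (the Coyote request in Tomcat) rather than to application code.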