Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Remote Application Platform (RAP) » How to access user Principal without requiring authentication
How to access user Principal without requiring authentication [message #1061246] Thu, 30 May 2013 18:31 Go to next message
Mark Leone is currently offline Mark LeoneFriend
Messages: 69
Registered: April 2012
Member
I have a RAP app that runs in Tomcat with an SSL connector that requires client authentication. I'd like to access the user principal from the client cert, but I find that it's null unless I also implement an <auth-constraint> in the web.xml. For our application, we want to use the client cert for identification of the user, but we don't want to authenticate the user beyond requiring a valid cert.

Is there a way to get the user Principal without requiring authentication?

Here is my code which retrieves the user Principle:


RWT.requestThreadExec(new Runnable() {

        public void run() {
	        if (RWT.getRequest() != null) {
			RWT.getRequest().getUserPrincipal();
		}
	}
			
});


Here is a web.xml snippet which results in the Principal being null:

<security-constraint>
	<web-resource-collection>
		<web-resource-name>My App</web-resource-name>
		<url-pattern>/*</url-pattern>
	</web-resource-collection>
</security-constraint>

<login-config>
	<auth-method>CLIENT-CERT</auth-method>
	<realm-name>My Realm</realm-name>
</login-config>


If I add the following to the web.xml, the Principal is not null, but I'd like to avoid this:

<security-constraint>
         ...
        <auth-constraint>
	        <role-name>someRole</role-name>
        </auth-constraint>
</security-constraint>
<security-role>
       <role-name>secureconn</role-name>
</security-role>

Report message to a moderator

Re: How to access user Principal without requiring authentication [message #1061270 is a reply to message #1061246] Thu, 30 May 2013 21:19 Go to previous messageGo to next message
Mark Leone is currently offline Mark LeoneFriend
Messages: 69
Registered: April 2012
Member
The Principal is also null if I launch the app in the IDE with jetty configured for SSL.

Report message to a moderator

Re: How to access user Principal without requiring authentication [message #1070774 is a reply to message #1061270] Thu, 18 July 2013 16:28 Go to previous message
Mark Leone is currently offline Mark LeoneFriend
Messages: 69
Registered: April 2012
Member
It turns out that
RWT.getRequest().getAttribute("javax.servlet.request.X509Certificate")

Returns an X509Certificate array, containing the cert of the authenticated user, even if the user has not been authorized for a specific role. This is the behavior I expected from
 HttpServletRequest#getuserPrincipal()
so this is an acceptable workaround.

Report message to a moderator

Previous Topic:Toolbar height
Next Topic:RAP Client Scripting extension
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Oct 17 13:22:28 GMT 2021

Powered by FUDForum. Page generated in 0.01850 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly