
Sunday, September 4, 2022

[FIXED] How the request.getRemoteUser() works and the remote username value is stored?

 September 04, 2022     authentication, httprequest, java, servlets, tomcat     No comments   

Issue

I have Tomcat authentication (form authentication) in my application. After successful authentication, I am able to get the username from the request.getRemoteUser() method in my servlet.

Where can I find the request.getRemoteUser() code? How does this work? Where has the RemoteUser been set and stored? Since HTTP requests are stateless and execute independently, how is this giving the username in all subsequent requests?


Solution

In order to deal with authentication, every context in Tomcat has a Valve that extends AuthenticatorBase, that:

  1. tries to authenticate the user using the data in the HttpServletRequest,
  2. checks the authorization requirements for the URL,
  3. if authentication is required, but absent, sends an appropriate response to the browser, asking for authentication. This usually means a 401 response with a WWW-Authenticate header for most authentication methods or a 302 redirect to the login page for form authentication.
  4. if authentication is present, but the access is not authorized, it sends a 403 response.
  5. otherwise calls Request#setUserPrincipal and proceeds with the next valve.

For the details check the AuthenticatorBase#invoke method.

Most authentication methods are based on the Authorization header sent by the browser (the form authenticator uses request parameters).

If a session is present (e.g. you called HttpServletRequest#getSession), the authenticated user will be cached in the session and subsequent requests will not need to authenticate any more. You can force session creation using the alwaysUseSession attribute on the authenticator valves (cf. documentation). The server can recognize the presence of a previously established session through many methods:

  1. A JSESSIONID Cookie header in the request,
  2. A jsessionid path parameter in the URL,
  3. If you use TLS, the TLS session can also be used to detect the appropriate HTTP session.


Answered By - Piotr P. Karwasz
Answer Checked By - Willingham (PHPFixing Volunteer)
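As an added example, not part of the answer above, the following servlet makes the behaviour described visible from inside the application. It assumes Tomcat 9 (Servlet 4.0, javax.* API), a web.xml whose <login-config> uses FORM authentication, and a realm role named "user"; the servlet name and URL are my own choices.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Only callers in role "user" reach doGet(): the AuthenticatorBase valve enforces
// the constraint before the servlet runs and answers with a 302 to the login
// page (unauthenticated) or a 403 (authenticated but not authorized) otherwise.
@WebServlet("/whoami")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The identity comes from the container (Request#setUserPrincipal in the
        // valve), never from a parameter or header that the client controls.
        String remoteUser = req.getRemoteUser();   // name of the principal, or null
        String authType = req.getAuthType();       // "FORM" with form authentication

        // getSession(false) never creates a session: if one exists, the valve found
        // the cached principal in it and did not have to re-authenticate.
        HttpSession session = req.getSession(false);

        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("remoteUser = " + remoteUser);
        out.println("principal  = " + (req.getUserPrincipal() == null
                ? null : req.getUserPrincipal().getName()));
        out.println("authType   = " + authType);
        out.println("session    = " + (session == null ? "none" : session.getId()));
        // How the container recognized the session (cookie vs. ;jsessionid= path)
        out.println("fromCookie = " + req.isRequestedSessionIdFromCookie());
        out.println("fromURL    = " + req.isRequestedSessionIdFromURL());

        // Servlet 3.0 logout() clears the principal for this request; invalidating
        // the session drops the cached identity, so the next request must
        // authenticate again instead of being served from the session cache.
        if ("true".equals(req.getParameter("logout"))) {
            req.logout();
            if (session != null) {
                session.invalidate();
            }
            out.println("logged out");
        }
    }
}
```

Requesting /whoami once with and once without the JSESSIONID cookie shows the difference between a request authenticated by the form login and one served from the session cache.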