[thelist] LOGON_USER in JSP

Ken Schaefer ken at adOpenStatic.com
Tue Feb 10 06:07:07 CST 2004


I don't know much about Tomcat.

However, the Tomcat FAQ mentions this:
http://jakarta.apache.org/tomcat/faq/windows.html#ntlm
(this is adding NTLM support, which is a Microsoft HTTP authentication
mechanism which is now quite old). I believe Microsoft added this because
Basic authentication (which is an RFC standard) is completely insecure
(username/password transmitted in clear text) unless you run your site over
SSL (which isn't always feasible). Newer versions of IE support Kerberos and
Digest authentication now. I'm not sure what support Tomcat has for these
(or whether you need to do anything extra to get that working).

Note: the actual mechanism for getting the user to provide a
username/password is an HTTP standard. So you can look up the RFCs about this
(they are in the HTTP v1.1 specification). There is no automatic way to get
the current logged on user (since the user is prompted to supply
username/password). All you can get is the username/password they choose to
supply in the dialogue box. That gets sent as part of the HTTP request, and
I'm sure Java must have some method of exposing the elements of the incoming
HTTP request. Someone mentioned HttpServletRequest.

Cheers
Ken

----- Original Message ----- 
From: <david.landy at somerfield.co.uk>
To: <thelist at lists.evolt.org>
Sent: Tuesday, February 10, 2004 10:28 PM
Subject: RE: [thelist] LOGON_USER in JSP


Thanks, Ken. I never realised it was so complex.

Does anyone know of any software that would do this kind of invisible
authentication on Tomcat/WinNT?

David


David Landy, IT Consultant
Business Intelligence
Somerfield/KwikSave
+44 (0) 117-301-8977
david.landy at somerfield.co.uk <mailto:david.landy at somerfield.co.uk>


-----Original Message-----
From: Ken Schaefer [mailto:ken at adOpenStatic.com]
Sent: Tuesday, 10 February 2004 11:21
To: thelist at lists.evolt.org
Subject: Re: [thelist] LOGON_USER in JSP


Not exactly.

- Browser requests page.
- Webserver denies access + sends back acceptable authentication mechanisms
- Browser picks a mechanism, prompts user to supply username/password (IE
does not do this if the site is in the "trusted sites" or "intranet"
security zones - by default it automatically sends the username/password of
the currently logged on user)
- Browser sends username/password (or hash, or digest) as part of a new HTTP
request
- If your page is ASP, then ASP provides an intrinsic object that gives you
access to the HTTP headers of the request sent by the browser
(Request.ServerVariables). Other server-side technologies provide the same
access to the HTTP request.

So, the username (and possibly the password) are passed in the HTTP headers
from the client to the server. There is no "magic" Windows-native technology
that makes the server somehow aware of who's logged into the client machine.

Cheers
Ken

Microsoft MVP - Windows Server (IIS)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: <david.landy at somerfield.co.uk>
Subject: RE: [thelist] LOGON_USER in JSP


Yes, it's Windows-native. It picks up the already-logged-on Windows user and
passes it as a system variable to ASP, which is handy, as the user doesn't
have to log in again.

I've looked at all the HTTP headers and cookies (I think - see below), and
sadly no user information is passed... there is an environment variable with
the logged-on user but given that getenv() is deprecated I'm beginning to
think that - sadly - there really *is* no way of doing this in JSP, and I'll
have to ask the user to log in again, and keep my own tables of user ids
and logins.

Any ideas, anyone? Suggestions very welcome.

David

Code:

Cookie[] cookies = request.getCookies();
// getCookies() returns null (not an empty array) when the request carries
// no cookies at all, so guard before indexing
if (cookies != null) {
    for (int n = 0; n < cookies.length; n++)
    {
        Cookie cookie = cookies[n];
        out.print("Cookie: " + cookie.getName() + ":'");
        out.println(cookie.getValue() + "'<br>");
    }
}

// Dump every request header as sent by the browser
// (java.util.Enumeration needs to be imported in the page directive)
Enumeration headers = request.getHeaderNames();
while (headers.hasMoreElements()) {
    String header = (String) headers.nextElement();
    out.print("Header: " + header + ":'");
    out.println(request.getHeader(header) + "'<br>");
}


Output:

Cookie: JSESSIONID:'65C45F3D82FFBCF525C97772E8EE4E46'
Header: accept:'*/*'
Header: referer:'http://localhost/'
Header: accept-language:'en-gb'
Header: accept-encoding:'gzip, deflate'
Header: user-agent:'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)'
Header: host:'localhost:8080'
Header: connection:'Keep-Alive'
Header: cache-control:'no-cache'
Header: cookie:'JSESSIONID=65C45F3D82FFBCF525C97772E8EE4E46'



David Landy, IT Consultant
Business Intelligence
Somerfield/KwikSave
+44 (0) 117-301-8977
david.landy at somerfield.co.uk <mailto:david.landy at somerfield.co.uk>


-----Original Message-----
From: Hassan Schroeder [mailto:hassan at webtuitive.com]
Sent: Monday, 09 February 2004 15:46
To: thelist at lists.evolt.org
Subject: Re: [thelist] LOGON_USER in JSP


david.landy at somerfield.co.uk wrote:

> Thanks Hassan. I've tried using request.getRemoteUser() in my JSP script
> but it returns null.

Oops, belated realization -- is the "LOGON_USER" you mentioned in
your original mail from some Windows-native authentication? Because
getRemoteUser() being non-null depends on your having authenticated
with Tomcat's own methods.

So how does the LOGON_USER value work in an IE/ASP environment? Is
it passed in an HTTP header? through a cookie? If either, you can
access those, using methods of HttpServletRequest.

-- 
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
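Added example, not code from anyone in this thread: a self-contained Python simulation of the challenge/response flow Ken lays out above (request, 401 listing acceptable mechanisms, new request carrying credentials), for Basic and Digest only. It shows two things the thread argues over: that a Basic credential is merely base64 and is recoverable by anyone who sees the header, and that the server-side "remote user" stays unset until the server itself has validated credentials, which is why getRemoteUser() is null without container-managed authentication. NTLM, Kerberos and IE's automatic intranet-zone logon are not modelled. The realm, nonce, user name and password are constructed values; the Digest arithmetic follows RFC 2617 with qop=auth.

```python
# Added example (not from the thread): simulated HTTP Basic/Digest exchange.
# Realm, nonce, user and password below are constructed demo values.
import base64
import hashlib
import hmac
import re

REALM = "thelist-demo"                        # constructed realm
USERS = {"dlandy": "s3cret"}                  # constructed server-side credential store
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # fixed so a run is reproducible


def challenge_headers():
    """What the server sends with a 401: the mechanisms it will accept."""
    return {"WWW-Authenticate": [
        f'Basic realm="{REALM}"',
        f'Digest realm="{REALM}", nonce="{NONCE}", qop=auth, algorithm=MD5',
    ]}


def client_basic_header(user, password):
    """Basic: the credential is base64-encoded, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(token):
    """Anyone who sees the header recovers user and password; hence 'clear text'."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response value for qop=auth; the password itself never leaves the client."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_digest_header(user, password, method, uri, nonce, nc="00000001", cnonce="0a4f113b"):
    resp = digest_response(user, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def _params(s):
    """Parse a 'k=v, k="v"' list from a challenge or credential header."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', s)}


def server_handle(method, uri, headers):
    """Return (status, remote_user). remote_user stays None until the server has
    validated credentials: the analogue of getRemoteUser() being null when
    nothing in the container authenticated the request."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, None
    scheme, _, rest = auth.partition(" ")
    if scheme == "Basic":
        user, password = decode_basic(rest)
        stored = USERS.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    elif scheme == "Digest":
        p = _params(rest)
        user = p.get("username", "")
        stored = USERS.get(user)
        expected = digest_response(user, stored or "", method, uri,
                                   p.get("nonce", ""), p.get("nc", ""), p.get("cnonce", ""))
        ok = (stored is not None and p.get("nonce") == NONCE and p.get("uri") == uri
              and hmac.compare_digest(expected.encode(), p.get("response", "").encode()))
    else:
        ok, user = False, None   # mechanism the server does not support
    return (200, user) if ok else (401, None)


def exchange(user, password, prefer="Digest", method="GET", uri="/report.jsp"):
    """The flow from the thread: request, 401 with acceptable mechanisms,
    client picks one and re-sends the request carrying credentials."""
    status, who = server_handle(method, uri, {})
    assert (status, who) == (401, None)
    offered = challenge_headers()["WWW-Authenticate"]
    chosen = next(c for c in offered if c.startswith(prefer))
    if prefer == "Basic":
        header = client_basic_header(user, password)
    else:
        header = client_digest_header(user, password, method, uri, _params(chosen)["nonce"])
    return server_handle(method, uri, {"Authorization": header})


if __name__ == "__main__":
    print(exchange("dlandy", "s3cret", prefer="Basic"))    # (200, 'dlandy')
    print(decode_basic(client_basic_header("dlandy", "s3cret").split(" ", 1)[1]))
    print(exchange("dlandy", "s3cret", prefer="Digest"))   # (200, 'dlandy')
```

The Digest branch also rejects a response built against a nonce the server did not issue, which is the property that makes it resistant to simple replay; the Basic branch has no such protection, which is why the thread's advice to put it behind SSL stands.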

-- 
* * Please support the community that supports you.  * *
http://evolt.org/help_support_evolt/

For unsubscribe and other options, including the Tip Harvester
and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !
