[thelist] LOGON_USER in JSP

Ken Schaefer ken at adOpenStatic.com
Tue Feb 10 05:21:26 CST 2004

Not exactly.

- Browser requests page.
- Webserver denies access + sends back acceptable authentication mechanisms
- Browser picks a mechanism, prompts user to supply username/password (IE
does not do this if the site is in the "trusted sites" or "intranet"
security zones - by default it automatically sends the username/password of
the currently logged on user)
- Browser sends username/password (or hash, or digest) as part of a new HTTP
- If your page is ASP, then ASP provides an intrinsic object that gives you
access to the HTTP headers of the request sent by the browser
(Request.ServerVariables). Other server-side technologies provide the same
access to the HTTP request.

So, the username (and possibly the password) are passed in the HTTP headers
from the client to the server. There is no "magic" Windows-native technology
that makes the server somehow aware of who's logged into the client machine.


Microsoft MVP - Windows Server (IIS)

From: <david.landy at somerfield.co.uk>
Subject: RE: [thelist] LOGON_USER in JSP

Yes, it's Windows-native. It picks up the already-logged-on Windows user and
passes it as a system variable to ASP, which is handy, as the user doesn't
have to log in again.

I've looked at all the HTTP headers and cookies (I think - see below), and
sadly no user information is passed... there is an environment variable with
the logged-on user but given that getenv() is deprecated I'm beginning to
think that - sadly - there really *is* no way of doing this in JSP, and I'll
have to ask the user to log in again, and keep my own tables of user IDs
and logins.

Any ideas, anyone? Suggestions very welcome.



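// JSP scriptlet body; Enumeration needs <%@ page import="java.util.Enumeration" %>
// Debug dump only: names and values are written to the page unescaped.

// Dump every cookie sent with the request (getCookies() returns null when there are none)
Cookie[] cookies = request.getCookies();
if (cookies != null) {
    for (int n = 0; n < cookies.length; n++) {
        Cookie cookie = cookies[n];
        out.print("Cookie: " + cookie.getName() + ":'");
        out.println(cookie.getValue() + "'<br>");
    }
}

// Dump every HTTP request header
Enumeration headers = request.getHeaderNames();
while (headers.hasMoreElements()) {
    String header = (String) headers.nextElement();
    out.print("Header: " + header + ":'");
    out.println(request.getHeader(header) + "'<br>");
}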


Cookie: JSESSIONID:'65C45F3D82FFBCF525C97772E8EE4E46'
Header: accept:'*/*'
Header: referer:'http://localhost/'
Header: accept-language:'en-gb'
Header: accept-encoding:'gzip, deflate'
Header: user-agent:'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)'
Header: host:'localhost:8080'
Header: connection:'Keep-Alive'
Header: cache-control:'no-cache'
Header: cookie:'JSESSIONID=65C45F3D82FFBCF525C97772E8EE4E46'

David Landy, IT Consultant
Business Intelligence
+44 (0) 117-301-8977
david.landy at somerfield.co.uk

-----Original Message-----
From: Hassan Schroeder [mailto:hassan at webtuitive.com]
Sent: Monday, 09 February 2004 15:46
To: thelist at lists.evolt.org
Subject: Re: [thelist] LOGON_USER in JSP

david.landy at somerfield.co.uk wrote:

> Thanks Hassan. I've tried using request.getRemoteUser() in my JSP script
> it returns null.

Oops, belated realization -- is the "LOGON_USER" you mentioned in
your original mail from some Windows-native authentication? Because
getRemoteUser() being non-null depends on your having authenticated
with Tomcat's own methods.

So how does the LOGON_USER value work in an IE/ASP environment? Is
it passed in an HTTP header? through a cookie? If either, you can
access those, using methods of HttpServletRequest.

Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
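
Added example, not part of the original thread or any poster's code: a plain-Java sketch of the point made at the top of the thread, that the user's identity reaches the server only in an Authorization request header, and only after the server has challenged with a 401. The class name, the lowercase header keys and the sample credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: class and method names are hypothetical, not from the thread.
public class AuthHeaderDemo {
    // Reports what identity information one request's headers actually carry.
    static String describe(Map<String, String> headers) {
        String auth = headers.get("authorization"); // lowercase key, as in the dump above
        if (auth == null) // no 401 challenge was answered, so nothing identifies the user
            return "no credentials: reply 401 plus WWW-Authenticate to make the browser send them";
        int sp = auth.indexOf(' ');
        String scheme = sp < 0 ? auth : auth.substring(0, sp);
        String token = sp < 0 ? "" : auth.substring(sp + 1).trim();
        if (scheme.equalsIgnoreCase("Basic")) {
            try {
                byte[] raw = Base64.getDecoder().decode(token);
                String pair = new String(raw, StandardCharsets.UTF_8);
                int colon = pair.indexOf(':');
                if (colon < 0) return "malformed Basic credentials";
                // The name is only a claim until the password has been checked.
                return "Basic: claimed user '" + pair.substring(0, colon) + "'";
            } catch (IllegalArgumentException e) { // not valid base64
                return "malformed Basic credentials";
            }
        }
        if (scheme.equalsIgnoreCase("NTLM") || scheme.equalsIgnoreCase("Negotiate"))
            // Binary handshake message: no usable name until the server validates it.
            return scheme + ": handshake token (" + token.length() + " base64 chars)";
        return "unsupported scheme: " + scheme;
    }

    public static void main(String[] args) {
        // Constructed request 1: same shape as the dump in the thread, no Authorization.
        Map<String, String> first = new LinkedHashMap<>();
        first.put("host", "localhost:8080");
        first.put("connection", "Keep-Alive");
        System.out.println(describe(first));

        // Constructed request 2: the browser's retry after a Basic challenge.
        String cred = Base64.getEncoder()
                .encodeToString("jsmith:example-password".getBytes(StandardCharsets.UTF_8));
        Map<String, String> second = new LinkedHashMap<>(first);
        second.put("authorization", "Basic " + cred);
        System.out.println(describe(second));
    }
}
```

The first request matches the header dump in the thread: with no challenge from the server, the browser sends no Authorization header and there is nothing from which to derive a user name.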
