[thelist] LOGON_USER in JSP

david.landy at somerfield.co.uk
Tue Feb 10 05:28:32 CST 2004

Thanks, Ken. I never realised it was so complex.

Does anyone know of any software that would do this kind of invisible
authentication on Tomcat/WinNT?


David Landy, IT Consultant
Business Intelligence
+44 (0) 117-301-8977
david.landy at somerfield.co.uk <mailto:david.landy at somerfield.co.uk>    

-----Original Message-----
From: Ken Schaefer [mailto:ken at adOpenStatic.com]
Sent: Tuesday, 10 February 2004 11:21
To: thelist at lists.evolt.org
Subject: Re: [thelist] LOGON_USER in JSP

Not exactly.

- Browser requests page.
- Webserver denies access + sends back acceptable authentication mechanisms
- Browser picks a mechanism, prompts user to supply username/password (IE
does not do this if the site is in the "trusted sites" or "intranet"
security zones - by default it automatically sends the username/password of
the currently logged on user)
- Browser sends username/password (or hash, or digest) as part of a new HTTP
- If your page is ASP, then ASP provides an intrinsic object that gives you
access to the HTTP headers of the request sent by the browser
(Request.ServerVariables). Other server-side technologies provide the same
access to the HTTP request.

So, the username (and possibly the password) are passed in the HTTP headers
from the client to the server. There is no "magic" Windows-native technology
that makes the server somehow aware of who's logged into the client machine.


Microsoft MVP - Windows Server (IIS)
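
Added example (not code from this thread or from any poster): a Java helper, under the hypothetical class name AuthHeaderInspector, that reads the Authorization request header described in the steps above and reports the user name it claims, for Basic credentials and for an NTLM type 3 message. The sample header values are constructed, the NTLM flags field is assumed to be present at offset 60, and non-Unicode names are decoded as ISO-8859-1 as an approximation.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
public class AuthHeaderInspector {
    // Reports what the header claims; nothing is verified, so the name must not be trusted as-is.
    static String describe(String header) {
        if (header == null) return "no Authorization header: no credentials were sent";
        String[] parts = header.trim().split("\\s+", 2);
        boolean basic = parts[0].equalsIgnoreCase("Basic"), ntlm = parts[0].equalsIgnoreCase("NTLM");
        if (!basic && !ntlm) return parts[0] + " (not decoded in this example)";
        try {
            byte[] raw = Base64.getDecoder().decode(parts[1]);
            if (ntlm) return describeNtlm(raw);
            String pair = new String(raw, StandardCharsets.ISO_8859_1); // "user:password"
            return "Basic, claimed user=" + pair.substring(0, pair.indexOf(':'));
        } catch (IllegalArgumentException | IndexOutOfBoundsException e) {
            return "malformed " + parts[0] + " credentials"; // bad Base64, no ':' or truncated
        }
    }

    static String describeNtlm(byte[] msg) {
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (!new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0"))
            throw new IllegalArgumentException("not an NTLM message");
        int type = b.getInt(8);
        if (type != 3) return "NTLM type " + type + " message (has no user name field)";
        // Type 3: user-name security buffer at offset 36 = length(2), allocated(2), offset(4).
        int len = b.getShort(36) & 0xFFFF, off = b.getInt(40);
        // Assumes the flags field is present at offset 60; bit 0 is NEGOTIATE_UNICODE.
        boolean unicode = (b.getInt(60) & 1) != 0;
        return "NTLM type 3, claimed user=" + new String(msg, off, len,
                unicode ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) {
        // Constructed samples, not captured traffic.
        String basic = Base64.getEncoder().encodeToString("jsmith:secret".getBytes(StandardCharsets.ISO_8859_1));
        byte[] user = "jsmith".getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer t3 = ByteBuffer.allocate(64 + user.length).order(ByteOrder.LITTLE_ENDIAN);
        t3.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII)).putInt(3); // signature, type 3
        t3.putShort(36, (short) user.length).putShort(38, (short) user.length).putInt(40, 64);
        t3.putInt(60, 1).position(64);
        t3.put(user);
        System.out.println(describe(null));
        System.out.println(describe("Basic " + basic));
        System.out.println(describe("NTLM " + Base64.getEncoder().encodeToString(t3.array())));
    }
}
```

In a JSP or servlet the input would be request.getHeader("Authorization"), which is present only after the server has answered 401 with a WWW-Authenticate challenge. The extracted name is an unverified claim until the accompanying password or NTLM response has been validated.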

From: <david.landy at somerfield.co.uk>
Subject: RE: [thelist] LOGON_USER in JSP

Yes, it's Windows-native. It picks up the already-logged-on windows user and
passes it as a system variable to ASP, which is handy, as the user doesn't
have to log in again.

I've looked at all the HTTP headers and cookies (I think - see below), and
sadly no user information is passed... there is an environment variable with
the logged-on user but given that getenv() is deprecated I'm beginning to
think that - sadly - there really *is* no way of doing this in JSP, and I'll
have to ask the user to log in again, and keep my own tables of user id's
and logins.

Any ideas, anyone? Suggestions very welcome.



// JSP scriptlet; needs <%@ page import="java.util.Enumeration" %>
Cookie[] cookies = request.getCookies();
// getCookies() returns null when the request carries no cookies
for (int n = 0; cookies != null && n < cookies.length; n++) {
    Cookie cookie = cookies[n];
    out.print("Cookie: " + cookie.getName() + ":'");
    out.println(cookie.getValue() + "'<br>");
}

// Dump every request header name and value
Enumeration headers = request.getHeaderNames();
while (headers.hasMoreElements()) {
    String header=(String)headers.nextElement();
    out.print("Header: " + header + ":'");
    out.println(request.getHeader(header) + "'<br>");
}

Cookie: JSESSIONID:'65C45F3D82FFBCF525C97772E8EE4E46'
Header: accept:'*/*'
Header: referer:'http://localhost/'
Header: accept-language:'en-gb'
Header: accept-encoding:'gzip, deflate'
Header: user-agent:'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)'
Header: host:'localhost:8080'
Header: connection:'Keep-Alive'
Header: cache-control:'no-cache'
Header: cookie:'JSESSIONID=65C45F3D82FFBCF525C97772E8EE4E46'

David Landy, IT Consultant
Business Intelligence
+44 (0) 117-301-8977
david.landy at somerfield.co.uk <mailto:david.landy at somerfield.co.uk>

-----Original Message-----
From: Hassan Schroeder [mailto:hassan at webtuitive.com]
Sent: Monday, 09 February 2004 15:46
To: thelist at lists.evolt.org
Subject: Re: [thelist] LOGON_USER in JSP

david.landy at somerfield.co.uk wrote:

> Thanks Hassan. I've tried using request.getRemoteUser() in my JSP script
> it returns null.

Oops, belated realization -- is the "LOGON_USER" you mentioned in
your original mail from some Windows-native authentication? Because
getRemoteUser() being non-null depends on your having authenticated
with Tomcat's own methods.

So how does the LOGON_USER value work in an IE/ASP environment? Is
it passed in an HTTP header? through a cookie? If either, you can
access those, using methods of HttpServletRequest.

Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
