Bug 1008041 - Issue with org.apache.catalina.connector.Connector.Request.getRemoteuser
Issue with org.apache.catalina.connector.Connector.Request.getRemoteuser
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web (Show other bugs)
Unspecified Unspecified
unspecified Severity high
: DR1
: EAP 6.4.0
Assigned To: Rémy Maucherat
Michael Cada
Depends On: 1138672
  Show dependency treegraph
Reported: 2013-09-13 18:36 EDT by claudianus
Modified: 2018-05-31 17:39 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Build: CSProcessor Builder Version 1.12 Build Name: 19233, Administration and Configuration Guide-6.1-1 Build Date: 05-09-2013 10:36:48 Topic ID: 8863-458833 [Specified]
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description claudianus 2013-09-13 18:36:18 EDT
Title: Issue with getRemoteUser() on org.apache.catalina.connector.Connector.Request when a session principal is set

Describe the issue:
In EAP 6.1 one of the certificateUsers Module options is principalClass where one can define their own principal class to be used with web requests. When this is done the expectation is that this principal object will be used by jbossweb in the org.apache.catalina.connector.Request when a call is made to get user principal or to get other information related to that user principal. This works as expected when the getPrincipal() call is made on the request object. 
However, when a call to getRemoteUser() is made on that same request object the session principal that was added using the principalClass module option is not used. This should technically works similar to the call to getPrincipal().

Suggestions for improvement:
Basically this should behave similar to the call to getPrincipall(), which uses the session principal if one is set instead of the generic principal. So basically on lines 2231 - 2239 in the org.apache.catalina.connector.Request instead of using userPrincipal.getName(), a local principal should be set using doGetUserPrincipal(), which will return the right principal (session principal if one is set or instance userprincipal if no session principal is set).

Note that I am referencing the source of the apache catina jar contained in the jboss web located under jboss-eap-6.1/modules/system/layers/base/org/jboss/as/web/main within the jbossweb-7.2.0.Final.jar

Additional information:
Also I would expect that whenever a session principal is set (i.e. the principal object is overwritten using the principalClass module option when defining a security domain e.g. CertificateUsers module options) that all values retrieved from the org.apache.catalina.connector.Request object that are retrieved from the principal object should be derived from the overwritten principal (session principal) if one is set instead of using the generic principal.
Comment 2 John Doyle 2013-09-23 13:11:59 EDT
Too low level for me to know if what's described is a defect or not and if the proposed solution is the right solution.  I'll let Remy or Jean Frederic comment.  if it's confirmed by them I have not problem approving it for the next release.
Comment 5 Ondrej Lukas 2014-08-13 03:13:08 EDT
Status updated. Issue still exists in EAP 6.3.0.
Comment 6 Rémy Maucherat 2014-09-04 12:22:06 EDT
r2503 in web.
Comment 7 Kabir Khan 2014-09-08 07:56:53 EDT
Fixed by component upgrade to JBoss Web 7.5.0.Beta1: https://bugzilla.redhat.com/show_bug.cgi?id=1138672
Comment 8 Ondrej Lukas 2014-09-19 08:30:29 EDT
Verified in EAP 6.4.0.DR1.1

Note You need to log in before you can comment on or make changes to this bug.