Red Hat Bugzilla – Bug 1008041
Issue with org.apache.catalina.connector.Connector.Request.getRemoteUser
Last modified: 2017-10-09 20:24:43 EDT
Title: Issue with getRemoteUser() on org.apache.catalina.connector.Connector.Request when a session principal is set
Describe the issue:
In EAP 6.1 one of the certificateUsers module options is principalClass, where one can define their own principal class to be used with web requests. When this is done, the expectation is that this principal object will be used by JBoss Web in the org.apache.catalina.connector.Request when a call is made to get the user principal or to get other information related to that user principal. This works as expected when the getPrincipal() call is made on the request object.
However, when a call to getRemoteUser() is made on that same request object, the session principal that was added using the principalClass module option is not used. This should technically work similarly to the call to getPrincipal().
Suggestions for improvement:
Basically this should behave similarly to the call to getPrincipal(), which uses the session principal if one is set instead of the generic principal. So basically on lines 2231 - 2239 in the org.apache.catalina.connector.Request, instead of using userPrincipal.getName(), a local principal should be set using doGetUserPrincipal(), which will return the right principal (the session principal if one is set, or the instance userPrincipal if no session principal is set).
Note that I am referencing the source of the Apache Catalina jar contained in JBoss Web, located under jboss-eap-6.1/modules/system/layers/base/org/jboss/as/web/main within the jbossweb-7.2.0.Final.jar.
Also I would expect that whenever a session principal is set (i.e. the principal object is overwritten using the principalClass module option when defining a security domain e.g. CertificateUsers module options) that all values retrieved from the org.apache.catalina.connector.Request object that are retrieved from the principal object should be derived from the overwritten principal (session principal) if one is set instead of using the generic principal.
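The mismatch described in the report, as an added illustration that is not JBoss Web source code or the reporter's code. It models a request with a container-assigned generic principal and a session principal installed through a custom principalClass, and shows getRemoteUser() built on userPrincipal.getName() beside the proposed variant built on doGetUserPrincipal(). The class names CertPrincipal, GenericUserPrincipal, Session and Request, and the distinguished name used as sample input, are assumptions made here for the example.

```java
import java.security.Principal;

// Added example, not JBoss Web source. Models the behaviour the report describes:
// a custom principal (installed via the certificateUsers principalClass option)
// stored on the session, and a Request whose getUserPrincipal() consults it
// while getRemoteUser() does not.
public class RemoteUserMismatch {

    // Hypothetical custom principal: getName() is derived from a certificate DN
    // rather than the raw login name, so the two names visibly differ.
    static final class CertPrincipal implements Principal {
        private final String dn;
        CertPrincipal(String dn) { this.dn = dn; }
        @Override public String getName() { return "cn=" + dn; }
    }

    // Stand-in for the generic principal the container creates first.
    static final class GenericUserPrincipal implements Principal {
        private final String name;
        GenericUserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Minimal session model: only the principal slot matters here.
    static final class Session {
        Principal principal;
    }

    // Minimal request model with the two code paths the report compares.
    static final class Request {
        Principal userPrincipal;   // container-assigned generic principal
        Session session;           // may be null, or may hold a session principal

        // Mirrors the described getPrincipal() behaviour: prefer the session
        // principal when one is set, otherwise the instance userPrincipal.
        Principal doGetUserPrincipal() {
            if (session != null && session.principal != null) {
                return session.principal;
            }
            return userPrincipal;
        }

        Principal getUserPrincipal() { return doGetUserPrincipal(); }

        // Behaviour the report complains about: reads userPrincipal directly,
        // so a session principal set via principalClass is ignored.
        String getRemoteUserAsReported() {
            return userPrincipal == null ? null : userPrincipal.getName();
        }

        // The report's proposed change: derive the name from doGetUserPrincipal().
        String getRemoteUserProposed() {
            Principal p = doGetUserPrincipal();
            return p == null ? null : p.getName();
        }
    }

    public static void main(String[] args) {
        Request req = new Request();
        req.userPrincipal = new GenericUserPrincipal("alice");
        req.session = new Session();
        // Constructed sample DN for the session principal.
        req.session.principal = new CertPrincipal("alice,ou=staff,o=example");

        System.out.println("getUserPrincipal().getName(): " + req.getUserPrincipal().getName());
        System.out.println("getRemoteUser() as reported:  " + req.getRemoteUserAsReported());
        System.out.println("getRemoteUser() as proposed:  " + req.getRemoteUserProposed());
        // With the reported behaviour the two names disagree ("cn=alice,..." vs
        // "alice"); with the proposed change both come from the same principal.
    }
}
```

The practical consequence is the one a reviewer would check for: any servlet filter or application code that makes an authorization decision on getRemoteUser() sees a different identity string than code using getUserPrincipal() on the same request, so the two must be kept consistent.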
Too low level for me to know if what's described is a defect or not and if the proposed solution is the right solution. I'll let Remy or Jean Frederic comment. If it's confirmed by them I have no problem approving it for the next release.
Status updated. Issue still exists in EAP 6.3.0.
r2503 in web.
Fixed by component upgrade to JBoss Web 7.5.0.Beta1: https://bugzilla.redhat.com/show_bug.cgi?id=1138672
Verified in EAP 6.4.0.DR1.1