8

I'm trying to get Windows authentication to work with a 3rd party application developed with GWT. I'm hosting the app with Tomcat, on a Windows server. I access the site through an IIS proxy (installed following Tomcat's documentation).

If I modify a .jsp of the webapp to display "<%= request.getRemoteUser() %>", I get the username I'm hoping for, my Windows account.

But the webapp authenticates me with the account I installed the Tomcat Windows service with on the server.

In the (decompiled) source code of the webapp, I see a call to the exact same "request.getRemoteUser()", so I wonder where the difference can be.

Here are the decompiled classes:

import javax.servlet.http.HttpServletRequest;

public class RemoteUserLoginProvider
  extends BaseRequestLoginProvider
{
  public String extractLoginFromRequest(HttpServletRequest request)
  {
    return request.getRemoteUser();
  }
}

And :

import com.google.inject.Inject;
import com.google.inject.Provider; 
import javax.servlet.http.HttpServletRequest;

public abstract class BaseRequestLoginProvider
  implements Provider<String>
{
  @Inject
  private Provider<HttpServletRequest> requestProvider;

  public abstract String extractLoginFromRequest(HttpServletRequest paramHttpServletRequest);

  public String get()
  {
    HttpServletRequest request = (HttpServletRequest)this.requestProvider.get();
    String userlogin = extractLoginFromRequest(request);

    return userlogin;
  }
}

Could my problem be linked to this bug in Google's Guice: https://github.com/google/guice/issues/780?

If so, is there any workaround?

Laloutre
  • I rephrased my question here: http://stackoverflow.com/questions/38664679/request-getremoteuser-returns-a-different-login-in-jsp-than-in-a-servlet-filt, after additional testing to rule out the possibility that the problem was with Guice/GWT. – Laloutre Jul 30 '16 at 22:59

2 Answers

0

HttpServletRequest.getRemoteUser() normally just returns the same value as the CGI REMOTE_USER variable, which is the username from HTTP Basic Authentication. It sounds like you want it to be a different value, which means something is modifying the HttpServletRequest object. Most likely this is accomplished by a Servlet Filter.

If that Guice bug is the culprit, it's easy enough to work around: simply ensure that GuiceFilter is installed after whatever Filter is authenticating the request and modifying the HttpServletRequest object.

As a general rule of thumb, I don't think modifying the request like that is a good idea, precisely because it's so hard to debug when something goes wrong. If instead you had a @RequestScoped provider that extracted the value(s) you want out of the request and did whatever authentication you need, you could consume the user information by dependency injection instead. Or, more generally: always prefer to create new (preferably immutable) values rather than mutating existing objects -- it makes the control flow much easier to reason about.

Daniel Pryden
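
The request-scoped provider suggested in the answer above could look like this with guice-servlet. This is an added example, not code from the answer or from the application; `AuthenticatedUser`, `AuthModule`, `WhoAmIServlet` and the `/whoami` path are hypothetical names.

```java
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Provides;
import com.google.inject.Singleton;
import com.google.inject.servlet.RequestScoped;
import com.google.inject.servlet.ServletModule;
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical immutable value: the login captured once per request.
final class AuthenticatedUser {
    private final String login;
    AuthenticatedUser(String login) { this.login = login; }
    String login() { return login; }
}

// Hypothetical module, installed through a GuiceServletContextListener.
class AuthModule extends ServletModule {
    @Override
    protected void configureServlets() {
        serve("/whoami").with(WhoAmIServlet.class);
    }
    // Runs at most once per request. Following the answer above, GuiceFilter
    // must be mapped after the filter that authenticates the request.
    @Provides @RequestScoped
    AuthenticatedUser currentUser(HttpServletRequest request) {
        String login = request.getRemoteUser();
        if (login == null || login.trim().isEmpty()) {
            throw new IllegalStateException("no authenticated user on request"); // fail closed
        }
        return new AuthenticatedUser(login);
    }
}

// Servlets are singletons, so inject a Provider and resolve it per request.
@Singleton
class WhoAmIServlet extends HttpServlet {
    private final Provider<AuthenticatedUser> user;
    @Inject WhoAmIServlet(Provider<AuthenticatedUser> user) { this.user = user; }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println(user.get().login());
    }
}
```

Code that needs the login then depends on `AuthenticatedUser` (or its `Provider`) instead of reading the request itself, so the identity is resolved in exactly one place.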
0

request.getRemoteUser() returns the name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. If you have an authentication filter installed on your Web server that maps incoming users to accounts, use LOGON_USER to view the mapped user name.

IIS server variables

Chema
Zia
  • If you did not find the above solution helpful, you may also go through this article. https://blogs.oracle.com/wssfc/handling-proxy-server-authentication-requests-in-java – Zia Jun 27 '20 at 11:10