In certain cases the user principal is overwritten and set to null. Especially in cases of parallel request when for instance using tiles.
Created attachment 19903 Patches Request.java fixing user principal bug
I have no idea what you are talking about. For starters, "parallel request" is usually not a valid use case.
Ok, maybe I was not using the correct wording. I was hoping the patch would be self-explanatory. Let me explain our case. We use struts tiles. In some of the tiles (included JSPs) we request the user principal. However, sometimes when the user is logged in, getUserPrincipal() returns null in the tiles. This patch fixes that problem.
I don't see how this patch could fix the bug you are seeing. Neither subject nor the session attribute Globals.SUBJECT_ATTR plays any part in getUserPrincipal(). Are you using a security manager? If you are, do you see the problem if you don't use one? I suspect that you have two requests in a session, the first authenticates the user and the second calls getUserPrincipal(). If the call in the second request is made to getUserPrincipal() before the first request completes then it will return null. Without a test case that demonstrates a valid user principal value being overwritten with null or an explanation of *how* the patch fixes the issue, this issue is going to get resolved as invalid.
My apologies, it's the Subject.getSubject() that returns null and consequently there's no Principal either. Yes, we use a security manager. Trying to run the application without the security manager would be a challenging one, because it heavily depends on it and basically doesn't work without it. With regard to the two requests in one session, your assumption is probably correct as struts-tiles does just that (multiple requests in one session). However, I would assume that once the user is logged in, this situation of order of requests should not matter anymore as the subject has already been set and is available to every request from then on. Yet, still some requests retrieve null even though the user has been logged in for quite a while. I will try to produce a small isolated test case. However, time is not in abundance for me, so it might take a bit of time to produce one.
Can you clarify? Is getUserPrincipal() returning null or are you accessing the subject directly? If accessing the subject directly, how are you doing this?
Subject.getSubject(AccessController.getContext())
I have been over the code several times and just can't see how the subject could be null. Whilst a test case would be ideal, could you provide a stack trace for when the subject is null? Also, how repeatable is this for you? If it is repeatable, any further information on circumstances would be very helpful.
I am marking this as WONTFIX since:
- there are no obvious code paths that could explain this
- no reasoning has been provided for why the patch works and I can't see one
- there has been no response to the request for further info for many months

I suspect tile and/or the app is doing something odd. If you, or anyone else, still see this issue and you have new information that sheds some light feel free to re-open this issue and add the new info.