Bug 42037 - User principal not always set correctly
Summary: User principal not always set correctly
Status: RESOLVED WONTFIX
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.5.16
Hardware: All All
Importance: P2 major
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2007-04-03 13:22 UTC by Allan Schweitz
Modified: 2008-03-01 09:49 UTC
Attachments
Patches Request.java fixing user principal bug (854 bytes, patch)
2007-04-03 13:24 UTC, Allan Schweitz
Description Allan Schweitz 2007-04-03 13:22:53 UTC
In certain cases the user principal is overwritten and set to null, especially
in cases of parallel requests when for instance using tiles.
Comment 1 Allan Schweitz 2007-04-03 13:24:15 UTC
Created attachment 19903 [details]
Patches Request.java fixing user principal bug
Comment 2 Remy Maucherat 2007-04-03 13:41:14 UTC
I have no idea what you are talking about. For starters, "parallel request" is
usually not a valid use case.
Comment 3 Allan Schweitz 2007-04-03 14:00:55 UTC
Ok, maybe I was not using the correct wording. I was hoping the patch would be
self-explanatory. Let me explain our case. We use Struts Tiles. In some of the
tiles (included JSPs) we request the user principal. However, sometimes when the
user is logged in, getUserPrincipal() in the tiles returns null. This patch
fixes that problem.
Comment 4 Mark Thomas 2007-04-15 12:17:13 UTC
I don't see how this patch could fix the bug you are seeing. Neither subject nor
the session attribute Globals.SUBJECT_ATTR plays any part in getUserPrincipal().
Are you using a security manager? If you are, do you see the problem if you
don't use one?

I suspect that you have two requests in a session, the first authenticates the
user and the second calls getUserPrincipal(). If the call in the second request
is made to getUserPrincipal() before the first request completes then it will
return null.

Without a test case that demonstrates a valid user principal value being
overwritten with null or an explanation of *how* the patch fixes the issue, this
issue is going to get resolved as invalid.
Comment 5 Allan Schweitz 2007-04-17 13:39:59 UTC
My apologies, it's the Subject.getSubject() that returns null and consequently
there's no Principal either.

Yes, we use a security manager. Trying to run the application without the
security manager would be a challenging one, because it heavily depends on it
and basically doesn't work without it.

With regards to the two requests in one session, your assumption is probably
correct, as Struts Tiles does just that (multiple requests in one session).
However, I would assume that once the user is logged in, the order of requests
should not matter anymore, as the subject has already been set and is
available to every request from then on. Yet still some requests retrieve null
even though the user has been logged in for quite a while.

I will try to produce a small isolated test case. However, time is not in
abundance for me, so it might take a bit of time to produce one.
Comment 6 Mark Thomas 2007-04-17 17:09:59 UTC
Can you clarify? Is getUserPrincipal() returning null or are you accessing the
subject directly? If accessing the subject directly, how are you doing this?
Comment 7 Allan Schweitz 2007-05-02 02:59:44 UTC
Subject.getSubject(AccessController.getContext())
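An added example (not code from this bug report or from Tomcat) illustrating the distinction raised in comments 6 and 7: a JAAS subject is bound to the access-control context only while code runs inside Subject.doAs, so a direct Subject.getSubject(AccessController.getContext()) lookup yields null outside that scope no matter how long ago the user logged in, whereas the container's request.getUserPrincipal() does not depend on that scope. The UserPrincipal class and the name "alice" are constructed for the demo; it assumes a JDK on which Subject.getSubject is still supported (it is deprecated in recent releases).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectScopeDemo {

    // Constructed stand-in for the principal a container attaches after login.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // Exactly the lookup a tile does when it reads the JAAS subject directly
    // instead of asking the container via request.getUserPrincipal().
    static Subject readSubjectDirectly() {
        return Subject.getSubject(AccessController.getContext());
    }

    public static void main(String[] args) {
        Subject loggedIn = new Subject();
        loggedIn.getPrincipals().add(new UserPrincipal("alice"));

        // Inside Subject.doAs the subject is part of the access-control context,
        // so the direct lookup finds it.
        Subject inside = Subject.doAs(loggedIn,
                (PrivilegedAction<Subject>) SubjectScopeDemo::readSubjectDirectly);

        // Outside that scope the very same lookup returns null, even though the
        // Subject object still exists and "the user is logged in".
        Subject outside = readSubjectDirectly();

        System.out.println("inside doAs : "
                + (inside == null ? "null" : inside.getPrincipals()));
        System.out.println("outside doAs: " + outside);
    }
}
```

The practical check for a tile that sees null is therefore whether it is being invoked within the container's doAs scope at all; comparing the direct lookup against request.getUserPrincipal() in the same tile distinguishes a lost principal from a lookup made outside that scope.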
Comment 8 Mark Thomas 2007-05-30 18:41:22 UTC
I have been over the code several times and just can't see how the subject could
be null. Whilst a test case would be ideal, could you provide a stack trace for
when the subject is null?

Also, how repeatable is this for you? If it is repeatable, any further
information on circumstances would be very helpful.
Comment 9 Mark Thomas 2008-03-01 09:49:05 UTC
I am marking this as WONTFIX since:
- there are no obvious code paths that could explain this
- no reasoning has been provided for why the patch works and I can't see one
- there has been no response to the request for further info for many months

I suspect Tiles and/or the app is doing something odd.

If you, or anyone else, still see this issue and you have new information that sheds some light feel free to re-open this issue and add the new info.