Incorrect output received from getRemoteUser()
 Technote (FAQ)
 
Problem
getRemoteUser() returns null even though the user is authenticated (entered a valid userid and password at the browser). Subsequent role checks (e.g. the isUserInRole() method) will fail.

This behavior only occurs when the HTTP request is sent to the IBM HTTP Server rather than the HTTP Transport Handler.
 
 
Solution
The following element structure must be present in the deployment descriptor (web.xml in the WAR file) for the Web application that is calling getRemoteUser():

<security-constraint>
  <web-resource-collection>
    <web-resource-name>catalog</web-resource-name>
    <url-pattern>/catalog/*</url-pattern>
  </web-resource-collection>
</security-constraint>
The URL specified in the <url-pattern> element must match the request.
Without the above structure, the Web container does not attempt to authenticate the request. The userid that the Web container runs the request under is considered unauthenticated and subsequent role checks (e.g. the isUserInRole() method) will fail.

Note: The WebAuth.UnauthenticatedUserSurrogate property in the webcontainer.conf file specifies the SAF UserID under which unauthenticated clients are to execute. This must contain a valid SAF UserID.

In WSAD (or a similar development tool) or the AAT, add a <security-constraint> along with a <web-resource-collection> and <url-pattern> that matches the application.
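
As an added illustration (not part of the original technote and not IBM code), the following Python script checks whether a request path is covered by a <url-pattern> nested inside a <security-constraint> in web.xml. The sample descriptor and function names are constructed for this example; paths are assumed to be relative to the context root, and the check reports simple coverage by any constraint rather than the container's full best-match processing.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor for illustration; not taken from a real application.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>catalog</web-resource-name>
      <url-pattern>/catalog/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop any XML namespace so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]


def constrained_patterns(web_xml_text):
    """Collect url-patterns nested in security-constraint/web-resource-collection."""
    patterns = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                patterns += [(c.text or "").strip() for c in wrc
                             if _local(c.tag) == "url-pattern"]
    return patterns


def pattern_matches(pattern, path):
    """Servlet-style match: prefix (/x/*), extension (*.ext), default (/), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path


def is_constrained(web_xml_text, path):
    """True if any constrained url-pattern covers the context-relative path."""
    return any(pattern_matches(p, path) for p in constrained_patterns(web_xml_text))


if __name__ == "__main__":
    for p in ("/catalog/items", "/catalog", "/catalogue/items", "/index.jsp"):
        print(p, "->", "constrained" if is_constrained(SAMPLE_WEB_XML, p) else "NOT constrained")
```

A path reported as not constrained is one for which, per the explanation above, the Web container would not attempt authentication and getRemoteUser() would return null.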

Related Information
  • WebSphere Application Server V4.0.1 for z/OS and OS/390: Assembling Java 2 Platform, Enterprise Edition (J2EE) Applications, SA22-7836
  • z/OS WebSphere and Security Handbook, SG24-6846 (Redbook)


Additional remarks

Request was authenticated in the IBM HTTP Server (Protect directives or Userid %%CLIENT%% in httpd.conf file) rather than in the Web container.
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Security
Operating system(s): z/OS
Software version: 4.0.1
Software edition:
Reference #: 1165298
IBM Group: Software Group
Modified date: Apr 5, 2004