
getRemoteUser

Ram Dhan Yadav K
Ranch Hand

Joined: Aug 13, 2001
Posts: 321
Hi,
Servlet doc says:
public java.lang.String getRemoteUser()
Returns the login of the user making this request, if the user has been authenticated, or null if the user has not been authenticated. Whether the user name is sent with each subsequent request depends on the browser and type of authentication.
What does this authentication mean? Any idea how exactly this takes place? I would be happy if somebody could give a detailed explanation of how this works exactly.
thanks,
Ramdhan YK


Ram Dhan Yadav (SCJP, SCWCD, SCJA-I, IBM EC(483))
"We are what we repeatedly do. Excellence, then, is not an act, but a habit."
Ram Dhan Yadav K
Ranch Hand

Joined: Aug 13, 2001
Posts: 321
Hello Ranchers,
Seems like no takers for this?
Ramdhan Yadav K
Madhav Lakkapragada
Ranch Hand

Joined: Jun 03, 2000
Posts: 5040
Some discussion re this was in the thread. While I still have to figure it out, basically it means if the remote user has logged-in to our app. server then that remoteUserName will be returned by the method.
Currently I can't spend much time, but will try to get an example asap.
and BTW, what do you expect posting a qstn on Friday @ 5:00 pm..huh!!!
- satya


Take a Minute, Donate an Hour, Change a Life
http://www.ashanet.org/workanhour/2006/?r=Javaranch_ML&a=81
Axel Janssen
Ranch Hand

Joined: Jan 08, 2001
Posts: 2164
If you have Wrox JSP Prof. 2nd edition, in chapter 16 there is some information about security. But I have not read it yet.
Unfortunately at the moment I don't have time. Will post some info later.
Axel
Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2370

Ramdhan, I have given a brief description with code in the following thread that I use in the network of my office (the bottom-most one)....
http://www.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=18&t=000629


Ashik Uzzaman
Senior Member of Technical Staff, Salesforce.com, San Francisco, CA, USA.
Axel Janssen
Ranch Hand

Joined: Jan 08, 2001
Posts: 2164
Muhammad:
This is bartender-style.
Thank you
Axel
Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2370

O Axel, I wish I could be....
Axel Janssen
Ranch Hand

Joined: Jan 08, 2001
Posts: 2164
If there were an election for the SCWCD forum, you could count on my vote.
Printed out the war-file explanation and this authentication thread.
Axel
Ram Dhan Yadav K
Ranch Hand

Joined: Aug 13, 2001
Posts: 321
Hi Guys,
Well, good to find a lot of activity about this topic. Now, after referring to the URL given by Ashik, we have four types of authentication.
(a) HTTP basic authentication,
(b) HTTP digest authentication,
(c) HTTP client or client-cert authentication (through SSL/HTTPS) and
(d) Form-based authentication.
In (a), we have to configure some Realm like LDAP realm for authentication and the web browser will automatically prompt you to log in, and once you provide the login password, the web server will provide a mechanism to store the user details in a cookie or some session sort of thing.
In (b), I am not sure how it works exactly.
In (c), the authentication is done using a certificate and then I am not sure how the server manages the client identity.
In (d), using form based authentication, programmatic authentication, or in some server proprietary form specified by Ashik for Tomcat.
Now, my question is how is the method "getRemoteUser()" going to get the client details in all the above cases. In case (a), I can imagine it, as it is taken care of by the web server, but how does the "getRemoteUser()" method get the information in the rest of the cases?
Am I thinking in a stupid way?
Axel Janssen
Ranch Hand

Joined: Jan 08, 2001
Posts: 2164
Ram,
Server gets getRemoteUserName() from a header line of the browser request (Authentication: action of browser-user). Server compares these values with some server resource to see if the user is authorized to access (Authorization).
None of these authentication methods is Java-specific. It's HTTP or HTTPS. Form based authentication works - I think - with some tricks on the server. Many web servers have a form-based authentication feature. Even LotusDomino.
The Request.getRemoteUserName() just encapsulates this information sent by the browser in a convenient object-oriented way.
Here is the sequence for Basic Authentication:
- browser requests a protected resource
- server responds with 401 (unauthorized) response to challenge authentication of user
Part of 401 response is "WWW-Authenticate" header, such as WWW-Authenticate: Basic realm="MyRealm"
- Browser reacts by popping up dialog asking to input user name/password. Browser typically caches user-id and password in memory (lost when browser is closed) after the first prompt for a particular realm in a session. So user is not prompted again on subsequent requests.
- upon submission, browser takes these values and Base64 encodes the username:password string and sends it to the server along with an authorization header, for example Authorization: Basic WLAERJWRGFKLJS (it's encrypted). HE SENDS HIS NAME.
- if username:password is valid for resource HTTP 200 code is returned along with the resource.
- For resources below the requested path, the browser automatically sends the Authorization header without prompting the user (according to my concept of realm concept).
HTTP Digest Authentication
Seems to function quite similarly, although not very well explained in JSP2.
Server sends random string (called nonce) to browser.
Browser sends authentication username-password as a one-way hash (MD-5) of username, password, URL, HTTP method. Server creates checksum.
Supported at the moment only in IE5.X. Support for the mechanism is NOT mandatory for containers. Perhaps you will find more information on Microsoft sites, if you are interested (please post if you find any results).
Form based authentication
you can deduce from Ashik's post. Quite the same.
HTTPS
later.
Axel
[ January 21, 2002: Message edited by: Axel Janssen ]
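Added example (not part of the original thread and not any poster's or container's code): a stand-alone Java program showing how a server can derive the name that getRemoteUser() reports from the Authorization header for Basic and for Digest. The user ram, password s3cret, nonce, URI and the plain-text password constant are constructed sample values; the Digest calculation is the RFC 2617 form without qop. In Basic the Base64 string decodes back to user:password without any key, while in Digest the user name travels in clear text and only the hash proves knowledge of the password.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.*;

public class RemoteUserDemo {
    static final String REALM = "MyRealm";      // realm name used in the thread
    static final String STORED_PW = "s3cret";   // constructed: stands in for the realm's user store

    // Basic: the header carries Base64("user:password"), which decodes without any key.
    static String basicUser(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()).trim());
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');          // split on the first ':' only
        if (colon < 0) return null;             // malformed credentials
        return STORED_PW.equals(pair.substring(colon + 1)) ? pair.substring(0, colon) : null;
    }
    // Digest: read one quoted parameter such as username="..." from the header.
    static String param(String header, String name) {
        Matcher m = Pattern.compile("\\b" + name + "=\"([^\"]*)\"").matcher(header);
        return m.find() ? m.group(1) : null;
    }
    static String md5Hex(String s) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)))
            hex.append(String.format("%02x", b));
        return hex.toString();
    }
    // RFC 2617 response without qop: MD5(MD5(user:realm:password):nonce:MD5(method:uri))
    static String digestResponse(String user, String pw, String method, String uri, String nonce)
            throws Exception {
        return md5Hex(md5Hex(user + ":" + REALM + ":" + pw) + ":" + nonce + ":" + md5Hex(method + ":" + uri));
    }
    // Server side: recompute the hash from the stored password and compare with the client's.
    static String digestUser(String header, String method) throws Exception {
        String user = param(header, "username");
        String expected = digestResponse(user, STORED_PW, method, param(header, "uri"), param(header, "nonce"));
        return expected.equals(param(header, "response")) ? user : null;
    }
    public static void main(String[] args) throws Exception {
        String basic = "Basic " + Base64.getEncoder().encodeToString("ram:s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println("Basic  -> " + basicUser(basic));
        String resp = digestResponse("ram", "s3cret", "GET", "/protected/index.jsp", "constructed-nonce");
        String digest = "Digest username=\"ram\", realm=\"MyRealm\", nonce=\"constructed-nonce\", "
                + "uri=\"/protected/index.jsp\", response=\"" + resp + "\"";
        System.out.println("Digest -> " + digestUser(digest, "GET"));
    }
}
```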
Ram Dhan Yadav K
Ranch Hand

Joined: Aug 13, 2001
Posts: 321
Hi Axel,
Thanks for the explanation. I have been going through MS&JSP's Declarative Security and Programmatic Security, still not completed as I am more sleepy these days since I also started physical workouts. Well, determined to complete the chapters today and will get back with more information.
 