I use WebSphere Application Server and form-based authentication for user login to my web application.
In order to check the authorization of the user, I need to use a filter for JSP pages and servlets. For now I can insert the username into the session object, and in my filter I check the authorization with the username in the session.
I want to do it by using the HttpServletRequest getRemoteUser() or getUserPrincipal() methods, but the Filter interface's doFilter() method takes a ServletRequest object as a parameter, and the ServletRequest object does not have getRemoteUser() and getUserPrincipal() methods. When I cast ServletRequest to HttpServletRequest, the methods return empty values.
I also tried to take the Caller Subject from the current thread, but the user seems unauthenticated in the filter.
I'm not sure if it is the same in the current version of WAS, but the last time I used it, you could only get the UserPrincipal if the user was logged in and the resource was secured. I'm not entirely sure how this would apply to filters, but I'm guessing that if the filter wasn't fired by a protected resource, you won't see anything.
But there is a problem with trying that: I don't know how to secure the filter. It seems that it would be secured in the application's policy file.
I'm using WSAD to develop applications. When I add a filter (e.g. myFilter), it also adds itself to the URL mappings of that filter as /myFilter. I added the /myFilter pattern to my secure resources, but it is the same as before. The user seems unauthenticated again.
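As an added example (not code from any poster in this thread): a filter that reads the container-established identity and fails closed when it is absent. It assumes the JSPs and servlets the filter is mapped to are themselves covered by a `<security-constraint>` in web.xml, so the form login runs before the filter is invoked; the class name `AuthorizationFilter` and the role name `AppUser` are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter. A filter has no URL of its own: it runs as part of the
// request for whatever resource its <filter-mapping> matches, so the security
// constraint has to cover those resource URLs (assumed here), not the filter.
public class AuthorizationFilter implements Filter {

    private static final String REQUIRED_ROLE = "AppUser"; // assumed role name

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            throw new ServletException("AuthorizationFilter only handles HTTP requests");
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Null means the container did not authenticate this request,
        // for example because the requested URL is not a protected resource.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // fail closed
            return;
        }
        // Authorization decision based on the container's role mapping,
        // not on a username copied into the session.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```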