Re: [cu-dev] TCK - context-related behavior of HttpServletRequest.getUserPrincipal()
  • From: Nathan Rauh <nathan.rauh@xxxxxxxxxx>
  • Date: Tue, 19 Apr 2022 19:18:45 +0000

Looking over the JavaDoc for getUserPrincipal, it isn’t clear to me which behavior is correct (caching or not caching).

In one place it says, “Returns a java.security.Principal object containing the name of the current authenticated user” and in another place states, “Returns: a java.security.Principal containing the name of the user making this request”.  The former sounds like there should be no caching because it says current user, and the latter sounds like caching because it’s tied to the requesting user, not current user.

 

This lack of clarity is in the Servlet spec, and it is not the place of the Concurrency TCK to interpret and force a particular behavior for Servlet.  I’ll get a pull created to disable those two tests.  Thanks for spotting this!

 

 

From: cu-dev <cu-dev-bounces@xxxxxxxxxxx> on behalf of Petr Aubrecht <aubrecht@xxxxxxxxxxxx>
Reply-To: cu developer discussions <cu-dev@xxxxxxxxxxx>
Date: Tuesday, April 19, 2022 at 1:36 PM
To: cu developer discussions <cu-dev@xxxxxxxxxxx>
Subject: [EXTERNAL] [cu-dev] TCK - context-related behavior of HttpServletRequest.getUserPrincipal()

 

Hello again,

I'm trying to go through the remaining context-related issues.

One of them is the security behavior, test ContextPropagationTests.testSecurityUnchangedContext. The key piece of code is this:

    ManagedExecutorService executor = InitialContext.doLookup("java:app/concurrent/executor2");
    CompletableFuture<String> future = executor.supplyAsync(() -> {
        // Security Context should not be available for calls on a new thread
        return request.getUserPrincipal() == null ? "null" : request.getUserPrincipal().getName();
    });

The executor is configured with context, which has attribute unchanged = SECURITY.

The request variable is shared from the calling function, and the security is stored directly in the request object. Then it fails, as the getUserPrincipal() returns the remembered value, not the contextual.

 

My question: is it required that request.getUserPrincipal() calls the contextual value and must not cache it?

Is it something new in the current version of Servlet API? I haven't found anything related in Servlet API 6.0.

 

The same problem is with testSecurityClearedContext (cleared security).

Thank you

Petr
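
The two readings of getUserPrincipal() discussed in this thread, as an added example that is not code from the TCK, the Servlet API, or either poster. Every type and name in it (CURRENT_USER, Request, CachingRequest, ContextualRequest, the user name) is hypothetical, and a plain java.util.concurrent executor stands in for the ManagedExecutorService:

```java
import java.security.Principal;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration; all types below are hypothetical stand-ins for container internals.
public class PrincipalLookupDemo {
    // Stand-in for a container's per-thread security context.
    static final ThreadLocal<Principal> CURRENT_USER = new ThreadLocal<>();

    interface Request { Principal getUserPrincipal(); }

    // Reading 1: the principal is stored in the request object when the request
    // is created ("the user making this request").
    static final class CachingRequest implements Request {
        private final Principal authenticated = CURRENT_USER.get();
        public Principal getUserPrincipal() { return authenticated; }
    }

    // Reading 2: each call consults the calling thread's security context
    // ("the current authenticated user").
    static final class ContextualRequest implements Request {
        public Principal getUserPrincipal() { return CURRENT_USER.get(); }
    }

    static String nameOf(Request request) {
        Principal p = request.getUserPrincipal();
        return p == null ? "null" : p.getName();
    }

    public static void main(String[] args) throws Exception {
        CURRENT_USER.set(() -> "javajoe"); // constructed user name
        Request caching = new CachingRequest();
        Request contextual = new ContextualRequest();

        // The executor thread has no security context of its own (the "new thread" case).
        ExecutorService executor = Executors.newSingleThreadExecutor();
        try {
            System.out.println("request thread,  caching:    " + nameOf(caching));
            System.out.println("request thread,  contextual: " + nameOf(contextual));
            System.out.println("executor thread, caching:    "
                    + CompletableFuture.supplyAsync(() -> nameOf(caching), executor).get());
            System.out.println("executor thread, contextual: "
                    + CompletableFuture.supplyAsync(() -> nameOf(contextual), executor).get());
        } finally {
            executor.shutdown();
        }
    }
}
```

On the executor thread only the contextual variant reports no principal; the caching variant still returns the user captured on the request thread, which is the difference the two tests are sensitive to.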

