Reputation: 6170
jax-rs (jersey) cannot see REMOTE_USER header in javax.servlet.Filter
I'm using jax-rs (jersey) to create a website / web-service that other users can access, and I have come to the point where adding authentication / authorization is a necessity; so that I can use the security annotations, I have implemented a javax.servlet.Filter whose url-pattern is */.
Apache is running in front of my tomcat instance, verifying credentials and passing the REMOTE_USER header to my web-service so I can determine what resources a user has access to. My problem is that regardless of what request object I look at, I see no REMOTE_USER header; I've also tried injecting the Request with the @Context param, but to no avail.
Please help me.
web.xml:
<web-app ...>
<display-name>ws</display-name>
<filter>
<filter-name>REST Service</filter-name>
<filter-class>com.sun.jersey.spi.container.servlet.ServletContainer</filter-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>base.resources</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.property.JSPTemplatesBasePath</param-name>
<param-value>WEB-INF/views</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.property.WebPageContentRegex</param-name>
<param-value>/(js|css|(WEB-INF/views))/.*</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
</init-param>
</filter>
<filter>
<filter-name>auth-filter</filter-name>
<filter-class>base.auth.AuthFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>auth-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>REST Service</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
filter.java:
public void doFilter(ServletRequest req, ServletResponse response, FilterChain next) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpSession session = request.getSession();
AuthUser userPrincipal = null;
Object sessionUser = session.getAttribute("user");
if(sessionUser != null) userPrincipal = (AuthUser) sessionUser;
else userPrincipal = new AuthUser();
// load in the user principal
Enumeration eheaders = req.getAttributeNames();
while(eheaders.hasMoreElements()){
System.out.println(eheaders.nextElement().toString());
}
String user = (String) req.getAttribute("REMOTE_USER");
...
Upvotes: 0
Views: 1334
Answers (1)
Reputation: 7989
HttpServletRequest.getAttribute() and getAttributeNames() has nothing to do with HTTP headers. Try getHeaderNames() and getHeaders()
Also instead of adding a servlet filter, you may consider adding a Jersey filter - see http://jersey.java.net/nonav/apidocs/latest/jersey/com/sun/jersey/api/container/filter/package-summary.html
Upvotes: 1
Related Questions
- JAX-RS Authentication Filter is not triggered via @Secured annotation
- Setting a Authorization Header in Filter
- Jersey filter does not give header values
- How to add dynamic authorization to JAX-RS service?
- JAX-RS Access-Control-Allow-Origin header not present, but it was added in ResponseFilter
- How to read authorization header in JAX-RS service
- How to configure Tomcat for request.getHeader("remote_user")?
- How to Read the JSON Payload in a JAX-RS Filter
- Java: User Authenticate Using Jersey Jax-RS with Spring Security
- JAX-RS and Spring Security - obtaining authenticated user