I am facing an issue with authentication. Please forgive me if I am posting
this in the wrong place.
I am running IIS+jk_connect+Tomcat 7.0.59 but this issue was replicated on
Tomcat 5.5.36. We are using a security filter from a 3rd party that is failing
to engage while requests are sent over AJP via jk_connect. I was able to trace
the issue to the 3rd party checking for previously authenticated principal via
HttpServletRequest.getUserPrincipal(). Regular call via HTTP connector returns
null. Call over jk_connect returns CoyotePrincipal object but the getName() on
it is "". The whole issue starts in the jk_isapi_plugin.c where

    GET_SERVER_VARIABLE_VALUE("REMOTE_USER", s->remote_user);

This macro is defined as

    #define GET_SERVER_VARIABLE_VALUE(name, place)          \
        do {                                                \
            (place) = dup_server_value(private_data->lpEcb, \
                                       (name),              \
                                       &private_data->p);   \
        } while(0)

dup_server_value is

    static char *dup_server_value(LPEXTENSION_CONTROL_BLOCK lpEcb,
                                  const char *name, jk_pool_t *p)
    {
        DWORD sz = HDR_BUFFER_SIZE;
        char buf[HDR_BUFFER_SIZE];
        char *dp;
        if (lpEcb->GetServerVariable(lpEcb->ConnID, (LPSTR)name, buf, &sz))
            return jk_pool_strdup(p, buf);

and "jk_pool_strdup" starts as

    char *jk_pool_strdup(jk_pool_t *p, const char *s)
    {
        char *rc = NULL;
        if (s && p) {
            size_t size = strlen(s);
            if (!size) {
                return "";
            }

So essentially GetServerVariable(REMOTE_USER, buf, &sz) returns TRUE and sets
buf[0]=0 and sz to 0 indicating no REMOTE_USER is present. However, this is
converted to "" by jk_pool_strdup and sent over AJP to Tomcat as a remote_user
with size of 0 bytes.
Since a remote_user field IS sent to Tomcat, it creates a CoyotePrincipal
object with a principal name of empty string.
There is a problem somewhere: two requests over two connectors generate two
different principal objects (null and empty CoyotePrincipal). If I had to put a
finger on it, I would say the issue is with the IIS connector converting empty
REMOTE_USER value to "" instead of NULL.
Can someone with knowledge confirm? I'd like to raise an issue but I want to
submit it into the correct component.
George
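
Added example, not part of the original post and not the connector's own code: a self-contained C model of the behaviour described above, showing how a successful lookup of an empty REMOTE_USER becomes a non-NULL "" and is therefore forwarded, next to a variant that maps the empty value to NULL. `fake_get_server_variable`, `BUF_SIZE`, the `remote_user_*` helpers and the sample values are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64 /* constructed size, not the project's HDR_BUFFER_SIZE */

/* Hypothetical stand-in for lpEcb->GetServerVariable(): reports success even
 * when the value is empty, as the post observed for REMOTE_USER. */
static int fake_get_server_variable(const char *value, char *buf, size_t sz)
{
    if (strlen(value) >= sz)
        return 0;
    strcpy(buf, value);
    return 1;
}

/* Behaviour described in the post: an empty value still yields a non-NULL
 * pointer (""), so the caller treats REMOTE_USER as present. */
static const char *remote_user_as_posted(const char *iis_value, char *buf)
{
    if (!fake_get_server_variable(iis_value, buf, BUF_SIZE))
        return NULL;
    return buf[0] ? buf : "";
}

/* Variant: an empty REMOTE_USER is treated as absent and becomes NULL. */
static const char *remote_user_empty_as_null(const char *iis_value, char *buf)
{
    if (!fake_get_server_variable(iis_value, buf, BUF_SIZE) || buf[0] == '\0')
        return NULL;
    return buf;
}

/* Assumed model of forwarding: the field is sent whenever the pointer is
 * non-NULL, even at length 0 (what the post reports reaching Tomcat). */
static int remote_user_field_sent(const char *remote_user)
{
    return remote_user != NULL;
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *samples[] = { "", "DOMAIN\\george" }; /* constructed inputs */
    for (size_t i = 0; i < 2; i++)
        printf("REMOTE_USER=\"%s\": as posted sent=%d, empty-as-NULL sent=%d\n",
               samples[i],
               remote_user_field_sent(remote_user_as_posted(samples[i], buf)),
               remote_user_field_sent(remote_user_empty_as_null(samples[i], buf)));
    return 0;
}
```

With the empty value, only the first path reports the field as sent, which corresponds to the empty-named principal seen on the Tomcat side; a non-empty user name is forwarded identically by both.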