request.getRemoteUser() is returning null

Document ID : KB000023271
Last Modified Date : 14/02/2018

Issue:

The REMOTE_USER HTTP header value is null when a user accesses protected resources on the backend Weblogic server. The Web Agent is installed on the frontend SunOne web server.

The Siteminder response fires as expected, but the header dump page shows the REMOTE_USER HTTP header with a null value.


== Settings ==

ACO parameters:

  • SetRemoteUser = Yes
  • RemoteUserVar = REMOTE_USER


Web Agent response attribute type: WebAgent-HTTP-Header-Variable, associated with an OnAuthAccept rule.


Environment:

Webserver: SunOne 6.1 with Weblogic 9.2 SP2 plugin

Webagent: 6QMR5 HF21


Cause:

Weblogic returns null from the getRemoteUser() call to guard against a security vulnerability, identity spoofing: by default it does not trust a REMOTE_USER header arriving with the request, since a client could set that header itself.


Workaround:

Start Weblogic with the following runtime argument:

-Dweblogic.http.enableRemoteUserHeader=true


Important Note: Enabling this feature makes the system vulnerable to REMOTE_USER HTTP header spoofing, because Weblogic will then trust that header on any request it receives. It is only acceptable when every request reaches Weblogic through the frontend web server where the Web Agent sets the header, never directly from clients.
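The trust decision described in this article, modelled as an added example (not code from the KB article, Siteminder or Weblogic): the backend only honours REMOTE_USER when the flag is on, and the frontend Web Agent path must replace any client-supplied REMOTE_USER with the authenticated identity. The Backend and web_agent_forward functions are assumed simplifications of the real products.

```python
# Added example: a model of REMOTE_USER header trust between the frontend
# web server (with the Web Agent) and the backend Weblogic server.
# The classes below are assumed simplifications, not the real implementations.
from dataclasses import dataclass
from typing import Dict, Optional

REMOTE_USER_HEADER = "REMOTE_USER"  # the ACO RemoteUserVar value from the article


@dataclass
class Backend:
    """Stand-in for Weblogic's getRemoteUser() behaviour (assumed model)."""
    # Mirrors -Dweblogic.http.enableRemoteUserHeader; off by default.
    enable_remote_user_header: bool = False

    def get_remote_user(self, headers: Dict[str, str]) -> Optional[str]:
        # Default behaviour from the article: the header is ignored, so the
        # servlet sees null even though the Web Agent set it.
        if not self.enable_remote_user_header:
            return None
        return headers.get(REMOTE_USER_HEADER)


def web_agent_forward(client_headers: Dict[str, str],
                      authenticated_user: Optional[str]) -> Dict[str, str]:
    """Frontend path: drop any client-supplied REMOTE_USER, then set it from
    the Siteminder response (the OnAuthAccept rule) if the user is authenticated."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.upper() != REMOTE_USER_HEADER}
    if authenticated_user is not None:
        forwarded[REMOTE_USER_HEADER] = authenticated_user
    return forwarded


def resolve_user(backend: Backend, client_headers: Dict[str, str],
                 authenticated_user: Optional[str],
                 via_web_agent: bool = True) -> Optional[str]:
    """Identity the backend believes it is serving for one request path.
    via_web_agent=False models a backend reachable without the frontend."""
    if via_web_agent:
        headers = web_agent_forward(client_headers, authenticated_user)
    else:
        headers = dict(client_headers)  # no Web Agent in the path to strip/set it
    return backend.get_remote_user(headers)
```

The last case in the test is the one the Important Note warns about: with the flag on and a path that bypasses the frontend, the backend accepts whatever REMOTE_USER the caller sent.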