Does CommandBox support mocking Integrated Windows...
# box-products
j
Does CommandBox support mocking Integrated Windows Authentication? I plan to work around it by using dotenv and some logic based on environment, but don't want to if I'm missing something CommandBox already can do.
b
@John Liljegren What exactly are you using in the request to see the logged in user?
Something in the CGI scope?
j
yeah, cgi.auth_user
b
Honestly, you can just set that in CFML code
But let me check and see if CommandBox can set that
j
yeah i'm creating a new coldbox app so i plan to centralize the auth logic with cbSecurity
b
FWIW, Undertow does have a `GSSAPIAuthenticationMechanism` that CommandBox could tap into which supports kerberos and I THINK can provide actual windows auth
I've just never messed with it and no one has ever asked for it, lol
Hmm, looking in Lucee's cgi scope code, `remote_user` is set, but I don't see it setting `auth_user` unless it's part of the request attributes
remote user comes from `HTTPServletRequest.getRemoteUser()`
j
this will be ACF 2021, btw
can `GSSAPIAuthenticationMechanism` be tapped into at runtime?
b
No, I'd need to add support for it in CommandBox proper
j
alright, well i'm not dying for this - like i said i can just do an env based approach
thanks for looking into it!
b
I'm still digging through some Undertow source code...
I'm not positive if Adobe gets auth_user from the same place Lucee gets cgi remote user
The undertow http servlet request impl gets it from the name of the actual authenticated Principal in the security context
Which, of course, when using basic auth or client cert auth, is set every request
Undertow's source code doesn't allow the `RemoteUserAttribute` to be written, only read so setting it in a server rule won't work
So you may need to override it at the CF level
Lucee allows the CGI scope to be written directly to, but I don't think Adobe is that cool
The typical method in CFML to override arbitrary keys in the CGI scope differs per engine but in Adobe, you can set request attributes
The question then becomes whether Adobe looks there before or after checking with the servlet.
j
right
b
I can answer that question for Lucee, since I can see the source code, but for Adobe you'd have to test it
IF it will work, it would work like so
```
getPageContext().getRequest().setAttribute( 'AUTH_USER', 'my-value' );
```
☝️ Note this is case sensitive on the key names
I know that will work for random strings that aren't common in the CGI scope, but when it comes to `AUTH_USER`, that's one that adobe has specific code for, so you'd have to test to see if Adobe checks the request attributes first or last
And the other way you can shoehorn stuff into the CGI scope which works for Adobe and Lucee is an HTTP request header, but again I doubt they are checked first as that would be a security issue
If that code above doesn't work, you'll likely just need to encapsulate your `getAuthUser()` method so the cgi scope is only touched there and then you can swap out the mechanism to get the value on dev inside that method to mock it.
Now, that said-- it is possible for CommandBox to force-override Undertow's behavior here, but it would take me writing some java code to override some stuff. Could be handy to add it in just for testing purposes, but not sure if it's worth it.
j
where should i add the `getPageContext().getRequest().setAttribute( 'AUTH_USER', 'my-value' );`? which lifecycle method in coldbox?
onrequeststart?
b
Anywhere in the request prior to where you access the CGI scope, lol
Just to do a quick test, add it on request start and then dump out the cgi variable right below it
j
don't think it's working
b
Ok, it was a long shot. I'm sure Adobe doesn't fall back to request attrs for that key
Also, related ticket. I guess I put this one in, lol https://luceeserver.atlassian.net/browse/LDEV-4126
Lucee is awesome sometimes, and then really easy stuff like this just rots in their backlog, lol
I put the code in the ticket. Someone literally just had to copy and paste it!! 😆
j
ha well it is easy enough to use a different variable
b
If doing actual win auth in CommandBox is something you would use, let me know
Would be interesting to poke at undertow's auth mechanism for it
I just don't know much about it
j
for this project, yeah i would, but it's really easy to work around
i'm trying to introduce commandbox to this client