Home/ Questions/Q 8825155
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T06:48:42+00:00

I’m using Shiro (v1.2.1) as security framework, it works perfectly, but in access log

  • 0

I’m using Shiro (v1.2.1) as security framework, it works perfectly, but in access log for Tomcat (v7.0.32) you cannot get remote user in logging when authenticated user access any resource. for my sample web application I used default configuration provided in Shiro SVN example repo. 


127.0.0.1 - - [13/Nov/2012:08:22:55 +0200] "POST /pacs/login.jsp HTTP/1.1" 302 - // User here not logged
127.0.0.1 - - [13/Nov/2012:08:22:55 +0200] "GET /pacs/ HTTP/1.1" 200 821 // Here user is accessing protected page, so we got permission.

Is there any way this could be solved?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m not sure if this is THE official solution, but it is a solution which works for me:

    for the AccessLogValve pattern, use

    %u - Remote user that was authenticated (if any), else '-'

    this will print the “guessed user name”. If you ask google how tomcat will guess the user name, you’ll find something like this:

    For the user name, the manager uses the Session.getPrincipal() if available; 
if not, it tries the following Session attribute names:
  Login
  User
  userName
  UserName
  Utilisateur
using the given case, lower case, and upper case.  Failing that, it searches for
attributes that are instances of java.security.Principal or
javax.security.auth.Subject.

    In my case, I just modified the login code to write the user object to the session. Tomcat will invoke a .toString() on this object in order to print the “guessed user name”.

    If the result from .toString() is not what you want, you can also try to use

    %{xxx}s xxx is an attribute in the HttpSession

    in your AccessLogValve configuration in order to print another attribute from your session.

    hope that helps.

    • 0