Monitoring plugin doesn't log remote user

Description

Hi,

We are testing the monitoring plugin in GeoServer 2.8.3 and noticed that the user executing the request (RemoteUser) was never logged.
We noticed this behaviour with users from the default XML service and with users from LDAP (using LDAP authentication provider).

We've investigated this a bit further.
Both users from the XML service as users from LDAP implement org.springframework.security.core.userdetails.UserDetails.

In MonitorFilter (https://github.com/geoserver/geoserver/blob/2.8.3/src/extension/monitor/core/src/main/java/org/geoserver/monitor/MonitorFilter.java) however the remote user is only set when auth.getPrincipal() is an instance of org.springframework.security.core.userdetails.User, which is not the case:

if (SecurityContextHolder.getContext() != null
&& SecurityContextHolder.getContext().getAuthentication() != null) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth.getPrincipal() != null && auth.getPrincipal() instanceof User) {
data.setRemoteUser(((User)auth.getPrincipal()).getUsername());
}
}

Changing this code to check whether auth.getPrincipal() is an instance of org.springframework.security.core.userdetails.UserDetails and casting to this class instead would probably solve the issue.

Best regards,
Tim.

Environment

None

Status

Assignee

Nuno Oliveira

Reporter

Tim Vander Borght

Triage

None

Fix versions

Affects versions

Components

Priority

Medium
Configure