Friday, July 31, 2009

Java GlassFish JCIFS access logging NULL-AUTH-USER

If you are using JCIFS for Java web application SSO authentication in GlassFish, user names will not be logged in the access log.

I posted this at: http://forums.java.net/jive/thread.jspa?messageID=358412 but this solution took 7 hours to develop and should help some other people so I am reposting it here.

I ran into the same problem. We are using jcifs.http.NtlmHttpFilter for authentication. The access logs show NULL-AUTH-USER. I saw your solution, copying the remoteUser into request scope in every application and logging using %attribute.%. We have around 20 web apps, though, so this did not seem like a reliable solution. I considered modifying the JCIFS source, but JCIFS is currently a library in every webapp, so all would need to be modified. I found that JCIFS puts the username in a session attribute called NtlmHttpAuth. GlassFish doesn't have any documented method to log session variables, so I searched through the GlassFish source code for any undocumented features. No session logging.

I found that by adding one line of code to GlassFish I could make JCIFS authenticated user access logging work.

I added:

    if (user == null
            && hreq.getSession(false) != null
            && hreq.getSession(false).getAttribute("NtlmHttpAuth") != null) {
        user = hreq.getSession(false).getAttribute("NtlmHttpAuth").toString();
    }

in com\sun\enterprise\web\accesslog\DefaultAccessLogFormatterImpl.java appendAuthUserName method (line 388).

I compiled it and put it in:
C:\Sun\AppServer\lib\appserv-rt.jar

We are running Sun GlassFish Enterprise Server v2.1 (9.1.1). I only compiled and added that one Java file to appserv-rt.jar. I used source from:
GlassFish Project - v2.1 FinalBuild (also known as v2.1 b60e Promoted Build).

This isn't the best way to patch GlassFish, but it is working.
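
An added check, not part of the original post: a Python script that scans access log lines to confirm that user names are being logged after a change like the one above. It assumes a log layout of quoted `client`, `auth-user`, `datetime` and `request` fields followed by status and length; the sample lines and the name `EXAMPLE\jdoe` are constructed.

```python
import re
from collections import Counter

# Assumed layout: "client" "auth-user" "datetime" "request" status length
LINE_RE = re.compile(
    r'^"(?P<client>[^"]*)" "(?P<user>[^"]*)" "(?P<time>[^"]*)" '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<length>\S+)$'
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = '''\
"10.0.0.21" "NULL-AUTH-USER" "31/Jul/2009:09:14:02 -0500" "GET /hr/index.jsp HTTP/1.1" 401 0
"10.0.0.21" "NULL-AUTH-USER" "31/Jul/2009:09:14:02 -0500" "GET /hr/index.jsp HTTP/1.1" 401 0
"10.0.0.21" "EXAMPLE\\jdoe" "31/Jul/2009:09:14:03 -0500" "GET /hr/index.jsp HTTP/1.1" 200 5120
"10.0.0.34" "NULL-AUTH-USER" "31/Jul/2009:09:15:40 -0500" "GET /crm/report.jsp HTTP/1.1" 200 8841
this line is truncated
'''


def audit(lines):
    """Return (counts, unattributed, unparsed) for an iterable of log lines."""
    counts = Counter()
    unattributed = []  # content served with no user name in the log
    unparsed = []      # lines that do not fit the assumed layout
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        status = int(m.group("status"))
        if m.group("user") != "NULL-AUTH-USER":
            counts["attributed"] += 1
        elif status == 401:
            # NTLM challenge round trips are answered before a user is known.
            counts["challenge"] += 1
        else:
            counts["unattributed"] += 1
            unattributed.append((m.group("client"), m.group("request"), status))
    return counts, unattributed, unparsed


if __name__ == "__main__":
    counts, unattributed, unparsed = audit(SAMPLE_LOG.splitlines())
    print(dict(counts))
    for client, request, status in unattributed:
        print("no user logged:", client, request, status)
    print("unparsed lines:", len(unparsed))
```

Entries counted as `unattributed` are the ones to investigate: requests that returned content while the log still shows NULL-AUTH-USER.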
