Identifying Users

Plumbr can identify the users of your application from incoming HTTP traffic, using either a specific HTTP header or a dedicated cookie linked to a value extracted from a specific HttpSession attribute on the server side.

When HTTP headers are used, distinguishing and identifying users is based purely on the value of one particular HTTP header. All Plumbr needs to know in that case is which HTTP header contains the required information.

When HTTP headers are not used, Plumbr falls back to cookies. In that case the identity of a user is extracted from a specific HTTP session attribute. The captured identity is linked to the cookie Plumbr planted in the browser (see the Distinguishing Users section for more on cookies), so that all requests carrying a particular cookie are linked to the identity captured.

By default, Plumbr supports the following frameworks for identity capture:

  • JWT Bearer tokens. If your application passes the identity of the user in the HTTP request headers using JWT Bearer tokens, Plumbr uses the subject claim extracted from the token as the identity of the user.
  • Spring Security. If the application monitored by Plumbr uses the authentication built into the Spring Security library, Plumbr extracts the user’s identity from springframework.security.core.userdetails.UserDetails#getUsername().
  • Java Authentication and Authorization Service (JAAS). If the application Plumbr is monitoring stores Principal instances in the HTTP session, Plumbr extracts the identity from java.security.Principal#getName().
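As an added illustration (not Plumbr's own code; the agent's internals are not described here), the precedence above written as a plain servlet-side resolver: the JWT subject from the Authorization header first, then a JAAS Principal or a Spring Security context stored in the HttpSession. It assumes the javax.servlet and Spring Security classes are on the classpath, and reads the subject without verifying the token, which is why the resulting name is only as trustworthy as the application's own token validation.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.userdetails.UserDetails;
/** Illustrative identity resolver (not Plumbr's own code): HTTP header first, session attribute fallback. */
public final class IdentityResolver {
    // Extracts the "sub" claim from a decoded JWT payload; a production reader would use a JSON parser.
    private static final Pattern SUB = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"]*)\"");
    /** Returns the user identity, or null when none of the documented sources is present. */
    public static String resolve(HttpServletRequest request) {
        String fromHeader = subjectFromBearer(request.getHeader("Authorization"));
        return fromHeader != null ? fromHeader : identityFromSession(request.getSession(false));
    }
    /** Header path: decode the payload segment of "Bearer <jwt>" and read its subject claim. */
    static String subjectFromBearer(String authorization) {
        if (authorization == null || !authorization.startsWith("Bearer ")) return null;
        String[] segments = authorization.substring("Bearer ".length()).split("\\.");
        if (segments.length < 2) return null;
        try {
            // Signature is not verified here: the subject is only a monitoring label, trustworthy as far as the app validated the token.
            String payload = new String(Base64.getUrlDecoder().decode(segments[1]), StandardCharsets.UTF_8);
            Matcher m = SUB.matcher(payload);
            return m.find() ? m.group(1) : null;
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }
    /** Session path: find a JAAS Principal or a Spring SecurityContext among the session attributes. */
    static String identityFromSession(HttpSession session) {
        if (session == null) return null;
        for (String name : Collections.list(session.getAttributeNames())) {
            Object value = session.getAttribute(name);
            if (value instanceof Principal) return ((Principal) value).getName();
            if (value instanceof SecurityContext) {
                Authentication auth = ((SecurityContext) value).getAuthentication();
                if (auth != null && auth.getPrincipal() instanceof UserDetails) {
                    return ((UserDetails) auth.getPrincipal()).getUsername();
                }
            }
        }
        return null;
    }
}
```

Scanning every session attribute is a simplification: Spring Security keeps its SecurityContext under a well-known attribute, whereas a JAAS Principal can sit under any name the application chose.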

Supporting these frameworks means that for ~45% of applications Plumbr is able to identify users without any additional configuration. If Plumbr has not been able to detect the identity, you can help it locate the identity yourself via the Identity Detection Rule menu. How to do this is explained in the following chapter.