On 18.09.2012 15:47, André Warnier wrote:
> André Warnier wrote:
>> Philip Kahle wrote:
>>> Hi all,
>>>
>>> I am trying to set up a Java Web Application using Servlets and JSPs in
>>> Tomcat 7. User authentication should be done on a central Shibboleth
>>> Identity Provider.
>>> I have already configured Apache including mod_ssl, mod_proxy_ajp and
>>> the shib2 module following these instructions:
>>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
>>>
>>> The redirect to the central login page works and, after entering my
>>> credentials, the session is correctly created by the identity provider
>>> and I am forwarded to my webapp.
>>>
>>> At this point I should have different attributes in my session, such as
>>> the user's email address, name and so on.
>>> But these are stored in the coyoteRequest attributes, which I can
>>> observe while debugging in Eclipse. As the coyoteRequest is a protected
>>> field of org.apache.catalina.connector.Request which again is a field of
>>> the RequestFacade I cannot get any of these values.
>>> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
>>> in the instructions above).
>>> By setting "ShibUseHeaders On" in apache I get all of the attributes in
>>> the request headers, but this is not recommended for security reasons.
>>>
>>
>> Why ? That is a generic recommendation, but it does not apply if :
>> - all the requests to Tomcat go through httpd first
>> - the link between httpd and Tomcat is "secure" (not accessible by
>> anyone)
>>
>> If e.g. httpd and Tomcat live on the same host, and you configure the
>> Tomcat AJP Connector to only accept requests from localhost, then it
>> would be ok to pass private information through headers.
>>
>> Simplify your life if possible.
>>
>>
>>> Is there any way to access the coyoteRequest in a servlet or at least
>>> configure tomcat to transfer more attributes to the servletRequest?
>>>
>>
>> At least by using mod_jk instead of mod_proxy_ajp, you can transmit a
>> bunch of things from Apache httpd to Tomcat (including Apache httpd's
>> "variables" e.g.). I do not know mod_proxy_ajp well enough to
>> confirm that this is possible with it also, but I would imagine so.
>>
> Addendum : sorry, that was not a direct answer to your question.
> The direct answer is that HttpServletRequest (and ServletRequest)
> already provide a bunch of methods to access request attributes. See
> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html.
> These are part of the specification, so you do not need to configure
> anything at the Tomcat level for that.
> As long as the request already contains attributes of course.
>
> Still talking about mod_jk, basically anything you set in Apache httpd
> using "SetEnv" for example, gets passed to Tomcat as a request
> attribute, through the AJP protocol.
> Someone else would need to confirm if this is also the case using
> mod_proxy_ajp.

Thanks for your answer!

I already studied the methods exposed by HttpServletRequest (and ServletRequest from within a filter) but neither these objects nor the attached session objects directly include these attributes. Only the (invisible) coyoteRequest object inside does so.

I will further investigate the mod_env approach though.

As Tomcat and httpd indeed remain on the same host and both the exceptions you named apply, I will just stick to the header approach for now.
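
The two conditions named in the thread for passing attributes as headers (all requests reach Tomcat through httpd, and the connector only accepts requests from localhost) can be checked against Tomcat's server.xml. The script below is an added example, not code from the thread or from the Tomcat or Shibboleth projects; the server.xml fragments are constructed, and treating a connector without an explicit address attribute as not restricted is an assumption, since the effective default depends on the Tomcat version.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not taken from the thread).
SAMPLE_OPEN = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

SAMPLE_LOCAL = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
</Service></Server>"""


def is_loopback(address):
    """True only when the bind address is provably a loopback address."""
    if address is None:
        # Assumption: no explicit address means "not restricted".
        return False
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # a host name that cannot be verified offline


def audit_connectors(server_xml):
    """Return (port, protocol, address, loopback_only) per <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        address = conn.get("address")
        findings.append((conn.get("port"),
                         conn.get("protocol", "HTTP/1.1"),
                         address, is_loopback(address)))
    return findings


def all_connectors_loopback(server_xml):
    """True when every connector (HTTP and AJP) is bound to loopback, so
    requests can only arrive through a front end on the same host."""
    findings = audit_connectors(server_xml)
    return bool(findings) and all(ok for *_, ok in findings)


if __name__ == "__main__":
    for label, xml_text in (("open", SAMPLE_OPEN), ("local", SAMPLE_LOCAL)):
        for port, proto, addr, ok in audit_connectors(xml_text):
            print(label, port, proto, addr, "loopback" if ok else "REVIEW")
        print(label, "all loopback:", all_connectors_loopback(xml_text))
```

The check covers the HTTP connector as well as AJP, because a client that can reach any Tomcat connector directly does not pass through httpd and can supply its own request headers.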