On 18/09/2012 17:13, Philip Kahle wrote:
> On 18.09.2012 15:47, André Warnier wrote:
>> André Warnier wrote:
>>> Philip Kahle wrote:
>>>> Hi all,
>>>>
>>>> I am trying to set up a Java Web Application using Servlets and JSPs in
>>>> Tomcat 7. User authentication should be done on a central Shibboleth
>>>> Identity Provider.
>>>> I have already configured Apache including mod_ssl, mod_proxy_ajp and
>>>> the shib2 module following these instructions:
>>>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
>>>>
>>>> The redirect to the central login page works and, after entering my
>>>> credentials, the session is correctly created by the identity provider
>>>> and I am forwarded to my webapp.
>>>>
>>>> At this point I should have different attributes in my session, such as
>>>> the user's email address, name and so on.
>>>> But these are stored in the coyoteRequest attributes, which I can
>>>> observe while debugging in Eclipse. As the coyoteRequest is a protected
>>>> field of org.apache.catalina.connector.Request which again is a field of
>>>> the RequestFacade I can not get any of these values.
>>>> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
>>>> in the instructions above).
>>>> By setting "ShibUseHeaders On" in apache I get all of the attributes in
>>>> the request headers, but this is not recommended for security reasons.
>>>>
>>>
>>> Why ? That is a generic recommendation, but it does not apply if :
>>> - all the requests to Tomcat go through httpd first
>>> - the link between httpd and Tomcat is "secure" (not accessible by
>>> anyone)
>>>
>>> If e.g. httpd and Tomcat live on the same host, and you configure the
>>> Tomcat AJP Connector to only accept requests from localhost, then it
>>> would be ok to pass private information through headers.
>>>
>>> Simplify your life if possible.
>>>
>>>
>>>> Is there any way to access the coyoteRequest in a servlet or at least
>>>> configure tomcat to transfer more attributes to the servletRequest?
>>>>
>>>
>>> At least by using mod_jk instead of mod_proxy_ajp, you can transmit a
>>> bunch of things from Apache httpd to Tomcat (including Apache httpd's
>>> "variables" e.g.). I do not know mod_proxy_ajp well enough to
>>> confirm that this is possible with it also, but I would imagine so.
>>>
>> Addendum : sorry, that was not a direct answer to your question.
>> The direct answer is that HttpServletRequest (and ServletRequest)
>> already provide a bunch of methods to access request attributes. See
>> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html.
>> These are part of the specification, so you do not need to configure
>> anything at the Tomcat level for that.
>> As long as the request already contains attributes of course.
>>
>> Still talking about mod_jk, basically anything you set in Apache httpd
>> using "SetEnv" for example, gets passed to Tomcat as a request
>> attribute, through the AJP protocol.
>> Someone else would need to confirm if this is also the case using
>> mod_proxy_ajp.
>
> Thanks for your answer!
> I already studied the methods exposed by HttpServletRequest (and
> ServletRequest from within a filter) but neither these objects nor the
> attached session objects directly include these attributes. Only the
> (invisible) coyoteRequest object inside does so.
>
> I will further investigate the mod_env approach though.
> As Tomcat and httpd indeed remain on the same host and both the
> exceptions you named apply, I will just stick to the header approach for
> now.

A Valve will probably get you what you need but it is Tomcat specific.

Mark
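
For reference, an added example (not from any poster in this thread, and not Tomcat or Shibboleth project code) of reading the attributes without headers: a servlet filter that fetches them by exact name with `getAttribute`, which Tomcat resolves against the connector-level request even though `getAttributeNames()` does not list them. It assumes the SP exports attributes with `attributePrefix="AJP_"` so that mod_proxy_ajp forwards them, that the AJP Connector has `tomcatAuthentication="false"`, and that the ids `eppn`, `mail` and `displayName` match the SP's attribute-map.xml; the class name and the `shib.attributes` key are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: collects Shibboleth attributes sent as AJP request attributes. */
public class ShibAttributeFilter implements Filter {
    // Assumed attribute ids; use the ids defined in your SP's attribute-map.xml.
    private static final String[] NAMES = { "eppn", "mail", "displayName" };
    public static final String KEY = "shib.attributes";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // No authenticated user from the SP: refuse rather than continue anonymously.
        if (http.getRemoteUser() == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Map<String, String> attrs = new LinkedHashMap<String, String>();
        for (String name : NAMES) {
            // Look up by exact name: Tomcat answers getAttribute(name) from the
            // connector-level request, but getAttributeNames() does not list these.
            // Request headers are deliberately not consulted.
            Object v = http.getAttribute(name);
            if (v != null) {
                attrs.put(name, v.toString());
            }
        }
        // Read-only view for servlets and JSPs further down the chain.
        http.setAttribute(KEY, Collections.unmodifiableMap(attrs));
        chain.doFilter(req, res);
    }
}
```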