On 07.10.2019 23:24, Magosányi Árpád wrote:
On 10/7/19 8:20 PM, André Warnier (tomcat) wrote:
Forgot the attribute 'tomcatAuthentication="false"' in the Connector?
Yes, I did, however adding it back did not improve the situation.
Ok. I just mentioned that, because it is one piece of the puzzle, and you might have forgotten it.
What this piece really does is:
- IF the front-end Apache httpd authenticates the HTTP request which it later passes on to tomcat
- IF the protocol used between Apache httpd and tomcat is AJP
- IF the AJP Connector in tomcat has the attribute set as above
- THEN tomcat will retrieve the user-id of the httpd-authenticated user, and save it internally as the tomcat-authenticated user-id for this request
So now you have the two last IFs answered positively.
What about the first IF?
Info: in the default format of the Apache httpd access log, it will show the authenticated user (if any) for each request, for example like this:
127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...
(where "THEUSER" is the httpd-authenticated user)
while if the request is not authenticated by httpd, it will show a "-" instead of the user-id, like this:
127.0.0.1 - - [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...
(and, of course, if httpd has not authenticated the request which it later passes on to tomcat via AJP, then it cannot pass a user-id to tomcat, and thus tomcat cannot retrieve this user-id, and thus the request, at the tomcat level, is not authenticated).
Next comes the question of how the tomcat application retrieves this user-id, from tomcat itself. I suppose that this would be a question for the developers of the "com.kodekonveyor.realm.KKAuthorizationFilter" filter mentioned in your configuration below.
(If the KKAuthorizationFilter does not use request.getRemoteUser(), but uses some other method, then you are out of luck for this front-end/back-end combination, or you may need to do something additional at the front-end httpd level.)
My server.xml now:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />
  <Listener
      className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener
      className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener
      className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
and my web.xml until mime mappings:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>fork</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>xpoweredBy</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>
  <filter>
    <filter-name>KKAuthorizationFilter</filter-name>
    <filter-class>com.kodekonveyor.realm.KKAuthorizationFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>KKAuthorizationFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
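
The two checks discussed in the reply above (the AJP Connector attribute in server.xml, and the user field of the httpd access log), as an added Python example that is not part of the original thread. The sample server.xml fragment and log lines are constructed; the function names, the second connector on port 8010 and the /app/ and /static/ paths are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not copied from a real server).
SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false"/>
    <Connector port="8010" protocol="AJP/1.3"/>
  </Service>
</Server>"""

ACCESS_LOG = """\
127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /app/a HTTP/1.1" 200 512
127.0.0.1 - - [07/Oct/2019:21:18:21 +0200] "GET /app/b HTTP/1.1" 200 128
127.0.0.1 - - [07/Oct/2019:21:18:22 +0200] "GET /static/x.css HTTP/1.1" 200 64
"""

# Common Log Format prefix: host ident user [time] "request line"
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)"')


def ajp_connectors(server_xml):
    """Return (port, takes_user_from_httpd) for each AJP Connector."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are not part of this check
        # Tomcat's documented default for tomcatAuthentication is "true".
        value = conn.get("tomcatAuthentication", "true").strip().lower()
        found.append((conn.get("port"), value == "false"))
    return found


def unauthenticated_requests(log_text, path_prefix):
    """Return request lines under path_prefix that httpd logged with user '-'."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        user, request = m.group(3), m.group(5)
        parts = request.split()
        path = parts[1] if len(parts) > 1 else ""
        if user == "-" and path.startswith(path_prefix):
            hits.append(request)
    return hits


if __name__ == "__main__":
    print(ajp_connectors(SERVER_XML))
    print(unauthenticated_requests(ACCESS_LOG, "/app/"))
```

Any request returned by `unauthenticated_requests` for the application's path reached httpd without being authenticated there, so httpd had no user-id to hand to tomcat over AJP.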