On 07.10.2019 23:24, Magosányi Árpád wrote:
On 10/7/19 8:20 PM, André Warnier (tomcat) wrote:

Forgot the attribute 'tomcatAuthentication="false"' in the Connector ?


Yes, I did, however adding it back did not improve the situation.

Ok. I just mentioned that, because it is one piece of the puzzle, and you might have forgotten it.
What this piece really does is :
- IF the front-end Apache httpd authenticates the HTTP request which it later passes on to tomcat
- IF the protocol used between Apache httpd and tomcat is AJP
- IF the AJP Connector in tomcat has the attribute set as above
- THEN tomcat will retrieve the user-id of the httpd-authenticated user, and save it internally as the tomcat-authenticated user-id for this request

So now you have the two last IF's answered positively.
What about the first IF ?

Info : in the default format of the Apache httpd access log, it will show the authenticated user (if any) for each request, for example like this :

127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...
(where "THEUSER" is the httpd-authenticated user)

while if the request is not authenticated by httpd, it will show a "-" instead of the user-id, like this :
127.0.0.1 - - [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...

(and, of course, if httpd has not authenticated the request which it later passes on to tomcat via AJP, then it cannot pass a user-id to tomcat, and thus tomcat cannot retrieve this user-id, and thus the request, at the tomcat level, is not authenticated).


Next comes the question of how the tomcat application retrieves this user-id, from tomcat itself. I suppose that this would be a question for the developers of the "com.kodekonveyor.realm.KKAuthorizationFilter" filter mentioned in your configuration below. (If the KKAuthorizationFilter does not use request.getRemoteUser(), but uses some other method, then you are out of luck for this front-end/back-end combination, or you may need to do something additional at the front-end httpd level.)



My server.xml now:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
   <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

   <GlobalNamingResources>
     <Resource name="UserDatabase" auth="Container"
               type="org.apache.catalina.UserDatabase"
               description="User database that can be updated and saved"
               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
               pathname="conf/tomcat-users.xml" />
   </GlobalNamingResources>

   <Service name="Catalina">

     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
                tomcatAuthentication="false"/>


     <Engine name="Catalina" defaultHost="localhost">

       <Realm className="org.apache.catalina.realm.LockOutRealm">
         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                resourceName="UserDatabase"/>
       </Realm>

       <Host name="localhost"  appBase="webapps"
             unpackWARs="true" autoDeploy="true">

         <Valve className="org.apache.catalina.valves.AccessLogValve"
                directory="logs"
                prefix="localhost_access_log" suffix=".txt"
                pattern="%h %l %u %t &quot;%r&quot; %s %b" />

       </Host>
     </Engine>
   </Service>
</Server>

and my web.xml until mime mappings:

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                       http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
   version="4.0">


     <servlet>
         <servlet-name>default</servlet-name>
         <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
         <init-param>
             <param-name>debug</param-name>
             <param-value>0</param-value>
         </init-param>
         <init-param>
             <param-name>listings</param-name>
             <param-value>false</param-value>
         </init-param>
         <load-on-startup>1</load-on-startup>
     </servlet>


     <servlet>
         <servlet-name>jsp</servlet-name>
         <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
         <init-param>
             <param-name>fork</param-name>
             <param-value>false</param-value>
         </init-param>
         <init-param>
             <param-name>xpoweredBy</param-name>
             <param-value>false</param-value>
         </init-param>
         <load-on-startup>3</load-on-startup>
     </servlet>


     <servlet-mapping>
         <servlet-name>default</servlet-name>
         <url-pattern>/</url-pattern>
     </servlet-mapping>

     <servlet-mapping>
         <servlet-name>jsp</servlet-name>
         <url-pattern>*.jsp</url-pattern>
         <url-pattern>*.jspx</url-pattern>
     </servlet-mapping>

   <filter>
     <filter-name>KKAuthorizationFilter</filter-name>
     <filter-class>com.kodekonveyor.realm.KKAuthorizationFilter</filter-class>
   </filter>

   <filter-mapping>
     <filter-name>KKAuthorizationFilter</filter-name>
     <url-pattern>/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
   </filter-mapping>

     <session-config>
         <session-timeout>30</session-timeout>
     </session-config>
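An added illustration, not code from this thread or from the kodekonveyor project: a minimal Servlet 4.0 filter (hypothetical class name RemoteUserCheckFilter, hypothetical package com.example.demo) that reads the container-level user-id the way André describes, through request.getRemoteUser(), and rejects requests that arrive with none, which is what a webapp behind this AJP Connector sees whenever httpd did not authenticate the request before forwarding it.

```java
package com.example.demo; // hypothetical package; this is not the KKAuthorizationFilter from the thread

import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Accepts only requests for which Tomcat already holds an authenticated user-id.
 * With an AJP Connector that has tomcatAuthentication="false", that user-id is the
 * one httpd authenticated and forwarded over AJP (the value httpd logs in its %u
 * field); when httpd logged "-" there, the container sees null here.
 */
public class RemoteUserCheckFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The two container-level ways to read the identity Tomcat holds for this request.
        String remoteUser = request.getRemoteUser();
        Principal principal = request.getUserPrincipal();

        if (remoteUser == null || remoteUser.isEmpty()) {
            // Same symptom as in the thread: no user-id reached Tomcat, so the
            // application must not treat the caller as authenticated.
            request.getServletContext().log("no container user for " + request.getRequestURI()
                    + " from " + request.getRemoteAddr() + "; was the request authenticated by httpd?");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        request.getServletContext().log("container user '" + remoteUser + "' (principal="
                + (principal == null ? "none" : principal.getName()) + ") for " + request.getRequestURI());
        chain.doFilter(request, response);
    }
}
```

Because tomcatAuthentication="false" makes Tomcat accept whatever user-id its AJP peer sends, a filter like this is only meaningful when the AJP port (8009 in the server.xml above) is reachable from the front-end httpd alone.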
