---- "André Warnier" <a...@ice-sa.com> wrote: 
> oh...@cox.net wrote:
> > ---- oh...@cox.net wrote: 
> >> ---- "André Warnier" <a...@ice-sa.com> wrote: 
> >>> oh...@cox.net wrote:
> >>> ...
> >>>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
> >>>> tomcatAuthentication="false" />
> >>>>
> >>> That is correct. The "false" means that Tomcat will not do its own 
> >>> authentication, and 
> >>> will instead rely on the authenticated user-id passed by the front-end 
> >>> server.
> >>>
> >>> Now could you also show us the section of your Apache front-end 
> >>> configuration, containing 
> >>> the directives which forward the requests to Tomcat ?
> >>> (proxy or rewrite stanzas)
> >>>
> >>> Note: the fact that the Apache/Tomcat connector (the one at the Apache 
> >>> level) passes the 
> >>> authenticated user-id to Tomcat along with the proxied request, depends 
> >>> on the fact that 
> >>> within Apache (more precisely within the internal Apache "request 
> >>> record"), the request is 
> >>> really authenticated (*).
> >>> I am saying this because in an earlier post, you mentioned that you were 
> >>> using a 
> >>> third-party authentication package at the Apache httpd level.
> >>> It is unlikely, but possible, that this authentication package would use 
> >>> its own logic, 
> >>> and never "populate" the internal Apache request record with this user-id 
> >>> (**).
> >>> In such a case, the automatic forwarding of the user-id by the 
> >>> Apache-level connector 
> >>> module (mod_proxy_ajp or mod_jk) would of course not work, because they 
> >>> check the internal 
> >>> Apache request record, and have no knowledge of another user-id source.
> >>>
> >>>
> >>> (*) in Tomcat terms, the equivalent of populating the userPrincipal object
> >>> (**) for example, it may act as a filter, and rely on each request always 
> >>> containing a 
> >>> cookie which "authenticates" the request, and do its own access control 
> >>> independently of 
> >>> Apache httpd itself
> >>>
> >>
> >> Andre,
> >>
> >> Sure.  Here's the section from httpd.conf.  This is testing where I 
> >> purposely insert a "REMOTE_USER" HTTP header into the request being 
> >> proxied.  As I said, I have a sniffer on the line, and I can see the 
> >> REMOTE_USER header, but still, when I get to my test JSP hosted on the 
> >> Tomcat, getUserPrincipal() is returning null (don't mind the hostname in 
> >> the ProxyPass, etc.  I just happen to be hosting Tomcat on that machine, 
> >> and WebLogic is shutdown there).
> >>
> >>
> >> # Proxy to Tomcat on weblogic1 machine, using AJP
> >> <Location /samplesajp>
> >> RequestHeader set "REMOTE_USER" "222222229test111111111111"
> >> ProxyPass          ajp://weblogic1.whatever.com:8009/samplesajp
> >> ProxyPassReverse   ajp://weblogic1.whatever.com:8009/samplesajp
> >> </Location>
> >>
> >> Jim
> >>
> >>
> > 
> > Hi,
> > 
> > BTW, I asked about this earlier, but is it possible to turn on some 
> > debugging on the Tomcat side, that might help diagnose why the AJP 
> > connector is not working the expected way?  I'm not that familiar with 
> > Tomcat or AJP logging, but I've only been able to set logging in 
> > logging.properties so that there's either almost no logging or it generated 
> > a ton of logging (but not stuff on AJP connection/processing) :(...
> > 
> Sorry, dunno.  Logging is not my favorite area in Tomcat..
> 
> Also, to tell the truth, I do not know exactly /how/ the Apache user-id is 
> passed to 
> Tomcat.  I strongly suspect that the "REMOTE_USER" HTTP header may not be it, 
> and that it 
> may be via what Tomcat calls "request attributes", and Apache calls 
> "environment 
> variables" (but not in the usual shell sense).  But I don't know how this 
> particular one 
> may be named.
> Since you seem better at Java than I am, you may be able to find it in the 
> Tomcat AJP 
> Connector code somewhere.  I would start looking for "request attribute" 
> rather than "header".
> 
> This page : http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
> seems to hint at ditto, and even mentions a request attribute named 
> "remote_user" (lowercase).
> 
> Maybe you could try to set this "environment variable" in Apache, and see 
> where it leads you ?
> In this page : 
> http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
> it shows how to do that (but there it calls them "server variables").
> The terminology is not very consistent..
> 
> 
> 
>

Hi,

Ok, I'll take a look at those.  FYI, I have debug level on the Apache side, and 
there is some stuff there, which I think confirms that I am indeed including 
REMOTE_USER in the requests to Tomcat/AJP:


[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(44): proxy: AJP: 
canonicalising URL //weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1412): [client 192.168.0.7] 
proxy: ajp: found worker ajp://weblogic1.whatever.com:8009/samplesajp for 
ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy.c(819): Running scheme ajp handler 
(attempt 0)
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_http.c(1683): proxy: HTTP: 
declining URL ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(520): proxy: AJP: serving 
URL ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1790): proxy: AJP: retrying the 
worker for (weblogic1.whatever.com)
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1796): proxy: AJP: worker for 
(weblogic1.whatever.com) has been marked for retry
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1852): proxy: AJP: has acquired 
connection for (weblogic1.whatever.com)
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1913): proxy: connecting 
ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp to 
weblogic1.whatever.com:8009
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(2012): proxy: connected 
/samplesajp/ssoAMTomcatTest.jsp to weblogic1.whatever.com:8009
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(2169): proxy: AJP: fam 2 socket 
created to connect to weblogic1.whatever.com
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(218): Into ajp_marshal_into_msgb
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[0] [Host] = [apache1.whatever.com]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[1] [User-Agent] = [Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 
Firefox/8.0]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[2] [Accept] = 
[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[3] [Accept-Language] = [en-us,en;q=0.5]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[4] [Accept-Encoding] = [gzip, deflate]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[5] [Accept-Charset] = [ISO-8859-1,utf-8;q=0.7,*;q=0.7]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[6] [Connection] = [keep-alive]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[11] [REMOTE_USER] = [222222229test111111111111]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[12] [Max-Forwards] = [10]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(424): ajp_marshal_into_msgb: 
Done
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(201): proxy: 
APR_BUCKET_IS_EOS
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(206): proxy: data to read 
(max 8186 at 4)
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(221): proxy: got 0 bytes of 
data
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(646): ajp_read_header: 
ajp_ilink_received 04
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(656): ajp_parse_type: got 04
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(485): ajp_unmarshal_response: 
status = 200
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(496): ajp_unmarshal_response: 
Number of headers is = 3
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(558): ajp_unmarshal_response: 
Header[0] [Set-Cookie] = [JSESSIONID=887932DFF778B68B9BA3A43C85E8A4F2; 
Path=/samplesajp; Secure]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(558): ajp_unmarshal_response: 
Header[1] [Content-Type] = [text/html;charset=ISO-8859-1]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(568): ajp_unmarshal_response: 
ap_set_content_type done
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(558): ajp_unmarshal_response: 
Header[2] [Content-Length] = [1132]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(646): ajp_read_header: 
ajp_ilink_received 03
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(656): ajp_parse_type: got 03
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(646): ajp_read_header: 
ajp_ilink_received 05
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(656): ajp_parse_type: got 05
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(439): proxy: got response 
from 192.168.0.211:8009 (weblogic1.whatever.com)
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1870): proxy: AJP: has released 
connection for (weblogic1.whatever.com)

As you can see, there is a REMOTE_USER header:


[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: 
Header[11] [REMOTE_USER] = [222222229test111111111111]


Jim
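As an added example (not code from this thread, from Tomcat, or from mod_proxy_ajp/mod_jk): a small Python encoder and decoder for the AJP/1.3 "Forward Request" packet, following the field layout and codes on the ajpv13a page linked above. It makes André's point concrete: a REMOTE_USER HTTP header like the one in Jim's RequestHeader test travels in the packet's header list, whereas the user id a container with tomcatAuthentication="false" consults is the separate remote_user request attribute (attribute code 0x03) that mod_proxy_ajp fills in from Apache's own authenticated request record. Host names, URIs and user ids below are constructed; the attribute decoder only handles string-valued attributes (ssl_key_size is an integer in the spec and is not covered).

```python
"""AJP/1.3 forward-request encoder/decoder (added example, not Tomcat code)."""
import struct

JK_AJP13_FORWARD_REQUEST = 0x02        # packet prefix code, front end -> container
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
# Well-known request headers are sent as 2-byte codes 0xA0xx instead of strings.
COMMON_HEADERS = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}
COMMON_HEADER_NAMES = {v: k for k, v in COMMON_HEADERS.items()}
# Request attribute codes (subset). 0x03 remote_user is the field Tomcat maps
# to getRemoteUser()/getUserPrincipal() when tomcatAuthentication="false".
ATTR_REMOTE_USER, ATTR_AUTH_TYPE, ATTR_REQ_ATTRIBUTE, ATTR_END = 0x03, 0x04, 0x0A, 0xFF
ATTR_NAMES = {ATTR_REMOTE_USER: "remote_user", ATTR_AUTH_TYPE: "auth_type"}


def enc_string(s):
    """AJP string: 2-byte length, bytes, NUL terminator. None is sent as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(method, uri, headers, remote_user=None,
                          remote_addr="127.0.0.1", server_name="localhost",
                          server_port=80, is_ssl=False):
    """Encode one forward-request packet, including the 0x1234 framing."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHODS[method]])
    body += enc_string("HTTP/1.1") + enc_string(uri)
    body += enc_string(remote_addr) + enc_string(None)       # remote_host unresolved
    body += enc_string(server_name) + struct.pack(">H", server_port)
    body += bytes([1 if is_ssl else 0]) + struct.pack(">H", len(headers))
    for name, value in headers:
        code = COMMON_HEADERS.get(name.lower())
        body += struct.pack(">H", code) if code else enc_string(name)
        body += enc_string(value)
    if remote_user is not None:                               # what mod_proxy_ajp adds
        body += bytes([ATTR_REMOTE_USER]) + enc_string(remote_user)
    body += bytes([ATTR_END])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode("latin-1"), pos + n + 1    # skip trailing NUL


def parse_forward_request(packet):
    """Decode a forward-request packet into method, uri, headers and attributes."""
    magic, length = struct.unpack_from(">HH", packet, 0)
    assert magic == 0x1234, "not a front-end-to-container AJP packet"
    buf = packet[4:4 + length]
    assert buf[0] == JK_AJP13_FORWARD_REQUEST, "not a forward request"
    method = {v: k for k, v in METHODS.items()}[buf[1]]
    pos = 2
    _protocol, pos = _read_string(buf, pos)
    uri, pos = _read_string(buf, pos)
    for _ in range(3):                                        # remote_addr, remote_host, server_name
        _, pos = _read_string(buf, pos)
    pos += 3                                                  # server_port (2) + is_ssl (1)
    (num_headers,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    headers = {}
    for _ in range(num_headers):
        (first,) = struct.unpack_from(">H", buf, pos)
        if (first & 0xFF00) == 0xA000:                        # coded common header
            name, pos = COMMON_HEADER_NAMES[first], pos + 2
        else:                                                 # plain string header name
            name, pos = _read_string(buf, pos)
        value, pos = _read_string(buf, pos)
        headers[name.lower()] = value
    attributes = {}
    while buf[pos] != ATTR_END:
        code, pos = buf[pos], pos + 1
        if code == ATTR_REQ_ATTRIBUTE:                        # generic name/value pair
            name, pos = _read_string(buf, pos)
        else:
            name = ATTR_NAMES.get(code, "attr_%02x" % code)
        value, pos = _read_string(buf, pos)
        attributes[name] = value
    return {"method": method, "uri": uri, "headers": headers, "attributes": attributes}


def container_remote_user(parsed):
    """User id a tomcatAuthentication="false" container would report: the
    remote_user attribute only; a REMOTE_USER header is just another header."""
    return parsed["attributes"].get("remote_user")


if __name__ == "__main__":
    # Constructed sample 1: the thread's test, a REMOTE_USER header but no attribute.
    hdr_only = parse_forward_request(build_forward_request(
        "GET", "/samplesajp/test.jsp",
        [("Host", "apache1.example.invalid"), ("REMOTE_USER", "jim")]))
    print("header test  ->", container_remote_user(hdr_only))      # None
    # Constructed sample 2: the attribute Apache sets after a real authentication.
    attr = parse_forward_request(build_forward_request(
        "GET", "/samplesajp/test.jsp", [("Host", "apache1.example.invalid")], remote_user="jim"))
    print("attribute    ->", container_remote_user(attr))          # jim
```

The decoder shows why the sniffer trace and the null getUserPrincipal() are not in conflict: the header is delivered, but it is the wrong channel. Because a container configured with tomcatAuthentication="false" accepts the remote_user attribute from its AJP peer verbatim, the connector's `address` attribute (and firewalling of port 8009) should limit that peer to the front end that actually performed the authentication.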

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
