---- Rainer Jung <rainer.j...@kippdata.de> wrote:
> On 02.12.2011 17:49, André Warnier wrote:
> > oh...@cox.net wrote:
> >> ---- oh...@cox.net wrote:
> >>> ---- "André Warnier" <a...@ice-sa.com> wrote:
> >>>> oh...@cox.net wrote:
> >>>> ...
> >>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> >>>>> tomcatAuthentication="false" />
> >>>>>
> >>>> That is correct. The "false" means that Tomcat will not do its own
> >>>> authentication, and will instead rely on the authenticated user-id
> >>>> passed by the front-end server.
> >>>>
> >>>> Now could you also show us the section of your Apache front-end
> >>>> configuration, containing the directives which forward the requests
> >>>> to Tomcat? (proxy or rewrite stanzas)
> >>>>
> >>>> Note: the fact that the Apache/Tomcat connector (the one at the
> >>>> Apache level) passes the authenticated user-id to Tomcat along with
> >>>> the proxied request depends on the fact that within Apache (more
> >>>> precisely within the internal Apache "request record"), the request
> >>>> is really authenticated (*).
> >>>> I am saying this because in an earlier post, you mentioned that you
> >>>> were using a third-party authentication package at the Apache httpd
> >>>> level.
> >>>> It is unlikely, but possible, that this authentication package would
> >>>> use its own logic, and never "populate" the internal Apache request
> >>>> record with this user-id (**).
> >>>> In such a case, the automatic forwarding of the user-id by the
> >>>> Apache-level connector module (mod_proxy_ajp or mod_jk) would of
> >>>> course not work, because they check the internal Apache request
> >>>> record, and have no knowledge of another user-id source.
> >>>>
> >>>> (*) in Tomcat terms, the equivalent of populating the userPrincipal
> >>>> object
> >>>> (**) for example, it may act as a filter, and rely on each request
> >>>> always containing a cookie which "authenticates" the request, and do
> >>>> its own access control independently of Apache httpd itself
> >>>>
> >>> Andre,
> >>>
> >>> Sure. Here's the section from httpd.conf. This is testing where I
> >>> purposely insert a "REMOTE_USER" HTTP header into the request being
> >>> proxied. As I said, I have a sniffer on the line, and I can see the
> >>> REMOTE_USER header, but still, when I get to my test JSP hosted on
> >>> the Tomcat, getUserPrincipal() is returning null (don't mind the
> >>> hostname in the ProxyPass, etc. I just happen to be hosting Tomcat on
> >>> that machine, and WebLogic is shut down there).
> >>>
> >>> # Proxy to Tomcat on weblogic1 machine, using AJP
> >>> <Location /samplesajp>
> >>> RequestHeader set "REMOTE_USER" "222222229test111111111111"
> >>> ProxyPass ajp://weblogic1.whatever.com:8009/samplesajp
> >>> ProxyPassReverse ajp://weblogic1.whatever.com:8009/samplesajp
> >>> </Location>
> >>>
> >>> Jim
> >>>
> >> Hi,
> >>
> >> BTW, I asked about this earlier, but is it possible to turn on some
> >> debugging on the Tomcat side, that might help diagnose why the AJP
> >> connector is not working the expected way? I'm not that familiar with
> >> Tomcat or AJP logging, but I've only been able to set logging in
> >> logging.properties so that there's either almost no logging or it
> >> generates a ton of logging (but not stuff on AJP
> >> connection/processing) :(...
> >>
> > Sorry, dunno. Logging is not my favorite area in Tomcat..
> >
> > Also, to tell the truth, I do not know exactly /how/ the Apache user-id
> > is passed to Tomcat. I strongly suspect that the "REMOTE_USER" HTTP
> > header may not be it, and that it may be via what Tomcat calls "request
> > attributes", and Apache calls "environment variables" (but not in the
> > usual shell sense). But I don't know how this particular one may be named.
> > Since you seem better at Java than I am, you may be able to find it in
> > the Tomcat AJP Connector code somewhere. I would start looking for
> > "request attribute" rather than "header".
> >
> > This page: http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
> > seems to hint at ditto, and even mentions a request attribute named
> > "remote_user" (lowercase).
> >
> > Maybe you could try to set this "environment variable" in Apache, and
> > see where it leads you?
> > In this page:
> > http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
> > it shows how to do that (but there it calls them "server variables").
> > The terminology is not very consistent..
>
> Although this thread has moved forward towards the role topic, I want to
> give some info about the user forwarding by mod_jk. Some of it was
> already present in previous posts.
>
> 1) In order to let Tomcat accept the user, you need to set
> tomcatAuthentication to "false"
>
> 2) mod_jk will always forward the user as detected by the
> following logic:
> - the user as authenticated by Apache
> - if this doesn't exist it will forward the value of
> an Apache environment variable. The default name of the
> variable is "JK_REMOTE_USER", but it can be changed using
> the configuration directive "JkRemoteUserIndicator"
>
> 3) The user ID will *not* be forwarded in the form of a request header
>
> 4) The forwarded user id is logged in the JK log file on level debug
> as the "user" field in the line:
>
> Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d
> auth=%s user=%s laddr=%s raddr=%s uri=%s
>
> 5) There is no need to use JkEnvVar
>
> 6) When not using a real Apache authentication, you can instead
> set the Apache environment variable JK_REMOTE_USER
> e.g. via mod_setenvif or the E= syntax of mod_rewrite.
> If you change the name of the env var using JkRemoteUserIndicator
> use the variable name given there instead.
>
> 7) The Apache authenticated user can be logged in the Apache AccessLog
> using "%u". Any environment variable XXX can be logged using
> %{XXX}e.
>
> 8) The user can be logged in the Tomcat AccessLog using %u.
>
> 9) The user is returned by request.getRemoteUser() on the Tomcat side.
>
> Regards,
>
> Rainer
>

Hi Rainer,

Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator. I'm kind of well along the way with my valve, but I still have mod_jk for one proxy section, so I'll give those a try.

Thanks again,

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
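As an added example, not from the thread, here is an httpd.conf fragment that puts Rainer's points 1, 2, 4, 6 and 7 together in working Apache 2.2 configuration. It assumes mod_jk with a workers.properties worker named ajp13 that points at the Tomcat connector quoted above (tomcatAuthentication="false"); SSO_USER and FRONTEND_USER are names chosen for the example.

```apache
# Added example (not from the thread): httpd.conf fragment, Apache 2.2 + mod_jk.
# Assumes mod_jk, mod_auth_basic, mod_rewrite, mod_setenvif and mod_log_config
# are loaded, and a worker "ajp13" in workers.properties that points at the
# Tomcat AJP connector shown earlier (tomcatAuthentication="false", point 1).
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
# point 4: at level debug mod_jk writes the "Service ... user=<id> ..." line
JkLogLevel    debug

# point 2/6: if Apache itself did not authenticate the request, mod_jk forwards
# this environment variable as the remote user. Default name: JK_REMOTE_USER;
# renamed here only to show the directive.
JkRemoteUserIndicator FRONTEND_USER

JkMount /secured/*    ajp13
JkMount /samplesajp/* ajp13

# Case A: real Apache authentication. The authenticated user is forwarded
# automatically; nothing else to configure (point 2, first branch).
<Location /secured>
    AuthType     Basic
    AuthName     "Front end"
    AuthUserFile conf/users.htpasswd
    Require      valid-user
</Location>

# Case B: authentication done by a third-party module that does not populate
# Apache's own user field. Assumed here: it exports the login in an environment
# variable SSO_USER (hypothetical name). Per-directory mod_rewrite runs after
# the authentication phase, so the value is visible and can be copied over
# with the E= flag (point 6). Only an in-server source belongs here: whatever
# ends up in FRONTEND_USER is accepted by Tomcat as the user, unchecked.
<Location /samplesajp>
    RewriteEngine On
    RewriteCond %{ENV:SSO_USER} ^(.+)$
    RewriteRule ^ - [E=FRONTEND_USER:%1]
</Location>

# Case C: the same fixed-value test Jim did with RequestHeader, done the way
# mod_jk actually reads it (point 3: headers are never used). Test setups only.
#<Location /samplesajp>
#    SetEnvIf Request_URI ^/samplesajp/ FRONTEND_USER=222222229test111111111111
#</Location>

# point 7: %u shows the Apache-authenticated user (case A), %{FRONTEND_USER}e
# shows what was handed to mod_jk in cases B and C.
LogFormat "%h %l %u %t \"%r\" %>s %b fe_user=%{FRONTEND_USER}e" jkcombined
CustomLog logs/access_log jkcombined
```

On the Tomcat side the value then appears as request.getRemoteUser() (point 9) and as %u in the AccessLogValve pattern (point 8), so the two access logs can be compared line by line when a forwarded user goes missing.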