Re: Anybody can help me? Thank you!
Hi, you can read the message in the attachment.

1. The error message means:

2011-12-02 07:45:52,654 [catalina-exec-7] ERROR [net.bwda.framework.web.indexpage.IndexpagesAction.ssoLogin(IndexpagesAction.java:357)] - 单点登录失败 (translation: SSO login failed) URL: http://10.33.211.35/ngcrm//login.action?sessionId=753221&userCode=19500324&passwd=9519082&businessType=5&loginIp=1931feeb8738626ee32e20ac87243336 ClientAbortException: java.net.SocketException: 打破的管道 (translation: broken pipe)

2. "So, you're saying that Tomcat isn't running but it is somehow still running? Can you be more specific? Why do you think it's running? Why do you think it's not running?"

First, why running? With `ps -afe | grep java` I can see the pid is still there.

Second, why not running? I use the IE6 browser, and I can't receive the response message when I request the URL.

孙文
江苏保旺达软件技术有限公司 (Jiangsu Bwda Software Technology Co., Ltd.)

From: Christopher Schultz
Date: 2011-12-03 00:52
To: Tomcat Users List
Subject: Re: Anybody can help me? Thank you!

孙文,

On 12/2/11 11:20 AM, 孙文 wrote:
I use Tomcat 7.0.22. When I use getResponse().sendRedirect(url) in an action (Struts2), I watch the Tomcat log and it records this, shown in the following picture. [java.net.SocketException] Why?

It could be many things: the error message itself is in Chinese, and it's in an image so there's no way for me to plug it into Google Translate to see what it actually says.

My guess is that the client disconnected before you were able to send the redirect, and so there's nowhere for the data to go -- that would be a case where this exception is entirely expected and shouldn't be considered a problem.

And sometimes Tomcat is not in service, but CPU, memory and Tomcat threads are normal on Solaris.

So, you're saying that Tomcat isn't running but it is somehow still running? Can you be more specific? Why do you think it's running? Why do you think it's not running?

By the way, you have code after your sendRedirect call that might affect the response -- that's probably a bad idea. Generally, you want sendRedirect to be the last thing your code does before returning from the doGet (or functionally-equivalent) method.

-chris
Re: Anybody can help me? Thank you!
On 12/3/2011 8:57 AM, 孙文 wrote:
First, why running? With `ps -afe | grep java` I can see the pid is still there.
Second, why not running? I use the IE6 browser, and I can't receive the response message when I request the URL.

Given those two, it's likely that Tomcat is running, but your app is not, or is failing in some way when you connect to it.

D
Reply: Re: Anybody can help me? Thank you!
I hit a similar problem. I use the IE browser to access a URL that has no corresponding controller handler. For example, the normal URL is /list/women/all; if I access /list/women, it raises ClientAbortException 中断的连接 (translation: connection aborted).

zhh5...@163.com

Quoting the original message:
From: David Kerber dcker...@verizon.net
Sent: 2011-12-03 22:22
Subject: Re: Anybody can help me? Thank you!
To: Tomcat Users List users@tomcat.apache.org

On 12/3/2011 8:57 AM, 孙文 wrote:
First, why running? With `ps -afe | grep java` I can see the pid is still there.
Second, why not running? I use the IE6 browser, and I can't receive the response message when I request the URL.

Given those two, it's likely that Tomcat is running, but your app is not, or is failing in some way when you connect to it.

D
Re: Tomcat Logging and HTTP Header question
Pid wrote:
There are Tomcat professors?

I'd say that they fit right in with pet food tasters, dog walkers and chicken sexers, no?
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote:
.. re-synchronising..

I've made some progress. I have a VirtualHost, so I had to add a JkMountCopy 'on' inside the VirtualHost, and now it's at least proxying through to the Tomcat using mod_jk!! BUT, it's still not logging me into the Tomcat :(... I don't want to post the entire jk.log, so can someone point me to what to look for in there, maybe?

André Warnier a...@ice-sa.com wrote:
Ok, so let's now continue on the mod_jk track, since you've got that part running.

What you are looking for is an AJP request attribute named remote_user (lowercase), in the packets which mod_jk sends to Tomcat. I don't know if that would be in the log, nor if there is any way to coerce mod_jk into putting it in the log. But since your Tomcat is not authenticating, chances are that it isn't there. So let's try to cheat, and force it to be there. In your Apache configuration, add this line:

JkEnvVar remote_user blablabla

and let's see what happens. (And after that, we'll try mod_rewrite or a combination.)

oh...@cox.net wrote:
Andre, I had already tried including a JkEnvVar as you suggested in my httpd.conf, in order to try to hard-code getting SOMETHING to show up, but no joy :(... I've also tried a bunch of other variants:

JkEnvVar REMOTE_USER
JkEnvVar remote_user foobar
JkEnvVar AJP_REMOTE_USER foobar

Nothing works :(... This is really getting discouraging :(. It almost seems to me like that 'tomcatAuthentication' functionality doesn't even exist at all. I've searched the jk.log for multiple things, attr, remo, etc., and find nothing relevant/significant at all in there...

André Warnier wrote:
Do not get discouraged. I can guarantee that tomcatAuthentication=false works, when the Apache front-end really does authenticate the user. I use this all the time. (Just not with the same SSO mechanism as you.)

I also know that JkEnvVar does work in general for setting request attributes at the Apache level, and having them passed to Tomcat by mod_jk, because I also use that regularly. (And there exists a similar functionality in mod_proxy_ajp.)

What may not work in the trials above is that specifically this remote_user request attribute may be overwritten by mod_jk or mod_proxy_ajp, even when you have set it explicitly in Apache. After all, this feature is designed to do one thing: examine the request record of Apache for an authenticated user-id, and if one is set, pass it along to Tomcat over the AJP channel. If mod_jk/mod_proxy_ajp do not find such a user-id in the request record, they may just /clear/ the remote_user attribute, thus voiding our attempts at cheating.

To verify this is relatively simple. Create the following Location section in Apache:

<Location /sampleajp>
AuthType Basic
AuthName toTomcat
AuthUserFile /some-path/passwords
Require user testuser
SetHandler jakarta-servlet
SetEnv JK_WORKER_NAME tomcatA   (<- or whatever name your worker has)
</Location>

Note: the SetHandler and SetEnv lines above, in that Location, are equivalent to saying:

JkMount /sampleajp/* tomcatA

Then follow the instructions here to create the password file and the user testuser in it:
http://httpd.apache.org/docs/2.2/howto/auth.html
section: "Getting it working"

If you try to access such a URL /sampleajp/*, the browser will pop up a basic auth dialog and force you to login. This will result in the request being duly authenticated for Apache, which /will/ result in the Apache user-id being passed to Tomcat. Then, once you have verified (in Tomcat) that it is so, have another look at the mod_jk logfile, to see if then you spot the attribute being passed. (You will know that it is passed, but it may still not show up in the logs.)

If all of that works, then we know that in order for your scheme to work, you must somehow force the user-id obtained by your SSO system to be also set in the Apache request record. Which should be a solvable problem. And if not, then you still have your Valve..

oh...@cox.net wrote:
Andre, I haven't tried your full suggestion yet, but I removed all of the OAM SSO stuff out of my Apache httpd.conf, just to see what happens, but even after that, still am not getting logged into Tomcat, so it may be as you suggest, that mod_jk tries to get the userid from somewhere deep inside of Apache.

So, I will try adding what you suggested, to get authenticated with just the Apache, and then see what happens, and will post back. If that works, we can go from there.

Thanks for following up with this!

Jim

Hi Andre,

I configured the Location as you suggested, and guess what? It WORKS!

That was good, BUT, recall that I had removed the OAM stuff from the Apache .conf earlier. So, after confirming that, without the OAM stuff, and with your suggested Location, that it worked, I then went and uncommented the OAM stuff, i.e., added back
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote:
P.S. I forgot to mention: As you know, I'd been using a sniffer to see the data on the Apache-to-Tomcat connection. I have a sniff from earlier, where I was using ProxyPass ajp://, and, comparing that sniff vs. a sniff that I have from when I tested with your suggested Location, in the latter sniff I can see the userID (testuser), whereas in the former, that same area in the hex dump is basically just null-terminated strings.

So, it appears like, when the OAM stuff and the ajp: stuff is in the Apache .conf, as you were guessing, the userID isn't making it into the Apache-to-Tomcat/AJP connection at all.

Jim

oh...@cox.net wrote:
Hi,

Sorry for the top-post :(... Here're the sniffs from the tests that I did:

a) Working (OAM disabled, Location per Andre):

0000  12 34 02 AB 02 02 00 08 48 54 54 50 2F 31 2E 31   .4.«....HTTP/1.1
0010  00 00 1F 2F 73 61 6D 70 6C 65 73 61 6A 70 2F 73   .../samplesajp/s
0020  73 6F 41 4D 54 6F 6D 63 61 74 54 65 73 74 2E 6A   soAMTomcatTest.j
0030  73 70 00 00 0B 31 39 32 2E 31 36 38 2E 30 2E 37   sp...192.168.0.7
0040  00 FF FF 00 14 61 70 61 63 68 65 31 2E 77 68 61   .ÿÿ..apache1.wha
0050  74 65 76 65 72 2E 63 6F 6D 00 01 BB 01 00 09 A0   tever.com..»....
0060  0B 00 14 61 70 61 63 68 65 31 2E 77 68 61 74 65   ...apache1.whate
0070  76 65 72 2E 63 6F 6D 00 A0 0E 00 3F 4D 6F 7A 69   ver.com....?Mozi
0080  6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73   lla/5.0 (Windows
0090  20 4E 54 20 36 2E 31 3B 20 72 76 3A 38 2E 30 29    NT 6.1; rv:8.0)
00A0  20 47 65 63 6B 6F 2F 32 30 31 30 30 31 30 31 20    Gecko/20100101 
00B0  46 69 72 65 66 6F 78 2F 38 2E 30 00 A0 01 00 3F   Firefox/8.0....?
00C0  74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63   text/html,applic
00D0  61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C   ation/xhtml+xml,
00E0  61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B   application/xml;
00F0  71 3D 30 2E 39 2C 2A 2F 2A 3B 71 3D 30 2E 38 00   q=0.9,*/*;q=0.8.
0100  00 0F 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67   ..Accept-Languag
0110  65 00 00 0E 65 6E 2D 75 73 2C 65 6E 3B 71 3D 30   e...en-us,en;q=0
0120  2E 35 00 00 0F 41 63 63 65 70 74 2D 45 6E 63 6F   .5...Accept-Enco
0130  64 69 6E 67 00 00 0D 67 7A 69 70 2C 20 64 65 66   ding...gzip, def
0140  6C 61 74 65 00 00 0E 41 63 63 65 70 74 2D 43 68   late...Accept-Ch
0150  61 72 73 65 74 00 00 1E 49 53 4F 2D 38 38 35 39   arset...ISO-8859
0160  2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A   -1,utf-8;q=0.7,*
0170  3B 71 3D 30 2E 37 00 A0 06 00 0A 6B 65 65 70 2D   ;q=0.7.....keep-
0180  61 6C 69 76 65 00 A0 05 00 1A 42 61 73 69 63 20   alive.....Basic 
0190  64 47 56 7A 64 48 56 7A 5A 58 49 36 59 6D 56 7A   dGVzdHVzZXI6YmVz
01A0  64 44 46 69 00 A0 08 00 01 30 00 03 00 08 74 65   dDFi.....0....te
01B0  73 74 75 73 65 72 00 04 00 05 42 61 73 69 63 00   stuser....Basic.
01C0  08 00 12 44 48 45 2D 52 53 41 2D 41 45 53 32 35   ...DHE-RSA-AES25

André Warnier wrote:
Yes, this is probably it. Refer to this to know what you are looking for:
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
The sections "Request Packet Structure", then "Headers" and "Attributes".

We are seeing an HTTP header like this:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

but since the Authorization header is a common one, the name of the header has been replaced by a code (0xA005). That looks like the last header, and then starts the attributes part, where we seem to have indeed these two:

remote_user   0x03
auth_type     0x04

(auth_type is Basic here, because that is what is configured in the Apache AuthType directive.)

So now disable the Basic Auth, and put the OAM auth instead, and let's see what happens. If with OAM we cannot find the remote_user attribute in the packet trace, then it must mean that OAM is /not/ really authenticating the user as far as Apache is concerned. (Meaning, it does not set the user-id where Apache would expect it, it does its own thing somehow; but maybe in the configuration of OAM there exists a parameter to tell OAM to do it right?)
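Rather than reading the dump by eye, the packet can be decoded mechanically. The script below is an added example (not code from this thread, from mod_jk or from Tomcat) that parses an AJP13 Forward Request according to the ajpv13a document André links and lists the headers and attributes it carries. It is run here against the bytes of Jim's "working" capture above; because that dump stops at offset 0x1CF while the packet header declares 0x2AB data bytes, the parser also has to cope with a truncated packet and say so. SAMPLE_PACKET is transcribed from the dump; the function and table names are this example's own.

```python
# Added example: decode an AJP13 "Forward Request" packet (what mod_jk and
# mod_proxy_ajp send Tomcat per request); layout per the ajpv13a document.
import struct

METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT",
           6: "DELETE", 7: "TRACE", 8: "PROPFIND"}
# Common header names travel as a two-byte 0xA0xx code instead of a string.
HEADER_CODES = dict(zip(range(0xA001, 0xA00F), (
    "accept accept-charset accept-encoding accept-language authorization "
    "connection content-type content-length cookie cookie2 host pragma "
    "referer user-agent").split()))
# Attribute codes followed by one string value; 0x0A introduces a generic
# name/value pair and 0xFF ends the attribute list.
ATTRIBUTE_CODES = dict(zip(range(1, 10), (
    "context servlet_path remote_user auth_type query_string jvm_route "
    "ssl_cert ssl_cipher ssl_session").split()))
ATTR_REQ_ATTRIBUTE, ATTR_ARE_DONE = 0x0A, 0xFF


class _Reader:
    """Cursor over the packet bytes; raises EOFError where the capture ends."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise EOFError("packet truncated at offset 0x%x" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def byte(self):
        return self.take(1)[0]
    def integer(self):
        return struct.unpack(">H", self.take(2))[0]
    def string(self):   # 2-byte length, bytes, NUL; 0xFFFF = null (no body/NUL)
        n = self.integer()
        return None if n == 0xFFFF else self.take(n + 1)[:n].decode("latin-1")


def parse_forward_request(packet):
    """Decode one Forward Request packet (bytes) into a dict."""
    r = _Reader(packet)
    if r.integer() != 0x1234:
        raise ValueError("magic is not 0x1234 (not a server-to-container packet)")
    req = {"declared_length": r.integer(), "captured_length": len(packet) - 4,
           "headers": [], "attributes": {}, "truncated": False}
    if r.byte() != 2:
        raise ValueError("prefix code is not 2 (JK_AJP13_FORWARD_REQUEST)")
    code = r.byte()
    req["method"] = METHODS.get(code, "method_%d" % code)
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field] = r.string()
    req["server_port"] = r.integer()
    req["is_ssl"] = r.byte() == 1
    try:
        for _ in range(r.integer()):
            if r.data[r.pos:r.pos + 1] == b"\xa0":   # coded header name
                code = r.integer()
                name = HEADER_CODES.get(code, "header_0x%04x" % code)
            else:                                     # literal header name
                name = r.string().lower()
            req["headers"].append((name, r.string()))
        while (code := r.byte()) != ATTR_ARE_DONE:
            if code == ATTR_REQ_ATTRIBUTE:
                name = r.string()
            elif code in ATTRIBUTE_CODES:
                name = ATTRIBUTE_CODES[code]
            else:
                raise ValueError("unknown attribute code 0x%02x" % code)
            req["attributes"][name] = r.string()
    except EOFError:
        req["truncated"] = True   # capture ended before the 0xFF terminator
    return req


def forwarded_identity(req):
    """(user, auth_type) Tomcat trusts with tomcatAuthentication="false"; None if absent."""
    a = req["attributes"]
    return (a["remote_user"], a.get("auth_type")) if "remote_user" in a else None


# Transcribed from the "working" capture above (offsets 0x0000-0x01CF; the
# packet declares 0x2AB data bytes, so the dump stops inside ssl_cipher).
SAMPLE_PACKET = bytes.fromhex("""
123402AB 02020008 48545450 2F312E31 00001F2F 73616D70 6C657361 6A702F73
736F414D 546F6D63 61745465 73742E6A 73700000 0B313932 2E313638 2E302E37
00FFFF00 14617061 63686531 2E776861 74657665 722E636F 6D0001BB 010009A0
0B001461 70616368 65312E77 68617465 7665722E 636F6D00 A00E003F 4D6F7A69
6C6C612F 352E3020 2857696E 646F7773 204E5420 362E313B 2072763A 382E3029
20476563 6B6F2F32 30313030 31303120 46697265 666F782F 382E3000 A001003F
74657874 2F68746D 6C2C6170 706C6963 6174696F 6E2F7868 746D6C2B 786D6C2C
6170706C 69636174 696F6E2F 786D6C3B 713D302E 392C2A2F 2A3B713D 302E3800
000F4163 63657074 2D4C616E 67756167 6500000E 656E2D75 732C656E 3B713D30
2E350000 0F416363 6570742D 456E636F 64696E67 00000D67 7A69702C 20646566
6C617465 00000E41 63636570 742D4368 61727365 7400001E 49534F2D 38383539
2D312C75 74662D38 3B713D30 2E372C2A 3B713D30 2E3700A0 06000A6B 6565702D
616C6976 6500A005 001A4261 73696320 6447567A 6448567A 5A584936 596D567A
64444669 00A00800 01300003 00087465 73747573 65720004 00054261 73696300
08001244 48452D52 53412D41 45533235
""")

if __name__ == "__main__":
    print(forwarded_identity(parse_forward_request(SAMPLE_PACKET)))
```

For this capture forwarded_identity() returns ("testuser", "Basic"), and the parser reports nine headers (the coded ones such as host and authorization next to literal ones such as Accept-Language, which this mod_jk build sent as a plain string) and a truncated attribute list. On a capture of the failing OAM configuration, where Jim reports the same region holding only null-terminated strings, it would return None, which is the symptom the thread is chasing. The capture also makes two things plain that matter once tomcatAuthentication="false" is in play: Tomcat takes remote_user on trust from whatever connects to the AJP port, so that port must be reachable only from the front end (bind it to a private address, firewall it, and set requiredSecret on the connector with the matching secret on the mod_jk worker); and the Basic Authorization header is relayed verbatim, so the AJP link carries the user's credentials in clear text.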
Re: Anybody can help me? Thank you!
On 03/12/2011 13:57, 孙文 wrote:
Hi, you can read the message in the attachment.

The list strips attachments.

p
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
André Warnier wrote:
So now disable the Basic Auth, and put the OAM auth instead, and let's see what happens. If with OAM we cannot find the remote_user attribute in the packet trace, then it must mean that OAM is /not/ really authenticating the user as far as Apache is concerned. (Meaning, it does not set the user-id where Apache would expect it, it does its own thing somehow; but maybe in the configuration of OAM there exists a parameter to tell OAM to do it right?)

Addendum: I browsed a bit on the web, and found some OAM documentation. According to this:
http://docs.oracle.com/cd/E15217_01/doc.1014/e12493/apch2ihs.htm#CHDFEJCC
(and if I am using the correct documentation) you should be able to do this:

<Location /sampleajp>
# AuthType Basic
# AuthName toTomcat
# AuthUserFile /some-path/passwords
# Require user testuser
# leave these as they are :
SetHandler jakarta-servlet
SetEnv JK_WORKER_NAME tomcatA   (<- or whatever name your worker has)
# add the OAM stuff here :
AuthType Oblix
require valid-user
</Location>

Also, according to that, OAM /should/ set the user-id in Apache. Otherwise the "require valid-user" would not work. require
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
André Warnier a...@ice-sa.com wrote: André Warnier wrote: oh...@cox.net wrote: oh...@cox.net wrote: P.S. I forgot to mention: As you know, I'd been using a sniffer, to see the data on the Apache-to-Tomcat connection. I have a sniff from earlier, where I was using ProxyPass ajp://, and, comparing that sniff vs. a sniff that I have from when I tested with your suggested Location, in the latter sniff, I can see the userID (testuser), whereas in the former, that same area in the hex dump is basically just null-terminated strings. So, it appears like, when the OAM stuff and the ajp: stuff is in the Apache .conf, as you were guessing, the userID isn't making it into the Apache-to-Tomcat/AJP connection at all. Jim Hi, Sorry for the top-post :(... Here're the sniffs from the tests that I did: a) Working (OAM disabled, Location per Andre): 12 34 02 AB 02 02 00 08 48 54 54 50 2F 31 2E 31 .4.« HTTP/1.1 0010 00 00 1F 2F 73 61 6D 70 6C 65 73 61 6A 70 2F 73 .../samp lesajp/s 0020 73 6F 41 4D 54 6F 6D 63 61 74 54 65 73 74 2E 6A soAMTomc atTest.j 0030 73 70 00 00 0B 31 39 32 2E 31 36 38 2E 30 2E 37 sp...192 .168.0.7 0040 00 FF FF 00 14 61 70 61 63 68 65 31 2E 77 68 61 .ÿÿ..apa che1.wha 0050 74 65 76 65 72 2E 63 6F 6D 00 01 BB 01 00 09 A0 tever.co m..»... 0060 0B 00 14 61 70 61 63 68 65 31 2E 77 68 61 74 65 ...apach e1.whate 0070 76 65 72 2E 63 6F 6D 00 A0 0E 00 3F 4D 6F 7A 69 ver.com. ..?Mozi 0080 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 lla/5.0 (Windows 0090 20 4E 54 20 36 2E 31 3B 20 72 76 3A 38 2E 30 29NT 6.1; rv:8.0) 00A0 20 47 65 63 6B 6F 2F 32 30 31 30 30 31 30 31 20Gecko/2 0100101 00B0 46 69 72 65 66 6F 78 2F 38 2E 30 00 A0 01 00 3F Firefox/ 8.0. ..? 00C0 74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63 text/htm l,applic 00D0 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C ation/xh tml+xml, 00E0 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B applicat ion/xml; 00F0 71 3D 30 2E 39 2C 2A 2F 2A 3B 71 3D 30 2E 38 00 q=0.9,*/ *;q=0.8. 
0100 00 0F 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 ..Accept -Languag 0110 65 00 00 0E 65 6E 2D 75 73 2C 65 6E 3B 71 3D 30 e...en-u s,en;q=0 0120 2E 35 00 00 0F 41 63 63 65 70 74 2D 45 6E 63 6F .5...Acc ept-Enco 0130 64 69 6E 67 00 00 0D 67 7A 69 70 2C 20 64 65 66 ding...g zip, def 0140 6C 61 74 65 00 00 0E 41 63 63 65 70 74 2D 43 68 late...A ccept-Ch 0150 61 72 73 65 74 00 00 1E 49 53 4F 2D 38 38 35 39 arset... ISO-8859 0160 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A -1,utf-8 ;q=0.7,* 0170 3B 71 3D 30 2E 37 00 A0 06 00 0A 6B 65 65 70 2D ;q=0.7. ...keep- 0180 61 6C 69 76 65 00 A0 05 00 1A 42 61 73 69 63 20 alive. . ..Basic 0190 64 47 56 7A 64 48 56 7A 5A 58 49 36 59 6D 56 7A dGVzdHVz ZXI6YmVz 01A0 64 44 46 69 00 A0 08 00 01 30 00 03 00 08 74 65 dDFi. .. .0te 01B0 73 74 75 73 65 72 00 04 00 05 42 61 73 69 63 00 stuser.. ..Basic. 01C0 08 00 12 44 48 45 2D 52 53 41 2D 41 45 53 32 35 ...DHE-R SA-AES25 Yes, this is probably it. Refer to this to know what you are looking for : http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html The sections Request Packet Structure, then Headers and Attributes. We are seeing a HTTP header like this : Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== but since the Authorization header is a common one, the name of the header has been replaced by a code (0xA005). That looks like the last header, and then starts the attributes part, where we seem to have indeed these two : ?remote_user0x03 ?auth_type0x04 (auth_type is Basic here, because that is what is configured in the Apache AuthType directive.) So now disable the Basic Auth, and put the OAM auth instead, and let's see what happens. If with OAM, we cannot find the remote_user attribute in the packet trace, then it must mean that OAM is /not/ really authenticating the user as far as Apache is concerned. 
(Meaning, it does not set the user-id where Apache would expect it, it does its own thing somehow; but maybe in the configuration of OAM, there exists a parameter to tell OAM to do it right ?). Addendum: I browsed a bit on the web, and found some OAM documentation. According to this : http://docs.oracle.com/cd/E15217_01/doc.1014/e12493/apch2ihs.htm#CHDFEJCC (and if I am using the correct documentation) you should be able to do this : Location /sampleajp # AuthType Basic # AuthName toTomcat # AuthUserFile /some-path/passwords # Require user testuser # leave these as they are : SetHandler jakarta-servlet SetEnv JK_WORKER_NAME tomcatA (- or
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote:
André Warnier a...@ice-sa.com wrote:
André Warnier wrote:
oh...@cox.net wrote:
oh...@cox.net wrote:

P.S. I forgot to mention: As you know, I'd been using a sniffer, to see the data on the Apache-to-Tomcat connection. I have a sniff from earlier, where I was using ProxyPass ajp://, and, comparing that sniff vs. a sniff that I have from when I tested with your suggested Location, in the latter sniff, I can see the userID (testuser), whereas in the former, that same area in the hex dump is basically just null-terminated strings.

So, it appears like, when the OAM stuff and the ajp: stuff is in the Apache .conf, as you were guessing, the userID isn't making it into the Apache-to-Tomcat/AJP connection at all.

Jim

Hi,

Sorry for the top-post :(...

Here're the sniffs from the tests that I did:

a) Working (OAM disabled, Location per Andre):

0000  12 34 02 AB 02 02 00 08 48 54 54 50 2F 31 2E 31  .4.« HTTP/1.1
0010  00 00 1F 2F 73 61 6D 70 6C 65 73 61 6A 70 2F 73  .../samp lesajp/s
0020  73 6F 41 4D 54 6F 6D 63 61 74 54 65 73 74 2E 6A  soAMTomc atTest.j
0030  73 70 00 00 0B 31 39 32 2E 31 36 38 2E 30 2E 37  sp...192 .168.0.7
0040  00 FF FF 00 14 61 70 61 63 68 65 31 2E 77 68 61  .ÿÿ..apa che1.wha
0050  74 65 76 65 72 2E 63 6F 6D 00 01 BB 01 00 09 A0  tever.co m..»...
0060  0B 00 14 61 70 61 63 68 65 31 2E 77 68 61 74 65  ...apach e1.whate
0070  76 65 72 2E 63 6F 6D 00 A0 0E 00 3F 4D 6F 7A 69  ver.com. ..?Mozi
0080  6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73  lla/5.0 (Windows
0090  20 4E 54 20 36 2E 31 3B 20 72 76 3A 38 2E 30 29   NT 6.1; rv:8.0)
00A0  20 47 65 63 6B 6F 2F 32 30 31 30 30 31 30 31 20   Gecko/2 0100101
00B0  46 69 72 65 66 6F 78 2F 38 2E 30 00 A0 01 00 3F  Firefox/ 8.0. ..?
00C0  74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63  text/htm l,applic
00D0  61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C  ation/xh tml+xml,
00E0  61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B  applicat ion/xml;
00F0  71 3D 30 2E 39 2C 2A 2F 2A 3B 71 3D 30 2E 38 00  q=0.9,*/ *;q=0.8.
0100  00 0F 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67  ..Accept -Languag
0110  65 00 00 0E 65 6E 2D 75 73 2C 65 6E 3B 71 3D 30  e...en-u s,en;q=0
0120  2E 35 00 00 0F 41 63 63 65 70 74 2D 45 6E 63 6F  .5...Acc ept-Enco
0130  64 69 6E 67 00 00 0D 67 7A 69 70 2C 20 64 65 66  ding...g zip, def
0140  6C 61 74 65 00 00 0E 41 63 63 65 70 74 2D 43 68  late...A ccept-Ch
0150  61 72 73 65 74 00 00 1E 49 53 4F 2D 38 38 35 39  arset... ISO-8859
0160  2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A  -1,utf-8 ;q=0.7,*
0170  3B 71 3D 30 2E 37 00 A0 06 00 0A 6B 65 65 70 2D  ;q=0.7. ...keep-
0180  61 6C 69 76 65 00 A0 05 00 1A 42 61 73 69 63 20  alive. . ..Basic
0190  64 47 56 7A 64 48 56 7A 5A 58 49 36 59 6D 56 7A  dGVzdHVz ZXI6YmVz
01A0  64 44 46 69 00 A0 08 00 01 30 00 03 00 08 74 65  dDFi. .. .0te
01B0  73 74 75 73 65 72 00 04 00 05 42 61 73 69 63 00  stuser.. ..Basic.
01C0  08 00 12 44 48 45 2D 52 53 41 2D 41 45 53 32 35  ...DHE-R SA-AES25

Yes, this is probably it.

Refer to this to know what you are looking for :
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
The sections Request Packet Structure, then Headers and Attributes.

We are seeing a HTTP header like this :
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
but since the Authorization header is a common one, the name of the header has been replaced by a code (0xA005).

That looks like the last header, and then starts the attributes part, where we seem to have indeed these two :
  remote_user  0x03
  auth_type    0x04
(auth_type is Basic here, because that is what is configured in the Apache AuthType directive.)

So now disable the Basic Auth, and put the OAM auth instead, and let's see what happens.

If with OAM, we cannot find the remote_user attribute in the packet trace, then it must mean that OAM is /not/ really authenticating the user as far as Apache is concerned. (Meaning, it does not set the user-id where Apache would expect it, it does its own thing somehow; but maybe in the configuration of OAM, there exists a parameter to tell OAM to do it right ?).

Addendum: I browsed a bit on the web, and found some OAM documentation. According to this :
http://docs.oracle.com/cd/E15217_01/doc.1014/e12493/apch2ihs.htm#CHDFEJCC
(and if I am using the correct documentation) you should be able to do this :

<Location /sampleajp>
# AuthType Basic
# AuthName toTomcat
# AuthUserFile
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote:
oh...@cox.net wrote:
André Warnier a...@ice-sa.com wrote:
André Warnier wrote:
oh...@cox.net wrote:
oh...@cox.net wrote:

P.S. I forgot to mention: As you know, I'd been using a sniffer, to see the data on the Apache-to-Tomcat connection. I have a sniff from earlier, where I was using ProxyPass ajp://, and, comparing that sniff vs. a sniff that I have from when I tested with your suggested Location, in the latter sniff, I can see the userID (testuser), whereas in the former, that same area in the hex dump is basically just null-terminated strings.

So, it appears like, when the OAM stuff and the ajp: stuff is in the Apache .conf, as you were guessing, the userID isn't making it into the Apache-to-Tomcat/AJP connection at all.

Jim

Hi,

Sorry for the top-post :(...

Here're the sniffs from the tests that I did:

a) Working (OAM disabled, Location per Andre):

0000  12 34 02 AB 02 02 00 08 48 54 54 50 2F 31 2E 31  .4.« HTTP/1.1
0010  00 00 1F 2F 73 61 6D 70 6C 65 73 61 6A 70 2F 73  .../samp lesajp/s
0020  73 6F 41 4D 54 6F 6D 63 61 74 54 65 73 74 2E 6A  soAMTomc atTest.j
0030  73 70 00 00 0B 31 39 32 2E 31 36 38 2E 30 2E 37  sp...192 .168.0.7
0040  00 FF FF 00 14 61 70 61 63 68 65 31 2E 77 68 61  .ÿÿ..apa che1.wha
0050  74 65 76 65 72 2E 63 6F 6D 00 01 BB 01 00 09 A0  tever.co m..»...
0060  0B 00 14 61 70 61 63 68 65 31 2E 77 68 61 74 65  ...apach e1.whate
0070  76 65 72 2E 63 6F 6D 00 A0 0E 00 3F 4D 6F 7A 69  ver.com. ..?Mozi
0080  6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73  lla/5.0 (Windows
0090  20 4E 54 20 36 2E 31 3B 20 72 76 3A 38 2E 30 29   NT 6.1; rv:8.0)
00A0  20 47 65 63 6B 6F 2F 32 30 31 30 30 31 30 31 20   Gecko/2 0100101
00B0  46 69 72 65 66 6F 78 2F 38 2E 30 00 A0 01 00 3F  Firefox/ 8.0. ..?
00C0  74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63  text/htm l,applic
00D0  61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C  ation/xh tml+xml,
00E0  61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B  applicat ion/xml;
00F0  71 3D 30 2E 39 2C 2A 2F 2A 3B 71 3D 30 2E 38 00  q=0.9,*/ *;q=0.8.
0100  00 0F 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67  ..Accept -Languag
0110  65 00 00 0E 65 6E 2D 75 73 2C 65 6E 3B 71 3D 30  e...en-u s,en;q=0
0120  2E 35 00 00 0F 41 63 63 65 70 74 2D 45 6E 63 6F  .5...Acc ept-Enco
0130  64 69 6E 67 00 00 0D 67 7A 69 70 2C 20 64 65 66  ding...g zip, def
0140  6C 61 74 65 00 00 0E 41 63 63 65 70 74 2D 43 68  late...A ccept-Ch
0150  61 72 73 65 74 00 00 1E 49 53 4F 2D 38 38 35 39  arset... ISO-8859
0160  2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A  -1,utf-8 ;q=0.7,*
0170  3B 71 3D 30 2E 37 00 A0 06 00 0A 6B 65 65 70 2D  ;q=0.7. ...keep-
0180  61 6C 69 76 65 00 A0 05 00 1A 42 61 73 69 63 20  alive. . ..Basic
0190  64 47 56 7A 64 48 56 7A 5A 58 49 36 59 6D 56 7A  dGVzdHVz ZXI6YmVz
01A0  64 44 46 69 00 A0 08 00 01 30 00 03 00 08 74 65  dDFi. .. .0te
01B0  73 74 75 73 65 72 00 04 00 05 42 61 73 69 63 00  stuser.. ..Basic.
01C0  08 00 12 44 48 45 2D 52 53 41 2D 41 45 53 32 35  ...DHE-R SA-AES25

Yes, this is probably it.

Refer to this to know what you are looking for :
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
The sections Request Packet Structure, then Headers and Attributes.

We are seeing a HTTP header like this :
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
but since the Authorization header is a common one, the name of the header has been replaced by a code (0xA005).

That looks like the last header, and then starts the attributes part, where we seem to have indeed these two :
  remote_user  0x03
  auth_type    0x04
(auth_type is Basic here, because that is what is configured in the Apache AuthType directive.)

So now disable the Basic Auth, and put the OAM auth instead, and let's see what happens.

If with OAM, we cannot find the remote_user attribute in the packet trace, then it must mean that OAM is /not/ really authenticating the user as far as Apache is concerned. (Meaning, it does not set the user-id where Apache would expect it, it does its own thing somehow; but maybe in the configuration of OAM, there exists a parameter to tell OAM to do it right ?).

Addendum: I browsed a bit on the web, and found some OAM documentation. According to this :
http://docs.oracle.com/cd/E15217_01/doc.1014/e12493/apch2ihs.htm#CHDFEJCC
(and if I am using the correct documentation) you should be able to do this :

<Location /sampleajp>
# AuthType Basic
# AuthName toTomcat
# AuthUserFile /some-path/passwords
# Require user testuser
# leave these as they are :
SetHandler jakarta-servlet
SetEnv JK_WORKER_NAME tomcatA (- or whatever name your worker has)
# add the OAM stuff here :
AuthType Oblix
require valid-user
</Location>

Also, according to that, OAM
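As an added example (not code from this thread, from mod_jk or from Tomcat), the following Python encodes and decodes AJP13 Forward Request packets using the header codes (0xA0xx) and attribute codes (0x03 remote_user, 0x04 auth_type) from the ajpv13a document linked above, and applies the check proposed in this message: decode a trace and see whether the remote_user attribute is present at all. The two sample packets are constructed to mirror the capture quoted here (same URI, host, port and identity attributes); the Basic credential in them is a placeholder, not the one in the trace, and the cipher name is made up. The decoder accepts header names in both coded and plain-string form, since the capture shows the connector sending some names (Accept-Language, Accept-Encoding, Accept-Charset) as strings even though codes exist for them.

```python
import base64
import struct

MAGIC = b"\x12\x34"       # prefix of every packet sent from httpd to the container
FORWARD_REQUEST = 0x02    # packet type byte that follows the length
ARE_DONE = 0xFF           # terminates the attribute list
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE", 7: "TRACE"}
# Common header names are sent as a two-byte 0xA0xx code instead of a string.
SC_REQ_HEADERS = {
    0xA001: "accept", 0xA002: "accept-charset", 0xA003: "accept-encoding",
    0xA004: "accept-language", 0xA005: "authorization", 0xA006: "connection",
    0xA007: "content-type", 0xA008: "content-length", 0xA009: "cookie", 0xA00A: "cookie2",
    0xA00B: "host", 0xA00C: "pragma", 0xA00D: "referer", 0xA00E: "user-agent"}
# Attributes follow the headers as one-byte codes; only ssl_key_size carries an integer.
SC_ATTRIBUTES = {
    0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
    0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
    0x09: "ssl_session", 0x0A: "req_attribute", 0x0B: "ssl_key_size"}
METHOD_CODES = {v: k for k, v in METHODS.items()}
HEADER_CODES = {v: k for k, v in SC_REQ_HEADERS.items()}
ATTR_CODES = {v: k for k, v in SC_ATTRIBUTES.items()}

def _enc_string(s):
    """AJP string: 2-byte length, bytes, NUL; length 0xFFFF with no bytes means null."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def _dec_string(buf, pos):
    n = struct.unpack_from(">H", buf, pos)[0]
    if n == 0xFFFF:
        return None, pos + 2
    if buf[pos + 2 + n] != 0:
        raise ValueError("AJP string not NUL-terminated at offset %d" % (pos + 2 + n))
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 3 + n

def build_forward_request(method, uri, remote_addr, server_name, port, is_ssl,
                          headers, attributes, protocol="HTTP/1.1"):
    """Lay the packet out the way mod_jk / mod_proxy_ajp do (string attributes only)."""
    body = bytes([FORWARD_REQUEST, METHOD_CODES[method]])
    body += _enc_string(protocol) + _enc_string(uri) + _enc_string(remote_addr)
    body += _enc_string(None)   # remote_host is null unless httpd resolved the client name
    body += _enc_string(server_name) + struct.pack(">HBH", port, int(is_ssl), len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += (struct.pack(">H", code) if code else _enc_string(name)) + _enc_string(value)
    for name, value in attributes:
        body += bytes([ATTR_CODES[name]]) + _enc_string(value)
    body += bytes([ARE_DONE])
    return MAGIC + struct.pack(">H", len(body)) + body

def parse_forward_request(packet):
    """Decode a Forward Request into a dict; malformed input raises ValueError."""
    if len(packet) < 6 or packet[:2] != MAGIC or packet[4] != FORWARD_REQUEST \
            or len(packet) != 4 + struct.unpack_from(">H", packet, 2)[0]:
        raise ValueError("not a well-formed AJP13 Forward Request")
    req, pos = {"method": METHODS.get(packet[5], "0x%02X" % packet[5])}, 6
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field], pos = _dec_string(packet, pos)
    req["server_port"], is_ssl, num_headers = struct.unpack_from(">HBH", packet, pos)
    req["is_ssl"], pos, headers = bool(is_ssl), pos + 5, []
    for _ in range(num_headers):
        code = struct.unpack_from(">H", packet, pos)[0]
        if code & 0xFF00 == 0xA000:   # coded name, e.g. 0xA005 -> authorization
            name, pos = SC_REQ_HEADERS[code], pos + 2
        else:                         # otherwise those two bytes are a string length
            name, pos = _dec_string(packet, pos)
        value, pos = _dec_string(packet, pos)
        headers.append((name.lower(), value))
    req["headers"], attrs = headers, {}
    while packet[pos] != ARE_DONE:
        code, pos = packet[pos], pos + 1
        if code == ATTR_CODES["req_attribute"]:    # carries a name/value pair
            name, pos = _dec_string(packet, pos)
            attrs.setdefault("req_attribute", {})[name], pos = _dec_string(packet, pos)
        elif code == ATTR_CODES["ssl_key_size"]:
            attrs["ssl_key_size"], pos = struct.unpack_from(">H", packet, pos)[0], pos + 2
        else:
            attrs[SC_ATTRIBUTES.get(code, "0x%02X" % code)], pos = _dec_string(packet, pos)
    req["attributes"] = attrs
    return req

def forwarded_identity(packet):
    """The check from the thread: did httpd export remote_user / auth_type at all?"""
    attrs = parse_forward_request(packet)["attributes"]
    return attrs.get("remote_user"), attrs.get("auth_type")

# Constructed samples mirroring the capture above (placeholder credential "testuser:example",
# made-up cipher name). With httpd doing Basic auth the identity travels as attributes
# 0x03 / 0x04; an SSO module that never set httpd's internal user-id yields the second form.
_REQ = ("GET", "/samplesajp/ssoAMTomcatTest.jsp", "192.168.0.7", "apache1.whatever.com", 443, True)
_HEADERS = [("Host", "apache1.whatever.com"), ("Connection", "keep-alive"), ("DNT", "1"),
            ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
            ("Content-Length", "0")]
_AUTHZ = ("Authorization", "Basic " + base64.b64encode(b"testuser:example").decode())
BASIC_AUTH_PACKET = build_forward_request(*_REQ, _HEADERS + [_AUTHZ],
    [("remote_user", "testuser"), ("auth_type", "Basic"), ("ssl_cipher", "DHE-RSA-AES256-SHA")])
NO_IDENTITY_PACKET = build_forward_request(*_REQ, _HEADERS, [("ssl_cipher", "DHE-RSA-AES256-SHA")])
```

To use it on a real capture, feed parse_forward_request the bytes of one packet starting at 0x12 0x34 (TCP layer stripped) and inspect ["attributes"]. forwarded_identity returns ("testuser", "Basic") for the first sample and (None, None) for the second; the latter is what a trace looks like when the module in front of Tomcat authenticated the user but never set the user-id that httpd exports over AJP, which is exactly the condition this message says to look for. Note also that the Authorization header itself is forwarded to Tomcat in both cases, so the credential leaves httpd whether or not remote_user does.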
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ?

It seems like they should have one, but, unfortunately, they don't.

Jim

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote:

Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ?

It seems like they should have one, but, unfortunately, they don't.

Mmm. Browsing the documentation, I seem to remember seeing something about Weblogic, no ? Is that not usable ?

(As an aside, send your messages only to the list. I get all messages to the list anyway, so if you send them to me too, I get them twice).
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:

Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ?

It seems like they should have one, but, unfortunately, they don't.

Mmm. Browsing the documentation, I seem to remember seeing something about Weblogic, no ? Is that not usable ?

(As an aside, send your messages only to the list. I get all messages to the list anyway, so if you send them to me too, I get them twice).

Hi,

Sorry about the emails.

Yes, they do support integrating with WebLogic, and we do use that for other cases, but that's probably a bit off-topic here.

Jim
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote:
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:

Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ?

It seems like they should have one, but, unfortunately, they don't.

Mmm. Browsing the documentation, I seem to remember seeing something about Weblogic, no ? Is that not usable ?

(As an aside, send your messages only to the list. I get all messages to the list anyway, so if you send them to me too, I get them twice).

Hi,

Sorry about the emails.

Yes, they do support integrating with WebLogic, and we do use that for other cases, but that's probably a bit off-topic here.

We don't mind the competition here. Keeps us on our toes. Just kidding.

What I meant to ask (me being the not-so-Java specialist see) was, since Weblogic is a servlet engine, and Tomcat is a servlet engine, both ought to abide by the servlet spec and such, so isn't the Weblogic-oriented module usable with Tomcat ? Or is this too much of a rosy view of the world ?

Anyway, the only other thing that comes to mind is, since you seem to be an OAM customer, can you not ask the OAM support people if OAM sets the internal Apache user-id or not ?
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:

Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ?

It seems like they should have one, but, unfortunately, they don't.

Mmm. Browsing the documentation, I seem to remember seeing something about Weblogic, no ? Is that not usable ?

(As an aside, send your messages only to the list. I get all messages to the list anyway, so if you send them to me too, I get them twice).

Hi,

Sorry about the emails.

Yes, they do support integrating with WebLogic, and we do use that for other cases, but that's probably a bit off-topic here.

We don't mind the competition here. Keeps us on our toes. Just kidding.

What I meant to ask (me being the not-so-Java specialist see) was, since Weblogic is a servlet engine, and Tomcat is a servlet engine, both ought to abide by the servlet spec and such, so isn't the Weblogic-oriented module usable with Tomcat ? Or is this too much of a rosy view of the world ?

Anyway, the only other thing that comes to mind is, since you seem to be an OAM customer, can you not ask the OAM support people if OAM sets the internal Apache user-id or not ?

Hi,

I'll answer the last question first: We have asked, but they don't support integration with Tomcat out-of-the-box. That was why I've been looking into it for our organization.

Re. your 1st question, yes, WebLogic is J2EE, but the integration that Oracle has with WebLogic is based on providers that leverage the (old) WebLogic/BEA security framework, which is/was proprietary to WebLogic, so those providers are not compatible with or usable with anything other than WebLogic. The situation is similar to Tomcat and valves I guess, i.e., Tomcat is J2EE compliant (for JSPs, servlets, etc.), but valves are proprietary to Tomcat.

Jim
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote:
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:

Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ?

It seems like they should have one, but, unfortunately, they don't.

Mmm. Browsing the documentation, I seem to remember seeing something about Weblogic, no ? Is that not usable ?

(As an aside, send your messages only to the list. I get all messages to the list anyway, so if you send them to me too, I get them twice).

Hi,

Sorry about the emails.

Yes, they do support integrating with WebLogic, and we do use that for other cases, but that's probably a bit off-topic here.

We don't mind the competition here. Keeps us on our toes. Just kidding.

What I meant to ask (me being the not-so-Java specialist see) was, since Weblogic is a servlet engine, and Tomcat is a servlet engine, both ought to abide by the servlet spec and such, so isn't the Weblogic-oriented module usable with Tomcat ? Or is this too much of a rosy view of the world ?

Anyway, the only other thing that comes to mind is, since you seem to be an OAM customer, can you not ask the OAM support people if OAM sets the internal Apache user-id or not ?

Hi,

I'll answer the last question first: We have asked, but they don't support integration with Tomcat out-of-the-box. That was why I've been looking into it for our organization.

Ok. But the question here is different : you are not asking if they support Tomcat. What you are asking is if OAM can set the Apache internal user-id, once the user is authenticated by OAM.

The situation is the same as if you had to support, say, some legacy Apache-based application, and this Apache-based application needs the user-id, and it normally gets it from Apache. For example, imagine that your organisation has some pre-existing content-management system based on Apache and Perl. Now you purchase OAM as a global SSO mechanism, and you want to use OAM to authenticate the users for your content-management application. For that, the easiest way is for OAM to just set the Apache user-id, because then you don't have to change anything to your existing application.

Re. your 1st question, yes, WebLogic is J2EE, but the integration that Oracle has with WebLogic is based on providers that leverage the (old) WebLogic/BEA security framework, which is/was proprietary to WebLogic, so those providers are not compatible with or usable with anything other than WebLogic. The situation is similar to Tomcat and valves I guess, i.e., Tomcat is J2EE compliant (for JSPs, servlets, etc.), but valves are proprietary to Tomcat.

Jim
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:
André Warnier a...@ice-sa.com wrote:
oh...@cox.net wrote:

Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ?

It seems like they should have one, but, unfortunately, they don't.

Mmm. Browsing the documentation, I seem to remember seeing something about Weblogic, no ? Is that not usable ?

(As an aside, send your messages only to the list. I get all messages to the list anyway, so if you send them to me too, I get them twice).

Hi,

Sorry about the emails.

Yes, they do support integrating with WebLogic, and we do use that for other cases, but that's probably a bit off-topic here.

We don't mind the competition here. Keeps us on our toes. Just kidding.

What I meant to ask (me being the not-so-Java specialist see) was, since Weblogic is a servlet engine, and Tomcat is a servlet engine, both ought to abide by the servlet spec and such, so isn't the Weblogic-oriented module usable with Tomcat ? Or is this too much of a rosy view of the world ?

Anyway, the only other thing that comes to mind is, since you seem to be an OAM customer, can you not ask the OAM support people if OAM sets the internal Apache user-id or not ?

Hi,

I'll answer the last question first: We have asked, but they don't support integration with Tomcat out-of-the-box. That was why I've been looking into it for our organization.

Ok. But the question here is different : you are not asking if they support Tomcat. What you are asking is if OAM can set the Apache internal user-id, once the user is authenticated by OAM.

The situation is the same as if you had to support, say, some legacy Apache-based application, and this Apache-based application needs the user-id, and it normally gets it from Apache. For example, imagine that your organisation has some pre-existing content-management system based on Apache and Perl. Now you purchase OAM as a global SSO mechanism, and you want to use OAM to authenticate the users for your content-management application. For that, the easiest way is for OAM to just set the Apache user-id, because then you don't have to change anything to your existing application.

Hi,

I didn't say anything about it before, but I've been, in parallel with our discussion, mucking around both the OAM innards and the Apache source code, as best I can, trying to find out why that internal remote_user string (it is, I believe, only internal to Apache), to see why it isn't being set.

Notice also that I said remote_user string, rather than remote_user variable. The reason is that, in looking through the Apache source code, I haven't (yet) been able to find a variable like that. Rather, it looks like the Apache code just dumps the string representing the user into some buffer that it's building to send out via AJP protocol.

On the OAM side, I haven't been able to find any configuration tweaks that would make their webagent populate (or not populate) whatever data structure inside of Apache either. I may or may not decide to try to bug Oracle about why their webagent doesn't appear to do that. Probably not though, as in the past, it's hard to find someone who knows their stuff well enough to answer such an esoteric question. Plus, the valve seems to work at the moment.

Having said that, and having started to work more with my valve code, I do have a more on-topic question for you and for the list, in general.

To recall, my test Tomcat is pretty much vanilla, including the default realm that uses the tomcat-users.xml.

Earlier, you and Chuck said that when my valve code asserts a user into Tomcat (e.g., via the setUserPrincipal()), that that asserted user didn't have to even be in the Tomcat realm. I'm finding that that part does work as we've discussed, but the question that I have is what roles in Tomcat would that user have (in Tomcat)?

In my testing, and as I've mucked around with my valve code, I found that I could assert not only a user, but it looks like I can also assert that user's roles in Tomcat. And, I can even assert roles that don't exist in the realm!!

In other words, suppose my valve gets a request with a userID of foobar. Then, it appears that my valve code can not only assert the foobar user into Tomcat, but can also assert that the foobar user has roles foobarRole1 and foobarRole2, EVEN when those roles don't exist/aren't defined in the Tomcat realm.

Is this correct?

If it is, I may have a problem. Let me explain:

My original
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ? It seems like they should have one, but, unfortunately, they don't. Mmm. Browsing the documentation, I seem to remember seeing something about Weblogic, no ? Is that not usable ? (As an aside, send your messages only to the list. I get all messages to the list anyway, so if you send them to me too, I get them twice). Hi, Sorry about the emails. Yes, they do support integrating with WebLogic, and we do use that for other cases, but that's probably a bit off-topic here. We don't mind the competition here. Keeps us on our toes. Just kidding. What I meant to ask (me being the not-so-Java specialist see) was, since Weblogic is a servlet engine, and Tomcat is a servlet engine, both ought to abide by the servlet spec and such, so isn't the Weblogic-oriented module usable with Tomcat ? Or is this too much of a rosy view of the world ? Anyway, the only other thing that comes to mind is, since you seem to be an OAM customer, can you not ask the OAM support people if OAM sets the internal Apache user-id or not ? Hi, I'll answer the last question first: We have asked, but they don't support integration with Tomcat out-of-the-box. That was why I've been looking into it for our organization. Ok. But the question here is different : you are not asking if they support Tomcat. What you are asking is if OAM can set the Apache internal user-id, once the user is authenticated by OAM. 
The situation is the same as if you had to support, say, some legacy Apache-based application, and this Apache-based application needs the user-id, and it normally gets it from Apache. For example, imagine that your organisation has some pre-existing content-management system based on Apache and Perl. Now you purchase OAM as a global SSO mechanism, and you want to use OAM to authenticate the users for your content-management application. For that, the easiest way is for OAM to just set the Apache user-id, because then you don't have to change anything to your existing application. Hi, I didn't say anything about it before, but I've been, in parallel with our discussion, mucking around both the OAM innards and the Apache source code, as best I can, trying to find out why that internal remote_user string (it is, I believe, only internal to Apache), to see why it isn't being set. Notice also that I said remote_user string, rather than remote_user variable. The reason is that, in looking through the Apache source code, I haven't (yet) been able to find a variable like that. Rather, it looks like the Apache code just dumps the string representing the user into some buffer that its building to send out via AJP protocol. On the OAM side, I haven't been able to find any configuration tweaks that would make their webagent populate (or not populate) whatever data structure inside of Apache either. I may or may not decide to try to bug Oracle about why their webagent doesn't do appear to do that. Probably not though, as in the past, it's hard to find someone who knows their stuff well enough to answer such an esoteric question. Plus, the valve seems to work at the moment. Having said that, and having started to work more with my valve code, I do have a more on-topic question for you and for the list, in general. To recall, my test Tomcat is pretty much vanilla, including the default realm that uses the tomcat-users.xml. 
Earlier, you and Chuck said that when my valve code asserts a user into Tomcat (e.g., via the setUserPrincipal()), that that asserted user didn't have to even be in the Tomcat realm. I'm finding that that part does work as we've discussed, but the question that I have is what roles in Tomcat would that user have (in Tomcat)? In my testing, and as I've mucked around with my valve code, I found that I could assert not only a user, but it looks like I can also assert that user's roles in Tomcat. And, I can even assert roles that don't exist in the realm!! In other words, suppose my valve gets a request with a userID of foobar. Then, it appears that my valve code can not only assert the foobar user into Tomcat, but can also assert that the foobar user has roles foobarRole1 and foobarRole2, EVEN when those
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
oh...@cox.net wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using that ? It seems like they should have one, but, unfortunately, they don't. Mmm. Browsing the documentation, I seem to remember seeing something about Weblogic, no ? Is that not usable ? (As an aside, send your messages only to the list. I get all messages to the list anyway, so if you send them to me too, I get them twice). Hi, Sorry about the emails. Yes, they do support integrating with WebLogic, and we do use that for other cases, but that's probably a bit off-topic here. We don't mind the competition here. Keeps us on our toes. Just kidding. What I meant to ask (me being the not-so-Java specialist see) was, since Weblogic is a servlet engine, and Tomcat is a servlet engine, both ought to abide by the servlet spec and such, so isn't the Weblogic-oriented module usable with Tomcat ? Or is this too much of a rosy view of the world ? Anyway, the only other thing that comes to mind is, since you seem to be an OAM customer, can you not ask the OAM support people if OAM sets the internal Apache user-id or not ? Hi, I'll answer the last question first: We have asked, but they don't support integration with Tomcat out-of-the-box. That was why I've been looking into it for our organization. Ok. But the question here is different : you are not asking if they support Tomcat. What you are asking is if OAM can set the Apache internal user-id, once the user is authenticated by OAM. 
The situation is the same as if you had to support, say, some legacy Apache-based application, and this Apache-based application needs the user-id, and it normally gets it from Apache. For example, imagine that your organisation has some pre-existing content-management system based on Apache and Perl. Now you purchase OAM as a global SSO mechanism, and you want to use OAM to authenticate the users for your content-management application. For that, the easiest way is for OAM to just set the Apache user-id, because then you don't have to change anything to your existing application. Hi, I didn't say anything about it before, but I've been, in parallel with our discussion, mucking around both the OAM innards and the Apache source code, as best I can, trying to find out why that internal remote_user string (it is, I believe, only internal to Apache), to see why it isn't being set. Notice also that I said remote_user string, rather than remote_user variable. The reason is that, in looking through the Apache source code, I haven't (yet) been able to find a variable like that. Rather, it looks like the Apache code just dumps the string representing the user into some buffer that its building to send out via AJP protocol. On the OAM side, I haven't been able to find any configuration tweaks that would make their webagent populate (or not populate) whatever data structure inside of Apache either. I may or may not decide to try to bug Oracle about why their webagent doesn't do appear to do that. Probably not though, as in the past, it's hard to find someone who knows their stuff well enough to answer such an esoteric question. Plus, the valve seems to work at the moment. Having said that, and having started to work more with my valve code, I do have a more on-topic question for you and for the list, in general. To recall, my test Tomcat is pretty much vanilla, including the default realm that uses the tomcat-users.xml. 
Earlier, you and Chuck said that when my valve code asserts a user into Tomcat (e.g., via the setUserPrincipal()), that that asserted user didn't have to even be in the Tomcat realm. I'm finding that that part does work as we've discussed, but the question that I have is what roles in Tomcat would that user have (in Tomcat)? In my testing, and as I've mucked around with my valve code, I found that I could assert not only a user, but it looks like I can also assert that user's roles in Tomcat. And, I can even assert roles that don't exist in the realm!! In other words, suppose my valve gets a request with a userID of foobar. Then, it appears that my valve code
Re: Do any of the Tomcat LDAP-type realms support no password authentication?
Hi,

I didn't say anything about it before, but I've been, in parallel with our discussion, mucking around both the OAM innards and the Apache source code, as best I can, trying to find out why that internal remote_user string (it is, I believe, only internal to Apache), to see why it isn't being set.

Notice also that I said remote_user string, rather than remote_user variable. The reason is that, in looking through the Apache source code, I haven't (yet) been able to find a variable like that. Rather, it looks like the Apache code just dumps the string representing the user into some buffer that it's building to send out via AJP protocol.

On the OAM side, I haven't been able to find any configuration tweaks that would make their webagent populate (or not populate) whatever data structure inside of Apache either. I may or may not decide to try to bug Oracle about why their webagent doesn't appear to do that. Probably not though, as in the past, it's hard to find someone who knows their stuff well enough to answer such an esoteric question. Plus, the valve seems to work at the moment.

Having said that, and having started to work more with my valve code, I do have a more on-topic question for you and for the list, in general.

To recall, my test Tomcat is pretty much vanilla, including the default realm that uses the tomcat-users.xml.

Earlier, you and Chuck said that when my valve code asserts a user into Tomcat (e.g., via the setUserPrincipal()), that that asserted user didn't have to even be in the Tomcat realm. I'm finding that that part does work as we've discussed, but the question that I have is what roles in Tomcat would that user have (in Tomcat)?

In my testing, and as I've mucked around with my valve code, I found that I could assert not only a user, but it looks like I can also assert that user's roles in Tomcat. And, I can even assert roles that don't exist in the realm!!

In other words, suppose my valve gets a request with a userID of foobar. Then, it appears that my valve code can not only assert the foobar user into Tomcat, but can also assert that the foobar user has roles foobarRole1 and foobarRole2, EVEN when those roles don't exist/aren't defined in the Tomcat realm.

Is this correct?

If it is, I may have a problem. Let me explain:

My original plan/thought/idea/thinking was that if I could get my valve code to assert the user into Tomcat as a principal in the Tomcat environment, then, at least to Tomcat itself, that user/principal would pick up the roles that that user would have within the Tomcat realm. In other words, if I asserted foobar into Tomcat, and if there was already a user named foobar in the Tomcat realm, that then the asserted user would have all of the roles within Tomcat that he/she should have, via the realm.

However, that doesn't appear to be the case :(.

Rather it appears that even if the user that I'm asserting actually exists in the Tomcat realm, after my valve asserts the user into Tomcat, the user doesn't appear to have any roles in Tomcat. I'm using the security example app in the /examples that comes with Tomcat to check if Tomcat 'believes' that the asserted user has a role.

In other words, even though my valve code can assert a user into Tomcat, and even if that same user already exists in the Tomcat realm, the asserted user seems to be 'disassociated' from the same user in the Tomcat realm? I'm not sure if I'm explaining that clearly, but let me know?

Here's an example: In tomcat-users.xml, I have a user, 0test with role manager-gui. I send a header into my valve with userID 0test, and it asserts the 0test user into Tomcat. Then I go to the Tomcat security example app, and I search for role of manager-gui, and the app tells me that user 0test has not been granted the manager-gui role.

So the question that I really have here is: Can I connect the user that my valve asserts into Tomcat with the corresponding user in the Tomcat realm (so that the asserted user can have all of the roles in Tomcat that he/she should have)?

Thanks,
Jim

Hi,

I just found the following, which seems to confirm what I'm finding with asserted users, as described above:
http://wiki.oss-watch.ac.uk/ShibbolethTomcatIntegration

Note where it says:

This requires that any access to /jsp-examples/snp/* be authenticated to any of the roles declared to Tomcat elsewhere in the web.xml file. The problem with this when receiving authentication information from Apache httpd via mod_jk is that we have not found any way to associate role membership with the
RE: Do any of the Tomcat LDAP-type realms support no password authentication?
From: oh...@cox.net [mailto:oh...@cox.net]
Subject: Re: Do any of the Tomcat LDAP-type realms support no password authentication?

> In other words, even though my valve code can assert a user into Tomcat, and even if that same user already exists in the Tomcat realm, the asserted user seems to be 'disassociated' from the same user in the Tomcat realm?

Need to get some terminology correct here. A Realm does not normally contain users, roles, or any other authentication or authorization _data_; rather, it is a Java class that embodies rules for examining the credentials supplied by a login attempt and comparing them to credentials and roles stored in some external location. By default (and never meant to be used in production), the external location is the file tomcat-users.xml, and the Realm is UserDatabaseRealm (augmented by LockOutRealm to discourage probing). Several other Realm classes are supplied with Tomcat, to allow access to credentials from LDAP servers, relational databases, JAAS, etc.

I think what you need is essentially a Realm that does no authentication of its own (trusting httpd to do that), but does perform the authorization function. It can then map the userid to whatever set of roles are appropriate for that user, and return the appropriate response when queried. See the doc for details: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

It would seem likely that someone out there has written a Realm that performs the above functions in conjunction with httpd authentication.

(Note: you keep using the word Apache - which is a software organization with many products - when you're referring to httpd, a specific Apache product, as is Tomcat.)

- Chuck
RE: Do any of the Tomcat LDAP-type realms support no password authentication?
Caldarale wrote:
> From: oh...@cox.net [mailto:oh...@cox.net]
> Subject: Re: Do any of the Tomcat LDAP-type realms support no password authentication?
>
> > In other words, even though my valve code can assert a user into Tomcat, and even if that same user already exists in the Tomcat realm, the asserted user seems to be 'disassociated' from the same user in the Tomcat realm?
>
> Need to get some terminology correct here. A Realm does not normally contain users, roles, or any other authentication or authorization _data_; rather, it is a Java class that embodies rules for examining the credentials supplied by a login attempt and comparing them to credentials and roles stored in some external location. By default (and never meant to be used in production), the external location is the file tomcat-users.xml, and the Realm is UserDatabaseRealm (augmented by LockOutRealm to discourage probing). Several other Realm classes are supplied with Tomcat, to allow access to credentials from LDAP servers, relational databases, JAAS, etc.
>
> I think what you need is essentially a Realm that does no authentication of its own (trusting httpd to do that), but does perform the authorization function. It can then map the userid to whatever set of roles are appropriate for that user, and return the appropriate response when queried. See the doc for details: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
>
> It would seem likely that someone out there has written a Realm that performs the above functions in conjunction with httpd authentication.
>
> (Note: you keep using the word Apache - which is a software organization with many products - when you're referring to httpd, a specific Apache product, as is Tomcat.)
>
> - Chuck

Hi Chuck,

Corrections understood, and I'll try to be more careful.

As you point out, and as I mentioned earlier in the thread, it seems like I've come all the way around to the original subject: "...Tomcat LDAP-type realms support no password authentication?". I've been and still am looking around for something like that, but haven't found it yet.

I'm still puzzled by something though. Even if I did find (or implement) a realm that was a no-password realm, how do I tie the two pieces that I end up with, the valve and the no-password realm, together? In other words, I can pull the userID from the incoming header in the valve, but then I think that the valve code needs to authenticate against the no-password realm. Is that correct? And, if so, how to do that? I've been looking for a way (API?) to programmatically authenticate the user against Tomcat, so that I could add that into my valve code, but haven't been able to find anything yet.

Thanks, Jim
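One way to tie the two pieces together, as an added example that is not code from this thread or from Tomcat itself: a Realm in the shape Chuck describes (no authentication of its own, only user id to roles), and a Valve that asks the Context's Realm for the Principal instead of building a bare one. It assumes the Tomcat 7 API (ValveBase, RealmBase, GenericPrincipal, Realm.authenticate); the header name and the hard-coded role map are placeholders standing in for httpd's configuration and an LDAP or JDBC lookup.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.catalina.valves.ValveBase;

// --- HeaderAssertedRealm.java: no authentication of its own, only user id -> roles ---
public class HeaderAssertedRealm extends RealmBase {
    // Constructed sample data standing in for an LDAP or JDBC lookup.
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static { ROLES.put("0test", Arrays.asList("manager-gui")); }
    @Override protected String getName() { return "HeaderAssertedRealm"; }
    @Override protected String getPassword(String username) { return null; } // holds no credentials
    // RealmBase.hasRole() only recognises GenericPrincipal, so the roles must be attached here.
    @Override protected Principal getPrincipal(String username) {
        List<String> roles = ROLES.get(username);
        return roles == null ? null : new GenericPrincipal(username, null, roles);
    }
    // Credentials are ignored: httpd already authenticated the user.
    @Override public Principal authenticate(String username, String credentials) {
        return getPrincipal(username);
    }
}

// --- HeaderAssertedValve.java: turns the header user id into a Realm-backed Principal ---
public class HeaderAssertedValve extends ValveBase {
    private static final String USER_HEADER = "X-Remote-User"; // placeholder header name
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String user = request.getHeader(USER_HEADER);
        // Honour the header only on the AJP connector httpd talks to (keep that port reachable
        // only from httpd); a client hitting the HTTP connector directly could otherwise
        // assert any user id it likes.
        if (user != null && request.getConnector().getProtocol().startsWith("AJP")) {
            Principal p = getContainer().getRealm().authenticate(user, null);
            if (p != null) {
                request.setUserPrincipal(p);   // now carries the roles from the Realm
                request.setAuthType("HEADER");
            }
        }
        getNext().invoke(request, response);
    }
}
```

Each class goes in its own file and is declared in the Context (context.xml) by fully qualified class name as the `<Realm>` and a `<Valve>`; the examples app's isUserInRole check then sees the roles because the Principal came from the Realm rather than from a bare setUserPrincipal().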