Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?
Hi Andre (and Christopher and Olaf),

I think that that is a good summary of where this is at this point.

Thanks!

Jim

On Saturday, May 16, 2020, 08:23:54 AM EDT, André Warnier (tomcat/perl) wrote:

> In summary, yes, I think you're right in your final conclusion below.
>
> If the tomcat access log shows the authenticated user, it means that
> tomcat got it, and I see no other way than from Apache and through that
> "tomcatAuthentication=false" option of the tomcat AJP connector. And that
> in turn means that, for Apache, this request was authenticated, which in
> turn means that OAM /did/ also set the Apache-internal R->user variable.
>
> The values printed by your Apache cgi-bin script are maybe a bit
> confusing regarding what is going on, because they are the result of a
> different (and parallel) process: when Apache runs a cgi-bin script, it
> does this in a separate child process, and when it creates this process,
> it provides it with an environment. And that is what your cgi-bin script
> is showing (its own environment values). That in this environment,
> Apache creates a "remote-user" variable and populates it with the Apache
> authenticated user-id, is fortuitous but unrelated to the fact that
> Apache+mod_proxy_ajp *also* passes this authenticated user-id via AJP to
> tomcat.
>
> So now indeed, you have to figure out why this tomcat webapp wants the
> browser to retrieve a login page, despite the fact that this access is
> already authenticated. But indeed this is no longer an Apache or a
> tomcat or tomcat Connector issue, it is a webapp logic or configuration
> issue.
>
> On 16.05.2020 08:40, ohaya wrote:
>> Hi,
>>
>> When I configure the OAM protection, they have the ability to configure
>> values that go into HTTP headers (among other things) upon successful
>> authentication (to OAM).
>>
>> I usually test this by protecting /cgi-bin/printenv on the Apache.
>> printenv has this:
>>
>>     ##
>>     ## printenv -- demo CGI program which just prints its environment
>>     ##
>>     use strict;
>>     use warnings;
>>
>>     print "Content-type: text/plain; charset=iso-8859-1\n\n";
>>     foreach my $var (sort(keys(%ENV))) {
>>         my $val = $ENV{$var};
>>         $val =~ s|\n|\\n|g;
>>         $val =~ s|"|\\"|g;
>>         print "${var}=\"${val}\"\n";
>>     }
>>
>> and when I do that test, it does dump out remote_user (among others).
>>
>> Also FYI, I was just looking at the Tomcat localhost_access_log..txt
>> file, and I am seeing lines like:
>>
>>     xx.0.xx.xx - [16/May/2020:06:18:41 +] "GET /xxx/login HTTP/1.1" 302 -
>>
>> where is the username of the user that authenticated to OAM.
>>
>> I am not 100% sure about the format of that log, but does that line say
>> that Tomcat thinks that the user that is logged INTO TOMCAT is that ?
>>
>> If so, then does that mean that I am already passing that user from
>> Apache into Tomcat successfully?
>>
>> If so, I have been thinking that maybe the webapp that I am trying to
>> get logged into (it is Apache Syncope) is not leveraging the
>> authentication mechanisms that are inbuilt in Tomcat?
>>
>> That kind of makes sense, because I know that I didn't have to add that
>> user to the tomcat-users.xml.
>>
>> Finally if that is the case, this is no longer just a Tomcat-related
>> issue.
>>
>> Jim
>>
>> On Friday, May 15, 2020, 09:38:19 AM EDT, Christopher Schultz wrote:
>>> Jim,
>>>
>>> On 5/15/20 08:42, ohaya wrote:
>>>> Yes, I am using Oracle Access Manager (OAM) so we have what they
>>>> call an "OAM webgate" that is integrated with the Apache. That
>>>> webgate automatically populates an HTTP header named "remote_user"
>>>> with the user that OAM authenticated.
>>>>
>>>> So the problem I'm having is trying to figure out how to "integrate"
>>>> that with Tomcat.
>>>
>>> Okay.
>>>
>>>> So we have:
>>>>
>>>> Browser <==> Apache+webgate <==> Tomcat (webapp)
>>>
>>> Good.
>>>
>>> First things first: Do you get your pages from Tomcat, but you aren't
>>> authenticated, or do you get some other kind of error? Sounds like you
>>> see your application, just no authentication.
>>>
>>> If this is your first time doing this, I assume you mean you're trying
>>> to figure out how to get it done, not trying to move a working
>>> configuration from another environment/version to Tomcat 9, right?
>>>
>>> There is nothing in the configuration you have posted so far that
>>> leads me to believe you'll be sending any REMOTE_USER HTTP header to
>>> Tomcat. Apache httpd doesn't (usually) auto-forward anything to
>>> Tomcat. Your OAS module is more likely setting an environment variable
>>> (remote_user) than an HTTP header. But it might be setting a header.
>>> That would be good information to know.
>>>
>>> To send arbitrary headers (etc.) to Tomcat via mod_proxy_ajp, you need
>>> to configure it to do that. Let's take a look at the Tomcat
>>> documentation to see how tomcatAuthentication="false" works.
>>>
>>> Awesome, the documentation says nothing about how to tie into it.
>>> Well, the code says that tomcatAuthentication="false" means that AJP
>>> can accept the REMOTE_USER /request attribute/ which is a special
>>> servlet-thing which isn't the same as a header. So you have to arrange
>>> for mod_proxy_ajp to send your "remote_user" (header or environment
>>> variable) to Tomcat as a request attribute. Here's how to do that.
>>>
>>> According to the mod_proxy_ajp docs:
>>>
>>> "Environment Variables
>>>
>>> Environment variables whose names have the prefix AJP_ are forwarded
>>> to the origin ser
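The Tomcat 9 side of the setup Andre describes, as an added example that is not configuration from the thread: the bare AJP connector that is commonly copied around, beside a hardened one, plus the access log pattern behind the line Jim quotes. It assumes Tomcat 9.0.31 or later (where the AJP connector requires a secret and binds to loopback by default) and uses constructed values (the secret and the user "jdoe").

```xml
<!-- server.xml fragments: added example with illustrative values, not the thread's config -->

<!-- Bare connector as commonly copied around: it listens on every interface, so any
     host that can reach port 8009 may assert an arbitrary remote user, and on Tomcat
     9.0.31 or later it refuses to start because secretRequired defaults to true. -->
<Connector port="8009" protocol="AJP/1.3"
           tomcatAuthentication="false" />

<!-- Hardened connector for the Browser <==> httpd+webgate <==> Tomcat chain:
     - address: only the local httpd (the component that actually authenticated
       the user against OAM) can reach the AJP port;
     - secret: mod_proxy_ajp must present the same shared secret (constructed value);
     - tomcatAuthentication="false": the user httpd authenticated (r->user), which
       mod_proxy_ajp forwards as the AJP remote_user attribute, becomes
       request.getRemoteUser() in the webapp, and Tomcat runs no login of its own.
     Optional: tomcatAuthorization="true" makes Tomcat's Realm supply roles for that
     forwarded user, which then has to exist in the Realm (e.g. tomcat-users.xml). -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME-to-a-long-random-value"
           tomcatAuthentication="false" />

<!-- Default access log valve in the Host. %u is the remote user, so with a
     constructed user "jdoe" the kind of line Jim quotes reads
       xx.0.xx.xx - jdoe [16/May/2020:06:18:41 +0000] "GET /xxx/login HTTP/1.1" 302 -
     i.e. Tomcat did receive "jdoe" as the authenticated user for that request. -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="localhost_access_log" suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b" />
```

The matching httpd side is a single directive, ProxyPass "/app" "ajp://127.0.0.1:8009/app" secret=the-same-value, which needs an httpd new enough to know the secret parameter (2.4.42 or later). No AJP_ environment variable or extra header is needed for the user itself, because mod_proxy_ajp forwards httpd's own authenticated user (r->user) on its own.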