Re: Apache authentication information (remoteuser) not visible in Tomcat
Hi Rainer, Thanks for the response. I should have thought of testing the relevant methods in a simpler servlet. This has revealed the following: If I turn off the SSL requirement in my application's web.xml (i.e., in the security constraint of web.xml), request.getRemoteUser() works fine. As soon as I flip it back on (by adding CONFIDENTIAL), I get null as before. I need to have tomcat working over SSL with the client. Is there I way I can get it to trust the information its obtained from the apache web-server via AJP? Thanks, Omar Rainer Jung wrote: Hi Omar, Omar Nafees schrieb: request.getRemoteUser() returns null in my servlet. request.getAttribute("REMOTE_USER") also returns null. I have even checked the headers that are being sent to the AJP connector in Tomcat. request.getRemoteUser() works for me (mod_jk 1.2.25 and TC 5.5.23) 1) remove the JkEnvVar REMOTE_USER. It's not an Apache environment variable, and it will be forwarded by mod_jk automatically 2) Set log level to debug in a dev system. The request should produce a line similar to [Sun Aug 26 01:12:03.482 2007] [27669:0] [debug] init_ws_service::mod_jk.c (782): Service protocol=HTTP/1.1 method=GET host=(null) addr=127.0.0.1 name=fraxinus.entenhausen.zz port=8080 auth=Basic user=jung laddr=127.0.0.1 raddr=127.0.0.1 uri=/auth.jsp Here you can see, that mod_jk found Basic authentication and User "jung" in the Apache repesentation of the request. Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via mod_jk-ap2-1.2.23 on FreeBSD 6.2 Snippet of AJP13 header: ... 01d0 35 4f 44 41 32 4e 7a 67 3d 00 a0 08 00 01 30 00 5ODA2Nzg =.0. 01e0 03 00 08 6f 6d 6e 61 66 65 65 73 00 04 00 05 42 ...omnaf eesB 01f0 61 73 69 63 00 0a 00 0b 52 45 4d 4f 54 45 5f 55 asic REMOTE_U 0200 53 45 52 00 00 08 6f 6d 6e 61 66 65 65 73 00 ff SER...om nafees.. Starting from 01e0 we have "03" for "remote_user", then "0008" for 8 Bytes, then the name of the remote user "omnafees" and a terminating "00", then "04" for authentication type, "0005" for length 5, and "Basic" as the authentication type. That looks fine! How do I get Tomcat servlet to read remote user as sent above?? Looks good to me. Try with a very simple servlet first. Maybe put in in the root context to isolate it from alle complex things in your webapp: User: <%=request.getRemoteUser() %> Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache authentication information (remoteuser) not visible in Tomcat
Hi Omar, Omar Nafees schrieb: > request.getRemoteUser() returns null in my servlet. > request.getAttribute("REMOTE_USER") also returns null. I have even > checked the headers that are being sent to the AJP connector in Tomcat. > request.getRemoteUser() works for me (mod_jk 1.2.25 and TC 5.5.23) 1) remove the JkEnvVar REMOTE_USER. It's not an Apache environment variable, and it will be forwarded by mod_jk automatically 2) Set log level to debug in a dev system. The request should produce a line similar to [Sun Aug 26 01:12:03.482 2007] [27669:0] [debug] init_ws_service::mod_jk.c (782): Service protocol=HTTP/1.1 method=GET host=(null) addr=127.0.0.1 name=fraxinus.entenhausen.zz port=8080 auth=Basic user=jung laddr=127.0.0.1 raddr=127.0.0.1 uri=/auth.jsp Here you can see, that mod_jk found Basic authentication and User "jung" in the Apache repesentation of the request. > Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via > mod_jk-ap2-1.2.23 on FreeBSD 6.2 > > > Snippet of AJP13 header: > ... > 01d0 35 4f 44 41 32 4e 7a 67 3d 00 a0 08 00 01 30 00 5ODA2Nzg =.0. > 01e0 03 00 08 6f 6d 6e 61 66 65 65 73 00 04 00 05 42 ...omnaf eesB > 01f0 61 73 69 63 00 0a 00 0b 52 45 4d 4f 54 45 5f 55 asic REMOTE_U > 0200 53 45 52 00 00 08 6f 6d 6e 61 66 65 65 73 00 ff SER...om nafees.. Starting from 01e0 we have "03" for "remote_user", then "0008" for 8 Bytes, then the name of the remote user "omnafees" and a terminating "00", then "04" for authentication type, "0005" for length 5, and "Basic" as the authentication type. That looks fine! > How do I get Tomcat servlet to read remote user as sent above?? > > enableLookups="false" redirectPort="8443" > protocol="AJP/1.3" tomcatAuthentication="false" /> Looks good to me. Try with a very simple servlet first. Maybe put in in the root context to isolate it from alle complex things in your webapp: User: <%=request.getRemoteUser() %> Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache authentication information (remoteuser) not visible in Tomcat
some use to you. We also have Apache over top of Tomcat in our environment and found it necessary to configure authentication both in Apache and in Tomcat to get things to work properly. Robert Segal Tools Developer CryptoLogic Inc. 55 St. Clair Ave W., 3rd Floor Toronto, Ontario Canada M4V 2Y7 tel. + 1.416.545.1455 x5896 fax. + 1.416.545.1454 This message, including any attachments, is confidential and/or privileged and contains information intended only for the person(s) named above. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply email and permanently delete the original transmission from all of your systems and hard drives, including any attachments, without making a copy. -Original Message- From: Omar Nafees [mailto:[EMAIL PROTECTED] Sent: Friday, August 24, 2007 2:30 PM To: Tomcat Users List Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat Thanks for the response Christopher... although I had very early on, already tried what is suggested in the link you have referred to, i.e., setting tomcatAuthentication="false" in the appropriate server.xml line (see the config listing I produced earlier in the thread). Oh I hope its not some obscure bug in mod_jk!! :) Thanks, Omar - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache authentication information (remoteuser) not visible in Tomcat
he original transmission from all of your systems and hard drives, including any attachments, without making a copy. -----Original Message----- From: Omar Nafees [mailto:[EMAIL PROTECTED] Sent: Friday, August 24, 2007 2:30 PM To: Tomcat Users List Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat Thanks for the response Christopher... although I had very early on, already tried what is suggested in the link you have referred to, i.e., setting tomcatAuthentication="false" in the appropriate server.xml line (see the config listing I produced earlier in the thread). Oh I hope its not some obscure bug in mod_jk!! :) Thanks, Omar Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Omar, Omar Nafees wrote: request.getRemoteUser() returns null in my servlet. request.getAttribute("REMOTE_USER") also returns null. I have even checked the headers that are being sent to the AJP connector in Tomcat. This is a FAQ. The answer is easily findable in the archives: http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGzxDY9CaO5/Lv0PARAi0fAKC+7Rb+k5E3fEPFGhhiXvXumpz9QwCgwgss OPTfCFM5pLAQ0jH0i+BCkis= =+c/H -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __ - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Regards Gabriel Wong Beyond Private JVM JAVA Hosting http://www.webappcabaret.com - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache authentication information (remoteuser) not visible in Tomcat
Thank you for the tips David. The JkEnvVar was just a shot at passing the REMOTE_USER explicitly. I read about it in one of the mod_jk documents. I was unable to get this to work without it either. Oh and my apologies for a cluttered server.xml on the list. I have restarted tomcat and apache several times. I was actually trying to get it to work with tomcat 6.0 and switched to 5.5 to see if that would make a difference. I've also tried to get this to work with apache 1.3 to no avail. I now suspect mod_jk itself... May I ask what versions of each software you are using? What form of Apache authentication are you using (some in house authorization software)? Did you first test your setup with Apache's Basic authentication? Sorry for the many questions - but I'd like to know what you've done differently as I'd like to be where you are with this right now =) Thanks, Omar David Smith wrote: Hi. I'm in the same boat as you in using an apache httpd module to authenticate users and have had it working for a few years now. Your configuration looked good as far as I could tell. Here are a couple of suggestions though. 1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your apache config. I've never used it and have what you are working on working flawlessly. 2. Drop all those documenting comments and example configuration from your server.xml. You could make a copy of it named server.xml.original if you want. The commented parts are excellent documentation, but hamper readability of the active parts. 3. Restart Tomcat. I'm not sure if you restarted after you added tomcatAuthentication="false" to the connector, but it needs to happen. --David Omar Nafees wrote: Hi Robert, Thanks for the response. So I've come to believe that its possible to avoid using Tomcat authentication altogether, i.e., without specifying realms and using tomcat user/roles in an application's web.xml. Given my context (a University environment with over several hundreds of students hitting an apache web server and a small subset needing tomcat), I need to completely separate authentication from the Tomcat server. I guess this approach of using JNDI or even JAAS is a last resort... but I would really like to see what everyone else seems to have already accomplished - the REMOTE_USER variable being read from the first AJP header that is sent to tomcat. Thanks, Omar Robert Segal wrote: Omar I actually had this exact same problem early today although I'm sure my environment is slightly different from your perhaps I can offer some help. In my case I have LDAP authentication configured for my servlet. I believe this step should be the same regardless of the authentication scheme you are using First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define roles and constraints for what pages can be accessed... BASIC GRP-myGroup my Authentication /* GRP-myGroup The other file I change sets up all the LDAP machine details. I've placed it in Context.xml because there are several servlets that make use of this authentication... $CATALINA_HOME/conf/Context.xml ldap://ldapMachine:3268"; connectionName="CRYPTOLOGIC\myUser" connectionPassword="myPassword" userBase ="dc=myDomain,dc=com" userSearch="(sAMAccountName={0})" userSubtree ="true" userRoleName ="memberOf" roleBase ="OU=Groups,DC=myDomain,DC=com" roleSubtree="false" roleName ="cn" roleSearch ="(member={0})"/> This has worked for me. Hope it is of some use to you. We also have Apache over top of Tomcat in our environment and found it necessary to configure authentication both in Apache and in Tomcat to get things to work properly. Robert Segal Tools Developer CryptoLogic Inc. 55 St. Clair Ave W., 3rd Floor Toronto, Ontario Canada M4V 2Y7 tel. + 1.416.545.1455 x5896 fax. + 1.416.545.1454 This message, including any attachments, is confidential and/or privileged and contains information intended only for the person(s) named above. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply email and permanently delete the original transmission from all of your systems and hard drives, including any attachments, without making a copy. -----Original Message- From: Omar Nafees [mailto:[EMAIL PROTECTED] Sent: Friday, August 24, 2007 2:30 PM To: Tomcat Users List Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat Thank
Re: Apache authentication information (remoteuser) not visible in Tomcat
Hi. I'm in the same boat as you in using an apache httpd module to authenticate users and have had it working for a few years now. Your configuration looked good as far as I could tell. Here are a couple of suggestions though. 1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your apache config. I've never used it and have what you are working on working flawlessly. 2. Drop all those documenting comments and example configuration from your server.xml. You could make a copy of it named server.xml.original if you want. The commented parts are excellent documentation, but hamper readability of the active parts. 3. Restart Tomcat. I'm not sure if you restarted after you added tomcatAuthentication="false" to the connector, but it needs to happen. --David Omar Nafees wrote: Hi Robert, Thanks for the response. So I've come to believe that its possible to avoid using Tomcat authentication altogether, i.e., without specifying realms and using tomcat user/roles in an application's web.xml. Given my context (a University environment with over several hundreds of students hitting an apache web server and a small subset needing tomcat), I need to completely separate authentication from the Tomcat server. I guess this approach of using JNDI or even JAAS is a last resort... but I would really like to see what everyone else seems to have already accomplished - the REMOTE_USER variable being read from the first AJP header that is sent to tomcat. Thanks, Omar Robert Segal wrote: Omar I actually had this exact same problem early today although I'm sure my environment is slightly different from your perhaps I can offer some help. In my case I have LDAP authentication configured for my servlet. I believe this step should be the same regardless of the authentication scheme you are using First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define roles and constraints for what pages can be accessed... BASIC GRP-myGroup my Authentication /* GRP-myGroup The other file I change sets up all the LDAP machine details. I've placed it in Context.xml because there are several servlets that make use of this authentication... $CATALINA_HOME/conf/Context.xml ldap://ldapMachine:3268"; connectionName="CRYPTOLOGIC\myUser" connectionPassword="myPassword" userBase ="dc=myDomain,dc=com" userSearch="(sAMAccountName={0})" userSubtree ="true" userRoleName ="memberOf" roleBase ="OU=Groups,DC=myDomain,DC=com" roleSubtree="false" roleName ="cn" roleSearch ="(member={0})"/> This has worked for me. Hope it is of some use to you. We also have Apache over top of Tomcat in our environment and found it necessary to configure authentication both in Apache and in Tomcat to get things to work properly. Robert Segal Tools Developer CryptoLogic Inc. 55 St. Clair Ave W., 3rd Floor Toronto, Ontario Canada M4V 2Y7 tel. + 1.416.545.1455 x5896 fax. + 1.416.545.1454 This message, including any attachments, is confidential and/or privileged and contains information intended only for the person(s) named above. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply email and permanently delete the original transmission from all of your systems and hard drives, including any attachments, without making a copy. -Original Message----- From: Omar Nafees [mailto:[EMAIL PROTECTED] Sent: Friday, August 24, 2007 2:30 PM To: Tomcat Users List Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat Thanks for the response Christopher... although I had very early on, already tried what is suggested in the link you have referred to, i.e., setting tomcatAuthentication="false" in the appropriate server.xml line (see the config listing I produced earlier in the thread). Oh I hope its not some obscure bug in mod_jk!! :) Thanks, Omar Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Omar, Omar Nafees wrote: request.getRemoteUser() returns null in my servlet. request.getAttribute("REMOTE_USER") also returns null. I have even checked the headers that are being sent to the AJP connector in Tomcat. This is a FAQ. The answer is easily findable in the archives: http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DB
Re: Apache authentication information (remoteuser) not visible in Tomcat
Hi Robert, Thanks for the response. So I've come to believe that its possible to avoid using Tomcat authentication altogether, i.e., without specifying realms and using tomcat user/roles in an application's web.xml. Given my context (a University environment with over several hundreds of students hitting an apache web server and a small subset needing tomcat), I need to completely separate authentication from the Tomcat server. I guess this approach of using JNDI or even JAAS is a last resort... but I would really like to see what everyone else seems to have already accomplished - the REMOTE_USER variable being read from the first AJP header that is sent to tomcat. Thanks, Omar Robert Segal wrote: Omar I actually had this exact same problem early today although I'm sure my environment is slightly different from your perhaps I can offer some help. In my case I have LDAP authentication configured for my servlet. I believe this step should be the same regardless of the authentication scheme you are using First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define roles and constraints for what pages can be accessed... BASIC GRP-myGroup my Authentication /* GRP-myGroup The other file I change sets up all the LDAP machine details. I've placed it in Context.xml because there are several servlets that make use of this authentication... $CATALINA_HOME/conf/Context.xml ldap://ldapMachine:3268"; connectionName="CRYPTOLOGIC\myUser" connectionPassword="myPassword" userBase ="dc=myDomain,dc=com" userSearch="(sAMAccountName={0})" userSubtree ="true" userRoleName ="memberOf" roleBase ="OU=Groups,DC=myDomain,DC=com" roleSubtree="false" roleName ="cn" roleSearch ="(member={0})"/> This has worked for me. Hope it is of some use to you. We also have Apache over top of Tomcat in our environment and found it necessary to configure authentication both in Apache and in Tomcat to get things to work properly. Robert Segal Tools Developer CryptoLogic Inc. 55 St. Clair Ave W., 3rd Floor Toronto, Ontario Canada M4V 2Y7 tel. + 1.416.545.1455 x5896 fax. + 1.416.545.1454 This message, including any attachments, is confidential and/or privileged and contains information intended only for the person(s) named above. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply email and permanently delete the original transmission from all of your systems and hard drives, including any attachments, without making a copy. -Original Message----- From: Omar Nafees [mailto:[EMAIL PROTECTED] Sent: Friday, August 24, 2007 2:30 PM To: Tomcat Users List Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat Thanks for the response Christopher... although I had very early on, already tried what is suggested in the link you have referred to, i.e., setting tomcatAuthentication="false" in the appropriate server.xml line (see the config listing I produced earlier in the thread). Oh I hope its not some obscure bug in mod_jk!! :) Thanks, Omar Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Omar, Omar Nafees wrote: request.getRemoteUser() returns null in my servlet. request.getAttribute("REMOTE_USER") also returns null. I have even checked the headers that are being sent to the AJP connector in Tomcat. This is a FAQ. The answer is easily findable in the archives: http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGzxDY9CaO5/Lv0PARAi0fAKC+7Rb+k5E3fEPFGhhiXvXumpz9QwCgwgss OPTfCFM5pLAQ0jH0i+BCkis= =+c/H -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __ - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache authentication information (remoteuser) not visible in Tomcat
Hi Robert, Thanks for the response. So I've come to believe that its possible to avoid using Tomcat authentication altogether, i.e., without specifying realms and using tomcat user/roles in an application's web.xml. Given my context (a University environment with over several hundreds of students hitting an apache web server and a small subset needing tomcat), I need to completely separate authentication from the Tomcat server. I guess this approach of using JNDI or even JAAS is a last resort... but I would really like to see what everyone else seems to have already accomplished - the REMOTE_USER variable being read from the first AJP header that is sent to tomcat. Thanks, Omar Robert Segal wrote: Omar I actually had this exact same problem early today although I'm sure my environment is slightly different from your perhaps I can offer some help. In my case I have LDAP authentication configured for my servlet. I believe this step should be the same regardless of the authentication scheme you are using First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define roles and constraints for what pages can be accessed... BASIC GRP-myGroup my Authentication /* GRP-myGroup The other file I change sets up all the LDAP machine details. I've placed it in Context.xml because there are several servlets that make use of this authentication... $CATALINA_HOME/conf/Context.xml ldap://ldapMachine:3268"; connectionName="CRYPTOLOGIC\myUser" connectionPassword="myPassword" userBase ="dc=myDomain,dc=com" userSearch="(sAMAccountName={0})" userSubtree ="true" userRoleName ="memberOf" roleBase ="OU=Groups,DC=myDomain,DC=com" roleSubtree="false" roleName ="cn" roleSearch ="(member={0})"/> This has worked for me. Hope it is of some use to you. We also have Apache over top of Tomcat in our environment and found it necessary to configure authentication both in Apache and in Tomcat to get things to work properly. Robert Segal Tools Developer CryptoLogic Inc. 55 St. Clair Ave W., 3rd Floor Toronto, Ontario Canada M4V 2Y7 tel. + 1.416.545.1455 x5896 fax. + 1.416.545.1454 This message, including any attachments, is confidential and/or privileged and contains information intended only for the person(s) named above. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply email and permanently delete the original transmission from all of your systems and hard drives, including any attachments, without making a copy. -Original Message----- From: Omar Nafees [mailto:[EMAIL PROTECTED] Sent: Friday, August 24, 2007 2:30 PM To: Tomcat Users List Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat Thanks for the response Christopher... although I had very early on, already tried what is suggested in the link you have referred to, i.e., setting tomcatAuthentication="false" in the appropriate server.xml line (see the config listing I produced earlier in the thread). Oh I hope its not some obscure bug in mod_jk!! :) Thanks, Omar Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Omar, Omar Nafees wrote: request.getRemoteUser() returns null in my servlet. request.getAttribute("REMOTE_USER") also returns null. I have even checked the headers that are being sent to the AJP connector in Tomcat. This is a FAQ. The answer is easily findable in the archives: http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGzxDY9CaO5/Lv0PARAi0fAKC+7Rb+k5E3fEPFGhhiXvXumpz9QwCgwgss OPTfCFM5pLAQ0jH0i+BCkis= =+c/H -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __ - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Apache authentication information (remoteuser) not visible in Tomcat
Omar I actually had this exact same problem early today although I'm sure my environment is slightly different from your perhaps I can offer some help. In my case I have LDAP authentication configured for my servlet. I believe this step should be the same regardless of the authentication scheme you are using First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define roles and constraints for what pages can be accessed... BASIC GRP-myGroup my Authentication /* GRP-myGroup The other file I change sets up all the LDAP machine details. I've placed it in Context.xml because there are several servlets that make use of this authentication... $CATALINA_HOME/conf/Context.xml ldap://ldapMachine:3268"; connectionName="CRYPTOLOGIC\myUser" connectionPassword="myPassword" userBase ="dc=myDomain,dc=com" userSearch="(sAMAccountName={0})" userSubtree ="true" userRoleName ="memberOf" roleBase ="OU=Groups,DC=myDomain,DC=com" roleSubtree="false" roleName ="cn" roleSearch ="(member={0})"/> This has worked for me. Hope it is of some use to you. We also have Apache over top of Tomcat in our environment and found it necessary to configure authentication both in Apache and in Tomcat to get things to work properly. Robert Segal Tools Developer CryptoLogic Inc. 55 St. Clair Ave W., 3rd Floor Toronto, Ontario Canada M4V 2Y7 tel. + 1.416.545.1455 x5896 fax. + 1.416.545.1454 This message, including any attachments, is confidential and/or privileged and contains information intended only for the person(s) named above. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply email and permanently delete the original transmission from all of your systems and hard drives, including any attachments, without making a copy. -Original Message- From: Omar Nafees [mailto:[EMAIL PROTECTED] Sent: Friday, August 24, 2007 2:30 PM To: Tomcat Users List Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat Thanks for the response Christopher... although I had very early on, already tried what is suggested in the link you have referred to, i.e., setting tomcatAuthentication="false" in the appropriate server.xml line (see the config listing I produced earlier in the thread). Oh I hope its not some obscure bug in mod_jk!! :) Thanks, Omar Christopher Schultz wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Omar, > > Omar Nafees wrote: > >> request.getRemoteUser() returns null in my servlet. >> request.getAttribute("REMOTE_USER") also returns null. I have even >> checked the headers that are being sent to the AJP connector in Tomcat. >> > > This is a FAQ. The answer is easily findable in the archives: > > http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y > > - -chris > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFGzxDY9CaO5/Lv0PARAi0fAKC+7Rb+k5E3fEPFGhhiXvXumpz9QwCgwgss > OPTfCFM5pLAQ0jH0i+BCkis= > =+c/H > -END PGP SIGNATURE- > > - > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __ - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache authentication information (remoteuser) not visible in Tomcat
Thanks for the response Christopher... although I had very early on, already tried what is suggested in the link you have referred to, i.e., setting tomcatAuthentication="false" in the appropriate server.xml line (see the config listing I produced earlier in the thread). Oh I hope its not some obscure bug in mod_jk!! :) Thanks, Omar Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Omar, Omar Nafees wrote: request.getRemoteUser() returns null in my servlet. request.getAttribute("REMOTE_USER") also returns null. I have even checked the headers that are being sent to the AJP connector in Tomcat. This is a FAQ. The answer is easily findable in the archives: http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGzxDY9CaO5/Lv0PARAi0fAKC+7Rb+k5E3fEPFGhhiXvXumpz9QwCgwgss OPTfCFM5pLAQ0jH0i+BCkis= =+c/H -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache authentication information (remoteuser) not visible in Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Omar, Omar Nafees wrote: > request.getRemoteUser() returns null in my servlet. > request.getAttribute("REMOTE_USER") also returns null. I have even > checked the headers that are being sent to the AJP connector in Tomcat. This is a FAQ. The answer is easily findable in the archives: http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGzxDY9CaO5/Lv0PARAi0fAKC+7Rb+k5E3fEPFGhhiXvXumpz9QwCgwgss OPTfCFM5pLAQ0jH0i+BCkis= =+c/H -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Apache authentication information (remoteuser) not visible in Tomcat
Hello, request.getRemoteUser() returns null in my servlet. request.getAttribute("REMOTE_USER") also returns null. I have even checked the headers that are being sent to the AJP connector in Tomcat. Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via mod_jk-ap2-1.2.23 on FreeBSD 6.2 Snippet of AJP13 header: 0180 6c 61 74 65 00 a0 02 00 07 55 54 46 2d 38 2c 2a late .UTF-8,* 0190 00 00 0a 4b 65 65 70 2d 41 6c 69 76 65 00 00 03 ...Keep- Alive... 01a0 33 30 30 00 a0 06 00 0a 6b 65 65 70 2d 61 6c 69 300. keep-ali 01b0 76 65 00 a0 05 00 22 42 61 73 69 63 20 62 32 31 ve"B asic b21 01c0 75 59 57 5a 6c 5a 58 4d 36 5a 6d 46 79 61 54 67 uYWZlZXM 6ZmFyaTg 01d0 35 4f 44 41 32 4e 7a 67 3d 00 a0 08 00 01 30 00 5ODA2Nzg =.0. 01e0 03 00 08 6f 6d 6e 61 66 65 65 73 00 04 00 05 42 ...omnaf eesB 01f0 61 73 69 63 00 0a 00 0b 52 45 4d 4f 54 45 5f 55 asic REMOTE_U 0200 53 45 52 00 00 08 6f 6d 6e 61 66 65 65 73 00 ff SER...om nafees.. How do I get Tomcat servlet to read remote user as sent above?? Below I reproduce three relevant configuration files: * The mod_jk.conf that is included in apache 2's httpd.conf: ServerName localhost JkMount /webdav ajp13 JkMount /webdav/* ajp13 JkMount /servlets-examples ajp13 JkMount /servlets-examples/* ajp13 JkMount /jsp-examples ajp13 JkMount /jsp-examples/* ajp13 JkMount /balancer ajp13 JkMount /balancer/* ajp13 JkMount /~omnafees ajp13 JkMount /~omnafees/* ajp13 JkMount /tomcat-docs ajp13 JkMount /tomcat-docs/* ajp13 JkMount /submitServer ajp13 JkMount /submitServer/* ajp13 ### Customizations # Where to put jk logs JkLogFile /var/log/mod_jk.log # Set the jk log level [debug/error/info] JkLogLevel error # Select the log format JkLogStampFormat "[%a %b %d %H:%M:%S %Y] " # JkOptions indicate to send SSL KEY SIZE, #JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories # JkRequestLogFormat set the request format JkRequestLogFormat "%b %w %V %T %r" # environment variable? JkEnvVar REMOTE_USER ### Omar's authentication testing AuthType Basic AuthName "By Invitation Only" AuthUserFile /usr/local/etc/apache/passwd/passwords Require valid-user *** *** The worker.properties file: worker.list=ajp13 worker.ajp13.port=8009 worker.ajp13.host=localhost worker.ajp13.type=ajp13 *** *** Tomcat's server.xml: className="org.apache.catalina.mbeans.ServerLifecycleListener" /> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/> keystoreFile="/usr/local/apache-tomcat6.0/conf/ssl/marmosetKeystore" clientAuth="false" sslProtocol="TLS" /> enableLookups="false" redirectPort="8443" protocol="AJP/1.3" tomcatAuthentication="false" /> modJk="/usr/local/libexec/apache2/mod_jk.so" workersConfig="/usr/local/tomcat5.5/conf/jk/workers.properties" jkLog="/var/log/mod_jk.log" jKDebug="error" jkWorker="ajp13" /> - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]