Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-27 Thread Omar Nafees

Hi Rainer,

Thanks for the response. I should have thought of testing the relevant 
methods in a simpler servlet. This has revealed the following:


If I turn off the SSL requirement in my application's web.xml (i.e., in 
the security constraint of web.xml), request.getRemoteUser() works fine. 
As soon as I flip it back on (by adding 
<transport-guarantee>CONFIDENTIAL</transport-guarantee>), 
I get null as before.


I need to have tomcat working over SSL with the client. Is there a way I 
can get it to trust the information it's obtained from the apache 
web-server via AJP?


Thanks,
Omar


Rainer Jung wrote:

Hi Omar,

Omar Nafees wrote:
  

request.getRemoteUser() returns null in my servlet.
request.getAttribute("REMOTE_USER") also returns null. I have even
checked the headers that are being sent to the AJP connector in Tomcat.




request.getRemoteUser() works for me (mod_jk 1.2.25 and TC 5.5.23)
1) remove the JkEnvVar REMOTE_USER. It's not an Apache environment
variable, and it will be forwarded by mod_jk automatically

2) Set log level to debug in a dev system. The request should produce a
line similar to

[Sun Aug 26 01:12:03.482 2007] [27669:0] [debug]
init_ws_service::mod_jk.c (782): Service protocol=HTTP/1.1 method=GET
host=(null) addr=127.0.0.1 name=fraxinus.entenhausen.zz port=8080
auth=Basic user=jung laddr=127.0.0.1 raddr=127.0.0.1 uri=/auth.jsp

Here you can see that mod_jk found Basic authentication and User "jung"
in the Apache representation of the request.

  

Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via
mod_jk-ap2-1.2.23 on FreeBSD 6.2


Snippet of AJP13 header:



...

  

01d0  35 4f 44 41 32 4e 7a 67  3d 00 a0 08 00 01 30 00   5ODA2Nzg =.0.
01e0  03 00 08 6f 6d 6e 61 66  65 65 73 00 04 00 05 42   ...omnaf eesB
01f0  61 73 69 63 00 0a 00 0b  52 45 4d 4f 54 45 5f 55   asic REMOTE_U
0200  53 45 52 00 00 08 6f 6d  6e 61 66 65 65 73 00 ff   SER...om nafees..



Starting from 01e0 we have "03" for "remote_user", then "0008" for 8
Bytes, then the name of the remote user "omnafees" and a terminating
"00", then "04" for authentication type, "0005" for length 5, and
"Basic" as the authentication type. That looks fine!

  

How do I get Tomcat servlet to read remote user as sent above??



  

   
   



Looks good to me.

Try with a very simple servlet first. Maybe put it in the root context
to isolate it from all complex things in your webapp:


User: <%=request.getRemoteUser() %>


Regards,

Rainer


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
  


Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-25 Thread Rainer Jung
Hi Omar,

Omar Nafees wrote:
> request.getRemoteUser() returns null in my servlet.
> request.getAttribute("REMOTE_USER") also returns null. I have even
> checked the headers that are being sent to the AJP connector in Tomcat.
> 

request.getRemoteUser() works for me (mod_jk 1.2.25 and TC 5.5.23)
1) remove the JkEnvVar REMOTE_USER. It's not an Apache environment
variable, and it will be forwarded by mod_jk automatically

2) Set log level to debug in a dev system. The request should produce a
line similar to

[Sun Aug 26 01:12:03.482 2007] [27669:0] [debug]
init_ws_service::mod_jk.c (782): Service protocol=HTTP/1.1 method=GET
host=(null) addr=127.0.0.1 name=fraxinus.entenhausen.zz port=8080
auth=Basic user=jung laddr=127.0.0.1 raddr=127.0.0.1 uri=/auth.jsp

Here you can see that mod_jk found Basic authentication and User "jung"
in the Apache representation of the request.

> Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via
> mod_jk-ap2-1.2.23 on FreeBSD 6.2
> 
> 
> Snippet of AJP13 header:
> 
...

> 01d0  35 4f 44 41 32 4e 7a 67  3d 00 a0 08 00 01 30 00   5ODA2Nzg =.0.
> 01e0  03 00 08 6f 6d 6e 61 66  65 65 73 00 04 00 05 42   ...omnaf eesB
> 01f0  61 73 69 63 00 0a 00 0b  52 45 4d 4f 54 45 5f 55   asic REMOTE_U
> 0200  53 45 52 00 00 08 6f 6d  6e 61 66 65 65 73 00 ff   SER...om nafees..

Starting from 01e0 we have "03" for "remote_user", then "0008" for 8
Bytes, then the name of the remote user "omnafees" and a terminating
"00", then "04" for authentication type, "0005" for length 5, and
"Basic" as the authentication type. That looks fine!

> How do I get Tomcat servlet to read remote user as sent above??

>
>   enableLookups="false" redirectPort="8443"
> protocol="AJP/1.3" tomcatAuthentication="false" />

Looks good to me.

Try with a very simple servlet first. Maybe put it in the root context
to isolate it from all complex things in your webapp:


User: <%=request.getRemoteUser() %>


Regards,

Rainer
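
The attribute walk Rainer describes above, as an added example (not part of the thread, and not mod_jk or Tomcat code): a small Python parser for the AJP13 request-attribute section, run over offsets 01e0-020f of the quoted dump. The function names and the attribute-code table are assumptions based on the published AJP13 packet layout; the thread itself only spells out codes 03 and 04.

```python
import struct

# Optional request attributes of an AJP13 forward-request packet.
# Assumption: table taken from the published AJP13 packet layout; the
# thread only explains 0x03 (remote_user) and 0x04 (auth_type).
ATTRIBUTE_NAMES = {
    0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
    0x04: "auth_type", 0x05: "query_string", 0x06: "route",
    0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
    0x0A: "req_attribute", 0x0B: "ssl_key_size", 0x0C: "secret",
    0x0D: "stored_method",
}
REQ_ATTRIBUTE = 0x0A  # carries a name string followed by a value string
SSL_KEY_SIZE = 0x0B   # carries a two-byte integer instead of a string
ARE_DONE = 0xFF       # terminates the attribute list

# Offsets 01e0-020f of the dump quoted in the thread.
SAMPLE_HEX = """
03 00 08 6f 6d 6e 61 66 65 65 73 00 04 00 05 42
61 73 69 63 00 0a 00 0b 52 45 4d 4f 54 45 5f 55
53 45 52 00 00 08 6f 6d 6e 61 66 65 65 73 00 ff
"""


class AjpParseError(ValueError):
    """Raised when the attribute section is truncated or malformed."""


def sample_bytes():
    """Return the quoted dump as raw bytes."""
    return bytes.fromhex("".join(SAMPLE_HEX.split()))


def _read_u16(buf, pos):
    """Read a big-endian 16-bit integer, checking bounds first."""
    if pos + 2 > len(buf):
        raise AjpParseError("truncated 16-bit field at offset %d" % pos)
    return struct.unpack_from(">H", buf, pos)[0], pos + 2


def _read_string(buf, pos):
    """Read an AJP string: 2-byte length, the bytes, then a 0x00 terminator."""
    length, pos = _read_u16(buf, pos)
    if length == 0xFFFF:          # length -1 encodes a null string, no data
        return None, pos
    end = pos + length
    if end >= len(buf) or buf[end] != 0x00:
        raise AjpParseError("string at offset %d is not 0x00-terminated" % pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_attributes(buf, pos=0):
    """Parse attributes starting at pos.

    Returns (attrs, req_attrs): attrs holds the fixed attributes such as
    remote_user and auth_type, req_attrs the 0x0A name/value pairs.
    """
    attrs, req_attrs = {}, {}
    while True:
        if pos >= len(buf):
            raise AjpParseError("attribute list has no 0xFF terminator")
        code = buf[pos]
        pos += 1
        if code == ARE_DONE:
            return attrs, req_attrs
        if code not in ATTRIBUTE_NAMES:
            raise AjpParseError("unknown attribute code 0x%02x" % code)
        if code == REQ_ATTRIBUTE:
            name, pos = _read_string(buf, pos)
            req_attrs[name], pos = _read_string(buf, pos)
        elif code == SSL_KEY_SIZE:
            attrs[ATTRIBUTE_NAMES[code]], pos = _read_u16(buf, pos)
        else:
            attrs[ATTRIBUTE_NAMES[code]], pos = _read_string(buf, pos)


if __name__ == "__main__":
    fixed, pairs = parse_attributes(sample_bytes())
    print("attributes:", fixed)
    print("request attributes:", pairs)
```
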





Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-25 Thread David Smith
 some use to you.  We also have
Apache over top of Tomcat in our environment and found it necessary to
configure authentication both in Apache and in Tomcat to get things to
work properly.

Robert Segal
Tools Developer
CryptoLogic Inc.
55 St. Clair Ave W., 3rd Floor
Toronto, Ontario
Canada  M4V 2Y7
tel.  + 1.416.545.1455 x5896
fax. + 1.416.545.1454

This message, including any attachments, is confidential and/or
privileged and contains information intended only for the person(s)
named above. Any other distribution, copying or disclosure is strictly
prohibited. If you are not the intended recipient or have received this
message in error, please notify us immediately by reply email and
permanently delete the original transmission from all of your systems
and hard drives, including any attachments, without making a copy.

-Original Message-
From: Omar Nafees [mailto:[EMAIL PROTECTED]
Sent: Friday, August 24, 2007 2:30 PM
To: Tomcat Users List
Subject: Re: Apache authentication information (remoteuser) not visible
in Tomcat

Thanks for the response Christopher... although I had very early 
on, already tried what is suggested in the link you have referred 
to, i.e., setting tomcatAuthentication="false" in the appropriate 
server.xml line (see the config listing I produced earlier in the 
thread).


Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar









Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-25 Thread Gabriel Wong

-----Original Message-----
From: Omar Nafees [mailto:[EMAIL PROTECTED]
Sent: Friday, August 24, 2007 2:30 PM
To: Tomcat Users List
Subject: Re: Apache authentication information (remoteuser) not visible
in Tomcat

Thanks for the response Christopher... although I had very early 
on, already tried what is suggested in the link you have referred 
to, i.e., setting tomcatAuthentication="false" in the appropriate 
server.xml line (see the config listing I produced earlier in the 
thread).


Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar



Christopher Schultz wrote:
 


Omar,

Omar Nafees wrote:
   

request.getRemoteUser() returns null in my servlet.
request.getAttribute("REMOTE_USER") also returns null. I have even
checked the headers that are being sent to the AJP connector in Tomcat.
 
  

This is a FAQ. The answer is easily findable in the archives:

http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y

- -chris

  



__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
__








--
Regards



Gabriel Wong

Beyond Private JVM JAVA Hosting

http://www.webappcabaret.com





Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-25 Thread Omar Nafees
Thank you for the tips David. The JkEnvVar was just a shot at passing 
the REMOTE_USER explicitly. I read about it in one of the mod_jk 
documents.  I was unable to get this to work without it either.


Oh and my apologies for a cluttered server.xml on the list.

I have restarted tomcat and apache several times. I was actually trying 
to get it to work with tomcat 6.0 and switched to 5.5 to see if that 
would make a difference.


I've also tried to get this to work with apache 1.3 to no avail. I now 
suspect mod_jk itself...


May I ask what versions of each software you are using? What form of 
Apache authentication are you using (some in house authorization 
software)? Did you first test your setup with Apache's Basic authentication?


Sorry for the many questions - but I'd like to know what you've done 
differently as I'd like to be where you are with this right now =)



Thanks,
Omar


David Smith wrote:

Hi.

I'm in the same boat as you in using an apache httpd module to 
authenticate users and have had it working for a few years now.  Your 
configuration looked good as far as I could tell.  Here are a couple 
of suggestions though.


1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your  apache 
config.  I've never used it and have what you are working on working 
flawlessly.


2. Drop all those documenting comments and example configuration from 
your server.xml.  You could make a copy of it named 
server.xml.original if you want.  The commented parts are excellent 
documentation, but hamper readability of the active parts.


3. Restart Tomcat.  I'm not sure if you restarted after you added 
tomcatAuthentication="false" to the connector, but it needs to happen.


--David

Omar Nafees wrote:

Hi Robert,

Thanks for the response.

So I've come to believe that it's possible to avoid using Tomcat 
authentication altogether, i.e., without specifying realms and using 
tomcat user/roles in an application's web.xml. Given my context (a 
University environment with over several hundreds of students hitting 
an apache web server and a small subset needing tomcat), I need to 
completely separate authentication from the Tomcat server. I guess 
this approach of using JNDI or even JAAS is a last resort... but I 
would really like to see what everyone else seems to have already 
accomplished - the REMOTE_USER variable being read from the first AJP 
header that is sent to tomcat.



Thanks,

Omar


Robert Segal wrote:

Omar I actually had this exact same problem early today although I'm
sure my environment is slightly different from yours perhaps I can offer
some help.

In my case I have LDAP authentication configured for my servlet.  I
believe this step should be the same regardless of the authentication
scheme you are using

First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
roles and constraints for what pages can be accessed...


BASIC
  

  
GRP-myGroup 
  

  

  my Authentication
  /*



  GRP-myGroup

  


The other file I change sets up all the LDAP machine details.  I've
placed it in Context.xml because there are several servlets that make
use of this authentication...

$CATALINA_HOME/conf/Context.xml


ldap://ldapMachine:3268";
 connectionName="CRYPTOLOGIC\myUser"
 connectionPassword="myPassword"   
userBase  ="dc=myDomain,dc=com"

 userSearch="(sAMAccountName={0})"
userSubtree   ="true"
 userRoleName  ="memberOf"
  roleBase   ="OU=Groups,DC=myDomain,DC=com"
 roleSubtree="false"
 roleName   ="cn"
 roleSearch ="(member={0})"/>


This has worked for me.  Hope it is of some use to you.  We also have
Apache over top of Tomcat in our environment and found it necessary to
configure authentication both in Apache and in Tomcat to get things to
work properly.

Robert Segal
Tools Developer
CryptoLogic Inc.
55 St. Clair Ave W., 3rd Floor
Toronto, Ontario
Canada  M4V 2Y7
tel.  + 1.416.545.1455 x5896
fax. + 1.416.545.1454


-----Original Message-
From: Omar Nafees [mailto:[EMAIL PROTECTED]
Sent: Friday, August 24, 2007 2:30 PM
To: Tomcat Users List
Subject: Re: Apache authentication information (remoteuser) not visible
in Tomcat

Thank

Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-25 Thread David Smith

Hi.

I'm in the same boat as you in using an apache httpd module to 
authenticate users and have had it working for a few years now.  Your 
configuration looked good as far as I could tell.  Here are a couple of 
suggestions though.


1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your  apache 
config.  I've never used it and have what you are working on working 
flawlessly.


2. Drop all those documenting comments and example configuration from 
your server.xml.  You could make a copy of it named server.xml.original 
if you want.  The commented parts are excellent documentation, but 
hamper readability of the active parts.


3. Restart Tomcat.  I'm not sure if you restarted after you added 
tomcatAuthentication="false" to the connector, but it needs to happen.


--David

Omar Nafees wrote:

Hi Robert,

Thanks for the response.

So I've come to believe that it's possible to avoid using Tomcat 
authentication altogether, i.e., without specifying realms and using 
tomcat user/roles in an application's web.xml. Given my context (a 
University environment with over several hundreds of students hitting 
an apache web server and a small subset needing tomcat), I need to 
completely separate authentication from the Tomcat server. I guess 
this approach of using JNDI or even JAAS is a last resort... but I 
would really like to see what everyone else seems to have already 
accomplished - the REMOTE_USER variable being read from the first AJP 
header that is sent to tomcat.



Thanks,

Omar


Robert Segal wrote:

Omar I actually had this exact same problem early today although I'm
sure my environment is slightly different from yours perhaps I can offer
some help.

In my case I have LDAP authentication configured for my servlet.  I
believe this step should be the same regardless of the authentication
scheme you are using

First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
roles and constraints for what pages can be accessed...


BASIC
  

  
GRP-myGroup 
  

  

  my Authentication
  /*



  GRP-myGroup

  


The other file I change sets up all the LDAP machine details.  I've
placed it in Context.xml because there are several servlets that make
use of this authentication...

$CATALINA_HOME/conf/Context.xml


ldap://ldapMachine:3268";
 connectionName="CRYPTOLOGIC\myUser"
 connectionPassword="myPassword"   
userBase  ="dc=myDomain,dc=com"

 userSearch="(sAMAccountName={0})"
userSubtree   ="true"
 userRoleName  ="memberOf"
  roleBase   ="OU=Groups,DC=myDomain,DC=com"
 roleSubtree="false"
 roleName   ="cn"
 roleSearch ="(member={0})"/>


This has worked for me.  Hope it is of some use to you.  We also have
Apache over top of Tomcat in our environment and found it necessary to
configure authentication both in Apache and in Tomcat to get things to
work properly.

Robert Segal
Tools Developer
CryptoLogic Inc.
55 St. Clair Ave W., 3rd Floor
Toronto, Ontario
Canada  M4V 2Y7
tel.  + 1.416.545.1455 x5896
fax. + 1.416.545.1454


-Original Message-----
From: Omar Nafees [mailto:[EMAIL PROTECTED]
Sent: Friday, August 24, 2007 2:30 PM
To: Tomcat Users List
Subject: Re: Apache authentication information (remoteuser) not visible
in Tomcat

Thanks for the response Christopher... although I had very early on, 
already tried what is suggested in the link you have referred to, 
i.e., setting tomcatAuthentication="false" in the appropriate 
server.xml line (see the config listing I produced earlier in the 
thread).


Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar



Christopher Schultz wrote:
 


Omar,

Omar Nafees wrote:
 

request.getRemoteUser() returns null in my servlet.
request.getAttribute("REMOTE_USER") also returns null. I have even
checked the headers that are being sent to the AJP connector in Tomcat.
 
  

This is a FAQ. The answer is easily findable in the archives:

http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y

- -chris


Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-24 Thread Omar Nafees

Hi Robert,

Thanks for the response.

So I've come to believe that it's possible to avoid using Tomcat 
authentication altogether, i.e., without specifying realms and using 
tomcat user/roles in an application's web.xml. Given my context (a 
University environment with over several hundreds of students hitting an 
apache web server and a small subset needing tomcat), I need to 
completely separate authentication from the Tomcat server. I guess this 
approach of using JNDI or even JAAS is a last resort... but I would 
really like to see what everyone else seems to have already accomplished 
- the REMOTE_USER variable being read from the first AJP header that is 
sent to tomcat.



Thanks,

Omar


Robert Segal wrote:

Omar I actually had this exact same problem early today although I'm
sure my environment is slightly different from yours perhaps I can offer
some help.

In my case I have LDAP authentication configured for my servlet.  I
believe this step should be the same regardless of the authentication
scheme you are using

First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
roles and constraints for what pages can be accessed...


BASIC
  

  
GRP-myGroup 
  

  

  my Authentication
  /*



  GRP-myGroup

  


The other file I change sets up all the LDAP machine details.  I've
placed it in Context.xml because there are several servlets that make
use of this authentication...

$CATALINA_HOME/conf/Context.xml


ldap://ldapMachine:3268";
 connectionName="CRYPTOLOGIC\myUser"
	 connectionPassword="myPassword"		  
	  	

userBase  ="dc=myDomain,dc=com"
 userSearch="(sAMAccountName={0})"
 userSubtree   ="true"
 userRoleName  ="memberOf"
		 
		 roleBase   ="OU=Groups,DC=myDomain,DC=com"

 roleSubtree="false"
 roleName   ="cn"
 roleSearch ="(member={0})"/>


This has worked for me.  Hope it is of some use to you.  We also have
Apache over top of Tomcat in our environment and found it necessary to
configure authentication both in Apache and in Tomcat to get things to
work properly.

Robert Segal
Tools Developer
CryptoLogic Inc.
55 St. Clair Ave W., 3rd Floor
Toronto, Ontario
Canada  M4V 2Y7
tel.  + 1.416.545.1455 x5896
fax. + 1.416.545.1454


-Original Message-----
From: Omar Nafees [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 24, 2007 2:30 PM

To: Tomcat Users List
Subject: Re: Apache authentication information (remoteuser) not visible
in Tomcat

Thanks for the response Christopher... although I had very early on, 
already tried what is suggested in the link you have referred to, i.e., 
setting tomcatAuthentication="false" in the appropriate server.xml line 
(see the config listing I produced earlier in the thread).


Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar



Christopher Schultz wrote:
  


Omar,

Omar Nafees wrote:
  


request.getRemoteUser() returns null in my servlet.
request.getAttribute("REMOTE_USER") also returns null. I have even
checked the headers that are being sent to the AJP connector in Tomcat.
  

  

This is a FAQ. The answer is easily findable in the archives:

http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y

- -chris

  




  




RE: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-24 Thread Robert Segal
Omar I actually had this exact same problem early today although I'm
sure my environment is slightly different from yours perhaps I can offer
some help.  

In my case I have LDAP authentication configured for my servlet.  I
believe this step should be the same regardless of the authentication
scheme you are using
  
First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
roles and constraints for what pages can be accessed...


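<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<security-role>
  <role-name>GRP-myGroup</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>my Authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>GRP-myGroup</role-name>
  </auth-constraint>
</security-constraint>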


The other file I change sets up all the LDAP machine details.  I've
placed it in Context.xml because there are several servlets that make
use of this authentication...

$CATALINA_HOME/conf/Context.xml


ldap://ldapMachine:3268";
 connectionName="CRYPTOLOGIC\myUser"
 connectionPassword="myPassword"  

userBase  ="dc=myDomain,dc=com"
 userSearch="(sAMAccountName={0})"
 userSubtree   ="true"
 userRoleName  ="memberOf"
 
 roleBase   ="OU=Groups,DC=myDomain,DC=com"
 roleSubtree="false"
 roleName   ="cn"
 roleSearch ="(member={0})"/>


This has worked for me.  Hope it is of some use to you.  We also have
Apache over top of Tomcat in our environment and found it necessary to
configure authentication both in Apache and in Tomcat to get things to
work properly.

Robert Segal
Tools Developer
CryptoLogic Inc.
55 St. Clair Ave W., 3rd Floor
Toronto, Ontario
Canada  M4V 2Y7
tel.  + 1.416.545.1455 x5896
fax. + 1.416.545.1454


-Original Message-
From: Omar Nafees [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 24, 2007 2:30 PM
To: Tomcat Users List
Subject: Re: Apache authentication information (remoteuser) not visible
in Tomcat

Thanks for the response Christopher... although I had very early on, 
already tried what is suggested in the link you have referred to, i.e., 
setting tomcatAuthentication="false" in the appropriate server.xml line 
(see the config listing I produced earlier in the thread).

Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar



Christopher Schultz wrote:
> Omar,
>
> Omar Nafees wrote:
>   
>> request.getRemoteUser() returns null in my servlet.
>> request.getAttribute("REMOTE_USER") also returns null. I have even
>> checked the headers that are being sent to the AJP connector in Tomcat.
>> 
>
> This is a FAQ. The answer is easily findable in the archives:
>
> http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y
>
> - -chris
>





Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-24 Thread Omar Nafees
Thanks for the response Christopher... although I had very early on, 
already tried what is suggested in the link you have referred to, i.e., 
setting tomcatAuthentication="false" in the appropriate server.xml line 
(see the config listing I produced earlier in the thread).


Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar



Christopher Schultz wrote:


Omar,

Omar Nafees wrote:
  

request.getRemoteUser() returns null in my servlet.
request.getAttribute("REMOTE_USER") also returns null. I have even
checked the headers that are being sent to the AJP connector in Tomcat.



This is a FAQ. The answer is easily findable in the archives:

http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y

-chris

  


Re: Apache authentication information (remoteuser) not visible in Tomcat

2007-08-24 Thread Christopher Schultz

Omar,

Omar Nafees wrote:
> request.getRemoteUser() returns null in my servlet.
> request.getAttribute("REMOTE_USER") also returns null. I have even
> checked the headers that are being sent to the AJP connector in Tomcat.

This is a FAQ. The answer is easily findable in the archives:

http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y

-chris




Apache authentication information (remoteuser) not visible in Tomcat

2007-08-24 Thread Omar Nafees

Hello,


request.getRemoteUser() returns null in my servlet. 
request.getAttribute("REMOTE_USER") also returns null. I have even 
checked the headers that are being sent to the AJP connector in Tomcat.




Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via 
mod_jk-ap2-1.2.23 on FreeBSD 6.2



Snippet of AJP13 header:

0180  6c 61 74 65 00 a0 02 00  07 55 54 46 2d 38 2c 2a   late.... .UTF-8,*
0190  00 00 0a 4b 65 65 70 2d  41 6c 69 76 65 00 00 03   ...Keep- Alive...
01a0  33 30 30 00 a0 06 00 0a  6b 65 65 70 2d 61 6c 69   300..... keep-ali
01b0  76 65 00 a0 05 00 22 42  61 73 69 63 20 62 32 31   ve...."B asic b21
01c0  75 59 57 5a 6c 5a 58 4d  36 5a 6d 46 79 61 54 67   uYWZlZXM 6ZmFyaTg
01d0  35 4f 44 41 32 4e 7a 67  3d 00 a0 08 00 01 30 00   5ODA2Nzg =.....0.
01e0  03 00 08 6f 6d 6e 61 66  65 65 73 00 04 00 05 42   ...omnaf ees....B
01f0  61 73 69 63 00 0a 00 0b  52 45 4d 4f 54 45 5f 55   asic.... REMOTE_U
0200  53 45 52 00 00 08 6f 6d  6e 61 66 65 65 73 00 ff   SER...om nafees..


How do I get Tomcat servlet to read remote user as sent above??



Below I reproduce three relevant configuration files:


*
The mod_jk.conf that is included in apache 2's httpd.conf:


   ServerName localhost

   JkMount /webdav ajp13
   JkMount /webdav/* ajp13

   JkMount /servlets-examples ajp13
   JkMount /servlets-examples/* ajp13

   JkMount /jsp-examples ajp13
   JkMount /jsp-examples/* ajp13

   JkMount /balancer ajp13
   JkMount /balancer/* ajp13

   JkMount /~omnafees ajp13
   JkMount /~omnafees/* ajp13

   JkMount /tomcat-docs ajp13
   JkMount /tomcat-docs/* ajp13

   JkMount /submitServer ajp13
   JkMount /submitServer/* ajp13



### Customizations
# Where to put jk logs
JkLogFile /var/log/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel error
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
#JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%b %w %V %T %r"
# environment variable?
JkEnvVar REMOTE_USER

### Omar's authentication testing

AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/etc/apache/passwd/passwords
Require valid-user

***

***
The worker.properties file:

worker.list=ajp13

worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
***

***
Tomcat's server.xml:

 className="org.apache.catalina.mbeans.ServerLifecycleListener" />
 className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
 className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

keystoreFile="/usr/local/apache-tomcat6.0/conf/ssl/marmosetKeystore"
  clientAuth="false" sslProtocol="TLS" />

 enableLookups="false" redirectPort="8443" 
protocol="AJP/1.3" tomcatAuthentication="false" />

   modJk="/usr/local/libexec/apache2/mod_jk.so"
workersConfig="/usr/local/tomcat5.5/conf/jk/workers.properties"
   jkLog="/var/log/mod_jk.log"
   jKDebug="error"
   jkWorker="ajp13" />

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]