Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

2009-06-29 Thread André Warnier

Maciej Matecki wrote:

On Mon, Jun 29, 2009 at 1:28 AM, André Warnier <a...@ice-sa.com> wrote:

Maciej Matecki wrote:

Actually I've got a much bigger problem: I can't get a compiled module
for Kerberos with Apache on Windows :(


Can I ask again : why do you need to authenticate /under Apache/ with
Kerberos ?  Is it just to pass the user-id to Tomcat ? Or do you also need
it at the Apache level for something ?



I just need to pass the user-id to Tomcat.


Then why don't you do the Kerberos authentication directly in Tomcat, 
instead of trying to do it under Apache ?
I googled a bit last night for tomcat +auth +kerberos, and although I 
personally don't understand most of it, it seems that there are already 
ready-made ways of doing this, around the JAAS realm concept.


Once your app is authenticated under Tomcat, if you need to pick up the 
user-id from Tomcat to pass it in another way to other webapps/filters, 
you can just pick it up as request.getRemoteUser().


Also, once you have done the Kerberos authentication in Tomcat, and if 
you ever need, later, to bring this back to the Apache level, then the 
method I previously indicated would apply.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

2009-06-28 Thread André Warnier

Christopher Schultz wrote:

Maciej

On 6/24/2009 10:15 AM, Maciej Matecki wrote:

I've got a big problem with forwarding REMOTE_HOST from Apache to
Tomcat. On the Apache side everything works OK. I've tested it with
a PHP script and it simply works. But on the Tomcat side the REMOTE_USER
header value is not available.



Apart from what Chris wrote :
do not confuse cgi-bin environment variables, with HTTP Request headers.
As far as I know, all Apache-Tomcat connectors will forward to Tomcat, 
all the HTTP headers which they received in the request (which comes 
from the browser).
But REMOTE_HOST is /not/ a HTTP Request header received from the 
browser.  The browser never sends that.
Apache itself detects where the request comes from, and then /creates/ 
this environment value REMOTE_HOST (and others), in the environment of 
the process in which it runs the cgi-bin script.

That is why you see it in a PHP script running under Apache.

Apache, or the Apache-Tomcat connector, is under no obligation to do the 
same when it passes a request to Tomcat (for one, it would be difficult 
to do, because Tomcat is another independent process, whose environment 
Apache does not control).


So, what you really want to do here, is
- get some internal value which Apache knows (the IP address from which
  the request is coming),
- translate this into a /new/ HTTP header REMOTE_HOST,
- and /add/ this HTTP header to the request, before you forward the
  request to Tomcat.


Alternatively, you can try to set this IP address into an Apache 
environment variable, using for instance SetEnvIf :

    SetEnvIf Remote_Addr ^(.*)$ remote_addr=$1

mod_jk would then normally forward it to Tomcat as a request attribute 
(I think there is still something to do for that to happen).
Then at the Tomcat level, you use a servlet filter to pick up this 
request attribute, and add it as a request header (which would force you 
to create a RequestWrapper, because the original Request itself is 
immutable).


Now once you are that far anyway, the question would be : why not do 
this directly in a Tomcat servlet filter anyway ?
It should also be able to find out the address of the client, and could 
create this additional HTTP header.


P.S.  I have just checked my favorite tool at 
http://www.tuckey.org/urlrewrite,
but unfortunately, adding a HTTP header to the request is not something 
it seems able to do.






Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

2009-06-28 Thread Maciej Matecki
On Sun, Jun 28, 2009 at 5:31 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

 Maciej

 On 6/24/2009 10:15 AM, Maciej Matecki wrote:
 I've got a big problem with forwarding REMOTE_HOST from Apache to
 Tomcat. On the Apache side everything works OK. I've tested it with
 a PHP script and it simply works. But on the Tomcat side the REMOTE_USER
 header value is not available.

 [snip]

 What I've already done is to test many different ways:
 1) rewriting: 
 http://osdir.com/ml/apache.mod-auth-kerb.general/2005-10/msg9.html
 2) tomcatAuthentication set to false

 Which connector are you using? AJP or HTTP? If AJP, are you using
 mod_proxy_ajp or mod_jk?
 [cut]

I use mod_jk. Thank you for your suggestions. Finally I set in Apache:

    JkEnvVar REMOTE_USER

and in my preauth filter I can get the user by:

    httpServletRequest.getAttribute("REMOTE_USER");

Actually I've got a much bigger problem: I can't get a compiled module
for Kerberos with Apache on Windows :(

Regards,
--
Maciej Matecki
skype: m.matecki || www: http://matecki.info/




RE: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

2009-06-28 Thread Martin Gainty

http://modauthkerb.sourceforge.net

Martin 

Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

2009-06-28 Thread André Warnier

Maciej Matecki wrote:


Actually I've got a much bigger problem: I can't get a compiled module
for Kerberos with Apache on Windows :(

Can I ask again : why do you need to authenticate /under Apache/ with 
Kerberos ?  Is it just to pass the user-id to Tomcat ? Or do you also 
need it at the Apache level for something ?





Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

2009-06-28 Thread Maciej Matecki
On Mon, Jun 29, 2009 at 1:28 AM, André Warnier <a...@ice-sa.com> wrote:
 Maciej Matecki wrote:

 Actually I've got a much bigger problem: I can't get a compiled module
 for Kerberos with Apache on Windows :(

 Can I ask again : why do you need to authenticate /under Apache/ with
 Kerberos ?  Is it just to pass the user-id to Tomcat ? Or do you also need
 it at the Apache level for something ?


I just need to pass the user-id to Tomcat.
Regards,

--
Maciej Matecki
skype: m.matecki || www: http://matecki.info/




Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

2009-06-27 Thread Christopher Schultz

Maciej

On 6/24/2009 10:15 AM, Maciej Matecki wrote:
 I've got a big problem with forwarding REMOTE_HOST from Apache to
 Tomcat. On the Apache side everything works OK. I've tested it with
 a PHP script and it simply works. But on the Tomcat side the REMOTE_USER
 header value is not available.

[snip]

 What I've already done is to test many different ways:
 1) rewriting: 
 http://osdir.com/ml/apache.mod-auth-kerb.general/2005-10/msg9.html
 2) tomcatAuthentication set to false

Which connector are you using? AJP or HTTP? If AJP, are you using
mod_proxy_ajp or mod_jk?

 If I use JkEnvVar REMOTE_HOST I've got the attribute available on the
 Tomcat side, but I need that value in a header (I want to use
 RequestHeaderPreAuthenticatedProcessingFilter from Spring Security).

You're going to have to do some kind of re-writing to get this in an
HTTP header instead of a request attribute.

Only mod_jk supports JkEnvVar, but the documentation states:


If the default value is not given explicitly, the variable will only be
send, if it is set during runtime.


It's unclear if "during runtime" means that the value must be calculated
somehow from within httpd, or if the value must be specified in the
original request.

In either case, the JkEnvVar option will only provide these values to
the request attributes. If you want them to act like headers, you're
going to need to do something else.

mod_headers is a good bet, but then you need to use mod_proxy_http
instead of mod_jk or mod_proxy_ajp because I don't think mod_jk will
forward automagically-generated HTTP headers over the AJP connection.
You could always try to set something simple (like setting FOO=BAR) and
seeing if Tomcat receives it properly.

-chris