Re: tomcat, apache with mod_jk and mod_auth_kerb
On Wed, Jul 16, 2008 at 8:06 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: > Thanks Rainer. If I want to explicitly pass an environment variable from >> the httpd to the tomcat, I am using the RequestHeader, JkEnvVar, Setenv >> but >> unable to have them as it is passed in the tomcat... how do I go about >> that? >> While I am completely convinced to use getRemoteUser() method only for >> getting the authenticated principal... >> > > If you've already set a value in some variable "xxx", then you configure > > JkEnvVar xxx > > On the Tomcat side, you retrieve the value by request.getAttribute("xxx"); > > > Regards, > > Rainer > Thanks Rainer. SetHandler jakarta-servlet SetEnv JK_WORKER_NAME my-tomcat JkEnvVar REMOTE_USER This is working now... I am able to read the REMOTE_USER variable via getAttribute method. I was blindly using two arguments to JkEnvVar earlier. Thanks a lot for all the patience and help!. :-) Regards, Nikhil
Re: tomcat, apache with mod_jk and mod_auth_kerb
Thanks Rainer. If I want to explicitly pass an environment variable from the httpd to the tomcat, I am using the RequestHeader, JkEnvVar, Setenv but unable to have them as it is passed in the tomcat... how do I go about that? While I am completely convinced to use getRemoteUser() method only for getting the authenticated principal... If you've already set a value in some variable "xxx", then you configure JkEnvVar xxx On the Tomcat side, you retrieve the value by request.getAttribute("xxx"); Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
On Wed, Jul 16, 2008 at 3:22 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: > Nikhil schrieb: > > On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung <[EMAIL PROTECTED]> >> wrote: >> >> To repeat two of my questions: >>> >>> What do you expect to be the value of the 'REMOTE_USER' variable? >>> >>> Do you expect something else, than what you get from >>> request.getRemoteUser()? >>> >>> After I understand that, we can find an appropriate solution. >>> >>> >>> Regards, >>> >>> Rainer >>> >>> >> Hi Rainer, >> >> REMOTE_USER variable value is always expected to be as set by the httpd >> process and passed onto the tomcat. >> >>> Do you expect something else, than what you get from >>> request.getRemoteUser()? >> No, but I would not want to have this method invoked everytime I want to >> know a logged in account instead an already set (global) variable value >> (preferrably by httpd and passed onto the tomcat) would do. >> > > OK. REMOTE_USER goes back to the times oF CGI. At that time the web server > could only pass along information to the CGI process via environmnt > variables, because it had to start an external process for doing CGI. > > The servlet spec tries to make the same information available in the > context of a java web container. The correct way of retrieving the name of > the authenticated user from the container *is* request.getRemoteUser(). In > java you would nearly always implement a "global variable" as a member of > some object, which you retrieve via a getter function. > request.getRemoteUser() is the right and standards conforming way to do it. > > When the web container has a web server in front, e.g. Apache httpd and a > connection component like mod_jk, usually the combination tries to hide the > information, that the architecture is more complex, from the webapp > developer. So Apache/mod_jk/Tomcat correctly configured provide the user > name authenticated by httpd to the webapp in exactly the same way, as it > would be seen without Apache and mod_jk. That way the developer doesn't have > to know the details. So using request.gerRemoteUser() still is the correct > way. > > The only thing to configure is tomcatAuthentiction="false" in order to tell > Tomcat to trust the authentication done by Apache and not try to do > authentication itself. > > > Regards, > > Rainer > Thanks Rainer. If I want to explicitly pass an environment variable from the httpd to the tomcat, I am using the RequestHeader, JkEnvVar, Setenv but unable to have them as it is passed in the tomcat... how do I go about that? While I am completely convinced to use getRemoteUser() method only for getting the authenticated principal...
Re: tomcat, apache with mod_jk and mod_auth_kerb
Thanks for the explanation, Rainer. Fine, I am going with using the method only then... Regards, Nikhil On Wed, Jul 16, 2008 at 3:22 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: > Nikhil schrieb: > > On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung <[EMAIL PROTECTED]> >> wrote: >> >> To repeat two of my questions: >>> >>> What do you expect to be the value of the 'REMOTE_USER' variable? >>> >>> Do you expect something else, than what you get from >>> request.getRemoteUser()? >>> >>> After I understand that, we can find an appropriate solution. >>> >>> >>> Regards, >>> >>> Rainer >>> >>> >> Hi Rainer, >> >> REMOTE_USER variable value is always expected to be as set by the httpd >> process and passed onto the tomcat. >> >>> Do you expect something else, than what you get from >>> request.getRemoteUser()? >> No, but I would not want to have this method invoked everytime I want to >> know a logged in account instead an already set (global) variable value >> (preferrably by httpd and passed onto the tomcat) would do. >> > > OK. REMOTE_USER goes back to the times oF CGI. At that time the web server > could only pass along information to the CGI process via environmnt > variables, because it had to start an external process for doing CGI. > > The servlet spec tries to make the same information available in the > context of a java web container. The correct way of retrieving the name of > the authenticated user from the container *is* request.getRemoteUser(). In > java you would nearly always implement a "global variable" as a member of > some object, which you retrieve via a getter function. > request.getRemoteUser() is the right and standards conforming way to do it. > > When the web container has a web server in front, e.g. Apache httpd and a > connection component like mod_jk, usually the combination tries to hide the > information, that the architecture is more complex, from the webapp > developer. So Apache/mod_jk/Tomcat correctly configured provide the user > name authenticated by httpd to the webapp in exactly the same way, as it > would be seen without Apache and mod_jk. That way the developer doesn't have > to know the details. So using request.gerRemoteUser() still is the correct > way. > > The only thing to configure is tomcatAuthentiction="false" in order to tell > Tomcat to trust the authentication done by Apache and not try to do > authentication itself. > > > Regards, > > Rainer > > - > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- Nikhil Google is Great !
Re: tomcat, apache with mod_jk and mod_auth_kerb
Nikhil schrieb: On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: To repeat two of my questions: What do you expect to be the value of the 'REMOTE_USER' variable? Do you expect something else, than what you get from request.getRemoteUser()? After I understand that, we can find an appropriate solution. Regards, Rainer Hi Rainer, REMOTE_USER variable value is always expected to be as set by the httpd process and passed onto the tomcat. Do you expect something else, than what you get from request.getRemoteUser()? No, but I would not want to have this method invoked everytime I want to know a logged in account instead an already set (global) variable value (preferrably by httpd and passed onto the tomcat) would do. OK. REMOTE_USER goes back to the times oF CGI. At that time the web server could only pass along information to the CGI process via environmnt variables, because it had to start an external process for doing CGI. The servlet spec tries to make the same information available in the context of a java web container. The correct way of retrieving the name of the authenticated user from the container *is* request.getRemoteUser(). In java you would nearly always implement a "global variable" as a member of some object, which you retrieve via a getter function. request.getRemoteUser() is the right and standards conforming way to do it. When the web container has a web server in front, e.g. Apache httpd and a connection component like mod_jk, usually the combination tries to hide the information, that the architecture is more complex, from the webapp developer. So Apache/mod_jk/Tomcat correctly configured provide the user name authenticated by httpd to the webapp in exactly the same way, as it would be seen without Apache and mod_jk. That way the developer doesn't have to know the details. So using request.gerRemoteUser() still is the correct way. The only thing to configure is tomcatAuthentiction="false" in order to tell Tomcat to trust the authentication done by Apache and not try to do authentication itself. Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
I tried using both getAttribute methods and getHeaderNames/getHeaders methods but unfortunately the variables are set to null On Wed, Jul 16, 2008 at 2:01 PM, André Warnier <[EMAIL PROTECTED]> wrote: > Nikhil wrote: > >> On Tue, Jul 15, 2008 at 6:35 PM, Rainer Jung <[EMAIL PROTECTED]> >> wrote: >> >> What do you expect to be the value of the 'REMOTE_USER' variable? Do you >> >>> expoect something else, than what you get from request.getRemoteUser()? >>> What >>> do you mean by variable? Maybe an httpd environment Variable? >>> >>> >>> Precisely. I also need the httpd environment variable REMOTE_USER also >> passed to the tomcat I have this in my httpd.conf ... and I am >> reading >> all the environment variables(apart from the headers) in the jsp but have >> these values set to null... am I missing anything specific with these >> directives? >> >> >> SetHandler jakarta-servlet >> RequestHeader set X_REMOTE_USER %{RU}e >> SetEnv SET_REMOTE_USER %{REMOTE_USER}e >> JkEnvVar JK_REMOTE_USER %{remoteUser}e >> >> As far as I know, REMOTE_USER is a *http header* of the request, added > automatically by the browser if the user is authenticated. And as all http > request headers, it is always passed on to Tomcat. > At the Tomcat level, you can retrieve it like any other http header (I > don't remember the precise way). > But this has nothing to do with "environment values". > In other words, you do not really need to mess around with environment > values in Apache/Tomcat (like above), just retrieve the corresponding http > header, it should already be there. > No ? > > André > > > > - > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- Nikhil Google is Great !
Re: tomcat, apache with mod_jk and mod_auth_kerb
On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: > > To repeat two of my questions: > > What do you expect to be the value of the 'REMOTE_USER' variable? > > Do you expect something else, than what you get from > request.getRemoteUser()? > > After I understand that, we can find an appropriate solution. > > > Regards, > > Rainer > Hi Rainer, REMOTE_USER variable value is always expected to be as set by the httpd process and passed onto the tomcat. >>Do you expect something else, than what you get from request.getRemoteUser()? No, but I would not want to have this method invoked everytime I want to know a logged in account instead an already set (global) variable value (preferrably by httpd and passed onto the tomcat) would do. Regards, Nikhil
Re: tomcat, apache with mod_jk and mod_auth_kerb
Nikhil schrieb: On Tue, Jul 15, 2008 at 6:35 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: What do you expect to be the value of the 'REMOTE_USER' variable? Do you expoect something else, than what you get from request.getRemoteUser()? What do you mean by variable? Maybe an httpd environment Variable? Precisely. I also need the httpd environment variable REMOTE_USER also passed to the tomcat I have this in my httpd.conf ... and I am reading all the environment variables(apart from the headers) in the jsp but have these values set to null... am I missing anything specific with these directives? SetHandler jakarta-servlet RequestHeader set X_REMOTE_USER %{RU}e SetEnv SET_REMOTE_USER %{REMOTE_USER}e JkEnvVar JK_REMOTE_USER %{remoteUser}e To repeat two of my questions: What do you expect to be the value of the 'REMOTE_USER' variable? Do you expect something else, than what you get from request.getRemoteUser()? After I understand that, we can find an appropriate solution. Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
Nikhil wrote: On Tue, Jul 15, 2008 at 6:35 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: What do you expect to be the value of the 'REMOTE_USER' variable? Do you expoect something else, than what you get from request.getRemoteUser()? What do you mean by variable? Maybe an httpd environment Variable? Precisely. I also need the httpd environment variable REMOTE_USER also passed to the tomcat I have this in my httpd.conf ... and I am reading all the environment variables(apart from the headers) in the jsp but have these values set to null... am I missing anything specific with these directives? SetHandler jakarta-servlet RequestHeader set X_REMOTE_USER %{RU}e SetEnv SET_REMOTE_USER %{REMOTE_USER}e JkEnvVar JK_REMOTE_USER %{remoteUser}e As far as I know, REMOTE_USER is a *http header* of the request, added automatically by the browser if the user is authenticated. And as all http request headers, it is always passed on to Tomcat. At the Tomcat level, you can retrieve it like any other http header (I don't remember the precise way). But this has nothing to do with "environment values". In other words, you do not really need to mess around with environment values in Apache/Tomcat (like above), just retrieve the corresponding http header, it should already be there. No ? André - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
On Tue, Jul 15, 2008 at 6:35 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: What do you expect to be the value of the 'REMOTE_USER' variable? Do you > expoect something else, than what you get from request.getRemoteUser()? What > do you mean by variable? Maybe an httpd environment Variable? > > Precisely. I also need the httpd environment variable REMOTE_USER also passed to the tomcat I have this in my httpd.conf ... and I am reading all the environment variables(apart from the headers) in the jsp but have these values set to null... am I missing anything specific with these directives? SetHandler jakarta-servlet RequestHeader set X_REMOTE_USER %{RU}e SetEnv SET_REMOTE_USER %{REMOTE_USER}e JkEnvVar JK_REMOTE_USER %{remoteUser}e
Re: tomcat, apache with mod_jk and mod_auth_kerb
Thats right and clueful. Yes, I modifued my httpd.conf to include the webapp location that I was going through and it updated the remote user, I was able to use have the result now properly set from the request.getRemoteUser call. Fine. BUT, again, I was not able to pass the 'REMOTE_USER' variable. How can I do that in my httpd.conf.. any ideas what else do I need to add more in my httpd.conf ? I don't understand, what you mean by "pass the 'REMOTE_USER' variable". If you want to pass the name of the authenticated user, that's request.getRemoteUser(), which now works. What do you expect to be the value of the 'REMOTE_USER' variable? Do you expoect something else, than what you get from request.getRemoteUser()? What do you mean by variable? Maybe an httpd environment Variable? Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
On Tue, Jul 15, 2008 at 2:23 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: > Nikhil schrieb: > >> [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (607): Service >> protocol=HTTP/1.1 method=GET host=(null) addr=149.77.175.155 name= >> is3.hyd.deshaw.com port=8080 auth=(null) user=(null) >> laddr=149.77.160.20raddr= >> 149.77.175.155 >> >> -- >> >> If noticed, auth=(null) and user=(null) are being set ... but I wonder >> why? >> Do I have to look somewhere else to make any changes too ? >> > > That means, Apache httpd did not provide any authentication information. > Looks like your authentication setup doesn't even work inside httpd. > > If it does work, the user name should get logged in your access log. > Usually the default log format for the access log of httpd is "common", > which contains the authenticated user name in the third column ("%u"). > > If it isn't shown in the httpd access log, then you need to fix your > authentication setup in httpd first. > > Regards, > > > Rainer > Thats right and clueful. Yes, I modifued my httpd.conf to include the webapp location that I was going through and it updated the remote user, I was able to use have the result now properly set from the request.getRemoteUser call. BUT, again, I was not able to pass the 'REMOTE_USER' variable. How can I do that in my httpd.conf.. any ideas what else do I need to add more in my httpd.conf ? Thanks again, Rainer.
Re: tomcat, apache with mod_jk and mod_auth_kerb
Nikhil schrieb: [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (607): Service protocol=HTTP/1.1 method=GET host=(null) addr=149.77.175.155 name= is3.hyd.deshaw.com port=8080 auth=(null) user=(null) laddr=149.77.160.20raddr= 149.77.175.155 -- If noticed, auth=(null) and user=(null) are being set ... but I wonder why? Do I have to look somewhere else to make any changes too ? That means, Apache httpd did not provide any authentication information. Looks like your authentication setup doesn't even work inside httpd. If it does work, the user name should get logged in your access log. Usually the default log format for the access log of httpd is "common", which contains the authenticated user name in the third column ("%u"). If it isn't shown in the httpd access log, then you need to fix your authentication setup in httpd first. Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
While I am at it, I found this interesting information from the jk_logs: [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_uri_worker_map.c (589): Attempting to map URI '/examples/jsp/rheaders.jsp' from 0 maps [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_uri_worker_map.c (589): Attempting to map URI '/examples/jsp/rheaders.jsp' from 0 maps [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (2092): Single worker (default) configuration for /examples/jsp/rheaders.jsp [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (2111): Into handler jakarta-servlet worker=default r->proxyreq=0 [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_worker.c (114): found a worker default [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_worker.c (321): Maintaining worker default [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_worker.c (290): Found worker type 'ajp13' [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (607): Service protocol=HTTP/1.1 method=GET host=(null) addr=149.77.175.155 name= is3.hyd.deshaw.com port=8080 auth=(null) user=(null) laddr=149.77.160.20raddr= 149.77.175.155 -- If noticed, auth=(null) and user=(null) are being set ... but I wonder why? Do I have to look somewhere else to make any changes too ? On Tue, Jul 15, 2008 at 12:39 PM, Nikhil <[EMAIL PROTECTED]> wrote: > I am still not able to get this straight. Looking at the server.xml tells > me there is a userDatabase resource that is looked which I may need to > comment? Could you please confirm? > I am posting my server.xml (tomcat-6.0.16) for thoroughness so I do not > miss any points here : Please let me know if I need to make any changes to > configuration file. > > Thanks, Nikhil > > - > > > > > > >SSLEngine="on" /> > > > >/> >className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> > > > > >type="org.apache.catalina.UserDatabase" > description="User database that can be updated and saved" > factory="org.apache.catalina.users.MemoryUserDatabaseFactory" > pathname="conf/tomcat-users.xml" /> > > > > > > > > > > > connectionTimeout="2" >redirectPort="8443" /> > > > > > > > tomcatAuthentication="false" redirectPort="8443" /> > > > > > > > > > > > > > > > resourceName="UserDatabase"/> > > >unpackWARs="true" autoDeploy="true" > xmlValidation="false" xmlNamespaceAware="false"> > > > > > > > > > > > > = > > > > -- Nikhil Google is Great !
Re: tomcat, apache with mod_jk and mod_auth_kerb
I am still not able to get this straight. Looking at the server.xml tells me there is a userDatabase resource that is looked which I may need to comment? Could you please confirm? I am posting my server.xml (tomcat-6.0.16) for thoroughness so I do not miss any points here : Please let me know if I need to make any changes to configuration file. Thanks, Nikhil - =
Re: tomcat, apache with mod_jk and mod_auth_kerb
On Mon, Jul 14, 2008 at 7:46 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: > Use request.getRemoteUser() > > HTH > > > Rainer > Thanks Rainer. I am now using Tomcat6(latest stable release) and configured the server.xml with ajp connector to use tomcatAuthentication=false and I am still getting the 'null' value :-( . Any other suggestions that I need to edit anywhere else like web.xml / security constraints. with the following sample jsp : - <%@ page language="java" %> <%@ page import="java.util.Enumeration" %> HTTP Request Headers Name Value <% // Get all HTTP request headers names/values Enumeration e1 = request.getHeaderNames(); String valueuser = request.getRemoteUser(); while (e1.hasMoreElements()) { boolean doLoop = true; String name = ((String)e1.nextElement()).toUpperCase(); Enumeration e2 = request.getHeaders(name); while (e2.hasMoreElements()){ String value = (String)e2.nextElement(); %> <%= name %> <%= value %> <%= valueuser %> <% } } %>
Re: tomcat, apache with mod_jk and mod_auth_kerb
I tried out Tomcat6 too and added 'tomcatAuthentication="false"' to the ajp connector but that still not work. :-( On Mon, Jul 14, 2008 at 7:15 PM, Nikhil <[EMAIL PROTECTED]> wrote: > Rainer, > I seem to have found a related link on this but this is really old > pertaining to the older versions of Tomcat.. any suggestions please. > http://marc.info/?t=10431829842&r=1&w=2 > -- Nikhil Google is Great !
Re: tomcat, apache with mod_jk and mod_auth_kerb
Nikhil wrote: OK After editing the change in the ajp connector, and restarting the tomcat, I still am not able to get the remote_user variable passed. Any suggestions? (Although I am still to try out the Tomcat6, but would prefer for fixing the existing installation unless there are any real problems in the tomcat version that I am using. Use request.getRemoteUser() HTH Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
Rainer, I seem to have found a related link on this but this is really old pertaining to the older versions of Tomcat.. any suggestions please. http://marc.info/?t=10431829842&r=1&w=2
Re: tomcat, apache with mod_jk and mod_auth_kerb
On Mon, Jul 14, 2008 at 5:00 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: > > Again, the http connector is *not* what you need to edit, if you want to > combine Tomcat with mod_jk or mod_proxy_ajp. It is the AJP connector. See my > previous mail. > > You need to add tomcatAuthentication="false" to that connector. > > > Regards, > > Rainer > I seem to get it, Rainer. But the thing is that with my installed tomcat-5.5.12 version and I do not have any already tomcatAuthentication directive (if I call it that way). Okay I get you want me to "add", so this is what I edited the server.xml now After editing the change in the ajp connector, and restarting the tomcat, I still am not able to get the remote_user variable passed. I am using the following jsp installed under webapps/jsp-examples/readheaders.jsp to have the environment variables listed but with out any success.. <%@ page language="java" %> <%@ page import="java.util.Enumeration" %> HTTP Request Headers Name Value <% // Get all HTTP request headers names/values Enumeration e1 = request.getHeaderNames(); while (e1.hasMoreElements()) { boolean doLoop = true; String name = ((String)e1.nextElement()).toUpperCase(); Enumeration e2 = request.getHeaders(name); while (e2.hasMoreElements()){ String value = (String)e2.nextElement(); %> <%= name %> <%= value %> <% } } %> -- Any suggestions? (Although I am still to try out the Tomcat6, but would prefer for fixing the existing installation unless there are any real problems in the tomcat version that I am using. Thanks, Nikhil
Re: tomcat, apache with mod_jk and mod_auth_kerb
Nikhil wrote: On Mon, Jul 14, 2008 at 4:22 PM, Nikhil <[EMAIL PROTECTED]> wrote: On Mon, Jul 14, 2008 at 2:39 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: First of all 5.5.12 is very outdated and also very early in the 5.5 release cycle. You need to add 'tomcatAuthentication="false"' in the Connector element for your AJP connector. The connector you showed us above is - an https connector - a comment and not active At least two good reasons, why this is not the right one. The AJP Connector is the one, which uses port 8009 in the default configuration and which you can identify by 'protocol="AJP/1.3"'. Regards, Rainer Oops.. here is the http connector line in my configuration: Thanks Rainer. I will try out the later releases.. may be tomcat6 itself. Nikhil but still.. I do not get what is wrong with 5.5.12 and what could I do atleast in the httpd configuration that would get the kerberized apache authentication working in the tomcat apps. Again, the http connector is *not* what you need to edit, if you want to combine Tomcat with mod_jk or mod_proxy_ajp. It is the AJP connector. See my previous mail. You need to add tomcatAuthentication="false" to that connector. Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
On Mon, Jul 14, 2008 at 4:22 PM, Nikhil <[EMAIL PROTECTED]> wrote: > > > On Mon, Jul 14, 2008 at 2:39 PM, Rainer Jung <[EMAIL PROTECTED]> > wrote: > >> >>> First of all 5.5.12 is very outdated and also very early in the 5.5 >> release cycle. >> >> You need to add 'tomcatAuthentication="false"' in the Connector element >> for your AJP connector. The connector you showed us above is >> >> - an https connector >> - a comment and not active >> >> At least two good reasons, why this is not the right one. The AJP >> Connector is the one, which uses port 8009 in the default configuration and >> which you can identify by 'protocol="AJP/1.3"'. >> >> >> Regards, >> >> Rainer >> > > Oops.. here is the http connector line in my configuration: > > > maxThreads="150" minSpareThreads="25" maxSpareThreads="75" >enableLookups="false" redirectPort="8443" acceptCount="100" >connectionTimeout="2" disableUploadTimeout="true" /> > > > Thanks Rainer. I will try out the later releases.. may be tomcat6 itself. > > Nikhil > > > > but still.. I do not get what is wrong with 5.5.12 and what could I do atleast in the httpd configuration that would get the kerberized apache authentication working in the tomcat apps. -- Nikhil Google is Great !
Re: tomcat, apache with mod_jk and mod_auth_kerb
On Mon, Jul 14, 2008 at 2:39 PM, Rainer Jung <[EMAIL PROTECTED]> wrote: > >> First of all 5.5.12 is very outdated and also very early in the 5.5 > release cycle. > > You need to add 'tomcatAuthentication="false"' in the Connector element for > your AJP connector. The connector you showed us above is > > - an https connector > - a comment and not active > > At least two good reasons, why this is not the right one. The AJP Connector > is the one, which uses port 8009 in the default configuration and which you > can identify by 'protocol="AJP/1.3"'. > > > Regards, > > Rainer > Oops.. here is the http connector line in my configuration: Thanks Rainer. I will try out the later releases.. may be tomcat6 itself. Nikhil
Re: tomcat, apache with mod_jk and mod_auth_kerb
Nikhil wrote: The remote user gets forwarded automatically, but in order to make Tomcat accept that info and not try to authenticate itself, you need to set tomcatAuthentication="false" in the ajp connector element in server.xml. See also http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html If you want to forward additional info, you could use httpd env vars and JkEnvVars. On the Tomcat side, retrieve those via request.getAttribute("MyEnvVar"). I am using Tomcat -5.5.12 and this is what I have in my server.xml configuration for http: I could not lookup for the attribute tomcatAuthentication in the configuration however. First of all 5.5.12 is very outdated and also very early in the 5.5 release cycle. You need to add 'tomcatAuthentication="false"' in the Connector element for your AJP connector. The connector you showed us above is - an https connector - a comment and not active At least two good reasons, why this is not the right one. The AJP Connector is the one, which uses port 8009 in the default configuration and which you can identify by 'protocol="AJP/1.3"'. Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat, apache with mod_jk and mod_auth_kerb
> > > > The remote user gets forwarded automatically, but in order to make Tomcat > accept that info and not try to authenticate itself, you need to set > tomcatAuthentication="false" in the ajp connector element in server.xml. > > See also http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html > > > If you want to forward additional info, you could use httpd env vars and > JkEnvVars. On the Tomcat side, retrieve those via > request.getAttribute("MyEnvVar"). > > Regards, > > Rainer > > Hi Rainer, I am using Tomcat -5.5.12 and this is what I have in my server.xml configuration for http: I could not lookup for the attribute tomcatAuthentication in the configuration however.
Re: tomcat, apache with mod_jk and mod_auth_kerb
> > Not necessarily. You could configure address attribute of the Tomcat HTTP > to listen only on 127.0.0.1 if httpd is on the same system, or > if on a different system, configure Tomcat's RemoteAddrValve to limit > requests to just that system. > > http://tomcat.apache.org/tomcat-6.0-doc/config/http.html > > http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote%20Address%20Filter > > You may need to adjust the above links for the Tomcat version you're using, > which you didn't bother to tell us. > > - Chuck > Thanks Chuck. I am using Tomcat 5.5.12 and I could not find this attribute in the server.xml configuration. What is the equivalent of RemoteAddressValve for v5.5.12 ? Nikhil
Re: tomcat, apache with mod_jk and mod_auth_kerb
Hi Nikhil, Nikhil schrieb: I have no problems in using mod_jk but could not figure out the ways of passing the remote_user variable effectively to the tomcat instance would also desire to have a scalability that with a single httpd instance supporting the multiple tomcat instances (may be on a single host/spanned across multiple hosts). I have tried using SetEnvIf, JkEnvVar, RequestHeader directives to only to find of no use. The remote user gets forwarded automatically, but in order to make Tomcat accept that info and not try to authenticate itself, you need to set tomcatAuthentication="false" in the ajp connector element in server.xml. See also http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html If you want to forward additional info, you could use httpd env vars and JkEnvVars. On the Tomcat side, retrieve those via request.getAttribute("MyEnvVar"). Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: tomcat, apache with mod_jk and mod_auth_kerb
> From: Nikhil [mailto:[EMAIL PROTECTED] > Subject: tomcat, apache with mod_jk and mod_auth_kerb > > I have earlier tried using the mod_rewrite module > with proxy .. but that would ask me to enable the > http connector port of the tomcat instance and will > prompt to keep the spoofing chances wide open. Not necessarily. You could configure address attribute of the Tomcat HTTP to listen only on 127.0.0.1 if httpd is on the same system, or if on a different system, configure Tomcat's RemoteAddrValve to limit requests to just that system. http://tomcat.apache.org/tomcat-6.0-doc/config/http.html http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote%20Address%20Filter You may need to adjust the above links for the Tomcat version you're using, which you didn't bother to tell us. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]