Can anyone confirm this as an issue?

-- 

Joe Van Demark
[EMAIL PROTECTED]



I'm running Apache/tomcat 3.3 Beta with jserv.

My server.xml contains the following RequestInterceptor tag/element

      <RequestInterceptor
         className="org.apache.tomcat.modules.server.Ajp12Interceptor"
         tomcatAuthentication="false"
         port="8007" />

But it doesn't seem that tomcatAuthentication is actually disabled.

Looking at the code I see the following

The AjpInterceptor instantiates both AjpRequest and AjpResponse objects.
The instantiation of AjpRequest in turn instantiates an instance of Ajp12
which is where we read off the stream from jserv.

Both AjpInterceptor and Ajp12 default tomcatAuthentication to true.

When Ajp12 is reading the stream it will ignore the remote users if
tomcatAuthentication is true.

                    if (isTomcatAuthentication())
                        dummy=readString(ajpin, null);
                    else

which is what is happening.

It would seem to me given the Request interceptor definition
in server.xml that Ajp12 should be reading the remote user,
i.e. tomcatAuthentication is false.

Since Ajp12Interceptor instantiates Ajp12 I would expect given
the server.xml def it would make a call to Ajp12 to set tomcat
authentication to false. This might possibly occur in the
processConnection method:


            if( reqA==null || resA==null ) {
                reqA = new AJP12Request();
                reqA.setSecret( secret );
                ((AJP12Request)reqA).setTomcatAuthentication(
                                        isTomcatAuthentication());
                resA=new AJP12Response();
                cm.initRequest( reqA, resA );
            }

But it would require that the local instance field tomcatAuthentication
be set to false if it were to work at all. None of this is happening as
far as I can tell.

Basically I don't see a path through the code which would disable
tomcatAuthentication that corresponds to the server.xml Request
Interceptor definition.

The only way I've been able to disable the tomcatAuthentication and read
a remote_user off the jserv stream was to modify Ajp12, defaulting
tomcatAuthentication to false.

Any insight would be appreciated.

-- 

Joe Van Demark
[EMAIL PROTECTED]



