Re: user and certificate info is not passed to tomcat

Mon, 07 Oct 2019 15:30:02 -0700 

Adding to my own previous post :

A posteriori, I saw a question here :
https://stackoverflow.com/questions/58240796/pass-username-and-client-certificate-from-apache-to-tomcat-using-mod-jk
that may be related to your question on this list.
Examining the above, you problem may be in the httpd configuration :
As I interpret it, the <Directory> section that you mention, will not be taken into account for the URLs that you are proxying to tomcat. That is because <Directory> sections only apply if the URL ultimately maps to a local file for httpd. In this case, it does not, because you are proxying this request to tomcat. For such URLs, you should use a <Location> or <LocationMatch> in httpd, not a <Directory>. 
For example, *add* this to your httpd configuration :
<LocationMatch /servlet.*>
    DirectoryIndex off
    RewriteEngine Off
    AuthType openid-connect
    AllowOverride None
    AuthzDBDQuery "a correct database query"
    Require dbd-group allrepo
    LogLevel debug
</LocationMatch>

Note: the above is very rough, and you may need to tune the regex a bit better.

On 08.10.2019 00:11, André Warnier (tomcat) wrote:

On 07.10.2019 23:24, Magosányi Árpád wrote:

On 10/7/19 8:20 PM, André Warnier (tomcat) wrote:


Forgot the atribute 'tomcatAuthentication="false"' in the Connector ?



Yes, I did, however adding it back did not improve the situation.


Ok. I just mentioned that, because it is one piece of the puzzle, and you might 
have
forgotten it.
What this piece really does is :
- IF the front-end Apache httpd authenticates the HTTP request which it later 
passes on to
tomcat
- IF the protocol used between Apache httpd and tomcat is AJP
- IF the AJP Connector in tomcat has the attribute set as above
- THEN tomcat will retrieve the user-id of the httpd-authenticated user, and 
save it
internally as the tomcat-authenticated user-id for this request

So now you have the two last IF's answered positively.
What about the first IF ?

Info : in the default format of the Apache httpd access log, it will show the
authenticated user (if any) for each request, for example like this :

127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET 
/starwebtt-internal/esearch...
(where "THEUSER" is the httpd-authenticated user)

while if the request is not authenticated by httpd, it will show a "-" instead 
of the
user-id, like this :
127.0.0.1 - - [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...

(and, of course, if httpd has not authenticated the request which it later 
passes on to
tomcat via AJP, then it cannot pass a user-id to tomcat, and thus tomcat cannot 
retrieve
this user-id, and thus the request, at the tomcat level, is not authenticated).


Next comes the question of how the tomcat application retrieves this user-id, 
from tomcat
itself. I suppose that this would be a question for the developers of the
"com.kodekonveyor.realm.KKAuthorizationFilter" filter mentioned in your 
configuration below.
(if the KKAuthorizationFilter does not use request.getRemoteuser(), but uses 
some other
method, then you are out of luck for this front-end/back-end combination)(or 
you may need
to do something additional at the front-end httpd level).




My server.xml now:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
   <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
   <Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
   <Listener
className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
   <Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
   <Listener
className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

   <GlobalNamingResources>
     <Resource name="UserDatabase" auth="Container"
               type="org.apache.catalina.UserDatabase"
               description="User database that can be updated and saved"
               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
               pathname="conf/tomcat-users.xml" />
   </GlobalNamingResources>

   <Service name="Catalina">

     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
tomcatAuthentication="false"/>


     <Engine name="Catalina" defaultHost="localhost">

       <Realm className="org.apache.catalina.realm.LockOutRealm">
         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                resourceName="UserDatabase"/>
       </Realm>

       <Host name="localhost"  appBase="webapps"
             unpackWARs="true" autoDeploy="true">

         <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
                prefix="localhost_access_log" suffix=".txt"
                pattern="%h %l %u %t &quot;%r&quot; %s %b" />

       </Host>
     </Engine>
   </Service>
</Server>

and my web.xml until mime mappings:

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee";
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
   xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                       http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd";
   version="4.0">


     <servlet>
         <servlet-name>default</servlet-name>

<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
         <init-param>
             <param-name>debug</param-name>
             <param-value>0</param-value>
         </init-param>
         <init-param>
             <param-name>listings</param-name>
             <param-value>false</param-value>
         </init-param>
         <load-on-startup>1</load-on-startup>
     </servlet>


     <servlet>
         <servlet-name>jsp</servlet-name>
         <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
         <init-param>
             <param-name>fork</param-name>
             <param-value>false</param-value>
         </init-param>
         <init-param>
             <param-name>xpoweredBy</param-name>
             <param-value>false</param-value>
         </init-param>
         <load-on-startup>3</load-on-startup>
     </servlet>


     <servlet-mapping>
         <servlet-name>default</servlet-name>
         <url-pattern>/</url-pattern>
     </servlet-mapping>

     <servlet-mapping>
         <servlet-name>jsp</servlet-name>
         <url-pattern>*.jsp</url-pattern>
         <url-pattern>*.jspx</url-pattern>
     </servlet-mapping>

   <filter>
     <filter-name>KKAuthorizationFilter</filter-name>

<filter-class>com.kodekonveyor.realm.KKAuthorizationFilter</filter-class>
   </filter>

   <filter-mapping>
     <filter-name>KKAuthorizationFilter</filter-name>
     <url-pattern>/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
   </filter-mapping>

     <session-config>
         <session-timeout>30</session-timeout>
     </session-config>










---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to