oh...@cox.net wrote:
---- oh...@cox.net wrote:
---- "André Warnier" <a...@ice-sa.com> wrote:
oh...@cox.net wrote:
...
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
tomcatAuthentication="false" />
That is correct. The "false" means that Tomcat will not do it's own authentication, and
will instead rely on the authenticated user-id passed by the front-end server.
Now could you also show us the section of your Apache front-end configuration, containing
the directives which forward the requests to Tomcat ?
(proxy or rewrite stanzas)
Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the
authenticated user-id to Tomcat along with the proxied request, depends on the fact that
within Apache (more precisely within the internal Apache "request record"), the request is
really authenticated (*).
I am saying this because in an earlier post, you mentioned that you were using a
third-party authentication package at the Apache httpd level.
It is unlikely, but possible, that this authentication package would use its own logic,
and never "populate" the internal Apache request record with this user-id (**).
In such a case, the automatic forwarding of the user-id by the Apache-level connector
module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal
Apache request record, and have no knowledge of another user-id source.
(*) in Tomcat terms, the equivalent of populating the userPrincipal object
(**) for example, it may act as a filter, and rely on each request always containing a
cookie which "authenticates" the request, and do its own access control independently of
Apache httpd itself
Andre,
Sure. Here's the section from httpd.conf. This is testing where I purposely insert a
"REMOTE_USER" HTTP header into the request being proxied. As I said, I have a
sniffer on the line, and I can see the REMOTE_USER header, but still, when I get to my
test JSP hosted on the Tomcat, getUserPrincipal() is returning null (don't mind the
hostname in the ProxyPass, etc. I just happen to be hosting Tomcat on that machine, and
WebLogic is shutdown there).
# Proxy to Tomcat on weblogic1 machine, using AJP
<Location /samplesajp>
RequestHeader set "REMOTE_USER" "222222229test111111111111"
ProxyPass ajp://weblogic1.whatever.com:8009/samplesajp
ProxyPassReverse ajp://weblogic1.whatever.com:8009/samplesajp
</Location>
Jim
Hi,
BTW, I asked about this earlier, but is it possible to turn on some debugging
on the Tomcat side, that might help diagnose why the AJP connector is not
working the expected way? I'm not that familiar with Tomcat or AJP logging,
but I've only been able to set logging in logging.properties so that there's
either almost no logging or it generated a ton of logging (but not stuff on AJP
connection/processing) :(...
Sorry, dunno. Logging is not my favorite area in Tomcat..
Also, to tell the truth, I do not know exactly /how/ the Apache user-id is passed to
Tomcat. I strongly suspect that the "REMOTE_USER" HTTP header may not be it, and that it
may be via what Tomcat calls "request attributes", and Apache calls "environment
variables" (but not in the usual shell sense). But I don't know how this particular one
may be named.
Since you seem better at Java that I am, you may be able to find it in the Tomcat AJP
Connector code somewhere. I would start looking for "request attribute" rather than "header".
This page : http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
seems to hint at ditto, and even mentions a request attribute named
"remote_user" (lowercase).
Maybe you could try to set this "environment variable" in Apache, and see where
it leads you ?
In this page : http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
it shows how to do that (but there it calls them "server variables").
The terminology is not very consistent..
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
