---- oh...@cox.net wrote: 
> 
> ---- oh...@cox.net wrote: 
> > 
> > ---- "André Warnier" <a...@ice-sa.com> wrote: 
> > > oh...@cox.net wrote:
> > > > ---- "André Warnier" <a...@ice-sa.com> wrote: 
> > > >> oh...@cox.net wrote:
> > > >>> ---- "André Warnier" <a...@ice-sa.com> wrote: 
> > > >>>> oh...@cox.net wrote:
> > > >>>>>> Now let me ask another question :
> > > >>>>>> Why do you need to authenticate the user at the Apache level, and 
> > > >>>>>> pass this user-id to 
> > > >>>>>> Tomcat ?
> > > >>>>>> Obviously, from the OAM documentation I scanned, there must exist 
> > > >>>>>> an OAM module directly 
> > > >>>>>> for Tomcat, to authenticate users there.  Why are you not using 
> > > >>>>>> that ?
> > > >>>>> It seems like they should have one, but, unfortunately, they don't.
> > > >>>>>
> > > >>>> Mmm. Browsing the documentation, I seem to remember seeing something 
> > > >>>> about Weblogic, no ?
> > > >>>> Is that not usable ?
> > > >>>>
> > > >>>> (As an aside, send your messages only to the list. I get all 
> > > >>>> messages to the list anyway, 
> > > >>>> so if you send them to me too, I get them twice).
> > > >>>
> > > >>> Hi,
> > > >>>
> > > >>> Sorry about the emails.  
> > > >>>
> > > >>> Yes, they do support integrating with WebLogic, and we do use that 
> > > >>> for other cases, but that's probably a bit off-topic here.
> > > >>>
> > > >> We don't mind the competition here. Keeps us on our toes.
> > > >> Just kidding.
> > > >> What I meant to ask (me being the not-so-Java specialist see) was, 
> > > >> since Weblogic is a 
> > > >> servlet engine, and Tomcat is a servlet engine, both ought to abide by 
> > > >> the servlet spec 
> > > >> and such, so isn't the Weblogic-oriented module usable with Tomcat ?
> > > >> Or is this too much of a rosy view of the world ?
> > > >>
> > > >> Anyway, the only other thing that comes to mind is, since you seem to 
> > > >> be an OAM customer, 
> > > >> can you not ask the OAM support people if OAM sets the internal Apache 
> > > >> user-id or not ?
> > > >>
> > > > 
> > > > 
> > > > Hi,
> > > > 
> > > > I'll answer the last question first:  We have asked, but they don't 
> > > > support integration with Tomcat out-of-the-box.  That was why I've been 
> > > > looking into it for our organization.
> > > > 
> > > 
> > > Ok. But the question here is different : you are not asking if they 
> > > support Tomcat.
> > > What you are asking is if OAM can set the Apache internal user-id, once 
> > > the user is 
> > > authenticated by OAM.
> > > 
> > > The situation is the same as if you had to support, say, some legacy 
> > > Apache-based 
> > > application, and this Apache-based application needs the user-id, and it 
> > > normally gets it 
> > > from Apache.
> > > For example, imagine that your organisation has some pre-existing 
> > > content-management 
> > > system based on Apache and Perl.  Now you purchase OAM as a global SSO 
> > > mechanism, and you 
> > > want to use OAM to authenticate the users for your content-management 
> > > application.  For 
> > > that, the easiest way is for OAM to just set the Apache user-id, because 
> > > then you don't 
> > > have to change anything to your existing application.
> > > 
> > 
> > Hi,
> > 
> > I didn't say anything about it before, but I've been, in parallel with our 
> > discussion, mucking around both the OAM innards and the Apache source code, 
> > as best I can, trying to find out why that internal remote_user string (it 
> > is, I believe, only internal to Apache), to see why it isn't being set.  
> > Notice also that I said "remote_user string", rather than "remote_user 
> > variable".
> > 
> > The reason is that, in looking through the Apache source code, I haven't 
> > (yet) been able to find a variable like that.  Rather, it looks like the 
> > Apache code just dumps the string representing the user into some buffer 
> > that it's building to send out via AJP protocol.
> > 
> > On the OAM side, I haven't been able to find any configuration "tweaks" 
> > that would make their webagent populate (or not populate) whatever data 
> > structure inside of Apache either.
> > 
> > I may or may not decide to try to bug Oracle about why their webagent 
> > doesn't appear to do that.  Probably not though, as in the past, it's 
> > hard to find someone who knows their stuff well enough to answer such an 
> > esoteric question.  Plus, the valve seems to work at the moment.
> > 
> > Having said that, and having started to work more with my valve code, I do 
> > have a more on-topic question for you and for the list, in general.  
> > 
> > To recall, my test Tomcat is pretty much vanilla, including the default 
> > realm that uses the tomcat-users.xml.
> > 
> > Earlier, you and Chuck said that when my valve code asserts a user into 
> > Tomcat (e.g., via the setUserPrincipal()), that that asserted user didn't 
> > have to even be in the Tomcat realm.
> > 
> > I'm finding that that part does work as we've discussed, but the question 
> > that I have is what roles in Tomcat would that user have (in Tomcat)?  
> > 
> > In my testing, and as I've mucked around with my valve code, I found that I 
> > could assert not only a user, but it looks like I can also assert that 
> > user's roles in Tomcat.  
> > 
> > And, I can even assert roles that don't exist in the realm!!
> > 
> > In other words, suppose my valve gets a request with a userID of "foobar".  
> > Then, it appears that my valve code can not only assert the "foobar" user 
> > into Tomcat, but can also assert that the "foobar" user has roles 
> > "foobarRole1" and "foobarRole2", EVEN when those roles don't exist/aren't 
> > defined in the Tomcat realm.
> > 
> > Is this correct?
> > 
> > 
> > If it is, I may have a problem. 
> > 
> > Let me explain:
> > 
> > My original plan/thought/idea/thinking was that if I could get my valve 
> > code to assert the user into Tomcat as a principal in the Tomcat 
> > environment, then, at least to Tomcat itself, that user/principal would 
> > "pick up" the roles that that user would have within the Tomcat realm.
> > 
> > In other words, if I asserted "foobar" into Tomcat, and if there was 
> > already a user named "foobar" in the Tomcat realm, that then the asserted 
> > user would have all of the roles within Tomcat that he/she should have, via 
> > the realm.
> > 
> > However, that doesn't appear to be the case :(.  
> > 
> > Rather it appears that even if the user that I'm asserting actually exists 
> > in the Tomcat realm, after my valve asserts the user into Tomcat, the user 
> > doesn't appear to have any roles in Tomcat.  I'm using the security example 
> > app in the /examples that comes with Tomcat to check if Tomcat 'believes' 
> > that the asserted user has xxxx role.
> > 
> > In other words, even though my valve code can assert a user into Tomcat, 
> > and even if that same user already exists in the Tomcat realm, the asserted 
> > user seems to be 'disassociated' from the same user in the Tomcat realm?  
> > 
> > I'm not sure if I'm explaining that clearly, but let me know?
> > 
> > Here's an example:
> > 
> > In tomcat-users.xml, I have a user, "0test" with role "manager-gui".
> > 
> > I send a header into my valve with userID "0test", and it asserts the 
> > "0test" user into Tomcat.
> > 
> > Then I go to the Tomcat security example app, and I search for role of 
> > "manager-gui", and the app tells me that user "0test" has not been granted 
> > the "manager-gui" role.
> > 
> > So the question that I really have here is:  Can I "connect" the user that 
> > my valve asserts into Tomcat with the corresponding user in the Tomcat 
> > realm (so that the asserted user can "have" all of the roles in Tomcat that 
> > he/she "should" have)?
> > 
> > Thanks,
> > Jim
> > 
> >
> 
> 
> Hi,
> 
> I just found the following, which seems to confirm what I'm finding with 
> asserted users, as described above:
> 
> http://wiki.oss-watch.ac.uk/ShibbolethTomcatIntegration 
> 
> Note where it says:
> 
> "This requires that any acess to /jsp-examples/snp/* be authenticated to any 
> of 
> the roles declared to Tomcat elsewhere in the web.xml file. The problem with 
> this when receiving authentication information from Apache httpd via mod_jk 
> is 
> that we have not found any way to associate role membership with the 
> authenticated user. As a result, Tomcat refuses access to the servlet, even 
> though we do appear to have successfully conveyed authenticated user 
> information 
> to Tomcat. 
>  
> It appears that when Tomcat's own authentication is bypassed (using 
> tomcatAuthentication="false" noted above), Tomcat's mechanisms for assigning 
> roles to users (e.g. from tomcat-users.xml) are also bypassed, so the 
> authentication is effectively useless for invoking servlets." 
> 
> That is exactly the same problem/behavior that I'm seeing with users that I 
> assert into Tomcat using my valve code...
> 
> Jim
> 

P.S.  Also, the same problem/behavior occurs, even when I'm not using my valve 
code to do the assertion, when I use mod_jk and AJP and 
tomcatAuthentication=false.  In this case (using mod_jk and AJP), the user that 
gets asserted into Tomcat via the AJP connector doesn't get any roles within 
the Tomcat realm :(....
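
An added example (not Jim's valve code and not anything from the thread) of the "connection" asked for above: rather than building a GenericPrincipal itself, which leaves the user with only the roles the valve hands it, the valve asks the container's Realm for the principal by name, so the roles defined in tomcat-users.xml come with it. It assumes the Tomcat 8.5/9 Valve and Realm API, in which Realm.authenticate(String) looks a user up by name only, and a hypothetical header name X-Asserted-User that the fronting web server sets after authenticating the user.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import javax.servlet.ServletException;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/** Asserts a user identified by a header and connects it to the Realm for roles. */
public class RealmBackedAssertionValve extends ValveBase {

    // Hypothetical header name; only trust it when the request can only
    // arrive through the fronting web server that sets it (e.g. the AJP path).
    private static final String USER_HEADER = "X-Asserted-User";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String user = request.getHeader(USER_HEADER);
        if (user != null && !user.isEmpty()) {
            Realm realm = getContainer().getRealm();

            // Name-only lookup: for MemoryRealm/UserDatabaseRealm this returns a
            // principal already carrying the roles from tomcat-users.xml, which is
            // what plain setUserPrincipal(new GenericPrincipal(...)) never does.
            Principal principal = realm.authenticate(user);

            if (principal == null) {
                // Unknown to the Realm: assert the identity with no roles rather
                // than inventing roles the Realm does not grant.
                principal = new GenericPrincipal(user, null, Collections.emptyList());
            }

            request.setUserPrincipal(principal);
            request.setAuthType("EXTERNAL"); // label for the asserted authentication
        }
        getNext().invoke(request, response);
    }
}
```

For the mod_jk/AJP case in the P.S., later Tomcat versions also offer the AJP connector attribute tomcatAuthorization="true" alongside tomcatAuthentication="false", which performs this same Realm lookup for the user name the connector receives.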



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
