tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Omar Nafees <omnaf...@cs.uwaterloo.ca>
Subject Re: Apache authentication information (remoteuser) not visible in Tomcat
Date Sat, 25 Aug 2007 15:46:20 GMT
Thank you for the tips David. The JkEnvVar was just a shot at passing 
the REMOTE_USER explicitly. I read about it in one of the mod_jk 
documents.  I was unable to get this to work without it either.

Oh and my apologies for a cluttered server.xml on the list.

I have restarted tomcat and apache several times. I was actually trying 
to get it to work with tomcat 6.0 and switched to 5.5 to see if that 
would make a difference.

I've also tried to get this to work with apache 1.3 to no avail. I now 
suspect mod_jk itself...

May I ask what versions of each software you are using? What form of 
Apache authentication are you using (some in house authorization 
software)? Did you first test your setup with Apache's Basic authentication?

Sorry for the many questions - but I'd like to know what you've done 
differently as I'd like to be where you are with this right now =)


Thanks,
Omar


David Smith wrote:
> Hi.
>
> I'm in the same boat as you in using an apache httpd module to 
> authenticate users and have had it working for a few years now.  Your 
> configuration looked good as far as I could tell.  Here are a couple 
> of suggestions though.
>
> 1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your  apache 
> config.  I've never used it and have what you are working on working 
> flawlessly.
>
> 2. Drop all those documenting comments and example configuration from 
> your server.xml.  You could make a copy of it named 
> server.xml.original if you want.  The commented parts are excellent 
> documentation, but hamper readability of the active parts.
>
> 3. Restart Tomcat.  I'm not sure if you restarted after you added 
> tomcatAuthentication="false" to the connector, but it needs to happen.
>
> --David
>
> Omar Nafees wrote:
>> Hi Robert,
>>
>> Thanks for the response.
>>
>> So I've come to believe that its possible to avoid using Tomcat 
>> authentication altogether, i.e., without specifying realms and using 
>> tomcat user/roles in an application's web.xml. Given my context (a 
>> University environment with over several hundreds of students hitting 
>> an apache web server and a small subset needing tomcat), I need to 
>> completely separate authentication from the Tomcat server. I guess 
>> this approach of using JNDI or even JAAS is a last resort... but I 
>> would really like to see what everyone else seems to have already 
>> accomplished - the REMOTE_USER variable being read from the first AJP 
>> header that is sent to tomcat.
>>
>>
>> Thanks,
>>
>> Omar
>>
>>
>> Robert Segal wrote:
>>> Omar I actually had this exact same problem early today although I'm
>>> sure my environment is slightly different from your perhaps I can offer
>>> some help. In my case I have LDAP authentication configured for my 
>>> servlet.  I
>>> believe this step should be the same regardless of the authentication
>>> scheme you are using....
>>>   First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to 
>>> define
>>> roles and constraints for what pages can be accessed...
>>>
>>> <login-config>
>>>     <auth-method>BASIC</auth-method>
>>>   </login-config>
>>>
>>>   <security-role>
>>>     <role-name>GRP-myGroup </role-name>
>>>   </security-role>
>>>
>>>   <security-constraint>
>>>     <web-resource-collection>
>>>       <web-resource-name>my Authentication</web-resource-name>
>>>       <url-pattern>/*</url-pattern>
>>>     </web-resource-collection>
>>>
>>>     <auth-constraint>
>>>       <role-name>GRP-myGroup</role-name>
>>>     </auth-constraint>
>>>   </security-constraint>
>>>
>>>
>>> The other file I change sets up all the LDAP machine details.  I've
>>> placed it in Context.xml because there are several servlets that make
>>> use of this authentication...
>>>
>>> $CATALINA_HOME/conf/Context.xml
>>>
>>> <Context>
>>>     <Realm className       ="org.apache.catalina.realm.JNDIRealm"
>>>          debug             ="99"
>>>          connectionURL     ="ldap://ldapMachine:3268"
>>>          connectionName    ="CRYPTOLOGIC\myUser"
>>>          connectionPassword="myPassword"                           
>>> userBase          ="dc=myDomain,dc=com"
>>>          userSearch        ="(sAMAccountName={0})"
>>>             userSubtree       ="true"
>>>          userRoleName      ="memberOf"
>>>                   roleBase   ="OU=Groups,DC=myDomain,DC=com"
>>>          roleSubtree="false"
>>>          roleName   ="cn"
>>>          roleSearch ="(member={0})"/>
>>> </Context>
>>>
>>> This has worked for me.  Hope it is of some use to you.  We also have
>>> Apache over top of Tomcat in our environment and found it necessary to
>>> configure authentication both in Apache and in Tomcat to get things to
>>> work properly.
>>>
>>> Robert Segal
>>> Tools Developer
>>> CryptoLogic Inc.
>>> 55 St. Clair Ave W., 3rd Floor
>>> Toronto, Ontario
>>> Canada  M4V 2Y7
>>> tel.  + 1.416.545.1455 x5896
>>> fax. + 1.416.545.1454
>>>
>>> This message, including any attachments, is confidential and/or
>>> privileged and contains information intended only for the person(s)
>>> named above. Any other distribution, copying or disclosure is strictly
>>> prohibited. If you are not the intended recipient or have received this
>>> message in error, please notify us immediately by reply email and
>>> permanently delete the original transmission from all of your systems
>>> and hard drives, including any attachments, without making a copy.
>>>
>>> -----Original Message-----
>>> From: Omar Nafees [mailto:omnafees@cs.uwaterloo.ca] Sent: Friday, 
>>> August 24, 2007 2:30 PM
>>> To: Tomcat Users List
>>> Subject: Re: Apache authentication information (remoteuser) not visible
>>> in Tomcat
>>>
>>> Thanks for the response Christopher... although I had very early on, 
>>> already tried what is suggested in the link you have referred to, 
>>> i.e., setting tomcatAuthentication="false" in the appropriate 
>>> server.xml line (see the config listing I produced earlier in the 
>>> thread).
>>>
>>> Oh I hope its not some obscure bug in mod_jk!! :)
>>>
>>> Thanks,
>>> Omar
>>>
>>>
>>>
>>> Christopher Schultz wrote:
>>>  
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Omar,
>>>>
>>>> Omar Nafees wrote:
>>>>     
>>>>> request.getRemoteUser() returns null in my servlet.
>>>>> request.getAttribute("REMOTE_USER") also returns null. I have even
>>>>> checked the headers that are being sent to the AJP connector in
>>>>>       
>>> Tomcat.
>>>  
>>>>>           
>>>> This is a FAQ. The answer is easily findable in the archives:
>>>>
>>>> http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y
>>>>
>>>> - -chris
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.7 (MingW32)
>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>>>
>>>> iD8DBQFGzxDY9CaO5/Lv0PARAi0fAKC+7Rb+k5E3fEPFGhhiXvXumpz9QwCgwgss
>>>> OPTfCFM5pLAQ0jH0i+BCkis=
>>>> =+c/H
>>>> -----END PGP SIGNATURE-----
>>>>
>>>> ---------------------------------------------------------------------
>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>       
>>>
>>>
>>> ______________________________________________________________________
>>> This email has been scanned by the MessageLabs Email Security System.
>>> For more information please visit http://www.messagelabs.com/email 
>>> ______________________________________________________________________
>>>
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>   
>>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message