tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: Apache authentication information (remoteuser) not visible in Tomcat
Date Sat, 25 Aug 2007 22:06:34 GMT
Hi Omar.

1. Removing the comments from server.xml is more for your sanity than 
mine.  I started doing it to my server.xml's and it's made life so much 
easier.

2. The current production mod_jk is 1.2.14 in my system.  I have to 
upgrade my server soon and will probably upgrade that when I do.  I'm 
using it with both tomcat 5.0.28 and tomcat 5.5.23 without issue.  For 
those out there scratching your heads on this one, the tomcat 5.5 
instance is a dev/test environment while the 5.0 is production.  Apache 
Httpd is version 2.0.48.

3. The auth module is Cornell's mod_cuwebauth.so which off-loads the 
authentication to the university's authentication service.  There's no 
Tomcat realm version of it.

4. I never tested with BASIC first.  I needed to get the mod_cuwebauth 
REMOTE_USER header and found a brief reference to it in the archives.  
Set it, restarted, and it started working instantly.  When you access 
pages in /submitServer, are you challenged for a username and password?

--David

Omar Nafees wrote:
> Thank you for the tips David. The JkEnvVar was just a shot at passing 
> the REMOTE_USER explicitly. I read about it in one of the mod_jk 
> documents.  I was unable to get this to work without it either.
>
> Oh and my apologies for a cluttered server.xml on the list.
>
> I have restarted tomcat and apache several times. I was actually 
> trying to get it to work with tomcat 6.0 and switched to 5.5 to see if 
> that would make a difference.
>
> I've also tried to get this to work with apache 1.3 to no avail. I now 
> suspect mod_jk itself...
>
> May I ask what versions of each software you are using? What form of 
> Apache authentication are you using (some in house authorization 
> software)? Did you first test your setup with Apache's Basic 
> authentication?
>
> Sorry for the many questions - but I'd like to know what you've done 
> differently as I'd like to be where you are with this right now =)
>
>
> Thanks,
> Omar
>
>
> David Smith wrote:
>> Hi.
>>
>> I'm in the same boat as you in using an apache httpd module to 
>> authenticate users and have had it working for a few years now.  Your 
>> configuration looked good as far as I could tell.  Here are a couple 
>> of suggestions though.
>>
>> 1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your apache 
>> config.  I've never used it and have what you are working on working 
>> flawlessly.
>>
>> 2. Drop all those documenting comments and example configuration from 
>> your server.xml.  You could make a copy of it named 
>> server.xml.original if you want.  The commented parts are excellent 
>> documentation, but hamper readability of the active parts.
>>
>> 3. Restart Tomcat.  I'm not sure if you restarted after you added 
>> tomcatAuthentication="false" to the connector, but it needs to happen.
>>
>> --David
>>
>> Omar Nafees wrote:
>>> Hi Robert,
>>>
>>> Thanks for the response.
>>>
>>> So I've come to believe that it's possible to avoid using Tomcat 
>>> authentication altogether, i.e., without specifying realms and using 
>>> tomcat user/roles in an application's web.xml. Given my context (a 
>>> University environment with over several hundreds of students 
>>> hitting an apache web server and a small subset needing tomcat), I 
>>> need to completely separate authentication from the Tomcat server. I 
>>> guess this approach of using JNDI or even JAAS is a last resort... 
>>> but I would really like to see what everyone else seems to have 
>>> already accomplished - the REMOTE_USER variable being read from the 
>>> first AJP header that is sent to tomcat.
>>>
>>>
>>> Thanks,
>>>
>>> Omar
>>>
>>>
>>> Robert Segal wrote:
>>>> Omar I actually had this exact same problem early today although I'm
>>>> sure my environment is slightly different from yours perhaps I can offer
>>>> some help. In my case I have LDAP authentication configured for my
>>>> servlet.  I believe this step should be the same regardless of the
>>>> authentication scheme you are using....
>>>>
>>>> First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
>>>> roles and constraints for what pages can be accessed...
>>>>
>>>>   <login-config>
>>>>     <auth-method>BASIC</auth-method>
>>>>   </login-config>
>>>>
>>>>   <security-role>
>>>>     <role-name>GRP-myGroup</role-name>
>>>>   </security-role>
>>>>
>>>>   <security-constraint>
>>>>     <web-resource-collection>
>>>>       <web-resource-name>my Authentication</web-resource-name>
>>>>       <url-pattern>/*</url-pattern>
>>>>     </web-resource-collection>
>>>>
>>>>     <auth-constraint>
>>>>       <role-name>GRP-myGroup</role-name>
>>>>     </auth-constraint>
>>>>   </security-constraint>
>>>>
>>>>
>>>> The other file I change sets up all the LDAP machine details.  I've
>>>> placed it in Context.xml because there are several servlets that make
>>>> use of this authentication...
>>>>
>>>> $CATALINA_HOME/conf/Context.xml
>>>>
>>>> <Context>
>>>>     <Realm className         ="org.apache.catalina.realm.JNDIRealm"
>>>>            debug             ="99"
>>>>            connectionURL     ="ldap://ldapMachine:3268"
>>>>            connectionName    ="CRYPTOLOGIC\myUser"
>>>>            connectionPassword="myPassword"
>>>>            userBase          ="dc=myDomain,dc=com"
>>>>            userSearch        ="(sAMAccountName={0})"
>>>>            userSubtree       ="true"
>>>>            userRoleName      ="memberOf"
>>>>            roleBase          ="OU=Groups,DC=myDomain,DC=com"
>>>>            roleSubtree       ="false"
>>>>            roleName          ="cn"
>>>>            roleSearch        ="(member={0})"/>
>>>> </Context>
>>>>
>>>> This has worked for me.  Hope it is of some use to you.  We also have
>>>> Apache over top of Tomcat in our environment and found it necessary to
>>>> configure authentication both in Apache and in Tomcat to get things to
>>>> work properly.
>>>>
>>>> Robert Segal
>>>> Tools Developer
>>>> CryptoLogic Inc.
>>>> 55 St. Clair Ave W., 3rd Floor
>>>> Toronto, Ontario
>>>> Canada  M4V 2Y7
>>>> tel.  + 1.416.545.1455 x5896
>>>> fax. + 1.416.545.1454
>>>>
>>>> This message, including any attachments, is confidential and/or
>>>> privileged and contains information intended only for the person(s)
>>>> named above. Any other distribution, copying or disclosure is strictly
>>>> prohibited. If you are not the intended recipient or have received this
>>>> message in error, please notify us immediately by reply email and
>>>> permanently delete the original transmission from all of your systems
>>>> and hard drives, including any attachments, without making a copy.
>>>>
>>>> -----Original Message-----
>>>> From: Omar Nafees [mailto:omnafees@cs.uwaterloo.ca]
>>>> Sent: Friday, August 24, 2007 2:30 PM
>>>> To: Tomcat Users List
>>>> Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat
>>>>
>>>> Thanks for the response Christopher... although I had very early 
>>>> on, already tried what is suggested in the link you have referred 
>>>> to, i.e., setting tomcatAuthentication="false" in the appropriate 
>>>> server.xml line (see the config listing I produced earlier in the 
>>>> thread).
>>>>
>>>> Oh I hope it's not some obscure bug in mod_jk!! :)
>>>>
>>>> Thanks,
>>>> Omar
>>>>
>>>>
>>>>
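
Added example, not part of the original thread: a small check for the two server.xml points discussed above, namely that commented-out configuration hides what is active and that `tomcatAuthentication="false"` must sit on the active AJP connector. The sample server.xml is constructed and the function names are hypothetical; the loopback note reflects that a connector with this setting accepts whatever user the AJP peer supplies.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the attribute was added to a commented-out connector,
# so the active AJP connector still uses Tomcat's own authentication.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- <Connector port="8009" protocol="AJP/1.3"
                    tomcatAuthentication="false" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_connectors(server_xml):
    """Return the active AJP connectors; XML comments are dropped by the parser."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # HTTP when not specified
        if "ajp" not in protocol.lower():
            continue
        auth = conn.get("tomcatAuthentication", "true")  # default is "true"
        found.append({
            "port": conn.get("port"),
            "address": conn.get("address"),  # None means all interfaces
            "trusts_frontend_user": auth.strip().lower() == "false",
        })
    return found


def review(server_xml):
    """Return human-readable notes about the AJP connector settings."""
    connectors = ajp_connectors(server_xml)
    notes = [] if connectors else ["no active AJP connector found"]
    for c in connectors:
        if not c["trusts_frontend_user"]:
            notes.append(f"AJP port {c['port']}: tomcatAuthentication is not "
                         "false, so Tomcat does not use httpd's user")
        elif c["address"] not in LOOPBACK:
            notes.append(f"AJP port {c['port']}: accepts the front end's user "
                         "but is not bound to loopback; limit who can reach it")
    return notes


if __name__ == "__main__":
    for note in review(SAMPLE_SERVER_XML):
        print(note)
```
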

