tomcat-users mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Apache --> Tomcat SSL via mod_jk
Date Wed, 29 Aug 2007 20:17:03 GMT
Christopher Schultz wrote:
> Omar Nafees wrote:
>> 1) request.getRemoteUser() only works on the "entry-point" servlet (e.g.
>> index.jsp) - it doesn't work if you forward immediately to another page.
>> It seems strange that Tomcat doesn't keep remote user around for later
>> use and forces me to keep it around explicitly in some form (such as a
>> hidden POST parameter).
> 
> This doesn't sound right; getRemoteUser should return the REMOTE_USER
> each time, regardless of which request it is.

And it does. fwd.jsp is

<jsp:forward page="auth.jsp"/>

and auth.jsp is

<%@page session="false"%>
<HTML>
User: <%=request.getRemoteUser() %>
</HTML>

and I do get the correct user name when sending the request to an Apache 
with basic authentication configured and connected to Tomcat via mod_jk.

>> 2) The above is assuming SSL is turned off for my application. The
>> minute I turn it on in its security constraint (in web.xml)
> 
> You cannot "turn on" SSL in web.xml; all you can do is require that SSL
> be used in order for security to work.
> 
> Since you're using mod_jk, you won't be able to use CONFIDENTIAL as a
> security constraint, since mod_jk doesn't communicate using a
> CONFIDENTIAL channel.

I added

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Protected Context</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>

to web.xml. If I contact the webapp via Apache with http, I get a 
redirect to the https URL. If I talk to Apache via https, I can access 
the application. We know that mod_jk forwards the info about the 
protocol used by Apache when accepting the original request and this 
info is handled by Tomcat's security-constraint the same way as if 
Tomcat had created it on its own connectors.

>> request.getRemoteUser() only returns null. Is there a particular setting
>> in security constraint or elsewhere to achieve the desired behavior?
> 
> I believe you are making a mistake by using CONFIDENTIAL in web.xml, and
> Tomcat is reacting correctly by refusing to accept the remote user as
> furnished by mod_jk because it is not being sent over SSL.

In my test case, it

- doesn't reject or redirect, it simply answers the request - if it was 
sent via Apache/mod_jk using https in the original request

- the JSP correctly outputs the user name. I get it when requesting 
fwd.jsp, and also when requesting auth.jsp.

Again I think you should try a simple example first.

Regards,

Rainer
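
A diagnostic JSP in the spirit of the simple test above, as an added example that is not part of the original message: it prints what Tomcat received for a request, including the protocol and user information forwarded by mod_jk. The file name diag.jsp is an assumption; the request attribute names are the standard Servlet API ones, and output is plain text so the user name is never interpreted as HTML.

```jsp
<%@page session="false" contentType="text/plain; charset=UTF-8"%>
<%@page import="java.security.cert.X509Certificate"%>
<%--
  diag.jsp (hypothetical name): added diagnostic page, not from the thread.
  Shows what Tomcat received for this request, whether it arrived on one of
  Tomcat's own connectors or was forwarded by Apache through mod_jk.
--%>
<%!
    // Render a request attribute, or "(not set)" when the front end sent none.
    private static String attr(HttpServletRequest req, String name) {
        Object v = req.getAttribute(name);
        return v == null ? "(not set)" : String.valueOf(v);
    }
%>
<%
    String user = request.getRemoteUser();
    String authType = request.getAuthType();
    // Client certificate chain, present only when TLS client auth was used.
    X509Certificate[] chain = (X509Certificate[])
        request.getAttribute("javax.servlet.request.X509Certificate");
    boolean hasCert = chain != null && chain.length > 0;
%>
scheme      : <%= request.getScheme() %>
isSecure    : <%= request.isSecure() %>
serverPort  : <%= request.getServerPort() %>
remoteUser  : <%= user == null ? "(null)" : user %>
authType    : <%= authType == null ? "(null)" : authType %>
cipherSuite : <%= attr(request, "javax.servlet.request.cipher_suite") %>
keySize     : <%= attr(request, "javax.servlet.request.key_size") %>
clientCert  : <%= hasCert ? chain[0].getSubjectX500Principal().getName() : "(none)" %>
<%
    // Point at the layer to inspect next, based on what actually arrived.
    if (!request.isSecure()) {
%>
note: Tomcat sees a non-secure request; under a CONFIDENTIAL constraint it would be redirected to https.
<%
    } else if (user == null) {
%>
note: the request is secure, but no remote user reached Tomcat.
<%
    }
%>
```

Request it once over http and once over https through Apache, then compare the two outputs with what the security-constraint does for the same URLs.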
