tomcat-users mailing list archives

From <oh...@cox.net>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Fri, 02 Dec 2011 16:26:41 GMT

---- "André Warnier" <aw@ice-sa.com> wrote: 
> ohaya@cox.net wrote:
> > 
> ...
> > 
> >     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
> > 
> That is correct. The "false" means that Tomcat will not do its own authentication, and
> will instead rely on the authenticated user-id passed by the front-end server.
> 
> Now could you also show us the section of your Apache front-end configuration, containing
> the directives which forward the requests to Tomcat?
> (proxy or rewrite stanzas)
> 
> Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the
> authenticated user-id to Tomcat along with the proxied request, depends on the fact that
> within Apache (more precisely within the internal Apache "request record"), the request is
> really authenticated (*).
> I am saying this because in an earlier post, you mentioned that you were using a
> third-party authentication package at the Apache httpd level.
> It is unlikely, but possible, that this authentication package would use its own logic,
> and never "populate" the internal Apache request record with this user-id (**).
> In such a case, the automatic forwarding of the user-id by the Apache-level connector
> module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal
> Apache request record, and have no knowledge of another user-id source.
> 
> 
> (*) in Tomcat terms, the equivalent of populating the userPrincipal object
> (**) for example, it may act as a filter, and rely on each request always containing a
> cookie which "authenticates" the request, and do its own access control independently of
> Apache httpd itself
> 


Andre,

Sure.  Here's the section from httpd.conf.  This is testing where I purposely insert a "REMOTE_USER"
HTTP header into the request being proxied.  As I said, I have a sniffer on the line, and
I can see the REMOTE_USER header, but still, when I get to my test JSP hosted on the Tomcat,
getUserPrincipal() is returning null (don't mind the hostname in the ProxyPass, etc.  I just
happen to be hosting Tomcat on that machine, and WebLogic is shut down there).


# Proxy to Tomcat on weblogic1 machine, using AJP
<Location /samplesajp>
RequestHeader set "REMOTE_USER" "222222229test111111111111"
ProxyPass		ajp://weblogic1.whatever.com:8009/samplesajp
ProxyPassReverse	ajp://weblogic1.whatever.com:8009/samplesajp
</Location>

Jim
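
Added example, not part of the original thread: a small decoder for a sniffed AJP13 forward request, written against the AJPv13 packet layout from the Tomcat connectors documentation. It shows that a request header named REMOTE_USER and the connector's remote_user attribute (code 0x03) are separate fields of the packet, the attribute being the "authenticated user-id passed by the front-end" referred to in the reply above. The sample packets, addresses and the user name "jim" are constructed; `build_sample` and `parse_forward_request` are hypothetical helper names.

```python
import struct

def ajp_str(s):
    """Encode an AJP13 string: 2-byte length, bytes, trailing NUL."""
    return struct.pack(">H", len(s)) + s.encode("latin-1") + b"\x00"

def build_sample(headers, remote_user=None):
    """Constructed forward request (prefix 0x02, method 2 = GET); all values are made up."""
    fixed = ("HTTP/1.1", "/samplesajp/test.jsp", "192.0.2.10", "client.example", "www.example")
    body = b"\x02\x02" + b"".join(map(ajp_str, fixed)) + struct.pack(">HBH", 80, 0, len(headers))
    for name, value in headers:
        body += ajp_str(name) + ajp_str(value)      # header sent by name, as a plain string
    if remote_user is not None:
        body += b"\x03" + ajp_str(remote_user)      # attribute 0x03 = remote_user
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + b"\xff"

def parse_forward_request(pkt):
    """Return (headers, remote_user) decoded from one AJP13 forward request."""
    if pkt[:2] != b"\x12\x34" or pkt[4] != 0x02:
        raise ValueError("not an AJP13 forward request")
    pos = 6                                         # magic(2) + length(2) + prefix + method
    def read_str():
        nonlocal pos
        (n,) = struct.unpack_from(">H", pkt, pos)
        pos += 2
        if n == 0xFFFF:                             # AJP13 null string
            return None
        pos += n + 1                                # skip the bytes and the trailing NUL
        return pkt[pos - n - 1:pos - 1].decode("latin-1")
    for _ in range(5):                              # protocol, uri, remote_addr, remote_host, server_name
        read_str()
    (count,) = struct.unpack_from(">H", pkt, pos + 3)   # after server_port(2) + is_ssl(1)
    pos += 5
    headers = {}
    for _ in range(count):
        if pkt[pos] == 0xA0:                        # common header sent as a 2-byte code
            name, pos = "code:0x%04X" % struct.unpack_from(">H", pkt, pos), pos + 2
        else:
            name = read_str()
        headers[name] = read_str()
    remote_user = None
    while pkt[pos] != 0xFF:                         # attributes run until the terminator
        code, pos = pkt[pos], pos + 1
        n_str = {0x0A: 2, 0x0B: 0}.get(code, 1)     # req_attribute: name + value; ssl_key_size: none
        values = [read_str() for _ in range(n_str)]
        pos += 2 if code == 0x0B else 0             # ssl_key_size is a 2-byte integer
        if code == 0x03:
            remote_user = values[0]
    return headers, remote_user
```

Run against a capture of the request on port 8009, a `remote_user` of `None` alongside a `REMOTE_USER` entry in `headers` means the front-end never marked the request as authenticated.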
