tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <oh...@cox.net>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Fri, 02 Dec 2011 16:30:37 GMT

---- ohaya@cox.net wrote: 
> 
> ---- "André Warnier" <aw@ice-sa.com> wrote: 
> > ohaya@cox.net wrote:
> > > 
> > ...
> > > 
> > >     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"
/>
> > > 
> > That is correct. The "false" means that Tomcat will not do it's own authentication,
and 
> > will instead rely on the authenticated user-id passed by the front-end server.
> > 
> > Now could you also show us the section of your Apache front-end configuration, containing

> > the directives which forward the requests to Tomcat ?
> > (proxy or rewrite stanzas)
> > 
> > Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes
the 
> > authenticated user-id to Tomcat along with the proxied request, depends on the fact
that 
> > within Apache (more precisely within the internal Apache "request record"), the
request is 
> > really authenticated (*).
> > I am saying this because in an earlier post, you mentioned that you were using a

> > third-party authentication package at the Apache httpd level.
> > It is unlikely, but possible, that this authentication package would use its own
logic, 
> > and never "populate" the internal Apache request record with this user-id (**).
> > In such a case, the automatic forwarding of the user-id by the Apache-level connector

> > module (mod_proxy_ajp or mod_jk) would of course not work, because they check the
internal 
> > Apache request record, and have no knowledge of another user-id source.
> > 
> > 
> > (*) in Tomcat terms, the equivalent of populating the userPrincipal object
> > (**) for example, it may act as a filter, and rely on each request always containing
a 
> > cookie which "authenticates" the request, and do its own access control independently
of 
> > Apache httpd itself
> > 
> 
> 
> Andre,
> 
> Sure.  Here's the section from httpd.conf.  This is testing where I purposely insert
a "REMOTE_USER" HTTP header into the request being proxied.  As I said, I have a sniffer on
the line, and I can see the REMOTE_USER header, but still, when I get to my test JSP hosted
on the Tomcat, getUserPrincipal() is returning null (don't mind the hostname in the ProxyPass,
etc.  I just happen to be hosting Tomcat on that machine, and WebLogic is shutdown there).
> 
> 
> # Proxy to Tomcat on weblogic1 machine, using AJP
> <Location /samplesajp>
> RequestHeader set "REMOTE_USER" "222222229test111111111111"
> ProxyPass		ajp://weblogic1.whatever.com:8009/samplesajp
> ProxyPassReverse	ajp://weblogic1.whatever.com:8009/samplesajp
> </Location>
> 
> Jim
> 
>

Hi,

BTW, I asked about this earlier, but is it possible to turn on some debugging on the Tomcat
side, that might help diagnose why the AJP connector is not working the expected way?  I'm
not that familiar with Tomcat or AJP logging, but I've only been able to set logging in logging.properties
so that there's either almost no logging or it generated a ton of logging (but not stuff on
AJP connection/processing) :(...

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message