tomcat-users mailing list archives

From <oh...@cox.net>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Fri, 02 Dec 2011 17:00:30 GMT

---- "André Warnier" <aw@ice-sa.com> wrote: 
> ohaya@cox.net wrote:
> > ---- ohaya@cox.net wrote: 
> >> ---- "André Warnier" <aw@ice-sa.com> wrote: 
> >>> ohaya@cox.net wrote:
> >>> ...
> >>>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
> >>>>
> >>> That is correct. The "false" means that Tomcat will not do its own authentication, and will instead rely on the authenticated user-id passed by the front-end server.
> >>>
> >>> Now could you also show us the section of your Apache front-end configuration, containing the directives which forward the requests to Tomcat ?
> >>> (proxy or rewrite stanzas)
> >>>
> >>> Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the authenticated user-id to Tomcat along with the proxied request, depends on the fact that within Apache (more precisely within the internal Apache "request record"), the request is really authenticated (*).
> >>> I am saying this because in an earlier post, you mentioned that you were using a third-party authentication package at the Apache httpd level.
> >>> It is unlikely, but possible, that this authentication package would use its own logic, and never "populate" the internal Apache request record with this user-id (**).
> >>> In such a case, the automatic forwarding of the user-id by the Apache-level connector module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal Apache request record, and have no knowledge of another user-id source.
> >>>
> >>>
> >>> (*) in Tomcat terms, the equivalent of populating the userPrincipal object
> >>> (**) for example, it may act as a filter, and rely on each request always containing a cookie which "authenticates" the request, and do its own access control independently of Apache httpd itself
> >>>
> >>
> >> Andre,
> >>
> >> Sure.  Here's the section from httpd.conf.  This is testing where I purposely insert a "REMOTE_USER" HTTP header into the request being proxied.  As I said, I have a sniffer on the line, and I can see the REMOTE_USER header, but still, when I get to my test JSP hosted on the Tomcat, getUserPrincipal() is returning null (don't mind the hostname in the ProxyPass, etc.  I just happen to be hosting Tomcat on that machine, and WebLogic is shut down there).
> >>
> >>
> >> # Proxy to Tomcat on weblogic1 machine, using AJP
> >> <Location /samplesajp>
> >> RequestHeader set "REMOTE_USER" "222222229test111111111111"
> >> ProxyPass		ajp://weblogic1.whatever.com:8009/samplesajp
> >> ProxyPassReverse	ajp://weblogic1.whatever.com:8009/samplesajp
> >> </Location>
> >>
> >> Jim
> >>
> >>
> > 
> > Hi,
> > 
> > BTW, I asked about this earlier, but is it possible to turn on some debugging on the Tomcat side, that might help diagnose why the AJP connector is not working the expected way?  I'm not that familiar with Tomcat or AJP logging, but I've only been able to set logging in logging.properties so that there's either almost no logging or it generated a ton of logging (but not stuff on AJP connection/processing) :(...
> > 
> Sorry, dunno.  Logging is not my favorite area in Tomcat..
> 
> Also, to tell the truth, I do not know exactly /how/ the Apache user-id is passed to Tomcat.  I strongly suspect that the "REMOTE_USER" HTTP header may not be it, and that it may be via what Tomcat calls "request attributes", and Apache calls "environment variables" (but not in the usual shell sense).  But I don't know how this particular one may be named.
> Since you seem better at Java than I am, you may be able to find it in the Tomcat AJP Connector code somewhere.  I would start looking for "request attribute" rather than "header".
> 
> This page : http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
> seems to hint at ditto, and even mentions a request attribute named "remote_user" (lowercase).
> 
> Maybe you could try to set this "environment variable" in Apache, and see where it leads you ?
> In this page : http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
> it shows how to do that (but there it calls them "server variables").
> The terminology is not very consistent..
> 
> 
> 
>

Hi,

Ok, I'll take a look at those.  FYI, I have debug level on the Apache side, and there is some stuff there, which I think confirms that I am indeed including REMOTE_USER in the requests to Tomcat/AJP:


[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(44): proxy: AJP: canonicalising URL //weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1412): [client 192.168.0.7] proxy: ajp: found worker ajp://weblogic1.whatever.com:8009/samplesajp for ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy.c(819): Running scheme ajp handler (attempt 0)
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_http.c(1683): proxy: HTTP: declining URL ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(520): proxy: AJP: serving URL ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1790): proxy: AJP: retrying the worker for (weblogic1.whatever.com)
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1796): proxy: AJP: worker for (weblogic1.whatever.com) has been marked for retry
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1852): proxy: AJP: has acquired connection for (weblogic1.whatever.com)
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1913): proxy: connecting ajp://weblogic1.whatever.com:8009/samplesajp/ssoAMTomcatTest.jsp to weblogic1.whatever.com:8009
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(2012): proxy: connected /samplesajp/ssoAMTomcatTest.jsp to weblogic1.whatever.com:8009
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(2169): proxy: AJP: fam 2 socket created to connect to weblogic1.whatever.com
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(218): Into ajp_marshal_into_msgb
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[0] [Host] = [apache1.whatever.com]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[1] [User-Agent] = [Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[2] [Accept] = [text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[3] [Accept-Language] = [en-us,en;q=0.5]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[4] [Accept-Encoding] = [gzip, deflate]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[5] [Accept-Charset] = [ISO-8859-1,utf-8;q=0.7,*;q=0.7]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[6] [Connection] = [keep-alive]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[11] [REMOTE_USER] = [222222229test111111111111]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[12] [Max-Forwards] = [10]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(424): ajp_marshal_into_msgb: Done
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(201): proxy: APR_BUCKET_IS_EOS
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(206): proxy: data to read (max 8186 at 4)
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(221): proxy: got 0 bytes of data
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(646): ajp_read_header: ajp_ilink_received 04
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(656): ajp_parse_type: got 04
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(485): ajp_unmarshal_response: status = 200
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(496): ajp_unmarshal_response: Number of headers is = 3
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(558): ajp_unmarshal_response: Header[0] [Set-Cookie] = [JSESSIONID=887932DFF778B68B9BA3A43C85E8A4F2; Path=/samplesajp; Secure]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(558): ajp_unmarshal_response: Header[1] [Content-Type] = [text/html;charset=ISO-8859-1]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(568): ajp_unmarshal_response: ap_set_content_type done
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(558): ajp_unmarshal_response: Header[2] [Content-Length] = [1132]
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(646): ajp_read_header: ajp_ilink_received 03
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(656): ajp_parse_type: got 03
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(646): ajp_read_header: ajp_ilink_received 05
[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(656): ajp_parse_type: got 05
[Fri Dec 02 02:55:41 2011] [debug] mod_proxy_ajp.c(439): proxy: got response from 192.168.0.211:8009 (weblogic1.whatever.com)
[Fri Dec 02 02:55:41 2011] [debug] proxy_util.c(1870): proxy: AJP: has released connection for (weblogic1.whatever.com)

As you can see, there is a REMOTE_USER header:


[Fri Dec 02 02:55:41 2011] [debug] ajp_header.c(284): ajp_marshal_into_msgb: Header[11] [REMOTE_USER] = [222222229test111111111111]


Jim
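Added example (not code from the thread, from httpd or from Tomcat): a small encoder and decoder for the AJP13 "Forward Request" packet, written to make the point above concrete. In AJP13 the request headers and the front end's authenticated user are two different parts of the packet: headers live in the header table (well-known names abbreviated to 0xA0xx codes, others sent as strings), while the user-id travels as the `remote_user` request attribute (code 0x03), which mod_proxy_ajp only writes when httpd's own request record carries a user. A `RequestHeader set REMOTE_USER ...` therefore produces exactly what the debug log shows, an entry in the header table, and nothing for Tomcat's `getUserPrincipal()` with `tomcatAuthentication="false"`. The hostnames, client address and URI default to the values in the log; the user name `jim` in the authenticated packet is an assumed value. Codes and field layout follow the AJPv13 description linked in the reply.

```python
# Added example, not part of the original thread: AJP13 Forward Request encoder/decoder
# to show where a header and the remote_user attribute each land on the wire.
# Layout and codes follow the AJPv13 protocol description (ajpv13a.html).
import struct

METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
# Header names AJP13 abbreviates to a two-byte code; any other name is sent as a string.
HEADER_CODES = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}
CODE_TO_HEADER = {v: k for k, v in HEADER_CODES.items()}
ATTR_REMOTE_USER, ATTR_AUTH_TYPE, ATTR_REQ_ATTRIBUTE, ATTR_SSL_KEY_SIZE, ATTR_DONE = 0x03, 0x04, 0x0A, 0x0B, 0xFF


def _s(text):
    """AJP string: 2-byte length, the bytes, a NUL terminator; 0xFFFF alone encodes null."""
    if text is None:
        return b"\xff\xff"
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def _rs(buf, pos):
    """Read one AJP string at pos; return (value or None, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 3 + n


def build_forward_request(method, uri, headers, remote_user=None, auth_type=None,
                          server_name="apache1.whatever.com", server_port=443,
                          remote_addr="192.168.0.7", is_ssl=True):
    """Encode a Forward Request (prefix 0x02). Defaults are the thread's log values.
    remote_user is written only when the caller really authenticated the request,
    mirroring mod_proxy_ajp, which emits attribute 0x03 from the request record's user."""
    body = bytearray([0x02, METHOD_CODES[method.upper()]])
    body += _s("HTTP/1.1") + _s(uri) + _s(remote_addr) + _s(None) + _s(server_name)
    body += struct.pack(">HB", server_port, 1 if is_ssl else 0)
    body += struct.pack(">H", len(headers))
    for name, value in headers:            # header table: names and values, never an identity
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else _s(name)
        body += _s(value)
    if remote_user is not None:            # the identity travels as attribute 0x03
        body += bytes([ATTR_REMOTE_USER]) + _s(remote_user)
    if auth_type is not None:
        body += bytes([ATTR_AUTH_TYPE]) + _s(auth_type)
    body += bytes([ATTR_DONE])
    return b"\x12\x34" + struct.pack(">H", len(body)) + bytes(body)


def parse_forward_request(pkt):
    """Decode the packet the way the Tomcat side sees it: headers and attributes kept apart."""
    if pkt[:2] != b"\x12\x34":
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack_from(">H", pkt, 2)
    buf = pkt[4:4 + length]
    if buf[0] != 0x02:
        raise ValueError("not a Forward Request")
    pos, fields = 2, []                     # skip prefix byte and method code
    for _ in range(5):                      # protocol, req_uri, remote_addr, remote_host, server_name
        value, pos = _rs(buf, pos)
        fields.append(value)
    server_port, is_ssl = struct.unpack_from(">HB", buf, pos)
    pos += 3
    (nh,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    headers = {}
    for _ in range(nh):
        (tag,) = struct.unpack_from(">H", buf, pos)
        if tag & 0xFF00 == 0xA000:          # abbreviated well-known header name
            name, pos = CODE_TO_HEADER[tag], pos + 2
        else:                               # arbitrary header name sent as a string
            name, pos = _rs(buf, pos)
        value, pos = _rs(buf, pos)
        headers[name.lower()] = value
    attrs = {}
    while buf[pos] != ATTR_DONE:
        code, pos = buf[pos], pos + 1
        if code == ATTR_REQ_ATTRIBUTE:      # generic name/value attribute
            name, pos = _rs(buf, pos)
            attrs[name], pos = _rs(buf, pos)
        elif code == ATTR_SSL_KEY_SIZE:     # the one integer-valued attribute
            (attrs[code],) = struct.unpack_from(">H", buf, pos)
            pos += 2
        else:                               # remote_user, auth_type and the other string attributes
            attrs[code], pos = _rs(buf, pos)
    return {"method": buf[1], "uri": fields[1], "server_name": fields[4], "is_ssl": bool(is_ssl),
            "headers": headers, "remote_user": attrs.get(ATTR_REMOTE_USER),
            "auth_type": attrs.get(ATTR_AUTH_TYPE)}


def header_only_packet():
    """The thread's experiment: REMOTE_USER injected with RequestHeader, nothing authenticated."""
    return build_forward_request("GET", "/samplesajp/ssoAMTomcatTest.jsp",
                                 [("Host", "apache1.whatever.com"),
                                  ("REMOTE_USER", "222222229test111111111111")])


def authenticated_packet():
    """What httpd emits once its request record carries a user (assumed name 'jim')."""
    return build_forward_request("GET", "/samplesajp/ssoAMTomcatTest.jsp",
                                 [("Host", "apache1.whatever.com")],
                                 remote_user="jim", auth_type="Basic")
```

Decoding `header_only_packet()` yields `remote_user` of `None` and a header table entry `remote_user` holding the injected value, which is the situation in the log above; decoding `authenticated_packet()` yields `remote_user` of `jim` and no such header. The same packet layout is also the security caveat of `tomcatAuthentication="false"`: Tomcat takes attribute 0x03 at face value, so anything able to open a connection to the AJP port can present any user-id it likes, and that port has to be reachable only from the trusted front end.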

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

