tomcat-users mailing list archives

From <oh...@cox.net>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Fri, 02 Dec 2011 19:26:41 GMT

---- ohaya@cox.net wrote: 
> 
> ---- Christopher Schultz <chris@christopherschultz.net> wrote: 
> > Jim,
> > 
> > On 12/2/11 11:26 AM, ohaya@cox.net wrote:
> > > Sure. Here's the section from httpd.conf. This is testing where I 
> > > purposely insert a "REMOTE_USER" HTTP header into the request
> > > being proxied. As I said, I have a sniffer on the line, and I can
> > > see the REMOTE_USER header, but still, when I get to my test JSP
> > > hosted on the Tomcat, getUserPrincipal() is returning null (don't
> > > mind the hostname in the ProxyPass, etc. I just happen to be
> > > hosting Tomcat on that machine, and WebLogic is shutdown there).
> > 
> > The problem is that AJP sends the authentication information as part
> > of the AJP protocol, not as a request header. You are setting a
> > request header which is not the mechanism AJP uses to transfer the userid.
> > 
> > You might want to check to see if your SSO module works the way that
> > other httpd modules expect -- like the other mod_auth_[xyz], for instance.
> > 
> > See http://tomcat.apache.org/connectors-doc/reference/apache.html.
> > Specifically, the JkRemoteUserIndicator directive which allows you to
> > override the environment variable whose value will be used to
> > send-over the username to Tomcat.
> > 
> > I wouldn't think you'd have to do that (REMOTE_USER should already be
> > set by your auth module and mod_proxy_jk should already be using
> > that), but you might be able to force it for some testing.
> > 
> > -chris
> 
> 
> Chris,
> 
> FYI, that link you posted gives a 404 error.
> 
> To be clear, in the discussion before now, I was just using mod_ajp
> (built into/included with Apache), and NOT mod_jk.
> 
> I'm now in the process of trying to switch my Apache conf to use mod_jk.
> The reason is that I'm starting to get the feeling that the Apache 3rd
> party agent (it's Oracle's OAM webgate, which I haven't said till now,
> sorry) might not be setting things in the Apache environment that are
> needed for AJP. I've been checking, and there's very little (= none)
> that I can do with trying to change the OAM webgate behavior, and if it's
> not setting whatever Apache/AJP needs, then I'm stuck, so I'm trying
> mod_jk, hoping that that'll give me some way to set what AJP needs.
> 
> Now that I'm doing that, I'm starting to remember how confusing (to me at
> least) configuring mod_jk is :) (vs. mod_ajp).
> 
> I just got the initial part of the re-configuration done. I got the
> mod_jk.so (my test Apache is on Windows, BTW), and added the LoadModule.
> I have the Apache pointed to a new simple workers.properties file, and
> the Apache comes up, but it doesn't seem to be proxying my test URLs to
> the Tomcat anymore (/samplesajp/*).
> 
> Here's what I added to my Apache httpd.conf:
> 
> 
> # 2011-12-02 - ADDING MOD_JK
> LoadModule jk_module modules/mod_jk.so
> JkWorkersFile c:/Apache2.2/conf/workers.properties
>  # some other configuration
>  JkLogFile "c:/Apache2.2/logs/jk.log"
>  JkLogLevel debug
>  JkShmFile c:/Apache2.2/logs/jk.shm
>  JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
>  # forwarding URL prefixes to Tomcat instances
>  JkMount /samplesajp/* tomcatA
> 
>  JkEnvVar REMOTE_USER
> 
> 
> And, here's the workers.properties:
> 
> 
> <IfModule mod_jk.c>
>  # a list of Tomcat instances
>  #JkWorkerProperty worker.list=tomcatA
>  worker.list=tomcatA
>  # connection properties to instance A on localhost
> # JkWorkerProperty worker.tomcatA.type=ajp13
> # JkWorkerProperty worker.tomcatA.host=weblogic1.whatever.com
> # JkWorkerProperty worker.tomcatA.port=8009
> worker.tomcatA.type=ajp13
> worker.tomcatA.host=weblogic1.whatever.com
> worker.tomcatA.port=8009
> 
> </IfModule>
> 
> 
> And, here's what I'm seeing in jk.log when I try to access my test URL (via the Apache):
> 

Hi,

I stripped the jk.log stuff (too long) above.

I've made some progress.  I have a VirtualHost, so I had to add a "JkMountCopy 'on'" inside
the <VirtualHost>, and now, it's at least proxying through to the Tomcat using mod_jk!!

BUT, it's still not logging me into the Tomcat :(...

I don't want to post the entire jk.log, so can someone point me to what to look for in there,
maybe?

Thanks,
Jim
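
Added example, not part of the original thread or of any project's code: a small Python decoder for an AJP13 Forward Request as captured on the wire, which separates request headers, generic request attributes (code 0x0A) and the dedicated `remote_user` attribute (code 0x03) that AJP uses to carry the user id. The `sample` packets, the helper names and the user name `jim` are constructed for illustration.

```python
import struct

# AJP13 Forward Request attribute codes that carry one string value.
STRING_ATTRS = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
                0x04: "auth_type", 0x05: "query_string", 0x06: "route",
                0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
                0x0C: "secret", 0x0D: "stored_method"}

def parse_forward_request(pkt):
    """Return (headers, attributes) of one web-server-to-Tomcat AJP13 packet."""
    pos = 0
    def take(n):
        nonlocal pos
        pos += n
        return pkt[pos - n:pos]
    def u16():
        return struct.unpack(">H", take(2))[0]
    def string():
        n = u16()
        if n == 0xFFFF:                  # AJP encoding of a null string
            return None
        return take(n + 1)[:-1].decode("latin-1")   # drop the trailing NUL
    if u16() != 0x1234 or u16() != len(pkt) - 4 or take(1) != b"\x02":
        raise ValueError("not a complete AJP13 Forward Request")
    take(1)                              # HTTP method code
    for _ in range(5):                   # protocol, URI, remote_addr,
        string()                         # remote_host, server_name
    take(3)                              # server_port (2 bytes), is_ssl (1)
    headers, attrs = {}, {}
    for _ in range(u16()):               # common names arrive as 0xA0xx codes
        name = "0x%04X" % u16() if pkt[pos] == 0xA0 else string()
        headers[name] = string()
    while (code := take(1)[0]) != 0xFF:  # 0xFF terminates the request
        if code == 0x0B:                 # ssl_key_size is a 2-byte integer
            attrs["ssl_key_size"] = u16()
        else:                            # 0x0A (req_attribute) has its own name
            name = "req_attribute:" + string() if code == 0x0A else STRING_ATTRS[code]
            attrs[name] = string()
    return headers, attrs

def ajp_str(text):                       # AJP string: length, bytes, NUL
    return struct.pack(">H", len(text)) + text.encode() + b"\x00"

def sample(tail):                        # constructed packet, not a capture
    body = (b"\x02\x02" + ajp_str("HTTP/1.1") + ajp_str("/samplesajp/test.jsp")
            + ajp_str("127.0.0.1") + b"\xff\xff" + ajp_str("localhost")
            + struct.pack(">HBH", 80, 0, 2) + b"\xa0\x0b" + ajp_str("localhost")
            + ajp_str("REMOTE_USER") + ajp_str("jim") + tail + b"\xff")
    return b"\x12\x34" + struct.pack(">H", len(body)) + body
```

A `REMOTE_USER` that appears only among the headers, or only as `req_attribute:REMOTE_USER` (the form in which mod_jk forwards `JkEnvVar` variables), is ordinary request data; the user id transferred by AJP is the `remote_user` entry.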
