tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <oh...@cox.net>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Tue, 06 Dec 2011 03:08:57 GMT

---- Rainer Jung <rainer.jung@kippdata.de> wrote: 
> On 05.12.2011 10:42, ohaya@cox.net wrote:
> >
> > ---- "André Warnier"<aw@ice-sa.com>  wrote:
> >> ohaya@cox.net wrote:
> >> ...
> >>> ---- Rainer Jung<rainer.jung@kippdata.de>  wrote:
> >>>> Although this thread has moved forward towards the role topic, I want
to
> >>>> give some infos about the user forwarding by mod_jk. Some of it was
> >>>> already present in previous posts.
> >>>>
> >>>> 1) In order to let Tomcat accept the user, you need to set
> >>>> tomcatAuthentication to "false"
> >>>>
> >>>> 2) mod_jk will always forward the user as detected by the
> >>>>      following logic:
> >>>>      - the user as authenticated by Apache
> >>>>      - if this doesn't exist it will forward the value of
> >>>>        an Apache environment variable. The default name of the
> >>>>        variable is "JK_REMOTE_USER", but it can be changed using
> >>>>        the configuration directive "JkRemoteUserIndicator"
> >>>>
> >>>> 3) The user ID will *not* be forwarded in the form of a request header
> >>>>
> >>>> 4) The forwarded user id is logged in the JK log file on level debug
> >>>>      as the "user" field in the line:
> >>>>
> >>>> Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d
> >>>> auth=%s user=%s laddr=%s raddr=%s uri=%s
> >>>>
> >>>> 5) There is no need to use JkEnvVar
> >>>>
> >>>> 6) When not using a real Apache authentication, you can instead
> >>>>      set the Apache environment variable JK_REMOTE_USER
> >>>>      e.g. via mod_setenvif or the E= syntax of mod_rewrite.
> >>>>      If you change the name of the env var using JkRemoteUserIndicator
> >>>>      use the variable name given there instead.
> >>>>
> >>>> 7) The Apache authenticated user can be logged in the Apache AccessLog
> >>>>      using "%u". Any environment variable XXX can be logged using
> >>>>      %{XXX}e.
> >>>>
> >>>> 8) The user can be logged in the Tomcat AccessLog using %u.
> >>>>
> >>>> 9) The user is returned by request.getRemoteUser() on the Tomcat side.
> >>>>
> >>>> Regards,
> >>>>
> >>>> Rainer
> >>>>
> >>>
> >>>
> >>> Hi Rainier,
> >>>
> >>> Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator.
> >>>
> >>> I'm kind of well along the way with my valve, but I still have mod_jk for
one proxy section, so I'll give those a try.
> >>>
> >> Hi Rainer.
> >> Thanks also for the precise information.  We've missed you..
> >>
> >> Jim, one more question :
> >> At the Apache httpd level, when the user has been authenticated by OAM, /can/
you get the
> >> authenticated user's user-id ? and how ?
> >>
> >>
> >
> > Hi,
> >
> > On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that
gets populated by the OAM agent, called "OAM_REMOTE_USER".
> 
> So if you want mod_jk to use the value of this header as the 
> authenticated user name and forward it to Tomcat, you either:
> 
> a) have to rely on the Oracle module to correctly set the Apache 
> internal request user field
> 
> b) or have to find a way to copy the value of this header into the 
> environment variable JK_REMOTE_USER
> 
> Concerning a): Usually there's %u in the default LogFormat used by 
> AccessLog. So have a look at the access log to check, whether Apache 
> outputs the correct user name. In that case mod_jk should automatically 
> forward it. This in turn can be checked by the mentioned "Service" debug 
> log line in the JK log.
> 
> If %u in the access log is empty, and the docs of the Oracle module do 
> not give a solution how to set the real Apache request user, we are up 
> to b).
> 
> First add %{OAM_REMOTE_USER} to the format/pattern configuration of your 
> Apache and Tomcat access logs, so you can easily check, what both think 
> about the value of that header. Check, that it is populated for both 
> with the right user id.
> 
> Now we try to copy the value of the header OAM_REMOTE_USER to the Apache 
> environment variable JK_REMOTE_USER.
> 
> As you can see in
> 
> http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif
> 
> It works like this (assuming you have enabled/loaded mod_setenvif):
> 
> SetEnvIf OAM_REMOTE_USER (.*) JK_REMOTE_USER=$1
> 
> Unfortunately this will only work, if the Oracle module that populates 
> the header runs before mod_setenvif.
> 
> Check, whether the copying works by adding %{JK_REMOTE_USER}e to the 
> format of your Apache AccessLog.
> 
> Finally look at the "Service" line in the jk debug log to see, whether 
> the right user info is now being forwarded. If so, the rest is to be 
> done in Tomcat land.
> 
> Set tomcatAuthentication to "false" and check via 
> request.getRemoteUser() whether you received the right user id.
> 
> I would do all this first using a basic test webapp in Tomcat, not your 
> real app.
> 
> Finally: this is probably not secure, because
> 
> - everyone can send a request which already has a populated 
> OAM_REMOTE_USER header. You would rely on the implementation detail, 
> that the Oracle module might always overwrite that header. Not sure if 
> it does!
> 
> - everyone having access to the network port could start talking AJP13 
> directly to your Tomcat adding whatever remote user id she likes. The 
> protocol is easy to fake.
> 
> Regards,
> 
> Rainer
> 


Hi,

I've tried both SetEnvIf approach, and the setting JkRemoteUserIndicator, and have added the
%{JK_REMOTE_USER}e to my Apache log config.

In all cases, that field in the logs is appearing as "", i.e., neither is working.

Also, in the JK log file, the "user=" is always showing up as "null".

So, I think that I'm going to be focusing on the valve approach, which appears to be working,
aside from the roles problem (asserted roles vs. roles from Tomcat realm), which I've also
been able to workaround by having my valve code authenticate to the realm.

Later,
Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message