tomcat-users mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Mon, 05 Dec 2011 10:27:08 GMT
On 05.12.2011 10:42, ohaya@cox.net wrote:
>
> ---- "André Warnier"<aw@ice-sa.com>  wrote:
>> ohaya@cox.net wrote:
>> ...
>>> ---- Rainer Jung<rainer.jung@kippdata.de>  wrote:
>>>> Although this thread has moved forward towards the role topic, I want to
>>>> give some info about the user forwarding by mod_jk. Some of it was
>>>> already present in previous posts.
>>>>
>>>> 1) In order to let Tomcat accept the user, you need to set
>>>> tomcatAuthentication to "false"
>>>>
>>>> 2) mod_jk will always forward the user as detected by the
>>>>      following logic:
>>>>      - the user as authenticated by Apache
>>>>      - if this doesn't exist it will forward the value of
>>>>        an Apache environment variable. The default name of the
>>>>        variable is "JK_REMOTE_USER", but it can be changed using
>>>>        the configuration directive "JkRemoteUserIndicator"
>>>>
>>>> 3) The user ID will *not* be forwarded in the form of a request header
>>>>
>>>> 4) The forwarded user id is logged in the JK log file on level debug
>>>>      as the "user" field in the line:
>>>>
>>>> Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d
>>>> auth=%s user=%s laddr=%s raddr=%s uri=%s
>>>>
>>>> 5) There is no need to use JkEnvVar
>>>>
>>>> 6) When not using a real Apache authentication, you can instead
>>>>      set the Apache environment variable JK_REMOTE_USER
>>>>      e.g. via mod_setenvif or the E= syntax of mod_rewrite.
>>>>      If you change the name of the env var using JkRemoteUserIndicator
>>>>      use the variable name given there instead.
>>>>
>>>> 7) The Apache authenticated user can be logged in the Apache AccessLog
>>>>      using "%u". Any environment variable XXX can be logged using
>>>>      %{XXX}e.
>>>>
>>>> 8) The user can be logged in the Tomcat AccessLog using %u.
>>>>
>>>> 9) The user is returned by request.getRemoteUser() on the Tomcat side.
>>>>
>>>> Regards,
>>>>
>>>> Rainer
>>>>
>>>
>>>
>>> Hi Rainer,
>>>
>>> Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator.
>>>
>>> I'm kind of well along the way with my valve, but I still have mod_jk for one
>>> proxy section, so I'll give those a try.
>>>
>> Hi Rainer.
>> Thanks also for the precise information. We've missed you.
>>
>> Jim, one more question :
>> At the Apache httpd level, when the user has been authenticated by OAM, /can/ you
>> get the authenticated user's user-id? And how?
>>
>>
>
> Hi,
>
> On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that gets
> populated by the OAM agent, called "OAM_REMOTE_USER".

So if you want mod_jk to use the value of this header as the 
authenticated user name and forward it to Tomcat, you either:

a) have to rely on the Oracle module to correctly set the Apache 
internal request user field

b) or have to find a way to copy the value of this header into the 
environment variable JK_REMOTE_USER

Concerning a): usually there's %u in the default LogFormat used by the 
AccessLog. So have a look at the access log to check whether Apache 
outputs the correct user name. If it does, mod_jk should automatically 
forward it. This in turn can be checked by the mentioned "Service" debug 
log line in the JK log.

If %u in the access log is empty, and the docs of the Oracle module do 
not give a solution for how to set the real Apache request user, we are 
left with b).

First add %{OAM_REMOTE_USER} to the format/pattern configuration of your 
Apache and Tomcat access logs, so you can easily check what both think 
about the value of that header. Check that it is populated for both 
with the right user id.

Now we try to copy the value of the header OAM_REMOTE_USER to the Apache 
environment variable JK_REMOTE_USER.

As you can see in

http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif

It works like this (assuming you have enabled/loaded mod_setenvif):

SetEnvIf OAM_REMOTE_USER (.*) JK_REMOTE_USER=$1

Unfortunately this will only work if the Oracle module that populates 
the header runs before mod_setenvif.

Check whether the copying works by adding %{JK_REMOTE_USER}e to the 
format of your Apache AccessLog.

Finally look at the "Service" line in the jk debug log to see whether 
the right user info is now being forwarded. If so, the rest is to be 
done in Tomcat land.

Set tomcatAuthentication to "false" and check via 
request.getRemoteUser() whether you received the right user id.

I would do all this first using a basic test webapp in Tomcat, not your 
real app.

Finally: this is probably not secure, because

- everyone can send a request which already has a populated 
OAM_REMOTE_USER header. You would rely on the implementation detail 
that the Oracle module might always overwrite that header. Not sure if 
it does!

- everyone having access to the network port could start talking AJP13 
directly to your Tomcat adding whatever remote user id she likes. The 
protocol is easy to fake.

Regards,

Rainer
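The three-step check Rainer walks through above (is %u set; if not, did the SetEnvIf copy reach JK_REMOTE_USER; if not, was the OAM_REMOTE_USER header even present) can be run over an Apache access log mechanically. The script below is an added example written for this archive page; it is not code from the thread, from mod_jk or from Oracle. It assumes a LogFormat of `%h %u "%r" %>s %{OAM_REMOTE_USER}i %{JK_REMOTE_USER}e` (in mod_log_config a request header is logged with the `i` suffix and an environment variable with `e`; an empty field is written as `-`), and the log lines it analyses are constructed, not captured from a real system.

```python
import re
from collections import Counter

# Assumed LogFormat (not from the thread), in mod_log_config syntax:
#   LogFormat "%h %u \"%r\" %>s %{OAM_REMOTE_USER}i %{JK_REMOTE_USER}e" oamcheck
# %u            -> user authenticated by Apache itself (case a in the post)
# %{...}i       -> value of the OAM_REMOTE_USER request header
# %{...}e       -> value of the JK_REMOTE_USER environment variable (case b)
# mod_log_config writes "-" for an empty field.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<oam_header>\S+) (?P<jk_env>\S+)$'
)

# Constructed sample lines covering each outcome of the check; not real data.
SAMPLE_LOG = """\
10.0.0.5 jsmith "GET /app/ HTTP/1.1" 200 jsmith jsmith
10.0.0.5 - "GET /app/page HTTP/1.1" 200 jsmith jsmith
10.0.0.5 - "GET /app/other HTTP/1.1" 200 jsmith -
10.0.0.9 - "GET /app/ HTTP/1.1" 302 - -
10.0.0.9 - "GET /app/ HTTP/1.1" 200 jsmith -
"""


def parse_line(line):
    """Split one access-log line into fields; '-' becomes None."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the assumed LogFormat: %r" % line)
    rec = m.groupdict()
    for key in ("user", "oam_header", "jk_env"):
        if rec[key] == "-":
            rec[key] = None
    return rec


def classify(rec):
    """Apply the post's decision order to one parsed record."""
    if rec["user"]:
        # Case a): Apache's own request user is set, mod_jk forwards it as is.
        return "apache_user_set"
    if rec["jk_env"]:
        # Case b): the SetEnvIf copy into JK_REMOTE_USER worked.
        return "env_copied"
    if rec["oam_header"]:
        # Header present but the env var is empty: mod_setenvif ran before
        # the module that sets the header, so nothing reaches Tomcat.
        # Note: %{...}i logs whatever header the request carried, so this
        # field alone cannot distinguish a module-set header from one sent
        # by the client, which is exactly the first caveat in the post.
        return "header_not_copied"
    return "no_user"


def summarize(log_text):
    """Return (verdict counts, requests where the header was not copied)."""
    counts = Counter()
    not_copied = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict == "header_not_copied":
            not_copied.append(rec["request"])
    return counts, not_copied


if __name__ == "__main__":
    counts, not_copied = summarize(SAMPLE_LOG)
    for verdict, n in sorted(counts.items()):
        print("%-18s %d" % (verdict, n))
    for req in not_copied:
        print("header present but JK_REMOTE_USER empty:", req)
```

If every line comes back as `header_not_copied`, the SetEnvIf is running too early and no amount of Tomcat-side configuration will help; if `apache_user_set` dominates, the SetEnvIf is unnecessary because mod_jk already forwards %u.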

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

