From: ohaya@cox.net
To: Tomcat Users List <users@tomcat.apache.org>
Cc: André Warnier
Subject: Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date: Fri, 2 Dec 2011 11:26:41 -0500
Message-ID: <20111202112641.4R1SG.225941.imail@eastrmwml301>
In-Reply-To: <4ED8A011.9030500@ice-sa.com>

---- "André Warnier" wrote:
> ohaya@cox.net wrote:
> >
> ...
> >
> >
> That is correct. The "false" means that Tomcat will not do its own authentication, and
> will instead rely on the authenticated user-id passed by the front-end server.
>
> Now could you also show us the section of your Apache front-end configuration, containing
> the directives which forward the requests to Tomcat?
> (proxy or rewrite stanzas)
>
> Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the
> authenticated user-id to Tomcat along with the proxied request depends on the fact that
> within Apache (more precisely within the internal Apache "request record"), the request is
> really authenticated (*).
> I am saying this because in an earlier post, you mentioned that you were using a
> third-party authentication package at the Apache httpd level.
> It is unlikely, but possible, that this authentication package would use its own logic,
> and never "populate" the internal Apache request record with this user-id (**).
> In such a case, the automatic forwarding of the user-id by the Apache-level connector
> module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal
> Apache request record, and have no knowledge of another user-id source.
>
>
> (*) in Tomcat terms, the equivalent of populating the userPrincipal object
> (**) for example, it may act as a filter, and rely on each request always containing a
> cookie which "authenticates" the request, and do its own access control independently of
> Apache httpd itself
>

Andre,

Sure. Here's the section from httpd.conf. This is testing where I purposely insert a "REMOTE_USER" HTTP header into the request being proxied. As I said, I have a sniffer on the line, and I can see the REMOTE_USER header, but still, when I get to my test JSP hosted on the Tomcat, getUserPrincipal() is returning null (don't mind the hostname in the ProxyPass, etc. I just happen to be hosting Tomcat on that machine, and WebLogic is shut down there).

    # Proxy to Tomcat on weblogic1 machine, using AJP
    RequestHeader set "REMOTE_USER" "222222229test111111111111"
    ProxyPass           ajp://weblogic1.whatever.com:8009/samplesajp
    ProxyPassReverse    ajp://weblogic1.whatever.com:8009/samplesajp

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
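Editor's note with an added example (this is not code from the thread, from Jim, or from the Tomcat or httpd projects). The exchange above turns on where the front-end's authenticated user actually travels over AJP. An HTTP header named REMOTE_USER injected with RequestHeader goes into the headers table of the AJP13 Forward Request, where Tomcat exposes it only through getHeader(). The identity Tomcat adopts when the AJP connector has tomcatAuthentication="false" is a separate field of the same message, the remote_user attribute (code 0x03), which mod_proxy_ajp fills from httpd's own request record (the user set by an httpd authentication module), not from any header. The script below encodes and decodes both variants so the difference is visible byte for byte; the hostname, URI, user names and the helper function names are assumptions chosen for illustration, and the sample packets are constructed locally, nothing is sent to a server.

```python
"""Minimal AJP13 Forward Request encoder/decoder (added example, constructed data)."""
import struct

AJP_MAGIC_REQ = b"\x12\x34"        # httpd -> Tomcat direction
JK_AJP13_FORWARD_REQUEST = 0x02
METHOD_GET = 2                      # AJP method code for GET
SC_A_REMOTE_USER = 0x03             # attribute Tomcat reads for getRemoteUser()
SC_A_AUTH_TYPE = 0x04
SC_A_REQ_ATTRIBUTE = 0x0A           # generic name/value request attribute
SC_A_SSL_KEY_SIZE = 0x0B            # the one attribute whose value is an integer
SC_A_ARE_DONE = 0xFF
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0B: "ssl_key_size", 0x0C: "secret", 0x0D: "stored_method"}
CODED_HEADERS = {0xA001: "accept", 0xA002: "accept-charset", 0xA003: "accept-encoding",
                 0xA004: "accept-language", 0xA005: "authorization", 0xA006: "connection",
                 0xA007: "content-type", 0xA008: "content-length", 0xA009: "cookie",
                 0xA00A: "cookie2", 0xA00B: "host", 0xA00C: "pragma", 0xA00D: "referer",
                 0xA00E: "user-agent"}


def _s(text):
    """AJP string: big-endian u16 length, bytes, NUL. None encodes as 0xFFFF."""
    if text is None:
        return b"\xff\xff"
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(uri, headers, remote_user=None, auth_type=None):
    """Encode a GET Forward Request; headers is a list of (name, value) pairs."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHOD_GET]) + _s("HTTP/1.1") + _s(uri)
    body += _s("127.0.0.1") + _s(None)                       # remote_addr, remote_host
    body += _s("weblogic1.whatever.com") + struct.pack(">H", 80)  # server_name, port (assumed)
    body += b"\x00" + struct.pack(">H", len(headers))        # is_ssl = false, num_headers
    for name, value in headers:
        body += _s(name) + _s(value)                         # literal, non-coded header name
    if remote_user is not None:                              # what mod_proxy_ajp adds from r->user
        body += bytes([SC_A_REMOTE_USER]) + _s(remote_user)
    if auth_type is not None:
        body += bytes([SC_A_AUTH_TYPE]) + _s(auth_type)
    body += bytes([SC_A_ARE_DONE])
    return AJP_MAGIC_REQ + struct.pack(">H", len(body)) + body


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u8(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def raw(self, n):
        """n bytes of UTF-8 followed by the NUL terminator."""
        self.pos += n + 1
        return self.data[self.pos - n - 1:self.pos - 1].decode("utf-8")

    def string(self):
        n = self.u16()
        return None if n == 0xFFFF else self.raw(n)


def parse_forward_request(packet):
    """Decode headers and attributes the way the container sees them."""
    r = _Reader(packet)
    if r.u16() != 0x1234 or r.u16() != len(packet) - 4:
        raise ValueError("bad AJP framing")
    if r.u8() != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    method = r.u8()
    uri = (r.string(), r.string())[1]                        # protocol, req_uri
    for _ in range(3):                                       # remote_addr, remote_host, server_name
        r.string()
    r.u16(); r.u8()                                          # server_port, is_ssl
    headers = {}
    for _ in range(r.u16()):
        code = r.u16()
        # 0xA0xx is a pre-assigned header name; anything else is a string length
        name = CODED_HEADERS[code] if code & 0xFF00 == 0xA000 else r.raw(code)
        headers[name.lower()] = r.string()
    attrs = {}
    while True:
        code = r.u8()
        if code == SC_A_ARE_DONE:
            break
        if code == SC_A_REQ_ATTRIBUTE:
            name = r.string()
            attrs[name] = r.string()
        elif code == SC_A_SSL_KEY_SIZE:
            attrs[ATTR_NAMES[code]] = r.u16()
        else:
            attrs[ATTR_NAMES[code]] = r.string()
    return {"method": method, "uri": uri, "headers": headers, "attributes": attrs}


def container_remote_user(req, tomcat_authentication=False):
    """Connector rule: with tomcatAuthentication="false" the identity is the remote_user
    attribute or nothing; headers are never consulted. With "true" the attribute is
    ignored and a realm would have to authenticate (none here, so None)."""
    if tomcat_authentication:
        return None
    return req["attributes"].get("remote_user")


# Constructed samples: what RequestHeader produces vs. what httpd sends once its own
# request record holds an authenticated user.
HEADER_ONLY = build_forward_request(
    "/samplesajp/test.jsp",
    [("Host", "weblogic1.whatever.com"), ("REMOTE_USER", "222222229test111111111111")])
ATTRIBUTE_SET = build_forward_request(
    "/samplesajp/test.jsp", [("Host", "weblogic1.whatever.com")],
    remote_user="jim", auth_type="Basic")

if __name__ == "__main__":
    for label, pkt in (("RequestHeader only", HEADER_ONLY), ("remote_user attribute", ATTRIBUTE_SET)):
        req = parse_forward_request(pkt)
        print(label, "headers:", req["headers"], "attributes:", req["attributes"],
              "getRemoteUser():", container_remote_user(req))
```

The first packet is what the RequestHeader line in the quoted httpd.conf yields: the sniffer sees REMOTE_USER, the decoder files it under headers, and container_remote_user() returns None, which is the null getUserPrincipal() reported above. The second packet is what an httpd module that really authenticates the request causes mod_proxy_ajp to send. The security caveat follows directly: with tomcatAuthentication="false", Tomcat trusts whoever can deliver that second packet, so port 8009 must be reachable only from the trusted httpd (bind it to a private address and firewall it) and, where the release supports it, the connector's shared-secret attribute (requiredSecret on older Tomcat releases, secret on current ones, carried as AJP attribute 0x0C) should be required so that an arbitrary AJP client cannot assert an identity.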