tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Accessing CoyoteRequest attributes in a Servlet
Date Tue, 18 Sep 2012 13:30:07 GMT
Philip Kahle wrote:
> Hi all,
> 
> I am trying to set up a Java Web Application using Servlets and JSPs in
> Tomcat 7. User authentication should be done on a central Shibboleth
> Identity Provider.
> I have already configured Apache including mod_ssl, mod_proxy_ajp and
> the shib2 module following these instructions:
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
> The redirect to the central login page works and, after entering my
> credentials, the session is correctly created by the identity provider
> and I am forwarded to my webapp.
> 
> At this point I should have different attributes in my session, such as
> the user's email address, name and so on.
> But these are stored in the coyoteRequest attributes, which I can
> observe while debugging in Eclipse. As the coyoteRequest is a protected
> field of org.apache.catalina.connector.Request which again is a field of
> the RequestFacade I can not get any of these values.
> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
> in the instructions above).
> By setting "ShibUseHeaders On" in apache I get all of the attributes in
> the request headers, but this is not recommended for security reasons.
> 

Why? That is a generic recommendation, but it does not apply if:
- all the requests to Tomcat go through httpd first
- the link between httpd and Tomcat is "secure" (not accessible by anyone)

If e.g. httpd and Tomcat live on the same host, and you configure the Tomcat AJP Connector to only accept requests from localhost, then it would be ok to pass private information through headers.

Simplify your life if possible.


> Is there any way to access the coyoteRequest in a servlet or at least
> configure tomcat to transfer more attributes to the servletRequest?
> 

At least by using mod_jk instead of mod_proxy_ajp, you can transmit a bunch of things from Apache httpd to Tomcat (including Apache httpd's "variables" e.g.). I do not know mod_proxy_ajp well enough to confirm that this is possible with it also, but I would imagine so.
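
An added example, not part of the message above or of the Tomcat project's code: a small check over `server.xml` that flags any AJP Connector not bound to a loopback address, which is the condition the reply gives for passing identity attributes in headers. The sample XML is constructed, and flagging a connector with no `address` attribute is an assumption made here, since its bind address then depends on the Tomcat default.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not from the original post).
EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

LOCAL_ONLY = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             redirectPort="8443" />
</Service></Server>"""


def is_ajp(connector):
    """True for AJP connectors, named by protocol or by handler class."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.upper().startswith("AJP/") or ".ajp." in proto.lower()


def is_loopback(address):
    """True only when the bind address is explicitly a loopback address."""
    if address is None:
        return False  # assumption: no explicit address is not trusted as local
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved by this offline check


def audit_ajp(server_xml):
    """Return (port, address) for each AJP connector not bound to loopback."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if is_ajp(conn) and not is_loopback(conn.get("address")):
            findings.append((conn.get("port"), conn.get("address")))
    return findings


if __name__ == "__main__":
    for name, xml in (("exposed", EXPOSED), ("local only", LOCAL_ONLY)):
        print(name, audit_ajp(xml))
```
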
