tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Accessing CoyoteRequest attributes in a Servlet
Date Tue, 18 Sep 2012 13:47:25 GMT
André Warnier wrote:
> Philip Kahle wrote:
>> Hi all,
>>
>> I am trying to set up a Java Web Application using Servlets and JSPs in
>> Tomcat 7. User authentication should be done on a central Shibboleth
>> Identity Provider.
>> I have already configured Apache including mod_ssl, mod_proxy_ajp and
>> the shib2 module following these instructions:
>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
>> The redirect to the central login page works and, after entering my
>> credentials, the session is correctly created by the identity provider
>> and I am forwarded to my webapp.
>>
>> At this point I should have different attributes in my session, such as
>> the user's email address, name and so on.
>> But these are stored in the coyoteRequest attributes, which I can
>> observe while debugging in Eclipse. As the coyoteRequest is a protected
>> field of org.apache.catalina.connector.Request which again is a field of
>> the RequestFacade I can not get any of these values.
>> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
>> in the instructions above).
>> By setting "ShibUseHeaders On" in apache I get all of the attributes in
>> the request headers, but this is not recommended for security reasons.
>>
> 
> Why ?  That is a generic recommendation, but it does not apply if :
> - all the requests to Tomcat go through httpd first
> - the link between httpd and Tomcat is "secure" (not accessible by anyone)
> 
> If e.g. httpd and Tomcat live on the same host, and you configure the 
> Tomcat AJP Connector to only accept requests from localhost, then it 
> would be ok to pass private information through headers.
> 
> Simplify your life if possible.
> 
> 
>> Is there any way to access the coyoteRequest in a servlet or at least
>> configure tomcat to transfer more attributes to the servletRequest?
>>
> 
> At least by using mod_jk instead of mod_proxy_ajp, you can transmit a 
> bunch of things from Apache httpd to Tomcat (including Apache httpd's 
> "variables" e.g.).  I do not know mod_proxy_ajp well enough to confirm 
> that this is possible with it also, but I would imagine so.
> 
Addendum : sorry, that was not a direct answer to your question.
The direct answer is that HttpServletRequest (and ServletRequest) already provide a bunch
of methods to access request attributes. See
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html.
These are part of the specification, so you do not need to configure anything at the 
Tomcat level for that.
As long as the request already contains attributes of course.

Still talking about mod_jk, basically anything you set in Apache httpd using "SetEnv" for
example, gets passed to Tomcat as a request attribute, through the AJP protocol.
Someone else would need to confirm if this is also the case using mod_proxy_ajp.
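
As an added illustration of the reply above (not code from the thread or from the Tomcat project): a servlet that reads the attributes httpd forwards over AJP through the standard `getAttribute` call, and deliberately does not fall back to request headers. The attribute names `mail`, `displayName` and `eppn` and the class name are assumptions; use the ids from your own Shibboleth attribute mapping.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example. Class name and attribute names are hypothetical.
public class ShibAttributeServlet extends HttpServlet {

    // Assumed attribute ids; replace with the ones your SP actually exports.
    private static final List<String> WANTED =
            Arrays.asList("mail", "displayName", "eppn");

    // Read a value from the request attributes only. Request headers are
    // never consulted here, because a client can send any header it likes,
    // while attributes arriving over AJP are set by httpd.
    static String attr(HttpServletRequest req, String name) {
        Object v = req.getAttribute(name);
        if (v == null) {
            return null;
        }
        String s = v.toString().trim();
        return s.isEmpty() ? null : s;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // REMOTE_USER as forwarded by httpd after the Shibboleth login.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "No authenticated user received from httpd");
            return;
        }
        // Plain text output, so attribute values are not interpreted as HTML.
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("user=" + user);
        for (String name : WANTED) {
            String value = attr(req, name);
            out.println(name + "=" + (value == null ? "(not provided)" : value));
        }
    }
}
```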

