tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Philip Kahle <philip.ka...@gmail.com>
Subject Re: Accessing CoyoteRequest attributes in a Servlet
Date Tue, 18 Sep 2012 16:13:23 GMT
Am 18.09.2012 15:47, schrieb André Warnier:
> André Warnier wrote:
>> Philip Kahle wrote:
>>> Hi all,
>>>
>>> I am trying to set up a Java Web Application using Servlets and JSPs in
>>> Tomcat 7. User authentication should be done on a central Shibboleth
>>> Identity Provider.
>>> I have already configured Apache including mod_ssl, mod_proxy_ajp and
>>> the shib2 module following these instructions:
>>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
>>>
>>> The redirect to the central login page works and, after entering my
>>> credentials, the session is correctly created by the identity provider
>>> and I am forwarded to my webapp.
>>>
>>> At this point I should have different attributes in my session, such as
>>> the user's email address, name and so on.
>>> But these are stored in the coyoteRequest attributes, which I can
>>> observe while debugging in Eclipse. As the coyoteRequest is a protected
>>> field of org.apache.catalina.connector.Request which again is a
>>> field of
>>> the RequestFacade I can not get any of these values.
>>> What I get is ONE of the attributes in the REMOTE_USER field
>>> (compare 2.
>>> in the instructions above).
>>> By setting "ShibUseHeaders On" in apache I get all of the attributes in
>>> the request headers, but this is not recommended for security reasons.
>>>
>>
>> Why ?  That is a generic recommendation, but it does not apply if :
>> - all the requests to Tomcat go through httpd first
>> - the link between httpd and Tomcat is "secure" (not accessible by
>> anyone)
>>
>> If e.g. httpd and Tomcat live on the same host, and you configure the
>> Tomcat AJP Connector to only accept requests from localhost, then it
>> would be ok to pass private information through headers.
>>
>> Simplify your life if possible.
>>
>>
>>> Is there any way to access the coyoteRequest in a servlet or at least
>>> configure tomcat to transfer more attributes to the servletRequest?
>>>
>>
>> At least by using mod_jk instead of mod_proxy_ajp, you can transmit a
>> bunch of things from Apache httpd to Tomcat (including Apache httpd's
>> "variables" e.g.).  I do not know mod_proxy_ajp well enough to
>> confirm that this is possible with it also, but I would imagine so.
>>
> Addendum : sorry, that was not a direct answer to your question.
> The direct answer is that HttpServletRequest (and ServletRequest)
> already provide a bunch of methods to access request attributes. See
> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html.
> These are part of the specification, so you do not need to configure
> anything at the Tomcat level for that.
> As long as the request already contains attributes of course.
>
> Still talking about mod_jk, basically anything you set in Apache httpd
> using "SetEnv" for example, gets passed to Tomcat as a request
> attribute, through the AJP protocol.
> Someone else would need to confirm if this is also the case using
> mod_proxy_ajp.

Thanks for your answer!
I already studied the methods exposed by HttpServletRequest (and
ServletRequest from within a filter) but neither these objects nor the
attached session objects directly include these attributes. Only the
(invisible) coyoteRequest object inside does so.

I will further investigate the mod_env approach though.
As Tomcat and httpd indeed remain on the same host and both the
exceptions you named apply, I will just stick to the header approach for
now.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message