tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Accessing CoyoteRequest attributes in a Servlet
Date Tue, 18 Sep 2012 17:48:05 GMT
On 18/09/2012 17:13, Philip Kahle wrote:
> On 18.09.2012 15:47, André Warnier wrote:
>> André Warnier wrote:
>>> Philip Kahle wrote:
>>>> Hi all,
>>>>
>>>> I am trying to set up a Java Web Application using Servlets and JSPs in
>>>> Tomcat 7. User authentication should be done on a central Shibboleth
>>>> Identity Provider.
>>>> I have already configured Apache including mod_ssl, mod_proxy_ajp and
>>>> the shib2 module following these instructions:
>>>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
>>>>
>>>> The redirect to the central login page works and, after entering my
>>>> credentials, the session is correctly created by the identity provider
>>>> and I am forwarded to my webapp.
>>>>
>>>> At this point I should have different attributes in my session, such as
>>>> the user's email address, name and so on.
>>>> But these are stored in the coyoteRequest attributes, which I can
>>>> observe while debugging in Eclipse. As the coyoteRequest is a protected
>>>> field of org.apache.catalina.connector.Request, which again is a field
>>>> of the RequestFacade, I cannot get any of these values.
>>>> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
>>>> in the instructions above).
>>>> By setting "ShibUseHeaders On" in Apache I get all of the attributes in
>>>> the request headers, but this is not recommended for security reasons.
>>>>
>>>
>>> Why? That is a generic recommendation, but it does not apply if:
>>> - all the requests to Tomcat go through httpd first
>>> - the link between httpd and Tomcat is "secure" (not accessible by
>>> anyone)
>>>
>>> If e.g. httpd and Tomcat live on the same host, and you configure the
>>> Tomcat AJP Connector to only accept requests from localhost, then it
>>> would be ok to pass private information through headers.
>>>
>>> Simplify your life if possible.
>>>
>>>
>>>> Is there any way to access the coyoteRequest in a servlet or at least
>>>> configure tomcat to transfer more attributes to the servletRequest?
>>>>
>>>
>>> At least by using mod_jk instead of mod_proxy_ajp, you can transmit a
>>> bunch of things from Apache httpd to Tomcat (including Apache httpd's
>>> "variables" e.g.).  I do not know mod_proxy_ajp well enough to
>>> confirm that this is possible with it also, but I would imagine so.
>>>
>> Addendum: sorry, that was not a direct answer to your question.
>> The direct answer is that HttpServletRequest (and ServletRequest)
>> already provide a bunch of methods to access request attributes. See
>> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html.
>> These are part of the specification, so you do not need to configure
>> anything at the Tomcat level for that.
>> As long as the request already contains attributes of course.
>>
>> Still talking about mod_jk, basically anything you set in Apache httpd
>> using "SetEnv" for example, gets passed to Tomcat as a request
>> attribute, through the AJP protocol.
>> Someone else would need to confirm if this is also the case using
>> mod_proxy_ajp.
> 
> Thanks for your answer!
> I already studied the methods exposed by HttpServletRequest (and
> ServletRequest from within a filter) but neither these objects nor the
> attached session objects directly include these attributes. Only the
> (invisible) coyoteRequest object inside does so.
> 
> I will further investigate the mod_env approach though.
> As Tomcat and httpd indeed remain on the same host and both the
> exceptions you named apply, I will just stick to the header approach for
> now.

A Valve will probably get you what you need but it is Tomcat specific.

Mark
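
A sketch of the Valve approach suggested above, added here as an example; it is not code from this thread or from the Tomcat project. The package and class name, the `names` property and the attribute names `mail` and `eppn` are hypothetical, and it assumes the Tomcat 7 connector API (`Request.getCoyoteRequest()` and the coyote request's `getAttributes()` map).

```java
package example; // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Exposes selected AJP request attributes to servlets (Tomcat-specific). */
public class AjpAttributeValve extends ValveBase {

    // Attribute names to expose; "mail" and "eppn" are assumed examples.
    private Set<String> names = new HashSet<String>(Arrays.asList("mail", "eppn"));

    // Set from the Valve element's attribute, e.g. names="mail,eppn".
    public void setNames(String csv) {
        names = new HashSet<String>(Arrays.asList(csv.trim().split("\\s*,\\s*")));
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Identity data is expected as AJP attributes only. A request header
        // of the same name is rejected so that application code can never
        // mistake a client-supplied header for the attribute.
        for (String name : names) {
            if (request.getHeader(name) != null) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        // Copy first: setAttribute() may write back into the coyote map.
        Map<String, Object> ajp =
                new HashMap<String, Object>(request.getCoyoteRequest().getAttributes());
        for (Map.Entry<String, Object> e : ajp.entrySet()) {
            if (names.contains(e.getKey())) {
                request.setAttribute(e.getKey(), e.getValue());
            }
        }
        getNext().invoke(request, response);
    }
}
```

The valve would be registered with a `<Valve className="example.AjpAttributeValve" names="mail,eppn"/>` element in the context or host configuration, after which servlets read the values with `request.getAttribute("mail")`.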

