tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Omari Stephens <x...@google.com>
Subject Re: How to get SSL connection information from Apache HTTPD over AJP?
Date Fri, 07 Jun 2013 00:31:55 GMT
Okay, searching around for 'tomcatAuthentication="false"' is bearing
some fruit.  It appears that my situation is similar to this one:
http://tomcat.10.x6.nabble.com/tomcat-apache-with-mod-jk-and-mod-auth-kerb-tt2097887.html#a2097891

Just like that person, I enabled debug logging for mod_jk and I see a
null user being passed over AJP:
[Fri Jun 07 00:07:45 2013] [21431:1579538176] [debug]
init_ws_service::mod_jk.c (977): Service protocol=HTTP/1.1 method=GET
ssl=true host=(null) addr=x.y.z.28 name=HOSTNAME port=443 auth=(null)
user=(null) laddr=x.y.z.210 raddr=x.y.z.28 uri=/nftest/

Double-checking the logs (thanks for the tip, Rainer-of-2008) I see
that the requests being forwarded to Tomcat are bypassing
authentication
x.y.z.28 - - [07/Jun/2013:00:07:45 +0000] "GET /nftest/?user=nobody
HTTP/1.1" 200 25424 "-" "Mozilla/5.0 ..."
versus one served directly by Apache:
x.y.z.28 - xsdg [07/Jun/2013:00:18:18 +0000] "GET /?user=nobody
HTTP/1.1" 200 14288 "-" "Mozilla/5.0 ..."

By comparison, when I hit both addresses from a browser instance with
no credentials:
x.y.z.28 - - [07/Jun/2013:00:24:41 +0000] "GET /?user=nobody HTTP/1.1"
302 3811 "-" "Mozilla/5.0 ..."
x.y.z.28 - - [07/Jun/2013:00:26:24 +0000] "GET /nftest/?user=nobody
HTTP/1.1" 200 22888 "-" "Mozilla/5.0 ..."

The 302 is when the unauthenticated browser instance gets redirected
to a login page, so this confirms that the Jk stuff is bypassing
authentication right now, even though I'm hitting it over port 443.

So that's what I'm working on figuring out right now.  If anyone has
any suggestions, let me know.  I feel like I'm close, though.

--xsdg

On Thu, Jun 6, 2013 at 4:13 PM, Caldarale, Charles R
<Chuck.Caldarale@unisys.com> wrote:
>> From: Omari Stephens [mailto:xsdg@google.com]
>> Subject: Re: How to get SSL connection information from Apache HTTPD over AJP?
>
>> [re-adding mailing list]
>
>> Martin:
>
> There's a reason everyone ignores Martin Gainty's postings: they are nearly always irrelevant,
or worse.  Consequently, he's taken to responding to postings off-list, which is counterproductive
and against the rules of the mailing list.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and
is thus for use only by the intended recipient. If you received this in error, please contact
the sender and delete the e-mail and its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message