tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Omari Stephens <x...@google.com>
Subject Re: How to get SSL connection information from Apache HTTPD over AJP?
Date Fri, 07 Jun 2013 00:50:10 GMT
*phew*  Got it figured out, and now everything is working (including
the JkEnvVar thing that I had set up)

For anyone who runs across this thread in the future, the problem was
that I was using a <Directory /> stanza to require authentication.
Because Jakarta queries don't actually hit the filesystem, though,
they don't match that stanza.  I ended up using the advice here:
http://web.archiveorange.com/archive/v/JBjmW7BaH8HOOefUz8eK

When I created a <Location "/nftest" > stanza that required
authentication, the Jakarta queries started requiring authentication,
and then all of the authentication stuff in Tomcat started working
(with tomcatAuthentication="false", as described in my previous
email).  Now all is well.

Thanks again, Rainer,
--xsdg

On Thu, Jun 6, 2013 at 5:31 PM, Omari Stephens <xsdg@google.com> wrote:
> Okay, searching around for 'tomcatAuthentication="false"' is bearing
> some fruit.  It appears that my situation is similar to this one:
> http://tomcat.10.x6.nabble.com/tomcat-apache-with-mod-jk-and-mod-auth-kerb-tt2097887.html#a2097891
>
> Just like that person, I enabled debug logging for mod_jk and I see a
> null user being passed over AJP:
> [Fri Jun 07 00:07:45 2013] [21431:1579538176] [debug]
> init_ws_service::mod_jk.c (977): Service protocol=HTTP/1.1 method=GET
> ssl=true host=(null) addr=x.y.z.28 name=HOSTNAME port=443 auth=(null)
> user=(null) laddr=x.y.z.210 raddr=x.y.z.28 uri=/nftest/
>
> Double-checking the logs (thanks for the tip, Rainer-of-2008) I see
> that the requests being forwarded to Tomcat are bypassing
> authentication
> x.y.z.28 - - [07/Jun/2013:00:07:45 +0000] "GET /nftest/?user=nobody
> HTTP/1.1" 200 25424 "-" "Mozilla/5.0 ..."
> versus one served directly by Apache:
> x.y.z.28 - xsdg [07/Jun/2013:00:18:18 +0000] "GET /?user=nobody
> HTTP/1.1" 200 14288 "-" "Mozilla/5.0 ..."
>
> By comparison, when I hit both addresses from a browser instance with
> no credentials:
> x.y.z.28 - - [07/Jun/2013:00:24:41 +0000] "GET /?user=nobody HTTP/1.1"
> 302 3811 "-" "Mozilla/5.0 ..."
> x.y.z.28 - - [07/Jun/2013:00:26:24 +0000] "GET /nftest/?user=nobody
> HTTP/1.1" 200 22888 "-" "Mozilla/5.0 ..."
>
> The 302 is when the unauthenticated browser instance gets redirected
> to a login page, so this confirms that the Jk stuff is bypassing
> authentication right now, even though I'm hitting it over port 443.
>
> So that's what I'm working on figuring out right now.  If anyone has
> any suggestions, let me know.  I feel like I'm close, though.
>
> --xsdg
>
> On Thu, Jun 6, 2013 at 4:13 PM, Caldarale, Charles R
> <Chuck.Caldarale@unisys.com> wrote:
>>> From: Omari Stephens [mailto:xsdg@google.com]
>>> Subject: Re: How to get SSL connection information from Apache HTTPD over AJP?
>>
>>> [re-adding mailing list]
>>
>>> Martin:
>>
>> There's a reason everyone ignores Martin Gainty's postings: they are nearly always
irrelevant, or worse.  Consequently, he's taken to responding to postings off-list, which
is counterproductive and against the rules of the mailing list.
>>
>>  - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL
and is thus for use only by the intended recipient. If you received this in error, please
contact the sender and delete the e-mail and its attachments from all computers.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message