Posted to users@tomcat.apache.org by Maciej Matecki <mm...@gmail.com> on 2009/06/24 16:15:34 UTC

REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

Hello,
This is my first post to the users@tomcat.apache.org list so I'd like to
say hello to everybody.

I've got a big problem with forwarding REMOTE_HOST from Apache to
Tomcat. On the Apache side everything works ok. I've tested it with
a PHP script and it simply works. But on the Tomcat side the REMOTE_USER
header value is not available. I spent almost all day today trying to
solve it. I've read a lot of articles and it still doesn't work. Please
help me :)

What I've already done is test many different ways:
1) rewriting: http://osdir.com/ml/apache.mod-auth-kerb.general/2005-10/msg00009.html
2) tomcatAuthentication set to false

I also tried that in Tomcat 5 and had the problem there too.

If I use JkEnvVar REMOTE_HOST I get the attribute available on the
Tomcat side, but I need that value in a header (I want to use
RequestHeaderPreAuthenticatedProcessingFilter from Spring Security).

Any advice? Thank you in advance.

Best regards,
--
Maciej Matecki
skype: m.matecki || www: http://matecki.info/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> 
> Maciej
> 
> On 6/24/2009 10:15 AM, Maciej Matecki wrote:
>> I've got the big problem with forward REMOTE_HOST from Apache to
>> Tomcat. On the Apache side everything works ok. I've tested it with
>> PHP script and it simply works. But on the Tomcat side REMOTE_USER
>> header value is not available.
> 
Apart from what Chris wrote :
do not confuse cgi-bin environment variables, with HTTP Request headers.
As far as I know, all Apache-Tomcat connectors will forward to Tomcat, 
all the HTTP headers which they received in the request (which comes 
from the browser).
But REMOTE_HOST is /not/ a HTTP Request header received from the 
browser.  The browser never sends that.
Apache itself detects where the request comes from, and then /creates/ 
this environment value REMOTE_HOST (and others), in the environment of 
the process in which it runs the cgi-bin script.
That is why you "see" it in a PHP script running under Apache.

Apache, or the Apache-Tomcat connector, is under no obligation to do the 
same when it passes a request to Tomcat (for one, it would be difficult 
to do, because Tomcat is another independent process, whose environment 
Apache does not control).

So, what you really want to do here, is
- get some internal value which Apache knows (the IP address from which 
the request is coming),
- "translate" this into a /new/ HTTP header REMOTE_HOST,
- and /add/ this HTTP header to the request, before you forward the 
request to Tomcat.

Alternatively, you can try to set this IP address into an "Apache 
environment variable", using for instance SetEnvIf :
SetEnvIf Remote_Addr "^(.*)$" remote_addr=$1
mod_jk would then normally forward it to Tomcat as a "request attribute" 
(I think there is still something to do for that to happen).
Then at the Tomcat level, you use a servlet filter to pick up this 
request attribute, and add it as a request header (which would force you 
to create a RequestWrapper, because the original Request itself is 
immutable).

Now once you are that far anyway, the question would be : why not do 
this directly in a Tomcat servlet filter anyway ?
It should also be able to find out the address of the client, and could 
create this additional HTTP header.

P.S.  I have just checked my favorite tool at 
http://www.tuckey.org/urlrewrite,
but unfortunately, adding a HTTP header to the request is not something 
it seems able to do.
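
The servlet-filter approach described in the message above, as an added example that is not part of the original thread. It assumes the javax.servlet API shipped with Tomcat 6 and the request attribute REMOTE_USER forwarded by mod_jk's "JkEnvVar REMOTE_USER"; the class name RemoteUserHeaderFilter is hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter (added example): exposes the REMOTE_USER request
 *  attribute, as forwarded by mod_jk's "JkEnvVar REMOTE_USER", as a header. */
public class RemoteUserHeaderFilter implements Filter {
    private static final String NAME = "REMOTE_USER";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Object attr = http.getAttribute(NAME);          // set by the AJP connector
        final String user = (attr == null) ? null : attr.toString();

        // The original request cannot be modified, so wrap it.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public String getHeader(String name) {
                // Answer REMOTE_USER only from the connector attribute, never
                // from a same-named header supplied by the client.
                return NAME.equalsIgnoreCase(name) ? user : super.getHeader(name);
            }

            @Override
            @SuppressWarnings("unchecked") // Servlet 2.5 returns a raw Enumeration
            public Enumeration<String> getHeaders(String name) {
                if (!NAME.equalsIgnoreCase(name)) {
                    return super.getHeaders(name);
                }
                List<String> values = (user == null)
                        ? Collections.<String>emptyList()
                        : Collections.singletonList(user);
                return Collections.enumeration(values);
            }
        }, res);
    }
}
```

Map the filter in web.xml ahead of the Spring Security filter chain, and set principalRequestHeader on RequestHeaderPreAuthenticatedProcessingFilter to REMOTE_USER so it reads the wrapped value.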




Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

Posted by André Warnier <aw...@ice-sa.com>.
Maciej Matecki wrote:
> On Mon, Jun 29, 2009 at 1:28 AM, André Warnier<aw...@ice-sa.com> wrote:
>> Maciej Matecki wrote:
>>> Actually I've got much more bigger problem I can't get compiled module
>>> for kerberos with Apache on Windows :(
>>>
>> Can I ask again : why do you need to authenticate /under Apache/ with
>> Kerberos ?  Is it just to pass the user-id to Tomcat ? Or do you also need
>> it at the Apache level for something ?
>>
> 
> I just need to pass the user-id to Tomcat.

Then why don't you do the Kerberos authentication directly in Tomcat, 
instead of trying to do it under Apache ?
I googled a bit last night for "tomcat +auth +kerberos", and although I 
personally don't understand most of it, it seems that there are already 
ready-made ways of doing this, around the "JAAS realm" concept.

Once your app is authenticated under Tomcat, if you need to pick up the 
user-id from Tomcat to pass it in another way to other webapps/filters, 
you can just pick it up as request.getRemoteUser().

Also, once you have done the Kerberos authentication in Tomcat, and if 
you ever need, later, to "bring this back" to the Apache level, then the 
method I previously indicated would apply.




Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

Posted by Maciej Matecki <mm...@gmail.com>.
On Mon, Jun 29, 2009 at 1:28 AM, André Warnier<aw...@ice-sa.com> wrote:
> Maciej Matecki wrote:
>>
>> Actually I've got much more bigger problem I can't get compiled module
>> for kerberos with Apache on Windows :(
>>
> Can I ask again : why do you need to authenticate /under Apache/ with
> Kerberos ?  Is it just to pass the user-id to Tomcat ? Or do you also need
> it at the Apache level for something ?
>

I just need to pass the user-id to Tomcat.
Regards,

--
Maciej Matecki
skype: m.matecki || www: http://matecki.info/



Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

Posted by André Warnier <aw...@ice-sa.com>.
Maciej Matecki wrote:
> 
> Actually I've got much more bigger problem I can't get compiled module
> for kerberos with Apache on Windows :(
> 
Can I ask again : why do you need to authenticate /under Apache/ with 
Kerberos ?  Is it just to pass the user-id to Tomcat ? Or do you also 
need it at the Apache level for something ?



RE: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

Posted by Martin Gainty <mg...@hotmail.com>.
http://modauthkerb.sourceforge.net

Martin 

> From: mmatecki@gmail.com
> Date: Sun, 28 Jun 2009 21:08:59 +0200
> Subject: Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + 	mod_auth_kerb
> To: users@tomcat.apache.org
> 
> On Sun, Jun 28, 2009 at 5:31 AM, Christopher
> Schultz<ch...@christopherschultz.net> wrote:
> >
> > Maciej
> >
> > On 6/24/2009 10:15 AM, Maciej Matecki wrote:
> >> I've got the big problem with forward REMOTE_HOST from Apache to
> >> Tomcat. On the Apache side everything works ok. I've tested it with
> >> PHP script and it simply works. But on the Tomcat side REMOTE_USER
> >> header value is not available.
> >
> > [snip]
> >
> >> What I've already done is testing for many different ways:
> >> 1) rewriting: http://osdir.com/ml/apache.mod-auth-kerb.general/2005-10/msg00009.html
> >> 2) tomcatAuthentication set to false
> >
> > Which connector are you using? AJP or HTTP? If AJP, are you using
> > mod_proxy_ajp or mod_jk?
> > [cut]
> 
> I use mod_jk. Thank you for your suggestions. Finally I set in Apache:
> JkEnvVar REMOTE_USER and in my preauth filter I can get the user by:
> httpServletRequest.getAttribute("REMOTE_USER");
> 
> Actually I've got much more bigger problem I can't get compiled module
> for kerberos with Apache on Windows :(
> 
> Regards,
> --
> Maciej Matecki
> skype: m.matecki || www: http://matecki.info/
> 
> 


Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

Posted by Maciej Matecki <mm...@gmail.com>.
On Sun, Jun 28, 2009 at 5:31 AM, Christopher
Schultz<ch...@christopherschultz.net> wrote:
>
> Maciej
>
> On 6/24/2009 10:15 AM, Maciej Matecki wrote:
>> I've got the big problem with forward REMOTE_HOST from Apache to
>> Tomcat. On the Apache side everything works ok. I've tested it with
>> PHP script and it simply works. But on the Tomcat side REMOTE_USER
>> header value is not available.
>
> [snip]
>
>> What I've already done is testing for many different ways:
>> 1) rewriting: http://osdir.com/ml/apache.mod-auth-kerb.general/2005-10/msg00009.html
>> 2) tomcatAuthentication set to false
>
> Which connector are you using? AJP or HTTP? If AJP, are you using
> mod_proxy_ajp or mod_jk?
> [cut]

I use mod_jk. Thank you for your suggestions. Finally I set in Apache:
JkEnvVar REMOTE_USER and in my preauth filter I can get the user by:
httpServletRequest.getAttribute("REMOTE_USER");

Actually I've got a much bigger problem: I can't get the Kerberos
module compiled for Apache on Windows :(

Regards,
--
Maciej Matecki
skype: m.matecki || www: http://matecki.info/



Re: REMOTE_USER with Apache 2.2.9 (Debian) + Tomcat 6.0.18 + mod_auth_kerb

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Maciej

On 6/24/2009 10:15 AM, Maciej Matecki wrote:
> I've got the big problem with forward REMOTE_HOST from Apache to
> Tomcat. On the Apache side everything works ok. I've tested it with
> PHP script and it simply works. But on the Tomcat side REMOTE_USER
> header value is not available.

[snip]

> What I've already done is testing for many different ways:
> 1) rewriting: http://osdir.com/ml/apache.mod-auth-kerb.general/2005-10/msg00009.html
> 2) tomcatAuthentication set to false

Which connector are you using? AJP or HTTP? If AJP, are you using
mod_proxy_ajp or mod_jk?

> If I use JkEnvVar REMOTE_HOST I've got attribute available on the
> Tomcat side, but I need that value in header (I want to use
> RequestHeaderPreAuthenticatedProcessingFilter from Spring Security).

You're going to have to do some kind of re-writing to get this in an
HTTP header instead of a request attribute.

Only mod_jk supports JkEnvVar, but the documentation states:

"
If the default value is not given explicitly, the variable will only be
send, if it is set during runtime.
"

It's unclear if "during runtime" means that the value must be calculated
somehow from within httpd, or if the value must be specified in the
original request.

In either case, the JkEnvVar option will only provide these values to
the request attributes. If you want them to act like headers, you're
going to need to do something else.

mod_headers is a good bet, but then you need to use mod_proxy_http
instead of mod_jk or mod_proxy_ajp because I don't think mod_jk will
forward automagically-generated HTTP headers over the AJP connection.
You could always try to set something simple (like setting FOO=BAR) and
seeing if Tomcat receives it properly.

-chris