Posted to users@tomcat.apache.org by Bill Doster <bi...@umich.edu> on 2007/06/06 21:49:23 UTC

passing user variable from apache2.2 via mod_proxy_ajp to tomcat5.5?

On FC6 (intel), I need to have tomcat servlets know the user
associated with each ajp request.

After authenticating (I'm using mod_cosign), when I load
https://host/cgi-bin/hi (a shell script which outputs html-ized "Hello
$REMOTE_USER"), the web-page returned is "Hello <user>" for whatever
user I authenticated as.

I've got mod_proxy_ajp set-up to:

ProxyPass   /HelloWorld   ajp://localhost:8009/HelloWorld

Since I have the entire host set-up to be cosign-authenticated,  
accessing:

	https://host/HelloWorld/HelloWorld

causes cosign to force authentication (iff I haven't already).  Then
the request gets passed via mod_proxy_ajp to tomcat (running on the
same host on port 8009).  HelloWorld happily executes, but all the ways
that I've coded that I thought would receive the connection user...
haven't.

Since I'm very much a beginner Java person, I've tried googling and  
FAQ'ing around but ended up following numerous dead ends.  I've read  
over the mod_proxy_ajp source and from ajp_header.c it certainly  
seems like "user" is always provided to tomcat as long as user is set  
for the connection (on the apache side).

I'd really appreciate any tips on how to access this from a servlet  
running under Tomcat.  Or any tips that would enable me to at least  
prove to myself that tomcat received it from mod_proxy_ajp (like how  
to tinker with tomcat logging).

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: passing user variable from apache2.2 via mod_proxy_ajp to tomcat5.5? -- SOLVED

Posted by Bill Doster <bi...@umich.edu>.
Another google ("mod_proxy_ajp REMOTE_USER tomcat") resulted in  
pointers to:

	http://mailman1.u.washington.edu/pipermail/pubcookie-users/2006-July/001527.html

which in turn mentioned that adding:

	tomcatAuthentication="false"

to the AJP13 connector statement below (from
%CATALINA_HOME%/conf/server.xml) caused things to work.

Now my servlet invokes the following with good results:

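	import javax.servlet.*;
	import javax.servlet.http.*;

	public class HelloWorld extends HttpServlet {
	    // request is the input argument for doGet()
	    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
	        // user authenticated by Apache and forwarded over AJP
	        String user = request.getRemoteUser();

	        this.log("user:" + user);
	    }
	}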

causes "user: <user>" to show up in catalina.out.

On Jun 6, 2007, at 4:54 PM, Bill Doster wrote:
> Yep.  I actually *do* have the ajp request getting handled by using:
>
>>> ProxyPass   /HelloWorld   ajp://localhost:8009/HelloWorld
>
> 			(note "ajp://" not "http://")
>
> as well as enabling the AJP13 connector in server.xml via:
>
> 	<Connector port="8009" enableLookups="false" redirectPort="8443"  
> protocol="AJP/1.3" />
>
> The *problem* that I'm having is that I can NOT determine how to  
> access the equivalent of
> "REMOTE_USER" from a tomcat servlet.
>
>    request.getRemoteUser() is null (since no Authorization header  
> was provided)
>    System.getenv("REMOTE_USER") is not getting set by tomcat
>
> From looking at the source for mod_proxy_ajp (in ajp_header.c) it  
> looks like user value gets passed
> in the ajp protocol to the tomcat ajp13 listener on port 8009.  I  
> was kinda hoping that someone
> else could tell me how tomcat makes this user value available to a  
> servlet container.
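
The connector change described above, written out as an added example (not taken from the original post). The first element is the connector as quoted in the thread; the second adds tomcatAuthentication="false". The address="127.0.0.1" attribute is an assumption added here, chosen because the poster runs Apache and Tomcat on the same host.

```xml
<!-- Only one of these two elements belongs in server.xml. -->

<!-- Before (as quoted in the thread): Tomcat performs its own
     authentication, so the user name forwarded by mod_proxy_ajp is not
     used and request.getRemoteUser() returns null. -->
<Connector port="8009" enableLookups="false" redirectPort="8443"
           protocol="AJP/1.3" />

<!-- After: Tomcat accepts the user already authenticated by Apache
     (mod_cosign in this thread) and exposes it via getRemoteUser().
     address="127.0.0.1" is an addition not in the original post: it
     keeps the AJP port off external interfaces, because with
     tomcatAuthentication="false" Tomcat trusts whatever user name the
     AJP peer reports. -->
<Connector port="8009" address="127.0.0.1" enableLookups="false"
           redirectPort="8443" protocol="AJP/1.3"
           tomcatAuthentication="false" />
```

If Apache and Tomcat run on different hosts, restrict port 8009 to the Apache server with a host firewall instead of the loopback binding.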


Re: passing user variable from apache2.2 via mod_proxy_ajp to tomcat5.5?

Posted by Bill Doster <bi...@umich.edu>.
Yep.  I actually *do* have the ajp request getting handled by using:

>> ProxyPass   /HelloWorld   ajp://localhost:8009/HelloWorld

			(note "ajp://" not "http://")

as well as enabling the AJP13 connector in server.xml via:

	<Connector port="8009" enableLookups="false" redirectPort="8443"  
protocol="AJP/1.3" />

The *problem* that I'm having is that I can NOT determine how to  
access the equivalent of
"REMOTE_USER" from a tomcat servlet.

    request.getRemoteUser() is null (since no Authorization header  
was provided)
    System.getenv("REMOTE_USER") is not getting set by tomcat

From looking at the source for mod_proxy_ajp (in ajp_header.c) it  
looks like user value gets passed
in the ajp protocol to the tomcat ajp13 listener on port 8009.  I was  
kinda hoping that someone
else could tell me how tomcat makes this user value available to a  
servlet container.

On Jun 6, 2007, at 4:35 PM, Martin Gainty wrote:
> following
> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
>
> I *thought* ProxyPass was
>
> ProxyPass /mirror/foo/ http://foo.com/
> cause a local request for the
> <http://wibble.org/mirror/foo/bar> to be internally converted into  
> a proxy request to
> <http://foo.com/bar>.
>
> so..
> ProxyPass   /HelloWorld   http://localhost:8009/
>
> causes a local request for the
> http://HelloWorld/HelloWorld
>
> will yield
> http://localhost:8009/HelloWorld
>
> ajp is configured by enabling the AJP13 connector in Tomcat
> %CATALINA_HOME%/conf/server.xml on Port 8009
> http://www.onjava.com/pub/a/onjava/2002/11/20/tomcat.html



Re: passing user variable from apache2.2 via mod_proxy_ajp to tomcat5.5?

Posted by Martin Gainty <mg...@hotmail.com>.
Hi Bill-

following
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass

I *thought* ProxyPass was

ProxyPass /mirror/foo/ http://foo.com/
cause a local request for the
<http://wibble.org/mirror/foo/bar> to be internally converted into a proxy 
request to
<http://foo.com/bar>.

so..
ProxyPass   /HelloWorld   http://localhost:8009/

causes a local request for the
http://HelloWorld/HelloWorld

will yield
http://localhost:8009/HelloWorld

ajp is configured by enabling the AJP13 connector in Tomcat 
%CATALINA_HOME%/conf/server.xml on Port 8009
http://www.onjava.com/pub/a/onjava/2002/11/20/tomcat.html

HTH/
M--