Posted to users@tomcat.apache.org by Omar Nafees <om...@cs.uwaterloo.ca> on 2007/08/28 21:34:21 UTC
Apache --> Tomcat SSL via mod_jk
Hi,
I recently posted under the thread "Apache authentication information
(remoteuser) not visible in Tomcat" and I am grateful to all that
responded with useful comments.
I learned the following about how Tomcat treats authentication
information received from Apache via AJP headers (mod_jk) - once told to
consider it by using "tomcatAuthentication=false" in the appropriate place:
1) request.getRemoteUser() only works on the "entry-point" servlet (e.g.
index.jsp) - it doesn't work if you forward immediately to another page.
It seems strange that Tomcat doesn't keep remote user around for later
use and forces me to keep it around explicitly in some form (such as a
hidden POST parameter).
2) The above is assuming SSL is turned off for my application. The
minute I turn it on in its security constraint (in web.xml),
request.getRemoteUser() only returns null. Is there a particular setting
in security constraint or elsewhere to achieve the desired behavior?
Thanks in advance for any help.
Omar
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Apache --> Tomcat SSL via mod_jk
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Rainer,
Rainer Jung wrote:
> We know that mod_jk forwards the info about the
> protocol used by Apache when accepting the original request and this
> info is handled by Tomcat's security-constraint the same way, as if
> Tomcat had created it on its own connectors.
Oh, excellent. I didn't realize that HTTPS->mod_jk->Tomcat would satisfy
the CONFIDENTIAL constraint. Good to know.
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFG1dcR9CaO5/Lv0PARAl+YAKCZDAXbKQvrcY0+MTIFoswbhDGmDwCghvc4
AO2r3HUgahmhoXue3axlWMA=
=/S6O
-----END PGP SIGNATURE-----
Re: Apache --> Tomcat SSL via mod_jk
Posted by Rainer Jung <ra...@kippdata.de>.
Christopher Schultz wrote:
> Omar Nafees wrote:
>> 1) request.getRemoteUser() only works on the "entry-point" servlet (e.g.
>> index.jsp) - it doesn't work if you forward immediately to another page.
>> It seems strange that Tomcat doesn't keep remote user around for later
>> use and forces me to keep it around explicitly in some form (such as a
>> hidden POST parameter).
>
> This doesn't sound right; getRemoteUser should return the REMOTE_USER
> each time, regardless of which request it is.
And it does. fwd.jsp is
<jsp:forward page="auth.jsp"/>
and auth.jsp is
<%@page session="false"%>
<HTML>
User: <%=request.getRemoteUser() %>
</HTML>
and I do get the correct user name when sending the request to an Apache
with basic authentication configured and connected to Tomcat via mod_jk.
>> 2) The above is assuming SSL is turned off for my application. The
>> minute I turn it on in its security constraint (in web.xml)
>
> You cannot "turn on" SSL in web.xml; all you can do is require that SSL
> be used in order for security to work.
>
> Since you're using mod_jk, you won't be able to use CONFIDENTIAL as a
> security constraint, since mod_jk doesn't communicate using a
> CONFIDENTIAL channel.
I added
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
to web.xml. If I contact the webapp via Apache with http, I get a
redirect to the https URL. If I talk to Apache via https, I can access
the application. We know that mod_jk forwards the info about the
protocol used by Apache when accepting the original request and this
info is handled by Tomcat's security-constraint the same way, as if
Tomcat had created it on its own connectors.
>> request.getRemoteUser() only returns null. Is there a particular setting
>> in security constraint or elsewhere to achieve the desired behavior?
>
> I believe you are making a mistake by using CONFIDENTIAL in web.xml, and
> Tomcat is reacting correctly by refusing to accept the remote user as
> furnished by mod_jk because it is not being sent over SSL.
In my test case, it
- doesn't reject or redirect, it simply answers the request - if it was
sent via Apache/mod_jk using https in the original request
- the JSP correctly outputs the user name. I get it when requesting
fwd.jsp, and also when requesting auth.jsp.
Again I think you should try a simple example first.
Regards,
Rainer
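The following servlet is an added example, not code from the thread or from Tomcat itself. It turns Rainer's fwd.jsp/auth.jsp test into one diagnostic that shows, on a single page, what Tomcat received over AJP: the principal (getRemoteUser/getAuthType) and the transport flag (getScheme/isSecure) that the CONFIDENTIAL transport-guarantee is evaluated against, both before and after a forward. The servlet class name, the /ajp-diag mapping and the attribute names are my assumptions; it assumes the AJP <Connector> in server.xml carries tomcatAuthentication="false" and that httpd performs the authentication and proxies via mod_jk, as in the thread.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical diagnostic servlet (added example); assumed to be mapped to
 * /ajp-diag in web.xml.
 *
 * First pass: snapshot what Tomcat sees, then forward to this same servlet
 * (the same shape as the fwd.jsp -> auth.jsp test in the thread).
 * Second pass (inside the forward): print both snapshots so the reader can
 * confirm that the principal and the https flag survive the forward.
 */
public class AjpAuthDiagServlet extends HttpServlet {

    private static final String FORWARDED_FLAG = "ajpdiag.forwarded";
    private static final String BEFORE_FORWARD = "ajpdiag.before";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getAttribute(FORWARDED_FLAG) == null) {
            // First pass: record the values, then forward to ourselves.
            req.setAttribute(BEFORE_FORWARD, snapshot(req));
            req.setAttribute(FORWARDED_FLAG, Boolean.TRUE);
            RequestDispatcher rd = req.getRequestDispatcher(req.getServletPath());
            rd.forward(req, resp);
            return;
        }
        // Second pass: we are the target of the forward.
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("before forward: " + req.getAttribute(BEFORE_FORWARD));
        out.println("after  forward: " + snapshot(req));
        out.println();
        out.println(verdict(req));
    }

    /** The four values a mod_jk + tomcatAuthentication="false" setup depends on. */
    static String snapshot(HttpServletRequest req) {
        return "remoteUser=" + req.getRemoteUser()
             + " authType=" + req.getAuthType()
             + " scheme=" + req.getScheme()
             + " secure=" + req.isSecure();
    }

    /** Maps the observed values to the configuration point most likely at fault. */
    static String verdict(HttpServletRequest req) {
        if (req.getRemoteUser() == null) {
            return "no principal: check tomcatAuthentication=\"false\" on the AJP "
                 + "<Connector> and that httpd actually authenticated this request";
        }
        if (!req.isSecure()) {
            return "principal present but request is not secure: a CONFIDENTIAL "
                 + "transport-guarantee on this URL would redirect to https; check "
                 + "that the client reached httpd over https";
        }
        return "OK: principal and https flag both forwarded over AJP";
    }
}
```

Request /ajp-diag once over http and once over https through httpd: with the CONFIDENTIAL constraint from Rainer's web.xml above, the http request is redirected and the https request prints two identical snapshots with the authenticated user, which is the behaviour Rainer reports. One configuration point worth checking alongside this: with tomcatAuthentication="false" Tomcat accepts the user name supplied over AJP without verifying it, so the AJP <Connector> should be reachable only from the httpd host (for example bound with address="127.0.0.1" or filtered at the network level).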
Re: Apache --> Tomcat SSL via mod_jk
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Omar,
Omar Nafees wrote:
> 1) request.getRemoteUser() only works on the "entry-point" servlet (e.g.
> index.jsp) - it doesn't work if you forward immediately to another page.
> It seems strange that Tomcat doesn't keep remote user around for later
> use and forces me to keep it around explicitly in some form (such as a
> hidden POST parameter).
This doesn't sound right; getRemoteUser should return the REMOTE_USER
each time, regardless of which request it is.
> 2) The above is assuming SSL is turned off for my application. The
> minute I turn it on in its security constraint (in web.xml)
You cannot "turn on" SSL in web.xml; all you can do is require that SSL
be used in order for security to work.
Since you're using mod_jk, you won't be able to use CONFIDENTIAL as a
security constraint, since mod_jk doesn't communicate using a
CONFIDENTIAL channel.
> request.getRemoteUser() only returns null. Is there a particular setting
> in security constraint or elsewhere to achieve the desired behavior?
I believe you are making a mistake by using CONFIDENTIAL in web.xml, and
Tomcat is reacting correctly by refusing to accept the remote user as
furnished by mod_jk because it is not being sent over SSL.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFG1InC9CaO5/Lv0PARAqkcAJwMsTd5dGvxmer7u8nhXICXmz2JoQCdHrL6
VjheIXl2zzd21ob1/mkUfRk=
=NXlX
-----END PGP SIGNATURE-----