Posted to users@tomcat.apache.org by Philip Kahle <ph...@gmail.com> on 2012/09/18 15:11:07 UTC

Accessing CoyoteRequest attributes in a Servlet

Hi all,

I am trying to set up a Java Web Application using Servlets and JSPs in
Tomcat 7. User authentication should be done on a central Shibboleth
Identity Provider.
I have already configured Apache including mod_ssl, mod_proxy_ajp and
the shib2 module following these instructions:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
The redirect to the central login page works and, after entering my
credentials, the session is correctly created by the identity provider
and I am forwarded to my webapp.

At this point I should have different attributes in my session, such as
the user's email address, name and so on.
But these are stored in the coyoteRequest attributes, which I can
observe while debugging in Eclipse. As the coyoteRequest is a protected
field of org.apache.catalina.connector.Request which again is a field of
the RequestFacade I can not get any of these values.
What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
in the instructions above).
By setting "ShibUseHeaders On" in apache I get all of the attributes in
the request headers, but this is not recommended for security reasons.

Is there any way to access the coyoteRequest in a servlet or at least
configure tomcat to transfer more attributes to the servletRequest?

My current connector configuration in server.xml looks like this:
<Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8081"
protocol="HTTP/1.1" redirectPort="8444"/>
<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false"
maxThreads="150" port="8444" protocol="HTTP/1.1" scheme="https"
secure="true" sslProtocol="TLS"/>
<Connector URIEncoding="UTF-8" port="8010" protocol="AJP/1.3"
redirectPort="8444" tomcatAuthentication="false" packetSize="65536"/>


Many thanks and best regards,
Philip

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Accessing CoyoteRequest attributes in a Servlet

Posted by Mark Thomas <ma...@apache.org>.
On 18/09/2012 17:13, Philip Kahle wrote:
> On 18.09.2012 15:47, André Warnier wrote:
>> André Warnier wrote:
>>> Philip Kahle wrote:
>>>> Hi all,
>>>>
>>>> I am trying to set up a Java Web Application using Servlets and JSPs in
>>>> Tomcat 7. User authentication should be done on a central Shibboleth
>>>> Identity Provider.
>>>> I have already configured Apache including mod_ssl, mod_proxy_ajp and
>>>> the shib2 module following these instructions:
>>>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
>>>>
>>>> The redirect to the central login page works and, after entering my
>>>> credentials, the session is correctly created by the identity provider
>>>> and I am forwarded to my webapp.
>>>>
>>>> At this point I should have different attributes in my session, such as
>>>> the user's email address, name and so on.
>>>> But these are stored in the coyoteRequest attributes, which I can
>>>> observe while debugging in Eclipse. As the coyoteRequest is a protected
>>>> field of org.apache.catalina.connector.Request which again is a field of
>>>> the RequestFacade I can not get any of these values.
>>>> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
>>>> in the instructions above).
>>>> By setting "ShibUseHeaders On" in apache I get all of the attributes in
>>>> the request headers, but this is not recommended for security reasons.
>>>>
>>>
>>> Why ?  That is a generic recommendation, but it does not apply if :
>>> - all the requests to Tomcat go through httpd first
>>> - the link between httpd and Tomcat is "secure" (not accessible by anyone)
>>>
>>> If e.g. httpd and Tomcat live on the same host, and you configure the
>>> Tomcat AJP Connector to only accept requests from localhost, then it
>>> would be ok to pass private information through headers.
>>>
>>> Simplify your life if possible.
>>>
>>>
>>>> Is there any way to access the coyoteRequest in a servlet or at least
>>>> configure tomcat to transfer more attributes to the servletRequest?
>>>>
>>>
>>> At least by using mod_jk instead of mod_proxy_ajp, you can transmit a
>>> bunch of things from Apache httpd to Tomcat (including Apache httpd's
>>> "variables" e.g.).  I do not know mod_proxy_ajp well enough to
>>> confirm that this is possible with it also, but I would imagine so.
>>>
>> Addendum : sorry, that was not a direct answer to your question.
>> The direct answer is that HttpServletRequest (and ServletRequest)
>> already provide a bunch of methods to access request attributes. See
>> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html.
>> These are part of the specification, so you do not need to configure
>> anything at the Tomcat level for that.
>> As long as the request already contains attributes of course.
>>
>> Still talking about mod_jk, basically anything you set in Apache httpd
>> using "SetEnv" for example, gets passed to Tomcat as a request
>> attribute, through the AJP protocol.
>> Someone else would need to confirm if this is also the case using
>> mod_proxy_ajp.
> 
> Thanks for your answer!
> I already studied the methods exposed by HttpServletRequest (and
> ServletRequest from within a filter) but neither these objects nor the
> attached session objects directly include these attributes. Only the
> (invisible) coyoteRequest object inside does so.
> 
> I will further investigate the mod_env approach though.
> As Tomcat and httpd indeed remain on the same host and both the
> exceptions you named apply, I will just stick to the header approach for
> now.

A Valve will probably get you what you need but it is Tomcat specific.

Mark
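
The Valve suggested above could look like the following. This is an added example, not code from the thread or from the Tomcat project, written against the Tomcat 7 API. The package, class name, the `attributeNames` property and the attribute names `mail` and `displayName` are hypothetical.

```java
package example.valves; // hypothetical package

import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Copies an allow-list of AJP request attributes from the Coyote request
 * into the servlet-visible attribute map. Values come only from AJP
 * attributes set by httpd, never from client-controllable HTTP headers.
 *
 * Hypothetical registration (class must be on Tomcat's own classpath):
 *   <Valve className="example.valves.AjpAttributeValve"
 *          attributeNames="mail,displayName"/>
 */
public class AjpAttributeValve extends ValveBase {

    // Empty by default: nothing is forwarded unless explicitly listed.
    private volatile Set<String> allowed = Collections.emptySet();

    /** Called by Tomcat with the value of the attributeNames XML attribute. */
    public void setAttributeNames(String csv) {
        Set<String> names = new LinkedHashSet<String>();
        for (String n : csv.split(",")) {
            if (!n.trim().isEmpty()) {
                names.add(n.trim());
            }
        }
        allowed = Collections.unmodifiableSet(names);
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Attributes received over AJP live on the underlying Coyote request.
        Map<String, Object> ajpAttributes = request.getCoyoteRequest().getAttributes();
        for (String name : allowed) {
            Object value = ajpAttributes.get(name);
            if (value != null) {
                // Now visible to servlets and filters via getAttribute(name).
                request.setAttribute(name, value);
            }
        }
        getNext().invoke(request, response);
    }
}
```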




Re: Accessing CoyoteRequest attributes in a Servlet

Posted by Philip Kahle <ph...@gmail.com>.
On 18.09.2012 15:47, André Warnier wrote:
> André Warnier wrote:
>> Philip Kahle wrote:
>>> Hi all,
>>>
>>> I am trying to set up a Java Web Application using Servlets and JSPs in
>>> Tomcat 7. User authentication should be done on a central Shibboleth
>>> Identity Provider.
>>> I have already configured Apache including mod_ssl, mod_proxy_ajp and
>>> the shib2 module following these instructions:
>>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
>>>
>>> The redirect to the central login page works and, after entering my
>>> credentials, the session is correctly created by the identity provider
>>> and I am forwarded to my webapp.
>>>
>>> At this point I should have different attributes in my session, such as
>>> the user's email address, name and so on.
>>> But these are stored in the coyoteRequest attributes, which I can
>>> observe while debugging in Eclipse. As the coyoteRequest is a protected
>>> field of org.apache.catalina.connector.Request which again is a field of
>>> the RequestFacade I can not get any of these values.
>>> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
>>> in the instructions above).
>>> By setting "ShibUseHeaders On" in apache I get all of the attributes in
>>> the request headers, but this is not recommended for security reasons.
>>>
>>
>> Why ?  That is a generic recommendation, but it does not apply if :
>> - all the requests to Tomcat go through httpd first
>> - the link between httpd and Tomcat is "secure" (not accessible by anyone)
>>
>> If e.g. httpd and Tomcat live on the same host, and you configure the
>> Tomcat AJP Connector to only accept requests from localhost, then it
>> would be ok to pass private information through headers.
>>
>> Simplify your life if possible.
>>
>>
>>> Is there any way to access the coyoteRequest in a servlet or at least
>>> configure tomcat to transfer more attributes to the servletRequest?
>>>
>>
>> At least by using mod_jk instead of mod_proxy_ajp, you can transmit a
>> bunch of things from Apache httpd to Tomcat (including Apache httpd's
>> "variables" e.g.).  I do not know mod_proxy_ajp well enough to
>> confirm that this is possible with it also, but I would imagine so.
>>
> Addendum : sorry, that was not a direct answer to your question.
> The direct answer is that HttpServletRequest (and ServletRequest)
> already provide a bunch of methods to access request attributes. See
> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html.
> These are part of the specification, so you do not need to configure
> anything at the Tomcat level for that.
> As long as the request already contains attributes of course.
>
> Still talking about mod_jk, basically anything you set in Apache httpd
> using "SetEnv" for example, gets passed to Tomcat as a request
> attribute, through the AJP protocol.
> Someone else would need to confirm if this is also the case using
> mod_proxy_ajp.

Thanks for your answer!
I already studied the methods exposed by HttpServletRequest (and
ServletRequest from within a filter) but neither these objects nor the
attached session objects directly include these attributes. Only the
(invisible) coyoteRequest object inside does so.

I will further investigate the mod_env approach though.
As Tomcat and httpd indeed remain on the same host and both the
exceptions you named apply, I will just stick to the header approach for
now.



Re: Accessing CoyoteRequest attributes in a Servlet

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> André,
> 
> On 9/18/12 9:47 AM, André Warnier wrote:
>> Still talking about mod_jk, basically anything you set in Apache
>> httpd using "SetEnv" for example, gets passed to Tomcat as a
>> request attribute, through the AJP protocol.
> 
> You need to use JkEnvVar if it's something non-standard (which I
> suspect Philip's variables are).
> 

You are right, my apologies.  I was a bit quick answering the OP's questions.

So, with correction applied : if you are using mod_jk as the Apache/Tomcat connector, then 
any Apache httpd "environment variable" (that's what Apache httpd doc calls the values set 
via e.g. "SetEnv") /can/ be passed to Tomcat, as a request attribute, by using the 
JkEnvVar directive in the Apache httpd configuration.

See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
(and read the whole JkEnvVar paragraph carefully, for some limitations)

Since I am not frequently using the mod_proxy_ajp connector, I do not know if a similar 
capability exists with it.




Re: Accessing CoyoteRequest attributes in a Servlet

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 9/18/12 9:47 AM, André Warnier wrote:
> Still talking about mod_jk, basically anything you set in Apache
> httpd using "SetEnv" for example, gets passed to Tomcat as a
> request attribute, through the AJP protocol.

You need to use JkEnvVar if it's something non-standard (which I
suspect Philip's variables are).

-chris



Re: Accessing CoyoteRequest attributes in a Servlet

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:
> Philip Kahle wrote:
>> Hi all,
>>
>> I am trying to set up a Java Web Application using Servlets and JSPs in
>> Tomcat 7. User authentication should be done on a central Shibboleth
>> Identity Provider.
>> I have already configured Apache including mod_ssl, mod_proxy_ajp and
>> the shib2 module following these instructions:
>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
>> The redirect to the central login page works and, after entering my
>> credentials, the session is correctly created by the identity provider
>> and I am forwarded to my webapp.
>>
>> At this point I should have different attributes in my session, such as
>> the user's email address, name and so on.
>> But these are stored in the coyoteRequest attributes, which I can
>> observe while debugging in Eclipse. As the coyoteRequest is a protected
>> field of org.apache.catalina.connector.Request which again is a field of
>> the RequestFacade I can not get any of these values.
>> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
>> in the instructions above).
>> By setting "ShibUseHeaders On" in apache I get all of the attributes in
>> the request headers, but this is not recommended for security reasons.
>>
> 
> Why ?  That is a generic recommendation, but it does not apply if :
> - all the requests to Tomcat go through httpd first
> - the link between httpd and Tomcat is "secure" (not accessible by anyone)
> 
> If e.g. httpd and Tomcat live on the same host, and you configure the 
> Tomcat AJP Connector to only accept requests from localhost, then it 
> would be ok to pass private information through headers.
> 
> Simplify your life if possible.
> 
> 
>> Is there any way to access the coyoteRequest in a servlet or at least
>> configure tomcat to transfer more attributes to the servletRequest?
>>
> 
> At least by using mod_jk instead of mod_proxy_ajp, you can transmit a 
> bunch of things from Apache httpd to Tomcat (including Apache httpd's 
> "variables" e.g.).  I do not know mod_proxy_ajp well enough to confirm 
> that this is possible with it also, but I would imagine so.
> 
Addendum : sorry, that was not a direct answer to your question.
The direct answer is that HttpServletRequest (and ServletRequest) already provide a bunch 
of methods to access request attributes. See 
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html.
These are part of the specification, so you do not need to configure anything at the 
Tomcat level for that.
As long as the request already contains attributes of course.

Still talking about mod_jk, basically anything you set in Apache httpd using "SetEnv" for 
example, gets passed to Tomcat as a request attribute, through the AJP protocol.
Someone else would need to confirm if this is also the case using mod_proxy_ajp.




Re: Accessing CoyoteRequest attributes in a Servlet

Posted by André Warnier <aw...@ice-sa.com>.
Philip Kahle wrote:
> Hi all,
> 
> I am trying to set up a Java Web Application using Servlets and JSPs in
> Tomcat 7. User authentication should be done on a central Shibboleth
> Identity Provider.
> I have already configured Apache including mod_ssl, mod_proxy_ajp and
> the shib2 module following these instructions:
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
> The redirect to the central login page works and, after entering my
> credentials, the session is correctly created by the identity provider
> and I am forwarded to my webapp.
> 
> At this point I should have different attributes in my session, such as
> the user's email address, name and so on.
> But these are stored in the coyoteRequest attributes, which I can
> observe while debugging in Eclipse. As the coyoteRequest is a protected
> field of org.apache.catalina.connector.Request which again is a field of
> the RequestFacade I can not get any of these values.
> What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
> in the instructions above).
> By setting "ShibUseHeaders On" in apache I get all of the attributes in
> the request headers, but this is not recommended for security reasons.
> 

Why ?  That is a generic recommendation, but it does not apply if :
- all the requests to Tomcat go through httpd first
- the link between httpd and Tomcat is "secure" (not accessible by anyone)

If e.g. httpd and Tomcat live on the same host, and you configure the Tomcat AJP Connector 
to only accept requests from localhost, then it would be ok to pass private information 
through headers.

Simplify your life if possible.


> Is there any way to access the coyoteRequest in a servlet or at least
> configure tomcat to transfer more attributes to the servletRequest?
> 

At least by using mod_jk instead of mod_proxy_ajp, you can transmit a bunch of things from 
Apache httpd to Tomcat (including Apache httpd's "variables" e.g.).  I do not know 
mod_proxy_ajp well enough to confirm that this is possible with it also, but I would 
imagine so.
