Posted to users@tomcat.apache.org by Magosányi Árpád <m4...@gmail.com> on 2019/10/07 14:37:17 UTC

user and certificate info is not passed to tomcat

I intend to use the user and certificate info in a Filter.
I think I have configured everything to do that, but the information does not get passed along. Based on various documentation and howtos, SSLVerifyClient require, SSLOptions +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On should be enough to pass certificate data, and Require valid-user should be enough to pass the authenticated username.
I see the following debug output (which also contains the various info logged by the filter), and it clearly lacks the information needed.
I have a cgi in the cgi-bin directory, which prints out the environment, and I see both REMOTE_USER and all relevant certificate related information there.

debug log:
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.554 2019] [7885:139750518257408] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/servlet/servlet' from 1 maps
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.555 2019] [7885:139750518257408] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.555 2019] [7885:139750518257408] [debug] find_match::jk_uri_worker_map.c (993): Found a wildchar match '/servlet*=worker1'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.556 2019] [7885:139750518257408] [debug] jk_handler::mod_jk.c (2823): Into handler jakarta-servlet worker=worker1 r->proxyreq=0
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.556 2019] [7885:139750518257408] [debug] wc_get_worker_for_name::jk_worker.c (120): found a worker worker1
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.557 2019] [7885:139750518257408] [debug] wc_get_name_for_type::jk_worker.c (304): Found worker type 'ajp13'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.557 2019] [7885:139750518257408] [debug] init_ws_service::mod_jk.c (1196): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=94.62.142.229 name=repository.kodekonveyor.com port=443 auth=(null) user=(null) laddr=217.61.105.99 raddr=94.62.142.229 uaddr=94.62.142.229 uri=/servlet/servlet
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.558 2019] [7885:139750518257408] [debug] ajp_get_endpoint::jk_ajp_common.c (3356): (worker1) acquired connection pool slot=0 after 0 retries
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.559 2019] [7885:139750518257408] [debug] ajp_marshal_into_msgb::jk_ajp_common.c (684): (worker1) ajp marshaling done
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.559 2019] [7885:139750518257408] [debug] ajp_service::jk_ajp_common.c (2591): processing worker1 with 2 retries
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.560 2019] [7885:139750518257408] [debug] ajp_send_request::jk_ajp_common.c (1722): (worker1) no usable connection found, will create a new one.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.561 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (675): socket TCP_NODELAY set to On
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.561 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (799): trying to connect socket 24 to ::1:8009
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.565 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (825): socket 24 [:::51520 -> ::a00:c940:0:0:8009] connected
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.566 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): sending to ajp13 pos=4 len=620 max=8192
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.566 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0000    12 34 02 68 02 02 00 08 48 54 54 50 2F 31 2E 31  - .4.h....HTTP/1.1
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0010    00 00 10 2F 73 65 72 76 6C 65 74 2F 73 65 72 76  - .../servlet/serv
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0020    6C 65 74 00 00 0D 39 34 2E 36 32 2E 31 34 32 2E  - let...94.62.142.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0030    32 32 39 00 FF FF 00 1B 72 65 70 6F 73 69 74 6F  - 229.....reposito
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0040    72 79 2E 6B 6F 64 65 6B 6F 6E 76 65 79 6F 72 2E  - ry.kodekonveyor.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0050    63 6F 6D 00 01 BB 01 00 09 A0 0B 00 1B 72 65 70  - com..........rep
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0060    6F 73 69 74 6F 72 79 2E 6B 6F 64 65 6B 6F 6E 76  - ository.kodekonv
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0070    65 79 6F 72 2E 63 6F 6D 00 A0 0E 00 4C 4D 6F 7A  - eyor.com....LMoz
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0080    69 6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55  - illa/5.0.(X11;.U
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0090    62 75 6E 74 75 3B 20 4C 69 6E 75 78 20 78 38 36  - buntu;.Linux.x86
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00a0    5F 36 34 3B 20 72 76 3A 36 39 2E 30 29 20 47 65  - _64;.rv:69.0).Ge
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00b0    63 6B 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72  - cko/20100101.Fir
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00c0    65 66 6F 78 2F 36 39 2E 30 00 A0 01 00 3F 74 65  - efox/69.0....?te
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00d0    78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63 61 74  - xt/html,applicat
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00e0    69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C 61 70  - ion/xhtml+xml,ap
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00f0    70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B 71 3D  - plication/xml;q=
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0100    30 2E 39 2C 2A 2F 2A 3B 71 3D 30 2E 38 00 00 0F  - 0.9,*/*;q=0.8...
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0110    41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 00  - Accept-Language.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0120    00 17 68 75 2C 65 6E 2D 55 53 3B 71 3D 30 2E 37  - ..hu,en-US;q=0.7
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0130    2C 65 6E 3B 71 3D 30 2E 33 00 00 0F 41 63 63 65  - ,en;q=0.3...Acce
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0140    70 74 2D 45 6E 63 6F 64 69 6E 67 00 00 11 67 7A  - pt-Encoding...gz
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0150    69 70 2C 20 64 65 66 6C 61 74 65 2C 20 62 72 00  - ip,.deflate,.br.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0160    A0 06 00 0A 6B 65 65 70 2D 61 6C 69 76 65 00 A0  - ....keep-alive..
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0170    09 00 6A 4A 53 45 53 53 49 4F 4E 49 44 3D 35 46  - ..jJSESSIONID=5F
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0180    43 44 31 35 39 34 45 42 35 42 32 41 44 38 39 30  - CD1594EB5B2AD890
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0190    37 44 37 32 42 46 31 39 44 39 39 31 31 30 3B 20  - 7D72BF19D99110;.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01a0    6D 6F 64 5F 61 75 74 68 5F 6F 70 65 6E 69 64 63  - mod_auth_openidc
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01b0    5F 73 65 73 73 69 6F 6E 3D 30 30 65 35 31 61 66  - _session=00e51af
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01c0    63 2D 35 39 33 65 2D 34 32 33 37 2D 39 37 35 61  - c-593e-4237-975a
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01d0    2D 38 35 30 36 63 30 30 66 61 66 38 65 00 00 19  - -8506c00faf8e...
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01e0    55 70 67 72 61 64 65 2D 49 6E 73 65 63 75 72 65  - Upgrade-Insecure
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01f0    2D 52 65 71 75 65 73 74 73 00 00 01 31 00 A0 08  - -Requests...1...
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0200    00 01 30 00 0A 00 0F 41 4A 50 5F 52 45 4D 4F 54  - ..0....AJP_REMOT
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0210    45 5F 50 4F 52 54 00 00 05 34 32 38 36 38 00 0A  - E_PORT...42868..
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0220    00 0E 41 4A 50 5F 4C 4F 43 41 4C 5F 41 44 44 52  - ..AJP_LOCAL_ADDR
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0230    00 00 0D 32 31 37 2E 36 31 2E 31 30 35 2E 39 39  - ...217.61.105.99
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0240    00 0A 00 10 4A 4B 5F 4C 42 5F 41 43 54 49 56 41  - ....JK_LB_ACTIVA
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0250    54 49 4F 4E 00 00 03 41 43 54 00 0A 00 05 48 45  - TION...ACT....HE
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0260    4C 4C 4F 00 00 04 53 7A 69 61 00 FF 00 00 00 00  - LLO...Szia......
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.575 2019] [7885:139750518257408] [debug] ajp_send_request::jk_ajp_common.c (1782): (worker1) request body to send 0 - request body to resend 0
05-Oct-2019 19:46:13.580 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header host:repository.kodekonveyor.com
05-Oct-2019 19:46:13.585 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
05-Oct-2019 19:46:13.585 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
05-Oct-2019 19:46:13.586 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Accept-Language:hu,en-US;q=0.7,en;q=0.3
05-Oct-2019 19:46:13.587 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Accept-Encoding:gzip, deflate, br
05-Oct-2019 19:46:13.593 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header connection:keep-alive
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header cookie:JSESSIONID=5FCD1594EB5B2AD8907D72BF19D99110; mod_auth_openidc_session=00e51afc-593e-4237-975a-8506c00faf8e
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Upgrade-Insecure-Requests:1
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header content-length:0
05-Oct-2019 19:46:13.615 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log session:org.apache.catalina.session.StandardSessionFacade@71e6f5f
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr javax.servlet.context.tempdir=/var/lib/tomcat9/work/Catalina/localhost/servlet
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.catalina.resources=org.apache.catalina.webresources.StandardRoot@d61f78d
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.tomcat.InstanceManager=org.apache.catalina.core.DefaultInstanceManager@67361395
05-Oct-2019 19:46:13.617 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.catalina.jsp_classpath=/var/lib/tomcat9/lib/:/var/lib/tomcat9/lib/realm-0.0.1-feature_toolchain.c76b4af.jar:/usr/share/tomcat9/lib/:/usr/share/java/tomcat9-coyote-9.0.16.jar:/usr/share/java/tomcat9-jdbc-9.0.16.jar:/usr/share/java/tomcat9-catalina-9.0.16.jar:/usr/share/java/tomcat9-servlet-api-9.0.16.jar:/usr/share/java/tomcat9-catalina-ha-9.0.16.jar:/usr/share/java/tomcat9-websocket-api-9.0.16.jar:/usr/share/java/tomcat9-jsp-api-9.0.16.jar:/usr/share/java/tomcat9-el-api-9.0.16.jar:/usr/share/java/tomcat9-jaspic-api-9.0.16.jar:/usr/share/java/tomcat9-util-scan-9.0.16.jar:/usr/share/java/tomcat9-i18n-fr-9.0.16.jar:/usr/share/java/tomcat9-annotations-api-9.0.16.jar:/usr/share/java/tomcat9-jasper-9.0.16.jar:/usr/share/java/tomcat9-jasper-el-9.0.16.jar:/usr/share/java/tomcat9-i18n-ru-9.0.16.jar:/usr/share/java/tomcat9-api-9.0.16.jar:/usr/share/java/tomcat9-util-9.0.16.jar:/usr/share/java/tomcat9-dbcp-9.0.16.jar:/usr/share/java/tomcat9-storeconfig-9.0.16.jar:/usr/share/java/tomcat9-catalina-ant-9.0.16.jar:/usr/share/java/tomcat9-i18n-es-9.0.16.jar:/usr/share/java/tomcat9-jni-9.0.16.jar:/usr/share/java/tomcat9-tribes-9.0.16.jar:/usr/share/java/tomcat9-websocket-9.0.16.jar:/usr/share/java/tomcat9-i18n-ja-9.0.16.jar:/usr/share/tomcat9/bin/bootstrap.jar:/usr/share/tomcat9/bin/tomcat-juli.jar
05-Oct-2019 19:46:13.617 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr javax.websocket.server.ServerContainer=org.apache.tomcat.websocket.server.WsServerContainer@4c5e5f6a
05-Oct-2019 19:46:13.618 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.jasper.compiler.TldCache=org.apache.jasper.compiler.TldCache@69db0ce8
05-Oct-2019 19:46:13.618 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.tomcat.JarScanner=org.apache.tomcat.util.scan.StandardJarScanner@6b8453c1
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log user:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log cert:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log authType:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getContextPath:/servlet
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getProtocol:HTTP/1.1
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getRemoteHost:94.62.142.229
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getServerInfo:Apache Tomcat/9.0.16 (Ubuntu)
05-Oct-2019 19:46:13.621 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getServletContextName:null
05-Oct-2019 19:46:13.621 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getRemoteHost:/servlet/servlet
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=99 max=8192
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0000    04 00 C8 00 03 32 30 30 00 00 02 A0 07 00 4C 4A  - .....200......LJ
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0010    53 45 53 53 49 4F 4E 49 44 3D 35 43 31 42 39 38  - SESSIONID=5C1B98
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0020    39 44 33 41 35 33 38 41 45 39 30 33 43 45 32 39  - 9D3A538AE903CE29
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0030    31 36 43 34 46 43 41 44 44 41 3B 20 50 61 74 68  - 16C4FCADDA;.Path
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0040    3D 2F 73 65 72 76 6C 65 74 3B 20 53 65 63 75 72  - =/servlet;.Secur
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0050    65 3B 20 48 74 74 70 4F 6E 6C 79 00 A0 03 00 02  - e;.HttpOnly.....
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0060    34 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00  - 42..............
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (739): (worker1) status = 200
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (746): Number of headers is = 2
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (802): (worker1) Header[0] [Set-Cookie] = [JSESSIONID=5C1B989D3A538AE903CE2916C4FCADDA; Path=/servlet; Secure; HttpOnly]
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (802): (worker1) Header[1] [Content-Length] = [42]
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=46 max=8192
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0000    03 00 2A 53 65 72 76 65 64 20 61 74 3A 20 2F 73  - ..*Served.at:./s
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0010    65 72 76 6C 65 74 0A 48 65 6C 6C 6F 2C 20 66 72  - ervlet.Hello,.fr
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0020    6F 6D 20 61 20 53 65 72 76 6C 65 74 21 00 00 00  - om.a.Servlet!...
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ws_write::mod_jk.c (552): written 42 out of 42
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=2 max=8192
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0000    05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  - ................
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_process_callback::jk_ajp_common.c (2135): (worker1) AJP13 protocol: Reuse is OK
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_reset_endpoint::jk_ajp_common.c (851): (worker1) resetting endpoint with socket 24
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_done::jk_ajp_common.c (3287): recycling connection pool for worker worker1 and socket 24
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] jk_handler::mod_jk.c (2979): Service finished with status=200 for worker=worker1
Oct  5 19:46:13 s_src@repo apache[7879]: repository.kodekonveyor.com:443 94.62.142.229 - - [05/Oct/2019:19:46:13 +0200] "GET /servlet/servlet HTTP/1.1" 200 3605 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/favicon.ico' from 1 maps
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] jk_translate::mod_jk.c (3977): no match for /favicon.ico found
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/favicon.ico' from 1 maps
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] jk_map_to_storage::mod_jk.c (4052): no match for /favicon.ico found
Oct  5 19:46:13 s_src@repo apache[7879]: repository.kodekonveyor.com:443 94.62.142.229 - - [05/Oct/2019:19:46:13 +0200] "GET /favicon.ico HTTP/1.1" 302 1699 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
Oct  5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.046 2019] [7886:139750673094400] [debug] jk_watchdog_func::mod_jk.c (3425): Watchdog thread running
Oct  5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.046 2019] [7886:139750673094400] [debug] wc_maintain::jk_worker.c (353): Maintaining worker worker1
Oct  5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.047 2019] [7885:139750673094400] [debug] jk_watchdog_func::mod_jk.c (3425): Watchdog thread running
Oct  5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.047 2019] [7885:139750673094400] [debug] wc_maintain::jk_worker.c (353): Maintaining worker worker1



Relevant apache config:

    JkWorkersFile /etc/libapache2-mod-jk/workers.properties

    JkLogFile "||/usr/bin/logger -t apache-jk -i -p local5.notice"

    JkLogLevel debug

    JkShmFile /var/log/apache2/jk-runtime-status

    JkWatchdogInterval 60

DocumentRoot /var/www/repo

OIDCProviderMetadataURL https://kode-konveyor.eu.auth0.com/.well-known/openid-configuration
OIDCClientID <correct client id>
OIDCClientSecret '<working client secret>'

OIDCScope "openid name email"
OIDCRedirectURI https://repository.kodekonveyor.com/auth
OIDCCryptoPassphrase <a pass phrase>

DBDriver pgsql
DBDParams "dbname=users user=repo host=infra.kodekonveyor.com"

DBDMin  4
DBDKeep 8
DBDMax  20
DBDExptime 300

#JkMount /manager* worker1


IncludeOptional /etc/repo/apache-directories/*.conf
JkEnvVar SSL_CLIENT_S_DN
JkEnvVar HELLO "Szia"
JkExtractSSL On

ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin/">
        AuthType openid-connect
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        Options +ExecCGI
        AddHandler cgi-script .cgi
        Require valid-user
</Directory>

SSLCACertificateFile "/keys/repo/ca.crt"
<Location "/servlet*">
        JkMount  worker1
        AuthType openid-connect
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        #Require valid-user
        Require dbd-group foobar
        AuthzDBDQuery "select r.rolename as group from roles r, users u, users_roles map where r.id=map.role and u.id=map.userid and u.auth0id=%s"
</Location>
<Directory /var/www/repo/auth>
        DirectoryIndex off
        RewriteEngine Off
        AuthType openid-connect
        AllowOverride None
        AuthzDBDQuery "select r.rolename as group from roles r, users u, users_roles map where r.id=map.role and u.id=map.userid and u.auth0id=%s"
        Require dbd-group allrepo
        Require dbd-group business
</Directory>
<Directory /var/www/repo>
        DirectoryIndex off
        RewriteEngine Off
        AllowOverride None
        AuthType openid-connect
        Require valid-user
</Directory>


/etc/libapache2-mod-jk/workers.properties:
# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009


Re: user and certificate info is not passed to tomcat

Posted by Mark Thomas <ma...@apache.org>.
There is no Tomcat, mod_jk nor httpd bug here.

The root cause of this thread is a configuration error.

From the httpd docs for Location:

<quote>
The URL may use wildcards. In a wild-card string, ? matches any single
character, and * matches any sequences of characters. Neither wildcard
character matches a / in the URL-path.
</quote>

Note - in particular - the final sentence.

From the JkMount docs:

<quote>
Inside Location, one omits the first argument (path), which gets
inherited verbatim from the Location argument. Whereas <Location /myapp>
matches any URI beginning with "/myapp", any JkMount nested in such a
Location block will only match for requests with exact URI /myapp.
Therefore nesting JkMount in Location is typically not the right thing
to do.
</quote>

Again, note - in particular - the final sentence.

The original configuration was:

<Location "/servlet*">
        JkMount  worker1
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
	...
</Location>

As per the documentation, configuration in the Location block and the
JkMount DO NOT apply to the same set of URLs as the matching rules are
different. Hence the behaviour that is observed.

For example "/servlet/foo" will match the JkMount directive but NOT the
location block.


It isn't clear what the intended configuration is but I suspect it is
something along these lines:

<Location "/servlet">
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
	...
</Location>
JkMount  /servlet     worker1
JkMount  /servlet/*   worker1

Mark



On 08/10/2019 02:09, André Warnier (tomcat) wrote:
> On 08.10.2019 00:50, Magosányi Árpád wrote:
>> On 10/7/19 11:29 PM, André Warnier (tomcat) wrote:
>>> <LocationMatch /servlet.*>
>>>      DirectoryIndex off
>>>      RewriteEngine Off
>>>      AuthType openid-connect
>>>      AllowOverride None
>>>      AuthzDBDQuery "a correct database query"
>>>      Require dbd-group allrepo
>>>      LogLevel debug
>>> </LocationMatch>
>>
>> Nice. It has solved the problem, thank you very much. By adding the ssl
>> related directives here I could pass the ssl info as well. So basically
>> we have put the JkMount in a Location, and the other directives in
>> another similar directive, as a kind of workaround?
> 
> Think of it as follows :
> When httpd gets a request,
> - step 1 : it first looks only at the request URL, and it applies any
> directives that it finds in <Location> or <LocationMatch> sections which
> match that URL.
> - step 2 : then it tries to match the URL, with the filesystem on disk,
> and IF it finds a file that corresponds to that URL
> - step 3 : then it applies any <Directory(Match)> or <Files(Match)> that
> apply to that file
> - step 4 : httpd serves the file back to the browser
> 
> If you have JkMount directives that match the URL, then step 2, 3 and 4
> above never happen, because the request will be passed to tomcat anyway,
> so it will never map to a file on the httpd filesystem. And if you have
> JkUnmount directives, that also match the URL, then they partially
> negate the matching JkMount, and they /force/ step 2, 3 and 4.
> 
> The combination of JkMount/JkUnmount directives, with the httpd
> <Location(Match)> and <Directory(Match)> sections, is sometimes a bit
> unclear, specially when they overlap.
> 
> There is another syntax applicable to the proxying via mod_jk, which I
> prefer because I find that it makes the httpd URL mapping clearer, in a
> httpd configuration logic sense.
> You can find it here :
> http://tomcat.apache.org/connectors-doc/reference/apache.html
> section : Using SetHandler and Environment Variables
> 
> Using that form, you do NOT use any "JkMount/JkUnmount" directives, you
> use only <Location(Match)> blocks, like :
> 
> <LocationMatch /servlet.*>
>       SetHandler jakarta-servlet
>       SetEnv JK_WORKER_NAME worker1
>       DirectoryIndex off
>       RewriteEngine Off
>       AuthType openid-connect
>       AllowOverride None
>       AuthzDBDQuery "a correct database query"
>       Require dbd-group allrepo
>       LogLevel debug
> </LocationMatch>
> 
> The combination of the <LocationMatch /servlet.*>, SetHandler and
> SetEnv, does the same as a separate "JkMount /servlet* worker1" and (in
> my view) it makes it clearer in the Apache httpd configuration file, to
> know which URLs get proxied to tomcat and which do not get proxied.
> Look at the example "<Location /apps/>" to see how you can have some
> static documents served by the httpd front-end directly (= not proxied
> to tomcat), and the real calls to tomcat servlets being proxied to tomcat.
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
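To make the mapping rules André describes above concrete, here is an added httpd configuration example (not taken from the thread, and not the original poster's configuration) that uses the SetHandler/JK_WORKER_NAME form instead of JkMount, so that the proxying decision, the client-certificate requirement and the authentication/authorisation all live in the same <LocationMatch> and are evaluated in step 1, before mod_jk takes the request. Assumed names: the worker "worker1" and group "allrepo" come from the thread; the certificate paths, ServerName, DocumentRoot and the AuthzDBDQuery SQL are placeholders, and the mod_auth_openidc OIDC* provider settings and the mod_dbd connection are assumed to be configured elsewhere.

```apache
<VirtualHost *:443>
    # assumed host name and certificate paths
    ServerName repo.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/repo.example.pem
    SSLCertificateKeyFile /etc/ssl/private/repo.example.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # mod_jk: forward mod_ssl's SSL_* variables (JkExtractSSL defaults to On,
    # stated here for clarity) and the full client certificate chain over AJP.
    JkExtractSSL On
    JkOptions +ForwardSSLCertChain

    # Everything at or below /servlet is proxied. No JkMount for this path:
    # the handler plus JK_WORKER_NAME replaces it, and mixing both forms for
    # the same URL is what makes the Location/Directory interplay unclear.
    <LocationMatch "^/servlet(/|$)">
        SetHandler jakarta-servlet
        SetEnv JK_WORKER_NAME worker1

        # Client certificate is mandatory for this path. ExportCertData puts
        # SSL_CLIENT_CERT into the request environment, which mod_jk forwards
        # and Tomcat exposes as javax.servlet.request.X509Certificate.
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLOptions +StdEnvVars +ExportCertData

        # httpd authenticates here; the resulting REMOTE_USER is forwarded as
        # the AJP remote_user attribute and becomes getRemoteUser() in Tomcat
        # once the Connector has tomcatAuthentication="false".
        # The SQL is a placeholder: it must return the group names of %s.
        AuthType openid-connect
        AuthzDBDQuery "SELECT groupname FROM repo_groups WHERE username = %s"
        Require dbd-group allrepo
    </LocationMatch>

    # Anything not matched above is not proxied: it maps to a file on disk,
    # so steps 2 to 4 run and this <Directory> section is the one that applies.
    DocumentRoot /var/www/repo
    <Directory /var/www/repo>
        Require all granted
    </Directory>
</VirtualHost>
```

Two checks worth making on the Tomcat side of this setup. First, with tomcatAuthentication="false" the AJP Connector accepts whatever user name and certificate the AJP peer sends and makes them the request's principal without consulting any Realm, so the Connector must only be reachable from httpd (for example address="127.0.0.1" on the Connector, plus firewalling), otherwise anyone who can open a connection to port 8009 can assert an arbitrary REMOTE_USER. Second, putting SSLVerifyClient in a per-location context means mod_ssl only learns that a certificate is required after it has read the request line, so it has to renegotiate the TLS session (TLS 1.2 and earlier); if the whole virtual host is certificate-protected, placing SSLVerifyClient at the VirtualHost level avoids that.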


Re: user and certificate info is not passed to tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 08.10.2019 00:50, Magosányi Árpád wrote:
> On 10/7/19 11:29 PM, André Warnier (tomcat) wrote:
>> <LocationMatch /servlet.*>
>>      DirectoryIndex off
>>      RewriteEngine Off
>>      AuthType openid-connect
>>      AllowOverride None
>>      AuthzDBDQuery "a correct database query"
>>      Require dbd-group allrepo
>>      LogLevel debug
>> </LocationMatch>
>
> Nice. It has solved the problem, thank you very much. By adding the ssl
> related directives here I could pass the ssl info as well. So basically
> we have put the JkMount in a Location, and the other directives in
> another similar directive, as a kind of workaround?

Think of it as follows :
When httpd gets a request,
- step 1 : it first looks only at the request URL, and it applies any directives that it 
finds in <Location> or <LocationMatch> sections which match that URL.
- step 2 : then it tries to match the URL, with the filesystem on disk, and IF it finds a 
file that corresponds to that URL
- step 3 : then it applies any <Directory(Match)> or <Files(Match)> that apply to that file
- step 4 : httpd serves the file back to the browser

If you have JkMount directives that match the URL, then step 2, 3 and 4 above never 
happen, because the request will be passed to tomcat anyway, so it will never map to a 
file on the httpd filesystem. And if you have JkUnmount directives, that also match the 
URL, then they partially negate the matching JkMount, and they /force/ step 2, 3 and 4.

The combination of JkMount/JkUnmount directives, with the httpd <Location(Match)> and 
<Directory(Match)> sections, is sometimes a bit unclear, especially when they overlap.

There is another syntax applicable to the proxying via mod_jk, which I prefer because I 
find that it makes the httpd URL mapping clearer, in a httpd configuration logic sense.
You can find it here :
http://tomcat.apache.org/connectors-doc/reference/apache.html
section : Using SetHandler and Environment Variables

Using that form, you do NOT use any "JkMount/JkUnmount" directives, you use only 
<Location(Match)> blocks, like :

<LocationMatch /servlet.*>
       SetHandler jakarta-servlet
       SetEnv JK_WORKER_NAME worker1
       DirectoryIndex off
       RewriteEngine Off
       AuthType openid-connect
       AllowOverride None
       AuthzDBDQuery "a correct database query"
       Require dbd-group allrepo
       LogLevel debug
</LocationMatch>

The combination of the <LocationMatch /servlet.*>, SetHandler and SetEnv, does the same as 
a separate "JkMount /servlet* worker1" and (in my view) it makes it clearer in the Apache 
httpd configuration file, to know which URLs get proxied to tomcat and which do not get 
proxied.
Look at the example "<Location /apps/>" to see how you can have some static documents 
served by the httpd front-end directly (= not proxied to tomcat), and the real calls to 
tomcat servlets being proxied to tomcat.





Re: user and certificate info is not passed to tomcat

Posted by Magosányi Árpád <m4...@gmail.com>.
On 10/7/19 11:29 PM, André Warnier (tomcat) wrote:
> <LocationMatch /servlet.*>
>     DirectoryIndex off
>     RewriteEngine Off
>     AuthType openid-connect
>     AllowOverride None
>     AuthzDBDQuery "a correct database query"
>     Require dbd-group allrepo
>     LogLevel debug
> </LocationMatch> 

Nice. It has solved the problem, thank you very much. By adding the ssl
related directives here I could pass the ssl info as well. So basically
we have put the JkMount in a Location, and the other directives in
another similar directive, as a kind of workaround?





Re: user and certificate info is not passed to tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Adding to my own previous post :

A posteriori, I saw a question here :
https://stackoverflow.com/questions/58240796/pass-username-and-client-certificate-from-apache-to-tomcat-using-mod-jk
that may be related to your question on this list.
Examining the above, your problem may be in the httpd configuration :
As I interpret it, the <Directory> section that you mention, will not be taken into 
account for the URLs that you are proxying to tomcat.
That is because <Directory> sections only apply if the URL ultimately maps to a local file 
for httpd. In this case, it does not, because you are proxying this request to tomcat. For 
such URLs, you should use a <Location> or <LocationMatch> in httpd, not a <Directory>.
For example, *add* this to your httpd configuration :
<LocationMatch /servlet.*>
     DirectoryIndex off
     RewriteEngine Off
     AuthType openid-connect
     AllowOverride None
     AuthzDBDQuery "a correct database query"
     Require dbd-group allrepo
     LogLevel debug
</LocationMatch>

Note: the above is very rough, and you may need to tune the regex a bit better.

On 08.10.2019 00:11, André Warnier (tomcat) wrote:
> On 07.10.2019 23:24, Magosányi Árpád wrote:
>> On 10/7/19 8:20 PM, André Warnier (tomcat) wrote:
>>>
>>> Forgot the attribute 'tomcatAuthentication="false"' in the Connector ?
>>>
>>
>> Yes, I did, however adding it back did not improve the situation.
>
> Ok. I just mentioned that, because it is one piece of the puzzle, and you might have
> forgotten it.
> What this piece really does is :
> - IF the front-end Apache httpd authenticates the HTTP request which it later passes on to
> tomcat
> - IF the protocol used between Apache httpd and tomcat is AJP
> - IF the AJP Connector in tomcat has the attribute set as above
> - THEN tomcat will retrieve the user-id of the httpd-authenticated user, and save it
> internally as the tomcat-authenticated user-id for this request
>
> So now you have the two last IF's answered positively.
> What about the first IF ?
>
> Info : in the default format of the Apache httpd access log, it will show the
> authenticated user (if any) for each request, for example like this :
>
> 127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...
> (where "THEUSER" is the httpd-authenticated user)
>
> while if the request is not authenticated by httpd, it will show a "-" instead of the
> user-id, like this :
> 127.0.0.1 - - [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...
>
> (and, of course, if httpd has not authenticated the request which it later passes on to
> tomcat via AJP, then it cannot pass a user-id to tomcat, and thus tomcat cannot retrieve
> this user-id, and thus the request, at the tomcat level, is not authenticated).
>
>
> Next comes the question of how the tomcat application retrieves this user-id, from tomcat
> itself. I suppose that this would be a question for the developers of the
> "com.kodekonveyor.realm.KKAuthorizationFilter" filter mentioned in your configuration below.
> (if the KKAuthorizationFilter does not use request.getRemoteUser(), but uses some other
> method, then you are out of luck for this front-end/back-end combination)(or you may need
> to do something additional at the front-end httpd level).
>
>>
>>
>> My server.xml now:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <Server port="-1" shutdown="SHUTDOWN">
>>    <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
>>    <Listener className="org.apache.catalina.core.AprLifecycleListener"
>> SSLEngine="on" />
>>    <Listener
>> className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>>    <Listener
>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>    <Listener
>> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>>
>>    <GlobalNamingResources>
>>      <Resource name="UserDatabase" auth="Container"
>>                type="org.apache.catalina.UserDatabase"
>>                description="User database that can be updated and saved"
>>                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>                pathname="conf/tomcat-users.xml" />
>>    </GlobalNamingResources>
>>
>>    <Service name="Catalina">
>>
>>      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>> tomcatAuthentication="false"/>
>>
>>
>>      <Engine name="Catalina" defaultHost="localhost">
>>
>>        <Realm className="org.apache.catalina.realm.LockOutRealm">
>>          <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>                 resourceName="UserDatabase"/>
>>        </Realm>
>>
>>        <Host name="localhost"  appBase="webapps"
>>              unpackWARs="true" autoDeploy="true">
>>
>>          <Valve className="org.apache.catalina.valves.AccessLogValve"
>> directory="logs"
>>                 prefix="localhost_access_log" suffix=".txt"
>>                 pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>>
>>        </Host>
>>      </Engine>
>>    </Service>
>> </Server>
>>
>> and my web.xml until mime mappings:
>>
>> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
>>                        http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
>>    version="4.0">
>>
>>
>>      <servlet>
>>          <servlet-name>default</servlet-name>
>>
>> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>>          <init-param>
>>              <param-name>debug</param-name>
>>              <param-value>0</param-value>
>>          </init-param>
>>          <init-param>
>>              <param-name>listings</param-name>
>>              <param-value>false</param-value>
>>          </init-param>
>>          <load-on-startup>1</load-on-startup>
>>      </servlet>
>>
>>
>>      <servlet>
>>          <servlet-name>jsp</servlet-name>
>>          <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
>>          <init-param>
>>              <param-name>fork</param-name>
>>              <param-value>false</param-value>
>>          </init-param>
>>          <init-param>
>>              <param-name>xpoweredBy</param-name>
>>              <param-value>false</param-value>
>>          </init-param>
>>          <load-on-startup>3</load-on-startup>
>>      </servlet>
>>
>>
>>      <servlet-mapping>
>>          <servlet-name>default</servlet-name>
>>          <url-pattern>/</url-pattern>
>>      </servlet-mapping>
>>
>>      <servlet-mapping>
>>          <servlet-name>jsp</servlet-name>
>>          <url-pattern>*.jsp</url-pattern>
>>          <url-pattern>*.jspx</url-pattern>
>>      </servlet-mapping>
>>
>>    <filter>
>>      <filter-name>KKAuthorizationFilter</filter-name>
>>
>> <filter-class>com.kodekonveyor.realm.KKAuthorizationFilter</filter-class>
>>    </filter>
>>
>>    <filter-mapping>
>>      <filter-name>KKAuthorizationFilter</filter-name>
>>      <url-pattern>/*</url-pattern>
>>      <dispatcher>REQUEST</dispatcher>
>>    </filter-mapping>
>>
>>      <session-config>
>>          <session-timeout>30</session-timeout>
>>      </session-config>
>>
>>
>>
>>




Re: user and certificate info is not passed to tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 07.10.2019 23:24, Magosányi Árpád wrote:
> On 10/7/19 8:20 PM, André Warnier (tomcat) wrote:
>>
>> Forgot the attribute 'tomcatAuthentication="false"' in the Connector ?
>>
>
> Yes, I did, however adding it back did not improve the situation.

Ok. I just mentioned that, because it is one piece of the puzzle, and you might have 
forgotten it.
What this piece really does is :
- IF the front-end Apache httpd authenticates the HTTP request which it later passes on to 
tomcat
- IF the protocol used between Apache httpd and tomcat is AJP
- IF the AJP Connector in tomcat has the attribute set as above
- THEN tomcat will retrieve the user-id of the httpd-authenticated user, and save it 
internally as the tomcat-authenticated user-id for this request

So now you have the two last IF's answered positively.
What about the first IF ?

Info : in the default format of the Apache httpd access log, it will show the 
authenticated user (if any) for each request, for example like this :

127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...
(where "THEUSER" is the httpd-authenticated user)

while if the request is not authenticated by httpd, it will show a "-" instead of the 
user-id, like this :
127.0.0.1 - - [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...

(and, of course, if httpd has not authenticated the request which it later passes on to 
tomcat via AJP, then it cannot pass a user-id to tomcat, and thus tomcat cannot retrieve 
this user-id, and thus the request, at the tomcat level, is not authenticated).


Next comes the question of how the tomcat application retrieves this user-id, from tomcat 
itself. I suppose that this would be a question for the developers of the 
"com.kodekonveyor.realm.KKAuthorizationFilter" filter mentioned in your configuration below.
(if the KKAuthorizationFilter does not use request.getRemoteUser(), but uses some other 
method, then you are out of luck for this front-end/back-end combination)(or you may need 
to do something additional at the front-end httpd level).

>
>
> My server.xml now:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Server port="-1" shutdown="SHUTDOWN">
>    <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
>    <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
>    <Listener
> className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>    <Listener
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>    <Listener
> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>
>    <GlobalNamingResources>
>      <Resource name="UserDatabase" auth="Container"
>                type="org.apache.catalina.UserDatabase"
>                description="User database that can be updated and saved"
>                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>                pathname="conf/tomcat-users.xml" />
>    </GlobalNamingResources>
>
>    <Service name="Catalina">
>
>      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> tomcatAuthentication="false"/>
>
>
>      <Engine name="Catalina" defaultHost="localhost">
>
>        <Realm className="org.apache.catalina.realm.LockOutRealm">
>          <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                 resourceName="UserDatabase"/>
>        </Realm>
>
>        <Host name="localhost"  appBase="webapps"
>              unpackWARs="true" autoDeploy="true">
>
>          <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>                 prefix="localhost_access_log" suffix=".txt"
>                 pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>
>        </Host>
>      </Engine>
>    </Service>
> </Server>
>
> and my web.xml until mime mappings:
>
> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
>                        http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
>    version="4.0">
>
>
>      <servlet>
>          <servlet-name>default</servlet-name>
>
> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>          <init-param>
>              <param-name>debug</param-name>
>              <param-value>0</param-value>
>          </init-param>
>          <init-param>
>              <param-name>listings</param-name>
>              <param-value>false</param-value>
>          </init-param>
>          <load-on-startup>1</load-on-startup>
>      </servlet>
>
>
>      <servlet>
>          <servlet-name>jsp</servlet-name>
>          <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
>          <init-param>
>              <param-name>fork</param-name>
>              <param-value>false</param-value>
>          </init-param>
>          <init-param>
>              <param-name>xpoweredBy</param-name>
>              <param-value>false</param-value>
>          </init-param>
>          <load-on-startup>3</load-on-startup>
>      </servlet>
>
>
>      <servlet-mapping>
>          <servlet-name>default</servlet-name>
>          <url-pattern>/</url-pattern>
>      </servlet-mapping>
>
>      <servlet-mapping>
>          <servlet-name>jsp</servlet-name>
>          <url-pattern>*.jsp</url-pattern>
>          <url-pattern>*.jspx</url-pattern>
>      </servlet-mapping>
>
>    <filter>
>      <filter-name>KKAuthorizationFilter</filter-name>
>
> <filter-class>com.kodekonveyor.realm.KKAuthorizationFilter</filter-class>
>    </filter>
>
>    <filter-mapping>
>      <filter-name>KKAuthorizationFilter</filter-name>
>      <url-pattern>/*</url-pattern>
>      <dispatcher>REQUEST</dispatcher>
>    </filter-mapping>
>
>      <session-config>
>          <session-timeout>30</session-timeout>
>      </session-config>
>
>
>
>




Re: user and certificate info is not passed to tomcat

Posted by Magosányi Árpád <m4...@gmail.com>.
On 10/7/19 8:20 PM, André Warnier (tomcat) wrote:
>
> Forgot the attribute 'tomcatAuthentication="false"' in the Connector ?
>

Yes, I did, however adding it back did not improve the situation.


My server.xml now:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
  <Listener
className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener
className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
tomcatAuthentication="false"/>


    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>

and my web.xml until mime mappings:

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0">


    <servlet>
        <servlet-name>default</servlet-name>
       
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>


    <servlet>
        <servlet-name>jsp</servlet-name>
        <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
        <init-param>
            <param-name>fork</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>xpoweredBy</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>3</load-on-startup>
    </servlet>


    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.jspx</url-pattern>
    </servlet-mapping>

  <filter>
    <filter-name>KKAuthorizationFilter</filter-name>
   
<filter-class>com.kodekonveyor.realm.KKAuthorizationFilter</filter-class>
  </filter>
 
  <filter-mapping>
    <filter-name>KKAuthorizationFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>








Re: user and certificate info is not passed to tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 07.10.2019 17:36, Magosányi Árpád wrote:
>> Magosányi,
>>
>>>> How are you getting the attributes from the request?
>>
>>> This is the filter code:
>>
>>
>>> String user = httpRequest.getRemoteUser(); Object cert =
>>> httpRequest.getAttribute("javax.servlet.request.X509Certificate");
>>> this.context.log("user:"+user);
>>
>> This won't show any username unless the user has logged in using HTTP
>> Basic/Digest authentication. Are you using those?
>
> I am using openid right now in the apache side, but also tested with
> basic auth to make sure that it is not an interaction with mod_openidc.
>
> The user information does not get passed along either in the remoteUser
> attribute or anywhere, in either of those cases, even though the
> documentation states that the authenticated user name should be
> retrievable using httpRequest.getRemoteUser(), and the CGI clearly shows
> that we indeed have a REMOTE_USER in the apache side.
>
>
>>
>> To get the certificate chain, I think you also need this in your httpd
>> configuration:
>>
>>      JkOptions +ForwardSSLCertChain
>>
> I have added this now, though as I understand this is only needed if I
> want to get the full chain.
>
> Unfortunately this did not improve the situation in any way.
>

Forgot the attribute 'tomcatAuthentication="false"' in the Connector ?





Re: user and certificate info is not passed to tomcat

Posted by Magosányi Árpád <m4...@gmail.com>.
> Magosányi,
>
> >> How are you getting the attributes from the request?
>
> > This is the filter code:
>
>
> > String user = httpRequest.getRemoteUser(); Object cert =
> > httpRequest.getAttribute("javax.servlet.request.X509Certificate");
> > this.context.log("user:"+user);
>
> This won't show any username unless the user has logged in using HTTP
> Basic/Digest authentication. Are you using those?

I am using openid right now in the apache side, but also tested with
basic auth to make sure that it is not an interaction with mod_openidc.

The user information does not get passed along either in the remoteUser
attribute or anywhere, in either of those cases, even though the
documentation states that the authenticated user name should be
retrievable using httpRequest.getRemoteUser(), and the CGI clearly shows
that we indeed have a REMOTE_USER in the apache side.


>
> To get the certificate chain, I think you also need this in your httpd
> configuration:
>
>     JkOptions +ForwardSSLCertChain
>
I have added this now, though as I understand this is only needed if I
want to get the full chain.

Unfortunately this did not improve the situation in any way.





Re: user and certificate info is not passed to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Magosányi,

On 10/7/19 11:16, Magosányi Árpád wrote:
>> Magosányi,
>>
>> On 10/7/19 10:37, Magosányi Árpád wrote:
>>> I intend to use the user and certificate info in a Filter.
>>
>>> I think I have configured everything to do that, but the
>>> information does not get passed along. Based on various
>>> documentations and howtos, SSLVerifyClient require, SSLOptions
>>> +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On
>>> should be enough to pass certificate data, and Require
>>> valid-user should be enough to pass the authenticated
>>> username.
>>
>>> I see the following debug output (also contains the various
>>> info logged by the filter), which clearly lacks the information
>>> needed.
>> How are you getting the attributes from the request?
>
> This is the filter code:
>
>
> String user = httpRequest.getRemoteUser(); Object cert =
> httpRequest.getAttribute("javax.servlet.request.X509Certificate");
> this.context.log("user:"+user);

This won't show any username unless the user has logged in using HTTP
Basic/Digest authentication. Are you using those?

To get the certificate chain, I think you also need this in your httpd
configuration:

    JkOptions +ForwardSSLCertChain

>> Is the CGI being executed by Tomcat or is it being executed by
>> httpd?
>
> Executed by Apache httpd.

Okay.

-chris


Re: user and certificate info is not passed to tomcat

Posted by Magosányi Árpád <m4...@gmail.com>.
> Magosányi,
>
> On 10/7/19 10:37, Magosányi Árpád wrote:
> > I intend to use the user and certificate info in a Filter.
>
> > I think I have configured everything to do that, but the
> > information does not get passed along. Based on various
> > documentations and howtos, SSLVerifyClient require, SSLOptions
> > +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On
> > should be enough to pass certificate data, and Require valid-user
> > should be enough to pass the authenticated username.
>
> > I see the following debug output (also contains the various info
> > logged by the filter), which clearly lacks the information needed.
> How are you getting the attributes from the request?

This is the filter code:


package com.kodekonveyor.realm;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Diagnostic filter: logs everything Tomcat knows about the request, so that
// we can see whether the httpd-authenticated user and the client certificate
// forwarded over AJP arrived.
public class KKAuthorizationFilter implements Filter {

    private ServletContext context;

    @Override
    public void init(FilterConfig fConfig) throws ServletException {
        this.context = fConfig.getServletContext();
        this.context.log("KKAuthorizationFilter initialized");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String user = httpRequest.getRemoteUser();
        String authType = httpRequest.getAuthType();

        // Request attributes: this is where AJP-forwarded SSL data shows up
        // (javax.servlet.request.X509Certificate, cipher_suite, key_size, ...).
        for (String attributeName : Collections.list(httpRequest.getAttributeNames())) {
            this.context.log("attr " + attributeName + "=" + httpRequest.getAttribute(attributeName));
        }
        // getParameterValues() returns a String[]; log its contents, not the array reference.
        for (String name : Collections.list(httpRequest.getParameterNames())) {
            this.context.log("param " + name + "=" + Arrays.toString(httpRequest.getParameterValues(name)));
        }
        for (String headerName : Collections.list(httpRequest.getHeaderNames())) {
            for (String value : Collections.list(httpRequest.getHeaders(headerName))) {
                this.context.log("header " + headerName + ":" + value);
            }
        }
        // getSession(false) only looks at an existing session; getSession() would
        // create one as a side effect of logging.
        HttpSession session = httpRequest.getSession(false);
        this.context.log("session:" + session);
        if (session != null) {
            for (String sessionAttName : Collections.list(session.getAttributeNames())) {
                this.context.log("session attribute " + sessionAttName + ":" + session.getAttribute(sessionAttName));
            }
        }
        for (String attributeName : Collections.list(context.getAttributeNames())) {
            this.context.log("context attr " + attributeName + "=" + context.getAttribute(attributeName));
        }
        // When forwarded by mod_jk, this attribute is an X509Certificate[] (leaf first);
        // print the array contents rather than its identity hash.
        Object cert = httpRequest.getAttribute("javax.servlet.request.X509Certificate");
        this.context.log("user:" + user);
        this.context.log("cert:" + (cert instanceof Object[] ? Arrays.toString((Object[]) cert) : cert));
        this.context.log("authType:" + authType);
        this.context.log("getContextPath:" + httpRequest.getContextPath());
        this.context.log("getProtocol:" + httpRequest.getProtocol());
        this.context.log("getRemoteHost:" + httpRequest.getRemoteHost());
        this.context.log("getServerInfo:" + context.getServerInfo());
        this.context.log("getServletContextName:" + context.getServletContextName());
        this.context.log("getRequestURI:" + httpRequest.getRequestURI());
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}


>
> > I have a cgi in the cgi-bin directory, which prints out the
> > environment, and I see both REMOTE_USER and all relevant
> > certificate related information there.
> Is the CGI being executed by Tomcat or is it being executed by httpd?


Executed by Apache httpd. As you can see in the logs, mod_jk does not
pass any of that information through to tomcat, which is exactly my problem.

For reference, here is the code of the CGI (not my code, copied from the
internet):

#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";
print "<pre>\n";

# Dump every CGI environment variable. Values are HTML-escaped because some
# of them (QUERY_STRING, HTTP_* headers) are chosen by the client.
foreach my $key (sort keys %ENV) {
    my $value = $ENV{$key};
    $value =~ s/&/&amp;/g;
    $value =~ s/</&lt;/g;
    $value =~ s/>/&gt;/g;
    print "$key = $value\n";
}
print "</pre>\n";

and relevant parts of the output:

REMOTE_USER = github|756838@kode-konveyor.eu.auth0.com/
SSL_CLIENT_S_DN = emailAddress=mag@kodekonveyor.com,CN=mag


>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

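As an added example (not code from this thread and not the poster's filter), here is how a filter would consume the client certificate chain and the httpd-authenticated user once mod_jk delivers them. It assumes the AJP Connector in server.xml carries tomcatAuthentication="false" (with the default of true, Tomcat ignores the REMOTE_USER that mod_jk forwards and getRemoteUser() stays null), that httpd runs with the SSLVerifyClient, SSLOptions and JkExtractSSL settings quoted above, and that the class name, the attribute name com.kodekonveyor.clientDn and the Connector values in the comment are placeholders invented for the example:

```java
package com.kodekonveyor.realm;

import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not the original poster's code) that consumes the client
 * certificate chain and the web-server-authenticated user forwarded by mod_jk.
 *
 * Assumed, not stated on the page:
 *  - server.xml has something like
 *      <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
 *                 tomcatAuthentication="false" secret="change-me"/>
 *    (the secret attribute exists from Tomcat 9.0.31; older releases spell
 *    it requiredSecret). Without tomcatAuthentication="false" Tomcat drops
 *    the forwarded REMOTE_USER.
 *  - httpd terminates TLS with SSLVerifyClient require and JkExtractSSL On,
 *    so the chain arrives as the javax.servlet.request.X509Certificate attribute.
 */
public class ClientCertFilter implements Filter {

    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String DN_ATTR = "com.kodekonveyor.clientDn"; // hypothetical name

    private ServletContext context;

    @Override
    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The attribute is an X509Certificate[] with the leaf first, never a single
        // certificate; logging it as a plain Object only prints an identity hash.
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            context.log("no client certificate chain on " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        X509Certificate leaf = ((X509Certificate[]) attr)[0];

        // httpd already validated the chain against its CA bundle; re-checking the
        // validity period is cheap and catches a front end with a wrong clock.
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            context.log("client certificate outside validity period: " + e.getMessage());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // RFC 2253 form is stable for comparisons; X500Principal.toString() is not.
        String dn = leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
        String remoteUser = request.getRemoteUser(); // REMOTE_USER forwarded over AJP

        context.log("client DN=" + dn + " serial=" + leaf.getSerialNumber().toString(16)
                + " remoteUser=" + remoteUser + " authType=" + request.getAuthType());

        // Require both factors httpd was asked for: a valid cert and an authenticated user.
        if (remoteUser == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute(DN_ATTR, dn);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Bind the AJP Connector to loopback (or a private interface) and set the secret: the remote user and the certificate attribute arrive over AJP exactly as the front end asserts them, so anything that can open a connection to port 8009 could assert them too.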

Re: user and certificate info is not passed to tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Magosányi,

On 10/7/19 10:37, Magosányi Árpád wrote:
> I intend to use the user and certificate info in a Filter.
>
> I think I have configured everything to do that, but the
> information does not get passed along. Based on various
> documentations and howtos, SSLVerifyClient require, SSLOptions
> +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On
> should be enough to pass certificate data, and Require valid-user
> should be enough to pass the authenticated username.
>
> I see the following debug output (also contains the various info
> logged by the filter), which clearly lacks the information needed.
How are you getting the attributes from the request?

> I have a cgi in the cgi-bin directory, which prints out the
> environment, and I see both REMOTE_USER and all relevant
> certificate related information there.
Is the CGI being executed by Tomcat or is it being executed by httpd?

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org