You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Sylvain Goulmy <sy...@gmail.com> on 2011/09/16 10:44:33 UTC
Http connector and remote user information
Hi everyone,
I'm actually using Tomcat on my environment platform (Tomcat 5.5 / Tomcat 6
and soon Tomcat 7). I have a frontend Apache http Server using the jk
connector to communicate with Tomcat instance.
I'd like to change this connector and use the mod_proxy one for several
reasons. The main difficulty to handle is relative to the remote-user
information. Indeed the jk connector automatically transmits the information
so that the application can retrieve it using a request.getRemoteUser()
method call.
If i'm not using the ajp connector anymore, i need to handle something on
the tomcat side to set the remote user in the request object. I thought i
could use a valve to do this. And that's where the road ends, i have watched
the ajp conenctor code in order to see how the remote user is set in the
request but i can't find it.
Could you please tell me how i can do this ?
Best regards.
Sylvain
Re: Http connector and remote user information
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
André,
On 9/19/2011 8:43 AM, André Warnier wrote:
> If your Tomcat server is accessible via other channels than from
> the Apache front-end, then this is of course a security hole, since
> anyone can forge such a HTTP header and send it to Tomcat.
+1
> So I would only use this in conjunction with a RemoteAddress Valve,
> or by having Tomcat listening only on a IP address which only the
> Apache host can access. (Or encrypting/decrypting the header, but
> that is more of a hassle).
You could also use mod_headers to remove any X-Forwarded-User headers
that come from the client before adding it yourself, but then you only
protect against connections actually coming from your trusted servers.
André's solution is better.
> Essentially mod_jk and mod_proxy_ajp have the same issue, but the
> AJP protocol is a bit more difficult to handle and play with, than
> straight HTTP.
Correct. You can't spoof trusted AJP info the way you can put just
anything you want in the HTTP headers (at least, once you upgrade to
the latest Tomcat that fixes CVE-2011-3190).
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk53XL0ACgkQ9CaO5/Lv0PCq2QCeP+JrYvtXQERoJ2y0bR+cqcPS
paAAoJBVNlaEj1xXVPVRfX8/PGLckvST
=hsix
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Http connector and remote user information
Posted by Sylvain Goulmy <sy...@gmail.com>.
On Mon, Sep 19, 2011 at 4:31 PM, Sylvain Goulmy <sy...@gmail.com> wrote:
> On Mon, Sep 19, 2011 at 2:43 PM, André Warnier <aw...@ice-sa.com> wrote:
>
>> Hi.
>>
>> I am not knowledgeable enough in Java code to tell if there is something
>> wrong with the method, but if it works for you, that's the most important
>> aspect.
>>
>> By curiosity, how are you telling Apache to add this header ?
>>
>
> I'm using the RequestHeader directive :
>
> RequestHeader set X-Forwarded-User ...
>
Our authentification module (siteminder agent) set the remote user in the
apache request, then we use this information in a second step to
systemacally set the X-Forwarded header.
>
>
>>
>> And one more thing, which I am sure you must have considered, but maybe
>> worth mentioning anyway :
>>
>> If your Tomcat server is accessible via other channels than from the
>> Apache front-end, then this is of course a security hole, since anyone can
>> forge such a HTTP header and send it to Tomcat. So I would only use this in
>> conjunction with a RemoteAddress Valve, or by having Tomcat listening only
>> on a IP address which only the Apache host can access.
>> (Or encrypting/decrypting the header, but that is more of a hassle).
>>
>> Essentially mod_jk and mod_proxy_ajp have the same issue, but the AJP
>> protocol is a bit more difficult to handle and play with, than straight
>> HTTP.
>>
>
> I have taken this aspect in consideration, but as you said, it worths
> mentionning it ;-)
>
>
>>
>>
>>
>> Sylvain Goulmy wrote:
>>
>>> Thank you André for your contribution which was very helpful.
>>>
>>> If you are using the first one (HTTP), then one way would be to force
>>> Apache
>>>
>>>> to add a HTTP header to the request, containing the user-id; and on the
>>>> Tomcat side, have something that picks up this HTTP header, and stuffs
>>>> its
>>>> content in the UserPrincipal object.
>>>> I don't know if something like that exists ready-made, but a custom
>>>> Valve
>>>> or servlet filter should be able to do that.
>>>>
>>>
>>>
>>> This is effectively the solution i had chosen, i should have mentionned
>>> it.
>>> Actually i was looking for the implementation on the tomcat side that's
>>> why
>>> i was looking how the ajp connector was using the user-id data to set the
>>> remote user. You gave me the solution by mentionning the UserPrincipal
>>> object as i was on the wrong place looking for a setRemoteUser() method.
>>>
>>> Here is the code of the valve which give me the expected result :
>>>
>>> public class RemoteUserValve extends ValveBase {
>>>
>>>> public void invoke(Request request, Response response) throws
>>>> IOException, ServletException {
>>>> String remoteUser = request.getHeader("X-**
>>>> Forwarded-User");
>>>> Principal userPrincipal = request.getPrincipal();
>>>> if (userPrincipal != null) {
>>>> System.out.println("Principal getName : " +
>>>> userPrincipal.getName() + ".");
>>>> System.out.println("Principal toString : " +
>>>> userPrincipal.toString() + ".");
>>>> } else {
>>>> System.out.println("**userPrincipal is null.");
>>>> request.setUserPrincipal(new
>>>> CoyotePrincipal(remoteUser));
>>>> }
>>>> getNext().invoke(request, response);
>>>> }
>>>> }
>>>>
>>>
>>>
>>> Please, feel free to comment this code if something looks improvable.
>>>
>>> Thx again for your help.
>>>
>>> Sylvain
>>>
>>> On Fri, Sep 16, 2011 at 11:33 AM, André Warnier <aw...@ice-sa.com> wrote:
>>>
>>> Sylvain Goulmy wrote:
>>>>
>>>> Hi everyone,
>>>>>
>>>>> I'm actually using Tomcat on my environment platform (Tomcat 5.5 /
>>>>> Tomcat
>>>>> 6
>>>>> and soon Tomcat 7). I have a frontend Apache http Server using the jk
>>>>> connector to communicate with Tomcat instance.
>>>>>
>>>>> I'd like to change this connector and use the mod_proxy one for several
>>>>> reasons. The main difficulty to handle is relative to the remote-user
>>>>> information. Indeed the jk connector automatically transmits the
>>>>> information
>>>>> so that the application can retrieve it using a request.getRemoteUser()
>>>>> method call.
>>>>>
>>>>> If i'm not using the ajp connector anymore, i need to handle something
>>>>> on
>>>>> the tomcat side to set the remote user in the request object. I thought
>>>>> i
>>>>> could use a valve to do this. And that's where the road ends, i have
>>>>> watched
>>>>> the ajp conenctor code in order to see how the remote user is set in
>>>>> the
>>>>> request but i can't find it.
>>>>>
>>>>>
>>>>> You are not finding it, because you are looking in the wrong place.
>>>> If mod_jk can pass the authenticated user to Tomcat, via the AJP
>>>> channel,
>>>> it is because the user (or request) has been authenticated on the Apache
>>>> side, before the request is forwarded through mod_jk to Tomcat.
>>>> The AJP connector on the Tomcat side then picks up this user-id from the
>>>> request coming in on the AJP channel, and sets the UserPrincipal in
>>>> Tomcat
>>>> accordingly.
>>>> That's why a subsequent getRemoteUser() can pick it up in Tomcat.
>>>>
>>>> If you want to switch to mod_proxy instead of mod_jk, the question is :
>>>> can
>>>> mod_proxy forward the Apache user-id to Tomcat ?
>>>> The question is slightly more complicated, because there are two methods
>>>> of
>>>> connecting Apache to Tomcat using mod_proxy :
>>>> a) mod_proxy_http (protocol = HTTP, over Tomcat HTTP Connector)
>>>> b) mod_proxy_ajp (protocol = AJP, over Tomcat's AJP Connector (the same
>>>> as
>>>> the one used with mod_jk)
>>>>
>>>> If you are using the second one (AJP), then we know that the AJP
>>>> protocol
>>>> /can/ carry the Apache user-id to Tomcat (because that is what mod_jk
>>>> does).
>>>> The question is whether mod_proxy_ajp has some setting to tell it to do
>>>> that (or does it by default).
>>>>
>>>> If you are using the first one (HTTP), then one way would be to force
>>>> Apache to add a HTTP header to the request, containing the user-id; and
>>>> on
>>>> the Tomcat side, have something that picks up this HTTP header, and
>>>> stuffs
>>>> its content in the UserPrincipal object.
>>>> I don't know if something like that exists ready-made, but a custom
>>>> Valve
>>>> or servlet filter should be able to do that.
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------****----------------------------**
>>>> --**---------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apa**che.org<http://apache.org>
>>>> <us...@tomcat.apache.org>
>>>> >
>>>>
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>>
>>>
>>
>> ------------------------------**------------------------------**---------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<us...@tomcat.apache.org>
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
Re: Http connector and remote user information
Posted by Sylvain Goulmy <sy...@gmail.com>.
On Mon, Sep 19, 2011 at 2:43 PM, André Warnier <aw...@ice-sa.com> wrote:
> Hi.
>
> I am not knowledgeable enough in Java code to tell if there is something
> wrong with the method, but if it works for you, that's the most important
> aspect.
>
> By curiosity, how are you telling Apache to add this header ?
>
I'm using the RequestHeader directive :
RequestHeader set X-Forwarded-User ...
>
> And one more thing, which I am sure you must have considered, but maybe
> worth mentioning anyway :
>
> If your Tomcat server is accessible via other channels than from the Apache
> front-end, then this is of course a security hole, since anyone can forge
> such a HTTP header and send it to Tomcat. So I would only use this in
> conjunction with a RemoteAddress Valve, or by having Tomcat listening only
> on a IP address which only the Apache host can access.
> (Or encrypting/decrypting the header, but that is more of a hassle).
>
> Essentially mod_jk and mod_proxy_ajp have the same issue, but the AJP
> protocol is a bit more difficult to handle and play with, than straight
> HTTP.
>
I have taken this aspect in consideration, but as you said, it worths
mentionning it ;-)
>
>
>
> Sylvain Goulmy wrote:
>
>> Thank you André for your contribution which was very helpful.
>>
>> If you are using the first one (HTTP), then one way would be to force
>> Apache
>>
>>> to add a HTTP header to the request, containing the user-id; and on the
>>> Tomcat side, have something that picks up this HTTP header, and stuffs
>>> its
>>> content in the UserPrincipal object.
>>> I don't know if something like that exists ready-made, but a custom Valve
>>> or servlet filter should be able to do that.
>>>
>>
>>
>> This is effectively the solution i had chosen, i should have mentionned
>> it.
>> Actually i was looking for the implementation on the tomcat side that's
>> why
>> i was looking how the ajp connector was using the user-id data to set the
>> remote user. You gave me the solution by mentionning the UserPrincipal
>> object as i was on the wrong place looking for a setRemoteUser() method.
>>
>> Here is the code of the valve which give me the expected result :
>>
>> public class RemoteUserValve extends ValveBase {
>>
>>> public void invoke(Request request, Response response) throws
>>> IOException, ServletException {
>>> String remoteUser = request.getHeader("X-**
>>> Forwarded-User");
>>> Principal userPrincipal = request.getPrincipal();
>>> if (userPrincipal != null) {
>>> System.out.println("Principal getName : " +
>>> userPrincipal.getName() + ".");
>>> System.out.println("Principal toString : " +
>>> userPrincipal.toString() + ".");
>>> } else {
>>> System.out.println("**userPrincipal is null.");
>>> request.setUserPrincipal(new
>>> CoyotePrincipal(remoteUser));
>>> }
>>> getNext().invoke(request, response);
>>> }
>>> }
>>>
>>
>>
>> Please, feel free to comment this code if something looks improvable.
>>
>> Thx again for your help.
>>
>> Sylvain
>>
>> On Fri, Sep 16, 2011 at 11:33 AM, André Warnier <aw...@ice-sa.com> wrote:
>>
>> Sylvain Goulmy wrote:
>>>
>>> Hi everyone,
>>>>
>>>> I'm actually using Tomcat on my environment platform (Tomcat 5.5 /
>>>> Tomcat
>>>> 6
>>>> and soon Tomcat 7). I have a frontend Apache http Server using the jk
>>>> connector to communicate with Tomcat instance.
>>>>
>>>> I'd like to change this connector and use the mod_proxy one for several
>>>> reasons. The main difficulty to handle is relative to the remote-user
>>>> information. Indeed the jk connector automatically transmits the
>>>> information
>>>> so that the application can retrieve it using a request.getRemoteUser()
>>>> method call.
>>>>
>>>> If i'm not using the ajp connector anymore, i need to handle something
>>>> on
>>>> the tomcat side to set the remote user in the request object. I thought
>>>> i
>>>> could use a valve to do this. And that's where the road ends, i have
>>>> watched
>>>> the ajp conenctor code in order to see how the remote user is set in the
>>>> request but i can't find it.
>>>>
>>>>
>>>> You are not finding it, because you are looking in the wrong place.
>>> If mod_jk can pass the authenticated user to Tomcat, via the AJP channel,
>>> it is because the user (or request) has been authenticated on the Apache
>>> side, before the request is forwarded through mod_jk to Tomcat.
>>> The AJP connector on the Tomcat side then picks up this user-id from the
>>> request coming in on the AJP channel, and sets the UserPrincipal in
>>> Tomcat
>>> accordingly.
>>> That's why a subsequent getRemoteUser() can pick it up in Tomcat.
>>>
>>> If you want to switch to mod_proxy instead of mod_jk, the question is :
>>> can
>>> mod_proxy forward the Apache user-id to Tomcat ?
>>> The question is slightly more complicated, because there are two methods
>>> of
>>> connecting Apache to Tomcat using mod_proxy :
>>> a) mod_proxy_http (protocol = HTTP, over Tomcat HTTP Connector)
>>> b) mod_proxy_ajp (protocol = AJP, over Tomcat's AJP Connector (the same
>>> as
>>> the one used with mod_jk)
>>>
>>> If you are using the second one (AJP), then we know that the AJP protocol
>>> /can/ carry the Apache user-id to Tomcat (because that is what mod_jk
>>> does).
>>> The question is whether mod_proxy_ajp has some setting to tell it to do
>>> that (or does it by default).
>>>
>>> If you are using the first one (HTTP), then one way would be to force
>>> Apache to add a HTTP header to the request, containing the user-id; and
>>> on
>>> the Tomcat side, have something that picks up this HTTP header, and
>>> stuffs
>>> its content in the UserPrincipal object.
>>> I don't know if something like that exists ready-made, but a custom Valve
>>> or servlet filter should be able to do that.
>>>
>>>
>>>
>>>
>>> ------------------------------****----------------------------**
>>> --**---------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apa**che.org<http://apache.org>
>>> <us...@tomcat.apache.org>
>>> >
>>>
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<us...@tomcat.apache.org>
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Http connector and remote user information
Posted by André Warnier <aw...@ice-sa.com>.
Hi.
I am not knowledgeable enough in Java code to tell if there is something wrong with the
method, but if it works for you, that's the most important aspect.
By curiosity, how are you telling Apache to add this header ?
And one more thing, which I am sure you must have considered, but maybe worth mentioning
anyway :
If your Tomcat server is accessible via other channels than from the Apache front-end,
then this is of course a security hole, since anyone can forge such a HTTP header and send
it to Tomcat. So I would only use this in conjunction with a RemoteAddress Valve, or by
having Tomcat listening only on a IP address which only the Apache host can access.
(Or encrypting/decrypting the header, but that is more of a hassle).
Essentially mod_jk and mod_proxy_ajp have the same issue, but the AJP protocol is a bit
more difficult to handle and play with, than straight HTTP.
Sylvain Goulmy wrote:
> Thank you André for your contribution which was very helpful.
>
> If you are using the first one (HTTP), then one way would be to force Apache
>> to add a HTTP header to the request, containing the user-id; and on the
>> Tomcat side, have something that picks up this HTTP header, and stuffs its
>> content in the UserPrincipal object.
>> I don't know if something like that exists ready-made, but a custom Valve
>> or servlet filter should be able to do that.
>
>
> This is effectively the solution i had chosen, i should have mentionned it.
> Actually i was looking for the implementation on the tomcat side that's why
> i was looking how the ajp connector was using the user-id data to set the
> remote user. You gave me the solution by mentionning the UserPrincipal
> object as i was on the wrong place looking for a setRemoteUser() method.
>
> Here is the code of the valve which give me the expected result :
>
> public class RemoteUserValve extends ValveBase {
>> public void invoke(Request request, Response response) throws
>> IOException, ServletException {
>> String remoteUser = request.getHeader("X-Forwarded-User");
>> Principal userPrincipal = request.getPrincipal();
>> if (userPrincipal != null) {
>> System.out.println("Principal getName : " +
>> userPrincipal.getName() + ".");
>> System.out.println("Principal toString : " +
>> userPrincipal.toString() + ".");
>> } else {
>> System.out.println("userPrincipal is null.");
>> request.setUserPrincipal(new
>> CoyotePrincipal(remoteUser));
>> }
>> getNext().invoke(request, response);
>> }
>> }
>
>
> Please, feel free to comment this code if something looks improvable.
>
> Thx again for your help.
>
> Sylvain
>
> On Fri, Sep 16, 2011 at 11:33 AM, André Warnier <aw...@ice-sa.com> wrote:
>
>> Sylvain Goulmy wrote:
>>
>>> Hi everyone,
>>>
>>> I'm actually using Tomcat on my environment platform (Tomcat 5.5 / Tomcat
>>> 6
>>> and soon Tomcat 7). I have a frontend Apache http Server using the jk
>>> connector to communicate with Tomcat instance.
>>>
>>> I'd like to change this connector and use the mod_proxy one for several
>>> reasons. The main difficulty to handle is relative to the remote-user
>>> information. Indeed the jk connector automatically transmits the
>>> information
>>> so that the application can retrieve it using a request.getRemoteUser()
>>> method call.
>>>
>>> If i'm not using the ajp connector anymore, i need to handle something on
>>> the tomcat side to set the remote user in the request object. I thought i
>>> could use a valve to do this. And that's where the road ends, i have
>>> watched
>>> the ajp conenctor code in order to see how the remote user is set in the
>>> request but i can't find it.
>>>
>>>
>> You are not finding it, because you are looking in the wrong place.
>> If mod_jk can pass the authenticated user to Tomcat, via the AJP channel,
>> it is because the user (or request) has been authenticated on the Apache
>> side, before the request is forwarded through mod_jk to Tomcat.
>> The AJP connector on the Tomcat side then picks up this user-id from the
>> request coming in on the AJP channel, and sets the UserPrincipal in Tomcat
>> accordingly.
>> That's why a subsequent getRemoteUser() can pick it up in Tomcat.
>>
>> If you want to switch to mod_proxy instead of mod_jk, the question is : can
>> mod_proxy forward the Apache user-id to Tomcat ?
>> The question is slightly more complicated, because there are two methods of
>> connecting Apache to Tomcat using mod_proxy :
>> a) mod_proxy_http (protocol = HTTP, over Tomcat HTTP Connector)
>> b) mod_proxy_ajp (protocol = AJP, over Tomcat's AJP Connector (the same as
>> the one used with mod_jk)
>>
>> If you are using the second one (AJP), then we know that the AJP protocol
>> /can/ carry the Apache user-id to Tomcat (because that is what mod_jk does).
>> The question is whether mod_proxy_ajp has some setting to tell it to do
>> that (or does it by default).
>>
>> If you are using the first one (HTTP), then one way would be to force
>> Apache to add a HTTP header to the request, containing the user-id; and on
>> the Tomcat side, have something that picks up this HTTP header, and stuffs
>> its content in the UserPrincipal object.
>> I don't know if something like that exists ready-made, but a custom Valve
>> or servlet filter should be able to do that.
>>
>>
>>
>>
>> ------------------------------**------------------------------**---------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<us...@tomcat.apache.org>
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Http connector and remote user information
Posted by Sylvain Goulmy <sy...@gmail.com>.
Thank you André for your contribution which was very helpful.
If you are using the first one (HTTP), then one way would be to force Apache
> to add a HTTP header to the request, containing the user-id; and on the
> Tomcat side, have something that picks up this HTTP header, and stuffs its
> content in the UserPrincipal object.
> I don't know if something like that exists ready-made, but a custom Valve
> or servlet filter should be able to do that.
This is effectively the solution i had chosen, i should have mentionned it.
Actually i was looking for the implementation on the tomcat side that's why
i was looking how the ajp connector was using the user-id data to set the
remote user. You gave me the solution by mentionning the UserPrincipal
object as i was on the wrong place looking for a setRemoteUser() method.
Here is the code of the valve which give me the expected result :
public class RemoteUserValve extends ValveBase {
> public void invoke(Request request, Response response) throws
> IOException, ServletException {
> String remoteUser = request.getHeader("X-Forwarded-User");
> Principal userPrincipal = request.getPrincipal();
> if (userPrincipal != null) {
> System.out.println("Principal getName : " +
> userPrincipal.getName() + ".");
> System.out.println("Principal toString : " +
> userPrincipal.toString() + ".");
> } else {
> System.out.println("userPrincipal is null.");
> request.setUserPrincipal(new
> CoyotePrincipal(remoteUser));
> }
> getNext().invoke(request, response);
> }
> }
Please, feel free to comment this code if something looks improvable.
Thx again for your help.
Sylvain
On Fri, Sep 16, 2011 at 11:33 AM, André Warnier <aw...@ice-sa.com> wrote:
> Sylvain Goulmy wrote:
>
>> Hi everyone,
>>
>> I'm actually using Tomcat on my environment platform (Tomcat 5.5 / Tomcat
>> 6
>> and soon Tomcat 7). I have a frontend Apache http Server using the jk
>> connector to communicate with Tomcat instance.
>>
>> I'd like to change this connector and use the mod_proxy one for several
>> reasons. The main difficulty to handle is relative to the remote-user
>> information. Indeed the jk connector automatically transmits the
>> information
>> so that the application can retrieve it using a request.getRemoteUser()
>> method call.
>>
>> If i'm not using the ajp connector anymore, i need to handle something on
>> the tomcat side to set the remote user in the request object. I thought i
>> could use a valve to do this. And that's where the road ends, i have
>> watched
>> the ajp conenctor code in order to see how the remote user is set in the
>> request but i can't find it.
>>
>>
> You are not finding it, because you are looking in the wrong place.
> If mod_jk can pass the authenticated user to Tomcat, via the AJP channel,
> it is because the user (or request) has been authenticated on the Apache
> side, before the request is forwarded through mod_jk to Tomcat.
> The AJP connector on the Tomcat side then picks up this user-id from the
> request coming in on the AJP channel, and sets the UserPrincipal in Tomcat
> accordingly.
> That's why a subsequent getRemoteUser() can pick it up in Tomcat.
>
> If you want to switch to mod_proxy instead of mod_jk, the question is : can
> mod_proxy forward the Apache user-id to Tomcat ?
> The question is slightly more complicated, because there are two methods of
> connecting Apache to Tomcat using mod_proxy :
> a) mod_proxy_http (protocol = HTTP, over Tomcat HTTP Connector)
> b) mod_proxy_ajp (protocol = AJP, over Tomcat's AJP Connector (the same as
> the one used with mod_jk)
>
> If you are using the second one (AJP), then we know that the AJP protocol
> /can/ carry the Apache user-id to Tomcat (because that is what mod_jk does).
> The question is whether mod_proxy_ajp has some setting to tell it to do
> that (or does it by default).
>
> If you are using the first one (HTTP), then one way would be to force
> Apache to add a HTTP header to the request, containing the user-id; and on
> the Tomcat side, have something that picks up this HTTP header, and stuffs
> its content in the UserPrincipal object.
> I don't know if something like that exists ready-made, but a custom Valve
> or servlet filter should be able to do that.
>
>
>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<us...@tomcat.apache.org>
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Http connector and remote user information
Posted by André Warnier <aw...@ice-sa.com>.
Sylvain Goulmy wrote:
> Hi everyone,
>
> I'm actually using Tomcat on my environment platform (Tomcat 5.5 / Tomcat 6
> and soon Tomcat 7). I have a frontend Apache http Server using the jk
> connector to communicate with Tomcat instance.
>
> I'd like to change this connector and use the mod_proxy one for several
> reasons. The main difficulty to handle is relative to the remote-user
> information. Indeed the jk connector automatically transmits the information
> so that the application can retrieve it using a request.getRemoteUser()
> method call.
>
> If i'm not using the ajp connector anymore, i need to handle something on
> the tomcat side to set the remote user in the request object. I thought i
> could use a valve to do this. And that's where the road ends, i have watched
> the ajp conenctor code in order to see how the remote user is set in the
> request but i can't find it.
>
You are not finding it, because you are looking in the wrong place.
If mod_jk can pass the authenticated user to Tomcat, via the AJP channel, it is because
the user (or request) has been authenticated on the Apache side, before the request is
forwarded through mod_jk to Tomcat.
The AJP connector on the Tomcat side then picks up this user-id from the request coming in
on the AJP channel, and sets the UserPrincipal in Tomcat accordingly.
That's why a subsequent getRemoteUser() can pick it up in Tomcat.
If you want to switch to mod_proxy instead of mod_jk, the question is : can mod_proxy
forward the Apache user-id to Tomcat ?
The question is slightly more complicated, because there are two methods of connecting
Apache to Tomcat using mod_proxy :
a) mod_proxy_http (protocol = HTTP, over Tomcat HTTP Connector)
b) mod_proxy_ajp (protocol = AJP, over Tomcat's AJP Connector (the same as the one used
with mod_jk)
If you are using the second one (AJP), then we know that the AJP protocol /can/ carry the
Apache user-id to Tomcat (because that is what mod_jk does). The question is whether
mod_proxy_ajp has some setting to tell it to do that (or does it by default).
If you are using the first one (HTTP), then one way would be to force Apache to add a HTTP
header to the request, containing the user-id; and on the Tomcat side, have something that
picks up this HTTP header, and stuffs its content in the UserPrincipal object.
I don't know if something like that exists ready-made, but a custom Valve or servlet
filter should be able to do that.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org