Posted to dev@tomcat.apache.org by Is...@ext.ec.europa.eu on 2012/03/23 13:43:35 UTC

AJP13: response message with container remote user

Hi All,

I have several web applications running on distinct tomcat instances. Apache httpd is in front of all the tomcat instances, running as a reverse proxy. Authentication is realized at the container side. Access log files are active on the httpd side.

What I am missing in the httpd log files is the remote user information. I know it is not available via mod_proxy. So I plan to switch to mod_jk. But it is not available in mod_jk either. And I would like to contribute on this. I know a possible work around would be to include the remote user information in the response headers and log this via httpd; but I am not sure I can count on the software owners to make the changes in a short time.

If there is no difficulty in Tomcat for grabbing the remote user, I would like to add a new response message in AJP13.

The new response message would be as follows:

AJP13_CONTAINER_REMOTE_USER :=
  prefix_code    7
  remote_user (string)


Any comments before I start working on this?

Thanks for your interest,
--
Issa Gorissen


RE: AJP13: response message with container remote user

Posted by Is...@ext.ec.europa.eu.
> 
> Can't you just add a custom response header to your Tomcat responses like
> 
> X-REMOTE-USER: MY_USER
> 
> and then log the user name in your apache access log by adding
> %{X-REMOTE-USER}o?


Hi,

Yes, this is what Konstantin suggests.  I guess I will drop my initial idea and follow this route. I will have to convince Atlassian to make changes in their apps, if I do not want to add custom code (filters) to their apps.

Have a nice day.
--
Issa

Re: AJP13: response message with container remote user

Posted by Rainer Jung <ra...@kippdata.de>.
On 23.03.2012 13:43, Issa.GORISSEN@ext.ec.europa.eu wrote:
> Hi All,
>
> I have several web applications running on distinct tomcat instances. Apache httpd is in front of all the tomcat instances, running as a reverse proxy. Authentication is realized at the container side. Access log files are active on the httpd side.
>
> What I am missing in the httpd log files is the remote user information. I know it is not available via mod_proxy. So I plan to switch to mod_jk. But it is not available in mod_jk either. And I would like to contribute on this. I know a possible work around would be to include the remote user information in the response headers and log this via httpd; but I am not sure I can count on the software owners to make the changes in a short time.

Can't you just add a custom response header to your Tomcat responses like

X-REMOTE-USER: MY_USER

and then log the user name in your apache access log by adding 
%{X-REMOTE-USER}o?

Note that this would mean that the user name is sent out to the internet 
(via the header), but it might already be part of the response pages anyhow.

If you want to strip a response header at Apache and still want to log 
it, you would need to write a very simple Apache module, which copies 
the header into an Apache environment variable, then removes the header 
and you would log the environment variable instead of the original header.

HTH.

Rainer


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
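
Rainer's suggestion, worked through as an added example (this is not code from the thread, from Tomcat, or from any of the applications mentioned): a servlet Filter that copies the user Tomcat authenticated into an X-REMOTE-USER response header, which then rides back to httpd inside the normal AJP SEND_HEADERS message and can be logged there. The class name, the header name and the sanitising step are assumptions made here; the header name only has to match what the httpd LogFormat references.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of Tomcat): exposes the container-authenticated user
 * to the reverse proxy as a response header so httpd can log it.
 *
 * Map it to /* in web.xml (or with @WebFilter) so it runs before the application
 * writes its response. On Tomcat 10 and later the package is jakarta.servlet.
 */
public class RemoteUserHeaderFilter implements Filter {

    /** Header name is an assumption; it must match %{X-REMOTE-USER}o in httpd's LogFormat. */
    static final String HEADER = "X-REMOTE-USER";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            // getRemoteUser() is only non-null when Tomcat itself authenticated the request
            // (BASIC/FORM/CLIENT-CERT against a Realm). Applications that authenticate
            // internally (e.g. Spring Security) leave it null unless they integrate with the container.
            String user = ((HttpServletRequest) req).getRemoteUser();
            if (user != null) {
                // Set before the chain runs: headers cannot be added once the response is committed.
                ((HttpServletResponse) res).setHeader(HEADER, sanitize(user));
            }
        }
        chain.doFilter(req, res);
    }

    /** Drop CR/LF and other control characters so a hostile user name cannot split the header. */
    static String sanitize(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (c >= 0x20 && c != 0x7F) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public void destroy() { }
}
```

On the httpd side this needs nothing beyond mod_log_config, for instance LogFormat "%h %l %u %t \"%r\" %>s %b %{X-REMOTE-USER}o" tomcatuser together with CustomLog logs/access_log tomcatuser. Both caveats raised in the thread still apply: the header is empty when authentication happens inside the application rather than in Tomcat, and the value is visible to the client unless httpd removes it, which is why Rainer points to a small custom module rather than Header unset (mod_headers strips it from the response headers before the access log is written, so the log would lose it too). For the per-instance logs Konstantin mentions, Tomcat's own AccessLogValve prints the same user with the %u pattern element and needs no header at all.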


RE: AJP13: response message with container remote user

Posted by Is...@ext.ec.europa.eu.
> 3. You would need some additional work and configuration on httpd side
> to make the information provided by Tomcat be printed into the logs.

[1] Isn't it possible to set the user for the current request in httpd context via mod_jk? I guess this would be half good, as this info would only be known to httpd during the response handling, and not before. I guess this would introduce inconsistencies when httpd users expect that httpd must be aware of the user during a whole (tomcat) session, instead of just the http responses.

> 
> 4. It is easier to pass the information back via AJP13_SEND_HEADERS
> message instead of inventing a new message type and marshalling it
> over the wire.


This would imply to make the user info available in the response's headers, right?

But anyway, if [1] is correct, then it would mean to let httpd be aware of servlet sessions, which might be a lot more work I guess.

Re: AJP13: response message with container remote user

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/3/23  <Is...@ext.ec.europa.eu>:
>>
>> That works only if authentication is done by Tomcat.  In many cases
>> authentication is done by third-party frameworks e.g. Spring Security,
>> inside the web application itself.
>>
>> I think patching the connectors and mod_jk is not a good idea here.
>>
>
>
> Well, I have indeed seen that this information can be printed by Tomcat. My goal is to have all the access information in one file, not two or more, because I have one httpd instance and five tomcat instances served by this httpd instance. This would mean having to process six access files... Not practical IMO.
>
>
> Can you explain for my understanding why you think it would be a bad idea to patch the connectors & mod_jk?

1. I do not think that your amendment to the AJP protocol can be
contributed to official releases without much work.

There is no protocol capabilities negotiation between httpd and
tomcat, so it has to be somehow explicitly enabled on both sides.

Note, that there are several independent server-side ajp
implementations (e.g. mod_proxy_ajp)  and client-side implementations
(e.g. jetty).

There are 3 different implementations of Ajp connector in Tomcat itself.

2. In many cases Tomcat does not know how user is authenticated, as I
already mentioned.

3. You would need some additional work and configuration on httpd side
to make the information provided by Tomcat be printed into the logs.

4. It is easier to pass the information back via AJP13_SEND_HEADERS
message instead of inventing a new message type and marshalling it
over the wire.


Best regards,
Konstantin Kolinko

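
Konstantin's point 4 above, as an added example that is not from the thread, from Tomcat or from mod_jk: the existing AJP13 SEND_HEADERS message already carries an arbitrary list of response headers, so the user name can travel as an ordinary header with no new prefix code and no change to either end of the connection. The encoder below builds the container-to-proxy packet (magic 'A' 'B', two-byte payload length, prefix code 4, status code, status message, header count, then headers, with strings sent as two-byte length, bytes and a NUL terminator and well-known header names replaced by 0xA0xx codes) and the decoder does what the httpd side does with it. The class name and the choice of ISO-8859-1 for string bytes are assumptions made here. Note also that in Tomcat's AJP connector prefix code 7 is already taken by the CPong reply to mod_jk's CPing, so the proposed AJP13_CONTAINER_REMOTE_USER would have needed a different code anyway.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Illustrative AJP13 SEND_HEADERS encoder/decoder; example code, not Tomcat's or mod_jk's. */
public final class AjpSendHeadersExample {

    static final int SEND_HEADERS = 4;   // prefix code of the container->proxy SEND_HEADERS message
    /** Byte encoding of AJP strings is assumed to be ISO-8859-1 in this example. */
    static final Charset CS = StandardCharsets.ISO_8859_1;

    /** Well-known response header names are sent as 0xA0xx codes instead of strings. */
    static final Map<String, Integer> CODES = new LinkedHashMap<>();
    static final Map<Integer, String> NAMES = new LinkedHashMap<>();
    static {
        String[] known = {"Content-Type", "Content-Language", "Content-Length", "Date",
            "Last-Modified", "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine",
            "Status", "WWW-Authenticate"};
        for (int i = 0; i < known.length; i++) {
            CODES.put(known[i].toLowerCase(), 0xA001 + i);
            NAMES.put(0xA001 + i, known[i]);
        }
    }

    /** Container -> proxy packet: 'A' 'B', 2-byte payload length, payload. */
    static byte[] encode(int status, String statusMsg, Map<String, String> headers) throws IOException {
        ByteArrayOutputStream payloadBuf = new ByteArrayOutputStream();
        DataOutputStream p = new DataOutputStream(payloadBuf);
        p.writeByte(SEND_HEADERS);
        p.writeShort(status);            // http_status_code (integer)
        writeString(p, statusMsg);       // http_status_msg (string)
        p.writeShort(headers.size());    // num_headers (integer)
        for (Map.Entry<String, String> h : headers.entrySet()) {
            Integer code = CODES.get(h.getKey().toLowerCase());
            if (code != null) p.writeShort(code); else writeString(p, h.getKey());
            writeString(p, h.getValue());
        }
        byte[] payload = payloadBuf.toByteArray();
        ByteArrayOutputStream packetBuf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(packetBuf);
        out.writeByte('A');
        out.writeByte('B');
        out.writeShort(payload.length);
        out.write(payload);
        return packetBuf.toByteArray();
    }

    /** The proxy side: pull the response headers back out of a SEND_HEADERS packet. */
    static Map<String, String> decodeHeaders(byte[] packet) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(packet));
        if (in.readUnsignedByte() != 'A' || in.readUnsignedByte() != 'B') throw new IOException("bad magic");
        if (in.readUnsignedShort() != packet.length - 4) throw new IOException("length mismatch");
        if (in.readUnsignedByte() != SEND_HEADERS) throw new IOException("not SEND_HEADERS");
        in.readUnsignedShort();          // status code, ignored here
        readString(in);                  // status message, ignored here
        int n = in.readUnsignedShort();
        Map<String, String> headers = new LinkedHashMap<>();
        for (int i = 0; i < n; i++) {
            in.mark(2);
            String name;
            // A coded name starts with 0xA0; the protocol relies on no string name being long
            // enough for its length's high byte to be 0xA0.
            if (in.readUnsignedByte() == 0xA0) {
                name = NAMES.get(0xA000 | in.readUnsignedByte());
                if (name == null) throw new IOException("unknown header code");
            } else {
                in.reset();
                name = readString(in);
            }
            headers.put(name, readString(in));
        }
        return headers;
    }

    static void writeString(DataOutputStream out, String s) throws IOException {
        byte[] b = s.getBytes(CS);
        out.writeShort(b.length);        // length excludes the terminating NUL
        out.write(b);
        out.writeByte(0);
    }

    static String readString(DataInputStream in) throws IOException {
        byte[] b = new byte[in.readUnsignedShort()];
        in.readFully(b);
        in.readByte();                   // NUL terminator
        return new String(b, CS);
    }

    public static void main(String[] args) throws IOException {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", "text/html");   // goes on the wire as the code 0xA001
        headers.put("X-REMOTE-USER", "alice");      // constructed sample user; sent as a string name
        byte[] packet = encode(200, "OK", headers);
        StringBuilder hex = new StringBuilder();
        for (byte b : packet) hex.append(String.format("%02x ", b));
        System.out.println(hex.toString().trim());
        System.out.println(decodeHeaders(packet));
    }
}
```

Running main prints the packet bytes followed by the decoded header map, with X-REMOTE-USER recovered exactly as sent. This is the whole of the "marshalling" a new message type would have had to reinvent: the string and integer encodings, the framing, and the parsing on the httpd side are already there for every header the application sets.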


RE: AJP13: response message with container remote user

Posted by Is...@ext.ec.europa.eu.
> > I have several web applications running on distinct tomcat instances.
> Apache httpd is in front of all the tomcat instances, running as a reverse
> proxy. Authentication is realized at the container side. Access log files are
> active on the httpd side.
> 
> "at the container side" = in Tomcat?

Yes container side being Tomcat.

> 
> Just enable access logs (aka AccessLogValve) in Tomcat itself. It will
> print whatever user Tomcat authenticated.
> 
> That works only if authentication is done by Tomcat.  In many cases
> authentication is done by third-party frameworks e.g. Spring Security,
> inside the web application itself.
> 
> I think patching the connectors and mod_jk is not a good idea here.
> 


Well, I have indeed seen that this information can be printed by Tomcat. My goal is to have all the access information in one file, not two or more, because I have one httpd instance and five tomcat instances served by this httpd instance. This would mean having to process six access files... Not practical IMO.


Can you explain for my understanding why you think it would be a bad idea to patch the connectors & mod_jk?

Thx
--
Issa

Re: AJP13: response message with container remote user

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/3/23  <Is...@ext.ec.europa.eu>:
> Hi All,
>
> I have several web applications running on distinct tomcat instances. Apache httpd is in front of all the tomcat instances, running as a reverse proxy. Authentication is realized at the container side. Access log files are active on the httpd side.

"at the container side" = in Tomcat?

>
> What I am missing in the httpd log files is the remote user information. I know it is not available via mod_proxy. So I plan to switch to mod_jk. But it is not available in mod_jk either. And I would like to contribute on this. I know a possible work around would be to include the remote user information in the response headers and log this via httpd; but I am not sure I can count on the software owners to make the changes in a short time.
>
> If there is no difficulty in Tomcat for grabbing the remote user, I would like to add a new response message in AJP13.

Just enable access logs (aka AccessLogValve) in Tomcat itself. It will
print whatever user Tomcat authenticated.

That works only if authentication is done by Tomcat.  In many cases
authentication is done by third-party frameworks e.g. Spring Security,
inside the web application itself.

I think patching the connectors and mod_jk is not a good idea here.


> The new response message would be as follows:
>
> AJP13_CONTAINER_REMOTE_USER :=
>  prefix_code    7
>  remote_user (string)
>
>
> Any comments before I start working on this?
>
> Thanks for your interest,
> --
> Issa Gorissen
>
