Posted to users@tomcat.apache.org by Omar Nafees <om...@cs.uwaterloo.ca> on 2007/08/24 18:58:11 UTC

Apache authentication information (remoteuser) not visible in Tomcat

Hello,


request.getRemoteUser() returns null in my servlet. 
request.getAttribute("REMOTE_USER") also returns null. I have even 
checked the headers that are being sent to the AJP connector in Tomcat.



Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via 
mod_jk-ap2-1.2.23 on FreeBSD 6.2


Snippet of AJP13 header:

0180  6c 61 74 65 00 a0 02 00  07 55 54 46 2d 38 2c 2a   late.... .UTF-8,*
0190  00 00 0a 4b 65 65 70 2d  41 6c 69 76 65 00 00 03   ...Keep- Alive...
01a0  33 30 30 00 a0 06 00 0a  6b 65 65 70 2d 61 6c 69   300..... keep-ali
01b0  76 65 00 a0 05 00 22 42  61 73 69 63 20 62 32 31   ve...."B asic b21
01c0  75 59 57 5a 6c 5a 58 4d  36 5a 6d 46 79 61 54 67   uYWZlZXM 6ZmFyaTg
01d0  35 4f 44 41 32 4e 7a 67  3d 00 a0 08 00 01 30 00   5ODA2Nzg =.....0.
01e0  03 00 08 6f 6d 6e 61 66  65 65 73 00 04 00 05 42   ...omnaf ees....B
01f0  61 73 69 63 00 0a 00 0b  52 45 4d 4f 54 45 5f 55   asic.... REMOTE_U
0200  53 45 52 00 00 08 6f 6d  6e 61 66 65 65 73 00 ff   SER...om nafees..


How do I get Tomcat servlet to read remote user as sent above??



Below I reproduce three relevant configuration files:


*********************************************************************************
The mod_jk.conf that is included in apache 2's httpd.conf:


    ServerName localhost

    JkMount /webdav ajp13
    JkMount /webdav/* ajp13

    JkMount /servlets-examples ajp13
    JkMount /servlets-examples/* ajp13

    JkMount /jsp-examples ajp13
    JkMount /jsp-examples/* ajp13

    JkMount /balancer ajp13
    JkMount /balancer/* ajp13

    JkMount /~omnafees ajp13
    JkMount /~omnafees/* ajp13

    JkMount /tomcat-docs ajp13
    JkMount /tomcat-docs/* ajp13

    JkMount /submitServer ajp13
    JkMount /submitServer/* ajp13



### Customizations
# Where to put jk logs
JkLogFile /var/log/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel error
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
#JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%b %w %V %T %r"
# environment variable?
JkEnvVar REMOTE_USER

### Omar's authentication testing
<Location "/submitServer/*">
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/etc/apache/passwd/passwords
Require valid-user
</Location>
***********************************************************************************************************

***********************************************************************************************************
The worker.properties file:

worker.list=ajp13

worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
***********************************************************************************************************

***********************************************************************************************************
Tomcat's server.xml:


<!-- Note that component elements are nested corresponding to their
     parent-child relationships with each other -->

<!-- A "Server" is a singleton element that represents the entire JVM,
     which may contain one or more "Service" instances.  The Server
     listens for a shutdown command on the indicated port.

     Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" or "Loggers" at this level.
 -->

<Server port="8005" shutdown="SHUTDOWN">

  <!-- Comment these entries out to disable JMX MBeans support used for the
       administration web application -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved"
           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" (and therefore the web applications visible
       within that Container).  Normally, that Container is an "Engine",
       but this is not required.

       Note:  A "Service" is not itself a "Container", so you may not
       define subcomponents such as "Valves" or "Loggers" at this level.
   -->

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Catalina">

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned.  Each Connector passes requests on to the
         associated "Container" (normally an Engine) for processing.

         By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
         You can also enable an SSL HTTP/1.1 Connector on port 8443 by
         following the instructions below and uncommenting the second Connector
         entry.  SSL support requires the following steps (see the SSL Config
         HOWTO in the Tomcat 5 documentation bundle for more detailed
         instructions):
         * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
           later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
         * Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
           with a password value of "changeit" for both the certificate and
           the keystore itself.

         By default, DNS lookups are enabled when a web application calls
         request.getRemoteHost().  This can have an adverse impact on
         performance, so you can disable it by setting the
         "enableLookups" attribute to "false".  When DNS lookups are disabled,
         request.getRemoteHost() will return the String version of the
         IP address of the remote client.
    -->

    <!-- Define a non-SSL HTTP/1.1 Connector -->
    <Connector port="8180" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
     to 0 -->

        <!-- Note : To use gzip compression you could set the following properties :

                           compression="on"
                           compressionMinSize="2048"
                           noCompressionUserAgents="gozilla, traviata"
                           compressableMimeType="text/html,text/xml"
        -->

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="/usr/local/apache-tomcat6.0/conf/ssl/marmosetKeystore"
               clientAuth="false" sslProtocol="TLS" />

    <!-- Define an AJP 1.3 Connector -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" tomcatAuthentication="false" />


    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
    <!-- See proxy documentation for more information about using this. -->
    <!--
    <Connector port="8082"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" acceptCount="100" connectionTimeout="20000"
               proxyPort="80" disableUploadTimeout="true" />
    -->

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host). -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
    -->
        
    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">

      <!-- The request dumper valve dumps useful debugging information about
           the request headers and cookies that were received, and the response
           headers and cookies that were sent, for all requests received by
           this instance of Tomcat.  If you care only about requests to a
           particular virtual host, or a particular application, nest this
           element inside the corresponding <Host> or <Context> entry instead.

           For a similar mechanism that is portable to all Servlet 2.4
           containers, check out the "RequestDumperFilter" Filter in the
           example application (the source for this filter may be found in
           "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").

           Note that this Valve uses the platform's default character encoding.
           This may cause problems for developers in another encoding, e.g.
           UTF-8.  Use the RequestDumperFilter instead.

           Also note that enabling this Valve will write a ton of stuff to your
           logs.  They are likely to grow quite large.  This extensive log writing
           will definitely slow down your server.

           Request dumping is disabled by default.  Uncomment the following
           element to enable it. -->
      <!--
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      -->

      <!-- Because this Realm is here, an instance will be shared globally -->

      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key "UserDatabase".  Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm.  -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Comment out the old realm but leave here for now in case we
           need to go back quickly -->
      <!--
      <Realm className="org.apache.catalina.realm.MemoryRealm" />
      -->

      <!-- Replace the above Realm with one of the following to get a Realm
           stored in a database and accessed via JDBC -->

      <!--
      <Realm  className="org.apache.catalina.realm.JDBCRealm"
             driverName="org.gjt.mm.mysql.Driver"
          connectionURL="jdbc:mysql://localhost/authority"
         connectionName="test" connectionPassword="test"
              userTable="users" userNameCol="user_name" userCredCol="user_pass"
          userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!--
      <Realm  className="org.apache.catalina.realm.JDBCRealm"
             driverName="oracle.jdbc.driver.OracleDriver"
          connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
         connectionName="scott" connectionPassword="tiger"
              userTable="users" userNameCol="user_name" userCredCol="user_pass"
          userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!--
      <Realm  className="org.apache.catalina.realm.JDBCRealm"
             driverName="sun.jdbc.odbc.JdbcOdbcDriver"
          connectionURL="jdbc:odbc:CATALINA"
              userTable="users" userNameCol="user_name" userCredCol="user_pass"
          userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!-- Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       -->
      <Host name="localhost" appBase="webapps"
       unpackWARs="true" autoDeploy="true"
       xmlValidation="false" xmlNamespaceAware="false">

        <!-- Defines a cluster for this node,
             By defining this element, means that every manager will be changed.
             So when running a cluster, only make sure that you have webapps in there
             that need to be clustered and remove the other ones.
             A cluster has the following parameters:

             className = the fully qualified name of the cluster class

             clusterName = a descriptive name for your cluster, can be anything

             mcastAddr = the multicast address, has to be the same for all the nodes

             mcastPort = the multicast port, has to be the same for all the nodes

             mcastBindAddress = bind the multicast socket to a specific address

             mcastTTL = the multicast TTL if you want to limit your broadcast

             mcastSoTimeout = the multicast readtimeout

             mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat

             mcastDropTime = the number of milliseconds before a node is considered "dead" if no heartbeat is received

             tcpThreadCount = the number of threads to handle incoming replication requests,
                              optimal would be the same amount of threads as nodes

             tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
                                in case of multiple ethernet cards.
                                auto means that address becomes
                                InetAddress.getLocalHost().getHostAddress()

             tcpListenPort = the tcp listen port

             tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
                                  has a wakeup bug in java.nio. Set to 0 for no timeout

             printToScreen = true means that managers will also print to std.out

             expireSessionsOnShutdown = true means that

             useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
                            false means to replicate the session after each request.
                            false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
                            <%
                            HashMap map = (HashMap)session.getAttribute("map");
                            map.put("key","value");
                            %>
             replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
                               * Pooled means that the replication happens using several sockets in a synchronous way.
                               Ie, the data gets replicated, then the request return. This is the same as the
                               'synchronous' setting except it uses a pool of sockets, hence it is multithreaded.
                               This is the fastest and safest configuration. To use this, also increase the nr
                               of tcp threads that you have dealing with replication.
                               * Synchronous means that the thread that executes the request, is also the
                               thread that replicates the data to the other nodes, and will not return until all
                               nodes have received the information.
                               * Asynchronous means that there is a specific 'sender' thread for each cluster node,
                               so the request thread will queue the replication request into a "smart" queue,
                               and then return to the client.
                               The "smart" queue is a queue where when a session is added to the queue, and the same session
                               already exists in the queue from a previous request, that session will be replaced
                               in the queue instead of replicating two requests. This almost never happens, unless there is a
                               large network delay.
        -->
        <!--
            When configuring for clustering, you also add in a valve to catch all the requests
            coming in, at the end of the request, the session may or may not be replicated.
            A session is replicated if and only if all the conditions are met:
            1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
            2. a session exists (has been created)
            3. the request is not trapped by the "filter" attribute

            The filter attribute is to filter out requests that could not modify the session,
            hence we don't replicate the session after the end of this request.
            The filter is negative, ie, anything you put in the filter, you mean to filter out,
            ie, no replication will be done on requests that match one of the filters.
            The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.

            filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
            ending with .gif and .js are intercepted.

            The deployer element can be used to deploy apps cluster wide.
            Currently the deployment only deploys/undeploys to working members in the cluster
            so no WARs are copied upon startup of a broken node.
            The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
            When a new war file is added the war gets deployed to the local instance,
            and then deployed to the other instances in the cluster.
            When a war file is deleted from the watchDir the war is undeployed locally
            and cluster wide
        -->
       
        <!--
        <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
                 managerClassName="org.apache.catalina.cluster.session.DeltaManager"
                 expireSessionsOnShutdown="false"
                 useDirtyFlag="true"
                 notifyListenersOnReplication="true">

            <Membership
                className="org.apache.catalina.cluster.mcast.McastService"
                mcastAddr="228.0.0.4"
                mcastPort="45564"
                mcastFrequency="500"
                mcastDropTime="3000"/>

            <Receiver
                className="org.apache.catalina.cluster.tcp.ReplicationListener"
                tcpListenAddress="auto"
                tcpListenPort="4001"
                tcpSelectorTimeout="100"
                tcpThreadCount="6"/>

            <Sender
                className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
                replicationMode="pooled"
                ackTimeout="15000"
                waitForAck="true"/>

            <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
                   filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>

            <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
                      tempDir="/tmp/war-temp/"
                      deployDir="/tmp/war-deploy/"
                      watchDir="/tmp/war-listen/"
                      watchEnabled="false"/>

            <ClusterListener className="org.apache.catalina.cluster.session.ClusterSessionListener"/>
        </Cluster>
        -->



        <!-- Normally, users must authenticate themselves to each web app
             individually.  Uncomment the following entry if you would like
             a user to be authenticated the first time they encounter a
             resource protected by a security constraint, and then have that
             user identity maintained across *all* web applications contained
             in this virtual host. -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all requests for this virtual host.  By
             default, log files are created in the "logs" directory relative to
             $CATALINA_HOME.  If you wish, you can specify a different
             directory with the "directory" attribute.  Specify either a relative
             (to $CATALINA_HOME) or absolute path to the desired directory.
        -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve"
                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
                 pattern="common" resolveHosts="false"/>
        -->

        <!-- Access log processes all requests for this virtual host.  By
             default, log files are created in the "logs" directory relative to
             $CATALINA_HOME.  If you wish, you can specify a different
             directory with the "directory" attribute.  Specify either a relative
             (to $CATALINA_HOME) or absolute path to the desired directory.
             This access log implementation is optimized for maximum performance,
             but is hardcoded to support only the "common" and "combined" patterns.
        -->
        <!--
        <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
                 pattern="common" resolveHosts="false"/>
        -->

        <!-- customized user directories -->
        <Listener className="org.apache.catalina.startup.UserConfig"
        directoryName="public_html"
        userClass="org.apache.catalina.startup.PasswdUserDatabase"/>

        <!-- Apache Web Server Auto Configuration -->
        <Listener className="org.apache.jk.config.ApacheConfig"
        modJk="/usr/local/libexec/apache2/mod_jk.so"
        workersConfig="/usr/local/tomcat5.5/conf/jk/workers.properties"
        jkLog="/var/log/mod_jk.log"
        jKDebug="error"
        jkWorker="ajp13" />


      </Host>

    </Engine>

  </Service>

</Server>




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Omar Nafees <om...@cs.uwaterloo.ca>.
Hi Rainer,

Thanks for the response. I should have thought of testing the relevant 
methods in a simpler servlet. This has revealed the following:

If I turn off the SSL requirement in my application's web.xml (i.e., in 
the security constraint of web.xml), request.getRemoteUser() works fine. 
As soon as I flip it back on (by adding 
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>), 
I get null as before.

I need to have tomcat working over SSL with the client. Is there a way I 
can get it to trust the information it's obtained from the apache 
web-server via AJP?

Thanks,
Omar


Rainer Jung wrote:
> Hi Omar,
>
> Omar Nafees wrote:
>   
>> request.getRemoteUser() returns null in my servlet.
>> request.getAttribute("REMOTE_USER") also returns null. I have even
>> checked the headers that are being sent to the AJP connector in Tomcat.
>>
>>     
>
> request.getRemoteUser() works for me (mod_jk 1.2.25 and TC 5.5.23)
> 1) remove the JkEnvVar REMOTE_USER. It's not an Apache environment
> variable, and it will be forwarded by mod_jk automatically
>
> 2) Set log level to debug in a dev system. The request should produce a
> line similar to
>
> [Sun Aug 26 01:12:03.482 2007] [27669:0] [debug]
> init_ws_service::mod_jk.c (782): Service protocol=HTTP/1.1 method=GET
> host=(null) addr=127.0.0.1 name=fraxinus.entenhausen.zz port=8080
> auth=Basic user=jung laddr=127.0.0.1 raddr=127.0.0.1 uri=/auth.jsp
>
> Here you can see that mod_jk found Basic authentication and User "jung"
> in the Apache representation of the request.
>
>   
>> Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via
>> mod_jk-ap2-1.2.23 on FreeBSD 6.2
>>
>>
>> Snippet of AJP13 header:
>>
>>     
> ...
>
>   
>> 01d0  35 4f 44 41 32 4e 7a 67  3d 00 a0 08 00 01 30 00   5ODA2Nzg =.....0.
>> 01e0  03 00 08 6f 6d 6e 61 66  65 65 73 00 04 00 05 42   ...omnaf ees....B
>> 01f0  61 73 69 63 00 0a 00 0b  52 45 4d 4f 54 45 5f 55   asic.... REMOTE_U
>> 0200  53 45 52 00 00 08 6f 6d  6e 61 66 65 65 73 00 ff   SER...om nafees..
>>     
>
> Starting from 01e0 we have "03" for "remote_user", then "0008" for 8
> Bytes, then the name of the remote user "omnafees" and a terminating
> "00", then "04" for authentication type, "0005" for length 5, and
> "Basic" as the authentication type. That looks fine!
>
>   
>> How do I get Tomcat servlet to read remote user as sent above??
>>     
>
>   
>>    <!-- Define an AJP 1.3 Connector -->
>>    <Connector port="8009"
>>               enableLookups="false" redirectPort="8443"
>> protocol="AJP/1.3" tomcatAuthentication="false" />
>>     
>
> Looks good to me.
>
> Try with a very simple servlet first. Maybe put it in the root context
> to isolate it from all the complex things in your webapp:
>
> <HTML>
> User: <%=request.getRemoteUser() %>
> </HTML>
>
> Regards,
>
> Rainer

Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Omar,

Omar Nafees wrote:
> request.getRemoteUser() returns null in my servlet.
> request.getAttribute("REMOTE_USER") also returns null. I have even
> checked the headers that are being sent to the AJP connector in Tomcat.
> 

request.getRemoteUser() works for me (mod_jk 1.2.25 and TC 5.5.23)
1) remove the JkEnvVar REMOTE_USER. It's not an Apache environment
variable, and it will be forwarded by mod_jk automatically

2) Set log level to debug in a dev system. The request should produce a
line similar to

[Sun Aug 26 01:12:03.482 2007] [27669:0] [debug]
init_ws_service::mod_jk.c (782): Service protocol=HTTP/1.1 method=GET
host=(null) addr=127.0.0.1 name=fraxinus.entenhausen.zz port=8080
auth=Basic user=jung laddr=127.0.0.1 raddr=127.0.0.1 uri=/auth.jsp

Here you can see that mod_jk found Basic authentication and User "jung"
in the Apache representation of the request.

> Here's what I'm running: apache-2.0.59 in front of tomcat-5.5.23_1 via
> mod_jk-ap2-1.2.23 on FreeBSD 6.2
> 
> 
> Snippet of AJP13 header:
> 
...

> 01d0  35 4f 44 41 32 4e 7a 67  3d 00 a0 08 00 01 30 00   5ODA2Nzg =.....0.
> 01e0  03 00 08 6f 6d 6e 61 66  65 65 73 00 04 00 05 42   ...omnaf ees....B
> 01f0  61 73 69 63 00 0a 00 0b  52 45 4d 4f 54 45 5f 55   asic.... REMOTE_U
> 0200  53 45 52 00 00 08 6f 6d  6e 61 66 65 65 73 00 ff   SER...om nafees..

Starting from 01e0 we have "03" for "remote_user", then "0008" for 8
Bytes, then the name of the remote user "omnafees" and a terminating
"00", then "04" for authentication type, "0005" for length 5, and
"Basic" as the authentication type. That looks fine!

> How do I get Tomcat servlet to read remote user as sent above??

>    <!-- Define an AJP 1.3 Connector -->
>    <Connector port="8009"
>               enableLookups="false" redirectPort="8443"
> protocol="AJP/1.3" tomcatAuthentication="false" />

Looks good to me.

Try with a very simple servlet first. Maybe put it in the root context
to isolate it from all the complex things in your webapp:

<HTML>
User: <%=request.getRemoteUser() %>
</HTML>

Regards,

Rainer
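
Rainer's byte-by-byte reading of the dump, as an added example that is not part of the original thread: a small parser for the attribute section of an AJP13 Forward Request, run over the bytes at offsets 0x01e0-0x020f quoted above. The attribute code table follows the published AJPv13 protocol description; the function and constant names are made up for this example.

```python
import struct

# Bytes at offsets 0x01e0-0x020f of the hex dump posted in this thread:
# the attribute section that ends the AJP13 Forward Request.
DUMP_ATTRS_HEX = (
    "03 00 08 6f 6d 6e 61 66 65 65 73 00 04 00 05 42 "
    "61 73 69 63 00 0a 00 0b 52 45 4d 4f 54 45 5f 55 "
    "53 45 52 00 00 08 6f 6d 6e 61 66 65 65 73 00 ff"
)

# Attribute codes as listed in the AJPv13 protocol description.
ATTR_NAMES = {
    0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
    0x04: "auth_type", 0x05: "query_string", 0x06: "route",
    0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
    0x0A: "req_attribute", 0x0B: "ssl_key_size", 0x0C: "secret",
    0x0D: "stored_method",
}
REQ_ATTRIBUTE = 0x0A   # carries a name string and a value string
SSL_KEY_SIZE = 0x0B    # carries a 2-byte integer instead of a string
ARE_DONE = 0xFF        # terminates the attribute list


class AjpParseError(ValueError):
    """Raised when the attribute section is truncated or malformed."""


def read_string(buf, pos):
    """Read one AJP string: 2-byte big-endian length, bytes, trailing 0x00."""
    if pos + 2 > len(buf):
        raise AjpParseError("truncated string length at offset %d" % pos)
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if length == 0xFFFF:          # null string: no data and no terminator
        return None, pos
    end = pos + length
    if end + 1 > len(buf):
        raise AjpParseError("string at offset %d runs past the buffer" % pos)
    if buf[end] != 0x00:
        raise AjpParseError("string at offset %d lacks its 0x00 terminator" % pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_attributes(buf):
    """Return a list of (attribute, key, value) tuples up to the 0xff marker."""
    attrs, pos = [], 0
    while True:
        if pos >= len(buf):
            raise AjpParseError("attribute list has no 0xff terminator")
        code = buf[pos]
        pos += 1
        if code == ARE_DONE:
            return attrs
        name = ATTR_NAMES.get(code)
        if name is None:
            raise AjpParseError("unknown attribute code 0x%02x at offset %d"
                                % (code, pos - 1))
        if code == REQ_ATTRIBUTE:
            key, pos = read_string(buf, pos)
            value, pos = read_string(buf, pos)
            attrs.append((name, key, value))
        elif code == SSL_KEY_SIZE:
            if pos + 2 > len(buf):
                raise AjpParseError("truncated ssl_key_size at offset %d" % pos)
            (size,) = struct.unpack_from(">H", buf, pos)
            pos += 2
            attrs.append((name, None, size))
        else:
            value, pos = read_string(buf, pos)
            attrs.append((name, None, value))


def asserted_identity(attrs):
    """Return the (user, auth_type) pair the front-end server asserts."""
    user = next((v for n, _, v in attrs if n == "remote_user"), None)
    auth = next((v for n, _, v in attrs if n == "auth_type"), None)
    return user, auth


if __name__ == "__main__":
    parsed = parse_attributes(bytes.fromhex(DUMP_ATTRS_HEX))
    for entry in parsed:
        print(entry)
    print("asserted identity:", asserted_identity(parsed))
```

With tomcatAuthentication="false" on the connector, Tomcat takes the user from these attributes as asserted by the front end, so the AJP port (8009 here) should be reachable only from the httpd host.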




Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Gabriel Wong <ga...@webappcabaret.com>.
Omar,

Try the following utility with Principal and let us know:

            String r = request.getRemoteUser();
            if (r == null) {
                java.security.Principal pr = request.getUserPrincipal();
                if (pr != null) {
                    r = pr.getName();
                }
            }

Omar Nafees wrote:
> Thank you for the tips David. The JkEnvVar was just a shot at passing 
> the REMOTE_USER explicitly. I read about it in one of the mod_jk 
> documents.  I was unable to get this to work without it either.
>
> Oh and my apologies for a cluttered server.xml on the list.
>
> I have restarted tomcat and apache several times. I was actually 
> trying to get it to work with tomcat 6.0 and switched to 5.5 to see if 
> that would make a difference.
>
> I've also tried to get this to work with apache 1.3 to no avail. I now 
> suspect mod_jk itself...
>
> May I ask what versions of each software you are using? What form of 
> Apache authentication are you using (some in house authorization 
> software)? Did you first test your setup with Apache's Basic 
> authentication?
>
> Sorry for the many questions - but I'd like to know what you've done 
> differently as I'd like to be where you are with this right now =)
>
>
> Thanks,
> Omar
>
>
> David Smith wrote:
>> Hi.
>>
>> I'm in the same boat as you in using an apache httpd module to 
>> authenticate users and have had it working for a few years now.  Your 
>> configuration looked good as far as I could tell.  Here are a couple 
>> of suggestions though.
>>
>> 1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your  apache 
>> config.  I've never used it and have what you are working on working 
>> flawlessly.
>>
>> 2. Drop all those documenting comments and example configuration from 
>> your server.xml.  You could make a copy of it named 
>> server.xml.original if you want.  The commented parts are excellent 
>> documentation, but hamper readability of the active parts.
>>
>> 3. Restart Tomcat.  I'm not sure if you restarted after you added 
>> tomcatAuthentication="false" to the connector, but it needs to happen.
>>
>> --David
>>
>> Omar Nafees wrote:
>>> Hi Robert,
>>>
>>> Thanks for the response.
>>>
>>> So I've come to believe that it's possible to avoid using Tomcat 
>>> authentication altogether, i.e., without specifying realms and using 
>>> tomcat user/roles in an application's web.xml. Given my context (a 
>>> University environment with over several hundreds of students 
>>> hitting an apache web server and a small subset needing tomcat), I 
>>> need to completely separate authentication from the Tomcat server. I 
>>> guess this approach of using JNDI or even JAAS is a last resort... 
>>> but I would really like to see what everyone else seems to have 
>>> already accomplished - the REMOTE_USER variable being read from the 
>>> first AJP header that is sent to tomcat.
>>>
>>>
>>> Thanks,
>>>
>>> Omar
>>>
>>>
>>> Robert Segal wrote:
>>>> Omar I actually had this exact same problem early today although I'm
>>>> sure my environment is slightly different from yours perhaps I can offer
>>>> some help. In my case I have LDAP authentication configured for my
>>>> servlet.  I believe this step should be the same regardless of the
>>>> authentication scheme you are using....
>>>> First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
>>>> roles and constraints for what pages can be accessed...
>>>>
>>>> <login-config>
>>>>     <auth-method>BASIC</auth-method>
>>>>   </login-config>
>>>>
>>>>   <security-role>
>>>>     <role-name>GRP-myGroup </role-name>
>>>>   </security-role>
>>>>
>>>>   <security-constraint>
>>>>     <web-resource-collection>
>>>>       <web-resource-name>my Authentication</web-resource-name>
>>>>       <url-pattern>/*</url-pattern>
>>>>     </web-resource-collection>
>>>>
>>>>     <auth-constraint>
>>>>       <role-name>GRP-myGroup</role-name>
>>>>     </auth-constraint>
>>>>   </security-constraint>
>>>>
>>>>
>>>> The other file I change sets up all the LDAP machine details.  I've
>>>> placed it in Context.xml because there are several servlets that make
>>>> use of this authentication...
>>>>
>>>> $CATALINA_HOME/conf/Context.xml
>>>>
>>>> <Context>
>>>>     <Realm className       ="org.apache.catalina.realm.JNDIRealm"
>>>>          debug             ="99"
>>>>          connectionURL     ="ldap://ldapMachine:3268"
>>>>          connectionName    ="CRYPTOLOGIC\myUser"
>>>>          connectionPassword="myPassword"
>>>>          userBase          ="dc=myDomain,dc=com"
>>>>          userSearch        ="(sAMAccountName={0})"
>>>>          userSubtree       ="true"
>>>>          userRoleName      ="memberOf"
>>>>          roleBase          ="OU=Groups,DC=myDomain,DC=com"
>>>>          roleSubtree       ="false"
>>>>          roleName          ="cn"
>>>>          roleSearch        ="(member={0})"/>
>>>> </Context>
>>>>
>>>> This has worked for me.  Hope it is of some use to you.  We also have
>>>> Apache over top of Tomcat in our environment and found it necessary to
>>>> configure authentication both in Apache and in Tomcat to get things to
>>>> work properly.
>>>>
>>>> Robert Segal
>>>> Tools Developer
>>>> CryptoLogic Inc.
>>>> 55 St. Clair Ave W., 3rd Floor
>>>> Toronto, Ontario
>>>> Canada  M4V 2Y7
>>>> tel.  + 1.416.545.1455 x5896
>>>> fax. + 1.416.545.1454
>>>>
>>>> -----Original Message-----
>>>> From: Omar Nafees [mailto:omnafees@cs.uwaterloo.ca]
>>>> Sent: Friday, August 24, 2007 2:30 PM
>>>> To: Tomcat Users List
>>>> Subject: Re: Apache authentication information (remoteuser) not visible
>>>> in Tomcat
>>>>
>>>> Thanks for the response Christopher... although I had very early 
>>>> on, already tried what is suggested in the link you have referred 
>>>> to, i.e., setting tomcatAuthentication="false" in the appropriate 
>>>> server.xml line (see the config listing I produced earlier in the 
>>>> thread).
>>>>
>>>> Oh I hope its not some obscure bug in mod_jk!! :)
>>>>
>>>> Thanks,
>>>> Omar
>>>>
>>>>
>>>>
>>>> Christopher Schultz wrote:
>>>>  
>>>>> Omar,
>>>>>
>>>>> Omar Nafees wrote:
>>>>>    
>>>>>> request.getRemoteUser() returns null in my servlet.
>>>>>> request.getAttribute("REMOTE_USER") also returns null. I have even
>>>>>> checked the headers that are being sent to the AJP connector in
>>>>>> Tomcat.
>>>>>
>>>>> This is a FAQ. The answer is easily findable in the archives:
>>>>>
>>>>> http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y
>>>>>
>>>>> - -chris
>>>>>


-- 
Regards



Gabriel Wong

Beyond Private JVM JAVA Hosting

http://www.webappcabaret.com




Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by David Smith <dn...@cornell.edu>.
Hi Omar.

1. Removing the comments from server.xml is more for your sanity than 
mine.  I started doing it to my server.xml's and it's made life so much 
easier.

2. The current production mod_jk is 1.2.14 in my system.  I have to 
upgrade my server soon and will probably upgrade that when I do.  I'm 
using it with both tomcat 5.0.28 and tomcat 5.5.23 without issue.  For 
those out there scratching your heads on this one, the tomcat 5.5 
instance is a dev/test environment while the 5.0 is production.  Apache 
Httpd is version 2.0.48

3. The auth module is Cornell's mod_cuwebauth.so which off-loads the 
authentication to the university's authentication service.  There's no 
Tomcat realm version of it.

4. I never tested with BASIC first.  I needed to get the mod_cuwebauth 
REMOTE_USER header and found a brief reference to it in the archives.  
Set it, restarted, and it started working instantly.  When you access 
pages in /submitServer, are you challenged for a username and password?

--David

Omar Nafees wrote:
> Thank you for the tips David. The JkEnvVar was just a shot at passing 
> the REMOTE_USER explicitly. I read about it in one of the mod_jk 
> documents.  I was unable to get this to work without it either.
>
> Oh and my apologies for a cluttered server.xml on the list.
>
> I have restarted tomcat and apache several times. I was actually 
> trying to get it to work with tomcat 6.0 and switched to 5.5 to see if 
> that would make a difference.
>
> I've also tried to get this to work with apache 1.3 to no avail. I now 
> suspect mod_jk itself...
>
> May I ask what versions of each software you are using? What form of 
> Apache authentication are you using (some in house authorization 
> software)? Did you first test your setup with Apache's Basic 
> authentication?
>
> Sorry for the many questions - but I'd like to know what you've done 
> differently as I'd like to be where you are with this right now =)
>
>
> Thanks,
> Omar
>
>
> David Smith wrote:
>> Hi.
>>
>> I'm in the same boat as you in using an apache httpd module to 
>> authenticate users and have had it working for a few years now.  Your 
>> configuration looked good as far as I could tell.  Here are a couple 
>> of suggestions though.
>>
>> 1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your  apache 
>> config.  I've never used it and have what you are working on working 
>> flawlessly.
>>
>> 2. Drop all those documenting comments and example configuration from 
>> your server.xml.  You could make a copy of it named 
>> server.xml.original if you want.  The commented parts are excellent 
>> documentation, but hamper readability of the active parts.
>>
>> 3. Restart Tomcat.  I'm not sure if you restarted after you added 
>> tomcatAuthentication="false" to the connector, but it needs to happen.
>>
>> --David
>>
>> Omar Nafees wrote:
>>> Hi Robert,
>>>
>>> Thanks for the response.
>>>
>>> So I've come to believe that its possible to avoid using Tomcat 
>>> authentication altogether, i.e., without specifying realms and using 
>>> tomcat user/roles in an application's web.xml. Given my context (a 
>>> University environment with over several hundreds of students 
>>> hitting an apache web server and a small subset needing tomcat), I 
>>> need to completely separate authentication from the Tomcat server. I 
>>> guess this approach of using JNDI or even JAAS is a last resort... 
>>> but I would really like to see what everyone else seems to have 
>>> already accomplished - the REMOTE_USER variable being read from the 
>>> first AJP header that is sent to tomcat.
>>>
>>>
>>> Thanks,
>>>
>>> Omar
>>>
>>>
>>> Robert Segal wrote:
>>>> Omar I actually had this exact same problem early today although I'm
>>>> sure my environment is slightly different from your perhaps I can offer
>>>> some help.
>>>>
>>>> In my case I have LDAP authentication configured for my servlet.  I
>>>> believe this step should be the same regardless of the authentication
>>>> scheme you are using....
>>>>
>>>> First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
>>>> roles and constraints for what pages can be accessed...
>>>>
>>>> <login-config>
>>>>     <auth-method>BASIC</auth-method>
>>>>   </login-config>
>>>>
>>>>   <security-role>
>>>>     <role-name>GRP-myGroup </role-name>
>>>>   </security-role>
>>>>
>>>>   <security-constraint>
>>>>     <web-resource-collection>
>>>>       <web-resource-name>my Authentication</web-resource-name>
>>>>       <url-pattern>/*</url-pattern>
>>>>     </web-resource-collection>
>>>>
>>>>     <auth-constraint>
>>>>       <role-name>GRP-myGroup</role-name>
>>>>     </auth-constraint>
>>>>   </security-constraint>
>>>>
>>>>
>>>> The other file I change sets up all the LDAP machine details.  I've
>>>> placed it in Context.xml because there are several servlets that make
>>>> use of this authentication...
>>>>
>>>> $CATALINA_HOME/conf/Context.xml
>>>>
>>>> <Context>
>>>>     <Realm className       ="org.apache.catalina.realm.JNDIRealm"
>>>>          debug             ="99"
>>>>          connectionURL     ="ldap://ldapMachine:3268"
>>>>          connectionName    ="CRYPTOLOGIC\myUser"
>>>>          connectionPassword="myPassword"
>>>>          userBase          ="dc=myDomain,dc=com"
>>>>          userSearch        ="(sAMAccountName={0})"
>>>>          userSubtree       ="true"
>>>>          userRoleName      ="memberOf"
>>>>          roleBase          ="OU=Groups,DC=myDomain,DC=com"
>>>>          roleSubtree       ="false"
>>>>          roleName          ="cn"
>>>>          roleSearch        ="(member={0})"/>
>>>> </Context>
>>>>
>>>> This has worked for me.  Hope it is of some use to you.  We also have
>>>> Apache over top of Tomcat in our environment and found it necessary to
>>>> configure authentication both in Apache and in Tomcat to get things to
>>>> work properly.
>>>>
>>>> Robert Segal
>>>> Tools Developer
>>>> CryptoLogic Inc.
>>>> 55 St. Clair Ave W., 3rd Floor
>>>> Toronto, Ontario
>>>> Canada  M4V 2Y7
>>>> tel.  + 1.416.545.1455 x5896
>>>> fax. + 1.416.545.1454
>>>>
>>>> -----Original Message-----
>>>> From: Omar Nafees [mailto:omnafees@cs.uwaterloo.ca]
>>>> Sent: Friday, August 24, 2007 2:30 PM
>>>> To: Tomcat Users List
>>>> Subject: Re: Apache authentication information (remoteuser) not visible
>>>> in Tomcat
>>>>
>>>> Thanks for the response Christopher... although I had very early 
>>>> on, already tried what is suggested in the link you have referred 
>>>> to, i.e., setting tomcatAuthentication="false" in the appropriate 
>>>> server.xml line (see the config listing I produced earlier in the 
>>>> thread).
>>>>
>>>> Oh I hope its not some obscure bug in mod_jk!! :)
>>>>
>>>> Thanks,
>>>> Omar
>>>>
>>>>
>>>>




Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Omar Nafees <om...@cs.uwaterloo.ca>.
Thank you for the tips David. The JkEnvVar was just a shot at passing 
the REMOTE_USER explicitly. I read about it in one of the mod_jk 
documents.  I was unable to get this to work without it either.

Oh and my apologies for a cluttered server.xml on the list.

I have restarted tomcat and apache several times. I was actually trying 
to get it to work with tomcat 6.0 and switched to 5.5 to see if that 
would make a difference.

I've also tried to get this to work with apache 1.3 to no avail. I now 
suspect mod_jk itself...

May I ask what versions of each software you are using? What form of 
Apache authentication are you using (some in house authorization 
software)? Did you first test your setup with Apache's Basic authentication?

Sorry for the many questions - but I'd like to know what you've done 
differently as I'd like to be where you are with this right now =)


Thanks,
Omar


David Smith wrote:
> Hi.
>
> I'm in the same boat as you in using an apache httpd module to 
> authenticate users and have had it working for a few years now.  Your 
> configuration looked good as far as I could tell.  Here are a couple 
> of suggestions though.
>
> 1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your  apache 
> config.  I've never used it and have what you are working on working 
> flawlessly.
>
> 2. Drop all those documenting comments and example configuration from 
> your server.xml.  You could make a copy of it named 
> server.xml.original if you want.  The commented parts are excellent 
> documentation, but hamper readability of the active parts.
>
> 3. Restart Tomcat.  I'm not sure if you restarted after you added 
> tomcatAuthentication="false" to the connector, but it needs to happen.
>
> --David
>
> Omar Nafees wrote:
>> Hi Robert,
>>
>> Thanks for the response.
>>
>> So I've come to believe that its possible to avoid using Tomcat 
>> authentication altogether, i.e., without specifying realms and using 
>> tomcat user/roles in an application's web.xml. Given my context (a 
>> University environment with over several hundreds of students hitting 
>> an apache web server and a small subset needing tomcat), I need to 
>> completely separate authentication from the Tomcat server. I guess 
>> this approach of using JNDI or even JAAS is a last resort... but I 
>> would really like to see what everyone else seems to have already 
>> accomplished - the REMOTE_USER variable being read from the first AJP 
>> header that is sent to tomcat.
>>
>>
>> Thanks,
>>
>> Omar
>>
>>
>> Robert Segal wrote:
>>> Omar I actually had this exact same problem early today although I'm
>>> sure my environment is slightly different from your perhaps I can offer
>>> some help.
>>>
>>> In my case I have LDAP authentication configured for my servlet.  I
>>> believe this step should be the same regardless of the authentication
>>> scheme you are using....
>>>
>>> First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
>>> roles and constraints for what pages can be accessed...
>>>
>>> <login-config>
>>>     <auth-method>BASIC</auth-method>
>>>   </login-config>
>>>
>>>   <security-role>
>>>     <role-name>GRP-myGroup </role-name>
>>>   </security-role>
>>>
>>>   <security-constraint>
>>>     <web-resource-collection>
>>>       <web-resource-name>my Authentication</web-resource-name>
>>>       <url-pattern>/*</url-pattern>
>>>     </web-resource-collection>
>>>
>>>     <auth-constraint>
>>>       <role-name>GRP-myGroup</role-name>
>>>     </auth-constraint>
>>>   </security-constraint>
>>>
>>>
>>> The other file I change sets up all the LDAP machine details.  I've
>>> placed it in Context.xml because there are several servlets that make
>>> use of this authentication...
>>>
>>> $CATALINA_HOME/conf/Context.xml
>>>
>>> <Context>
>>>     <Realm className       ="org.apache.catalina.realm.JNDIRealm"
>>>          debug             ="99"
>>>          connectionURL     ="ldap://ldapMachine:3268"
>>>          connectionName    ="CRYPTOLOGIC\myUser"
>>>          connectionPassword="myPassword"
>>>          userBase          ="dc=myDomain,dc=com"
>>>          userSearch        ="(sAMAccountName={0})"
>>>          userSubtree       ="true"
>>>          userRoleName      ="memberOf"
>>>          roleBase          ="OU=Groups,DC=myDomain,DC=com"
>>>          roleSubtree       ="false"
>>>          roleName          ="cn"
>>>          roleSearch        ="(member={0})"/>
>>> </Context>
>>>
>>> This has worked for me.  Hope it is of some use to you.  We also have
>>> Apache over top of Tomcat in our environment and found it necessary to
>>> configure authentication both in Apache and in Tomcat to get things to
>>> work properly.
>>>
>>> Robert Segal
>>> Tools Developer
>>> CryptoLogic Inc.
>>> 55 St. Clair Ave W., 3rd Floor
>>> Toronto, Ontario
>>> Canada  M4V 2Y7
>>> tel.  + 1.416.545.1455 x5896
>>> fax. + 1.416.545.1454
>>>
>>> -----Original Message-----
>>> From: Omar Nafees [mailto:omnafees@cs.uwaterloo.ca]
>>> Sent: Friday, August 24, 2007 2:30 PM
>>> To: Tomcat Users List
>>> Subject: Re: Apache authentication information (remoteuser) not visible
>>> in Tomcat
>>>
>>> Thanks for the response Christopher... although I had very early on, 
>>> already tried what is suggested in the link you have referred to, 
>>> i.e., setting tomcatAuthentication="false" in the appropriate 
>>> server.xml line (see the config listing I produced earlier in the 
>>> thread).
>>>
>>> Oh I hope its not some obscure bug in mod_jk!! :)
>>>
>>> Thanks,
>>> Omar
>>>
>>>
>>>
>>> Christopher Schultz wrote:
>>>  
>>>> Omar,
>>>>
>>>> Omar Nafees wrote:
>>>>     
>>>>> request.getRemoteUser() returns null in my servlet.
>>>>> request.getAttribute("REMOTE_USER") also returns null. I have even
>>>>> checked the headers that are being sent to the AJP connector in
>>>>> Tomcat.
>>>>
>>>> This is a FAQ. The answer is easily findable in the archives:
>>>>
>>>> http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y
>>>>
>>>> - -chris
>>>>


Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by David Smith <dn...@cornell.edu>.
Hi.

I'm in the same boat as you in using an apache httpd module to 
authenticate users and have had it working for a few years now.  Your 
configuration looked good as far as I could tell.  Here are a couple of 
suggestions though.

1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your  apache 
config.  I've never used it and have what you are working on working 
flawlessly.

2. Drop all those documenting comments and example configuration from 
your server.xml.  You could make a copy of it named server.xml.original 
if you want.  The commented parts are excellent documentation, but 
hamper readability of the active parts.

3. Restart Tomcat.  I'm not sure if you restarted after you added 
tomcatAuthentication="false" to the connector, but it needs to happen.

--David

Omar Nafees wrote:
> Hi Robert,
>
> Thanks for the response.
>
> So I've come to believe that its possible to avoid using Tomcat 
> authentication altogether, i.e., without specifying realms and using 
> tomcat user/roles in an application's web.xml. Given my context (a 
> University environment with over several hundreds of students hitting 
> an apache web server and a small subset needing tomcat), I need to 
> completely separate authentication from the Tomcat server. I guess 
> this approach of using JNDI or even JAAS is a last resort... but I 
> would really like to see what everyone else seems to have already 
> accomplished - the REMOTE_USER variable being read from the first AJP 
> header that is sent to tomcat.
>
>
> Thanks,
>
> Omar
>
>
> Robert Segal wrote:
>> Omar I actually had this exact same problem early today although I'm
>> sure my environment is slightly different from your perhaps I can offer
>> some help. 
>> In my case I have LDAP authentication configured for my servlet.  I
>> believe this step should be the same regardless of the authentication
>> scheme you are using....
>> First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
>> roles and constraints for what pages can be accessed...
>>
>> <login-config>
>>     <auth-method>BASIC</auth-method>
>>   </login-config>
>>
>>   <security-role>
>>     <role-name>GRP-myGroup </role-name>
>>   </security-role>
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>my Authentication</web-resource-name>
>>       <url-pattern>/*</url-pattern>
>>     </web-resource-collection>
>>
>>     <auth-constraint>
>>       <role-name>GRP-myGroup</role-name>
>>     </auth-constraint>
>>   </security-constraint>
>>
>>
>> The other file I change sets up all the LDAP machine details.  I've
>> placed it in Context.xml because there are several servlets that make
>> use of this authentication...
>>
>> $CATALINA_HOME/conf/Context.xml
>>
>> <Context>
>>     <Realm className       ="org.apache.catalina.realm.JNDIRealm"
>>          debug             ="99"
>>          connectionURL     ="ldap://ldapMachine:3268"
>>          connectionName    ="CRYPTOLOGIC\myUser"
>>          connectionPassword="myPassword"
>>          userBase          ="dc=myDomain,dc=com"
>>          userSearch        ="(sAMAccountName={0})"
>>          userSubtree       ="true"
>>          userRoleName      ="memberOf"
>>          roleBase          ="OU=Groups,DC=myDomain,DC=com"
>>          roleSubtree       ="false"
>>          roleName          ="cn"
>>          roleSearch        ="(member={0})"/>
>> </Context>
>>
>> This has worked for me.  Hope it is of some use to you.  We also have
>> Apache over top of Tomcat in our environment and found it necessary to
>> configure authentication both in Apache and in Tomcat to get things to
>> work properly.
>>
>> Robert Segal
>> Tools Developer
>> CryptoLogic Inc.
>> 55 St. Clair Ave W., 3rd Floor
>> Toronto, Ontario
>> Canada  M4V 2Y7
>> tel.  + 1.416.545.1455 x5896
>> fax. + 1.416.545.1454
>>
>> -----Original Message-----
>> From: Omar Nafees [mailto:omnafees@cs.uwaterloo.ca]
>> Sent: Friday, August 24, 2007 2:30 PM
>> To: Tomcat Users List
>> Subject: Re: Apache authentication information (remoteuser) not visible
>> in Tomcat
>>
>> Thanks for the response Christopher... although I had very early on, 
>> already tried what is suggested in the link you have referred to, 
>> i.e., setting tomcatAuthentication="false" in the appropriate 
>> server.xml line (see the config listing I produced earlier in the 
>> thread).
>>
>> Oh I hope its not some obscure bug in mod_jk!! :)
>>
>> Thanks,
>> Omar
>>
>>
>>
>> Christopher Schultz wrote:
>>  
>>> Omar,
>>>
>>> Omar Nafees wrote:
>>>      
>>>> request.getRemoteUser() returns null in my servlet.
>>>> request.getAttribute("REMOTE_USER") also returns null. I have even
>>>> checked the headers that are being sent to the AJP connector in
>>>> Tomcat.
>>>
>>> This is a FAQ. The answer is easily findable in the archives:
>>>
>>> http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y
>>>
>>> - -chris
>>>
>


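The thread turns on two different places a user name can travel in an AJP13 Forward Request: the remote_user attribute (code 0x03) and a REMOTE_USER request attribute (code 0x0A) of the kind JkEnvVar forwards. The decoder below is an added example, not code from any poster or from the Tomcat or mod_jk projects; the packet is constructed (user alice, client 192.0.2.10), and remote_user_seen_by_servlet is a hypothetical helper that models the connector's tomcatAuthentication switch.

```python
import struct

# AJP13 attribute codes and coded header names, per the AJPv13 protocol reference.
ATTRIBUTES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "jvm_route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0A: "req_attribute", 0x0B: "ssl_key_size", 0x0C: "secret",
              0x0D: "stored_method"}
HEADERS = ["accept", "accept-charset", "accept-encoding", "accept-language",
           "authorization", "connection", "content-type", "content-length",
           "cookie", "cookie2", "host", "pragma", "referer", "user-agent"]
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}


class Reader:
    """Cursor over an AJP13 packet; all integers are big-endian."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def integer(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def string(self):
        length = self.integer()
        if length == 0xFFFF:  # AJP13 encoding of a null string
            return None
        end = self.pos + length
        if self.data[end:end + 1] != b"\x00":
            raise ValueError("AJP string is truncated or not NUL-terminated")
        raw, self.pos = self.data[self.pos:end], end + 1
        return raw.decode("latin-1")


def parse_forward_request(packet):
    """Decode one web-server-to-container Forward Request packet."""
    r = Reader(packet)
    try:
        if r.integer() != 0x1234 or r.integer() != len(packet) - 4:
            raise ValueError("bad magic or length field")
        if r.byte() != 0x02:
            raise ValueError("not a Forward Request")
        req = {"method": METHODS.get(r.byte(), "OTHER")}
        for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
            req[field] = r.string()
        req["server_port"], req["is_ssl"] = r.integer(), bool(r.byte())
        req["headers"], req["attributes"], req["req_attributes"] = {}, {}, {}
        for _ in range(r.integer()):
            if packet[r.pos] == 0xA0:  # coded header name: 0xA0 + index
                index = r.integer() - 0xA001
                if not 0 <= index < len(HEADERS):
                    raise ValueError("unknown coded header")
                name = HEADERS[index]
            else:
                name = r.string()
            req["headers"][name] = r.string()
        while True:
            code = r.byte()
            if code == 0xFF:  # request terminator
                return req
            if code not in ATTRIBUTES:
                raise ValueError("unknown attribute code 0x%02x" % code)
            if code == 0x0A:  # req_attribute: name/value pair, as sent for JkEnvVar
                key = r.string()
                req["req_attributes"][key] = r.string()
            elif code == 0x0B:  # ssl_key_size is an integer, not a string
                req["attributes"]["ssl_key_size"] = r.integer()
            else:
                req["attributes"][ATTRIBUTES[code]] = r.string()
    except (IndexError, struct.error):
        raise ValueError("packet ends before the 0xFF terminator") from None


def remote_user_seen_by_servlet(req, tomcat_authentication=True):
    """Model of the AJP connector: the forwarded remote_user is adopted only
    when tomcatAuthentication="false"; otherwise Tomcat's own login decides
    (assumed here: no Tomcat realm login happened, so the result is None)."""
    return None if tomcat_authentication else req["attributes"].get("remote_user")


def ajp_string(text):
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_sample():
    """Constructed packet: GET /submitServer/ after httpd authenticated 'alice'."""
    body = bytes([0x02, 0x02]) + ajp_string("HTTP/1.1") + ajp_string("/submitServer/")
    body += ajp_string("192.0.2.10") + b"\xff\xff" + ajp_string("localhost")
    body += struct.pack(">HBH", 80, 0, 2)  # server_port, is_ssl, header count
    body += b"\xa0\x0b" + ajp_string("localhost") + b"\xa0\x06" + ajp_string("keep-alive")
    body += b"\x03" + ajp_string("alice") + b"\x04" + ajp_string("Basic")
    body += b"\x0a" + ajp_string("REMOTE_USER") + ajp_string("alice") + b"\xff"
    return b"\x12\x34" + struct.pack(">H", len(body)) + body
```

Running parse_forward_request over a capture taken between httpd and the AJP port shows whether the user name is leaving mod_jk at all, which separates a front-end problem from a connector setting on the Tomcat side.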


Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Omar Nafees <om...@cs.uwaterloo.ca>.
Hi Robert,

Thanks for the response.

So I've come to believe that it's possible to avoid using Tomcat 
authentication altogether, i.e., without specifying realms and using 
tomcat user/roles in an application's web.xml. Given my context (a 
University environment with over several hundreds of students hitting an 
apache web server and a small subset needing tomcat), I need to 
completely separate authentication from the Tomcat server. I guess this 
approach of using JNDI or even JAAS is a last resort... but I would 
really like to see what everyone else seems to have already accomplished 
- the REMOTE_USER variable being read from the first AJP header that is 
sent to tomcat.


Thanks,

Omar


Robert Segal wrote:
> Omar I actually had this exact same problem early today although I'm
> sure my environment is slightly different from your perhaps I can offer
> some help.  
>
> In my case I have LDAP authentication configured for my servlet.  I
> believe this step should be the same regardless of the authentication
> scheme you are using....
>   
> First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
> roles and constraints for what pages can be accessed...
>
> <login-config>
>     <auth-method>BASIC</auth-method>
>   </login-config>
>
>   <security-role>
>     <role-name>GRP-myGroup </role-name>
>   </security-role>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>my Authentication</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>
>     <auth-constraint>
>       <role-name>GRP-myGroup</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>
> The other file I change sets up all the LDAP machine details.  I've
> placed it in Context.xml because there are several servlets that make
> use of this authentication...
>
> $CATALINA_HOME/conf/Context.xml
>
> <Context>
>     <Realm className       ="org.apache.catalina.realm.JNDIRealm"
>          debug             ="99"
>          connectionURL     ="ldap://ldapMachine:3268"
>          connectionName    ="CRYPTOLOGIC\myUser"
>          connectionPassword="myPassword"
>          userBase          ="dc=myDomain,dc=com"
>          userSearch        ="(sAMAccountName={0})"
>          userSubtree       ="true"
>          userRoleName      ="memberOf"
>          roleBase          ="OU=Groups,DC=myDomain,DC=com"
>          roleSubtree       ="false"
>          roleName          ="cn"
>          roleSearch        ="(member={0})"/>
> </Context>
>
> This has worked for me.  Hope it is of some use to you.  We also have
> Apache over top of Tomcat in our environment and found it necessary to
> configure authentication both in Apache and in Tomcat to get things to
> work properly.
>
> Robert Segal
> Tools Developer
> CryptoLogic Inc.
> 55 St. Clair Ave W., 3rd Floor
> Toronto, Ontario
> Canada  M4V 2Y7
> tel.  + 1.416.545.1455 x5896
> fax. + 1.416.545.1454
>
> -----Original Message-----
> From: Omar Nafees [mailto:omnafees@cs.uwaterloo.ca] 
> Sent: Friday, August 24, 2007 2:30 PM
> To: Tomcat Users List
> Subject: Re: Apache authentication information (remoteuser) not visible
> in Tomcat
>
> Thanks for the response Christopher... although I had very early on, 
> already tried what is suggested in the link you have referred to, i.e., 
> setting tomcatAuthentication="false" in the appropriate server.xml line 
> (see the config listing I produced earlier in the thread).
>
> Oh I hope it's not some obscure bug in mod_jk!! :)
>
> Thanks,
> Omar
>
>
>
> Christopher Schultz wrote:
>   
>> Omar,
>>
>> Omar Nafees wrote:
>>> request.getRemoteUser() returns null in my servlet.
>>> request.getAttribute("REMOTE_USER") also returns null. I have even
>>> checked the headers that are being sent to the AJP connector in Tomcat.
>>
>> This is a FAQ. The answer is easily findable in the archives:
>>
>> http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y
>>
>> -chris

Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Omar Nafees <om...@cs.uwaterloo.ca>.
Hi Robert,

Thanks for the response.

So I've come to believe that it's possible to avoid using Tomcat 
authentication altogether, i.e., without specifying realms and using 
Tomcat users/roles in an application's web.xml. Given my context (a 
University environment with over several hundred students hitting an 
Apache web server and a small subset needing Tomcat), I need to 
completely separate authentication from the Tomcat server. I guess this 
approach of using JNDI or even JAAS is a last resort... but I would 
really like to see what everyone else seems to have already accomplished 
- the REMOTE_USER variable being read from the first AJP header that is 
sent to Tomcat.


Thanks,

Omar


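Added example, not part of the original posts: a decoder for the attribute section of an AJP13 forward request, run over the last three rows (offsets 0x01e0 to 0x020f) of the hex dump posted at the start of this thread. It shows where mod_jk places the authenticated user on the wire; propagated_user() is a hypothetical helper that only models the documented meaning of the connector's tomcatAuthentication setting and is not Tomcat's own code.

```python
import struct

# AJP13 forward-request attribute codes, per the AJP13 protocol reference.
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0C: "secret", 0x0D: "stored_method"}
REQ_ATTRIBUTE, SSL_KEY_SIZE, ARE_DONE = 0x0A, 0x0B, 0xFF

# Bytes 0x01e0-0x020f of the hex dump posted in the first message.
CAPTURED_TAIL = bytes.fromhex(
    "0300086f6d6e61666565730004000542"
    "61736963000a000b52454d4f54455f55"
    "5345520000086f6d6e616665657300ff"
)

def read_string(buf, pos):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % pos)
    (length,) = struct.unpack_from(">H", buf, pos)
    if length == 0xFFFF:                 # AJP encoding of a null string
        return None, pos + 2
    end = pos + 2 + length
    if end >= len(buf) or buf[end] != 0:
        raise ValueError("string at offset %d truncated or unterminated" % pos)
    return buf[pos + 2:end].decode("latin-1"), end + 1

def parse_attributes(buf):
    """Return (named attributes, request attributes) up to the 0xFF terminator."""
    named, req_attrs, pos = {}, {}, 0
    while pos < len(buf):
        code, pos = buf[pos], pos + 1
        if code == ARE_DONE:
            return named, req_attrs
        if code == REQ_ATTRIBUTE:        # free-form name/value pair
            name, pos = read_string(buf, pos)
            req_attrs[name], pos = read_string(buf, pos)
        elif code == SSL_KEY_SIZE:       # 2-byte integer, not a string
            if pos + 2 > len(buf):
                raise ValueError("truncated ssl_key_size")
            (named["ssl_key_size"],) = struct.unpack_from(">H", buf, pos)
            pos += 2
        elif code in ATTR_NAMES:
            named[ATTR_NAMES[code]], pos = read_string(buf, pos)
        else:
            raise ValueError("unknown attribute code 0x%02x" % code)
    raise ValueError("missing 0xFF terminator")

def propagated_user(named, tomcat_authentication):
    """Hypothetical model: the front end's user is used only when
    tomcatAuthentication is false; otherwise Tomcat authenticates itself."""
    return None if tomcat_authentication else named.get("remote_user")

if __name__ == "__main__":
    named, req_attrs = parse_attributes(CAPTURED_TAIL)
    print(named, req_attrs, propagated_user(named, False))
```

In the captured bytes the user name appears twice: once as the dedicated remote_user attribute (code 0x03) and once as a request attribute named REMOTE_USER (code 0x0A).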

RE: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Robert Segal <Ro...@cryptologic.com>.
Omar, I actually had this exact same problem earlier today. Although I'm
sure my environment is slightly different from yours, perhaps I can offer
some help.

In my case I have LDAP authentication configured for my servlet.  I
believe this step should be the same regardless of the authentication
scheme you are using....
  
First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define
roles and constraints for what pages can be accessed...

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<security-role>
  <role-name>GRP-myGroup</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>my Authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>

  <auth-constraint>
    <role-name>GRP-myGroup</role-name>
  </auth-constraint>
</security-constraint>


The other file I change sets up all the LDAP machine details.  I've
placed it in Context.xml because there are several servlets that make
use of this authentication...

$CATALINA_HOME/conf/Context.xml

<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionURL="ldap://ldapMachine:3268"
         connectionName="CRYPTOLOGIC\myUser"
         connectionPassword="myPassword"

         userBase="dc=myDomain,dc=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"

         roleBase="OU=Groups,DC=myDomain,DC=com"
         roleSubtree="false"
         roleName="cn"
         roleSearch="(member={0})"/>
</Context>

This has worked for me.  Hope it is of some use to you.  We also have
Apache over top of Tomcat in our environment and found it necessary to
configure authentication both in Apache and in Tomcat to get things to
work properly.

Robert Segal
Tools Developer
CryptoLogic Inc.
55 St. Clair Ave W., 3rd Floor
Toronto, Ontario
Canada  M4V 2Y7
tel.  + 1.416.545.1455 x5896
fax. + 1.416.545.1454

-----Original Message-----
From: Omar Nafees [mailto:omnafees@cs.uwaterloo.ca] 
Sent: Friday, August 24, 2007 2:30 PM
To: Tomcat Users List
Subject: Re: Apache authentication information (remoteuser) not visible
in Tomcat

Thanks for the response Christopher... although I had very early on, 
already tried what is suggested in the link you have referred to, i.e., 
setting tomcatAuthentication="false" in the appropriate server.xml line 
(see the config listing I produced earlier in the thread).

Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar



Christopher Schultz wrote:
> Omar,
>
> Omar Nafees wrote:
>> request.getRemoteUser() returns null in my servlet.
>> request.getAttribute("REMOTE_USER") also returns null. I have even
>> checked the headers that are being sent to the AJP connector in Tomcat.
>
> This is a FAQ. The answer is easily findable in the archives:
>
> http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y
>
> -chris


Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Omar Nafees <om...@cs.uwaterloo.ca>.
Thanks for the response Christopher... although I had very early on, 
already tried what is suggested in the link you have referred to, i.e., 
setting tomcatAuthentication="false" in the appropriate server.xml line 
(see the config listing I produced earlier in the thread).

Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar



Christopher Schultz wrote:
> Omar,
>
> Omar Nafees wrote:
>   
>> request.getRemoteUser() returns null in my servlet.
>> request.getAttribute("REMOTE_USER") also returns null. I have even
>> checked the headers that are being sent to the AJP connector in Tomcat.
>>     
>
> This is a FAQ. The answer is easily findable in the archives:
>
> http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y
>
> -chris

Re: Apache authentication information (remoteuser) not visible in Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Omar,

Omar Nafees wrote:
> request.getRemoteUser() returns null in my servlet.
> request.getAttribute("REMOTE_USER") also returns null. I have even
> checked the headers that are being sent to the AJP connector in Tomcat.

This is a FAQ. The answer is easily findable in the archives:

http://www.nabble.com/forum/ViewPost.jtp?post=3132974&framed=y

-chris
