[Bug 68677] no support for enviroment variables/request attributes

Wed, 28 Feb 2024 12:44:45 -0800 

https://bz.apache.org/bugzilla/show_bug.cgi?id=68677

--- Comment #10 from dub...@gmail.com ---
First off, what I'm asking for already exists in mod_jk via the JkEnvVar
directive.  I just want the same thing for jk_isapi_plugin (the IIS equivalent
of mod_jk).

This request stemmed from a deep dive into an issue I've been researching
related to IIS and Adobe ColdFusion.  ColdFusion installs the Tomcat connector
for the server that its set up to run within.  I think you run it by itself
(basically running Tomcat by itself) but its recommended to run within a web
server for additional security (lord knows its a target vector) and ease of
setup.  For my organization, that server is IIS so it installs the IIS
connector (isapi_redirect.dll) and requests get sent through IIS to
ColdFusion/Tomcat via AJP.  This is an out-of-the-box install.

Now - we have another module/filter installed in IIS which handles SAML
authentication called Shibboleth Service Provider.  By default, the Shibboleth
SP software manipulates the request and after its performed authentication of
the user, it stores REMOTE_USER and information about how they authenticated in
request attributes/variables. Those attributes are made available to
applications as part of the environment.  For things like PHP, you can access
them via $_SERVER["some_var"].  For ASP, its
request.ServerVariables("some_var") for Java/JSP its
httpServletRequest.getAttribute("some_var").

Because the IIS connector doesn't pass any of this information on to Tomcat, I
cannot access it within my ColdFusion code.  Luckily the Shibboleth SP software
has an option to store the information in request headers, but it strongly
recommended to not do this because those can be spoofed by the client.

So long story short, I absolutely need REMOTE_USER from IIS so I need AJP.  The
jk_isapi_plugin provides this (yay).  However I cannot access the request
variables that other modules/filters may set in IIS.  For Shibboleth SP, I'm
forced to tell it to store the information in headers - a security risk
arguably more severe than using AJP.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to