On 15.05.20 09:06, oh...@yahoo.com.INVALID wrote:
> Hi,
>
> I am using an Apache proxy in front of Tomcat 9, and I am using AJP 
> connection to connect from the Apache to Tomcat, and I have the Apache 
> sending a username to the Tomcat in a REMOTE_USER header.
>
> In the Tomcat server.xml I have:
>
>  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
> tomcatAuthentication="false"/>
>
> In the Apache httpd.conf, to test this, I have:
>
> <LocationMatch /myapp*>
> ProxyPass ajp://192.168.218.XX:8009
> ProxyPassReverse ajp://192.168.XX.224:8009
> </LocationMatch>
>
> But when I access the app via the Apache, it is not automatically logging me 
> into the app.
>
> Is there anything else that I have to do to get this to work besides what I 
> did above?  Is there something that I have to modify in the app itself to get 
> this to work?

Hi Jim,

Which exact version of Tomcat 9 are you using? Note that there were
significant changes for the default and required configuration for the
AJP connector, in order to use it. Best to find all of them: Search for
AJP in the change log tomcat.apache.org/tomcat-9.0-doc/changelog.html

Notable among them: Everything to do with "secret", and the default bind
address, "localhost", for the AJP connector. I.e., I'd expect this
configuration to be insufficient for any of the latest releases.

I haven't ever used this REMOTE_USER authentication, but nothing in the
configuration that you've posted gives any clue about what you do and
what you send. I would expect Tomcat to *not* blindly accept any
REMOTE_USER header by default, unless it's whitelisted and explicitly
asked for - it otherwise would be a great way to exploit servers that
don't have a remote proxy (or one where the remote proxy is configured
to remove this header). Nothing in the configuration you post gives me a
hint about what you do to make Tomcat accept and trust this header.

Olaf
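As an added illustration (not part of the thread and not from either poster), the AJP connector from the question beside a version hardened along the lines Olaf describes for Tomcat 9.0.31 and later; the bind address and the shared secret are placeholders, and httpd is assumed to use mod_proxy_ajp:

```xml
<!-- server.xml excerpt (added example). Placeholder values must be replaced. -->

<!-- Connector as posted in the question. On 9.0.31+ it fails to start
     unless secretRequired is set to false, and with tomcatAuthentication
     set to false it trusts the AJP remote_user field from any client that
     can reach port 8009 on the interface it is bound to.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           tomcatAuthentication="false"/>
-->

<!-- Hardened connector. The default address is localhost since 9.0.31;
     because the httpd proxy here sits on another host, the connector is
     bound only to the internal interface that host can reach, and the
     AJP secret rejects any forwarded request that does not carry it. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="TOMCAT-INTERNAL-IP"
           secretRequired="true"
           secret="CHANGE-ME-long-random-value"
           tomcatAuthentication="false"/>

<!-- Note on remote_user: with tomcatAuthentication set to false Tomcat
     reads the principal from the AJP remote_user protocol field, which
     mod_proxy_ajp fills from the user httpd itself authenticated (an
     httpd auth module must set it); it is not an HTTP request header. -->
```

On the httpd side the same value is passed with `ProxyPass ajp://TOMCAT-INTERNAL-IP:8009 secret=CHANGE-ME-long-random-value` (the `secret` worker parameter is available in mod_proxy_ajp from httpd 2.4.42).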
