On 05.12.2011 10:42, oh...@cox.net wrote:

---- "André Warnier" <a...@ice-sa.com> wrote:
oh...@cox.net wrote:
...
---- Rainer Jung <rainer.j...@kippdata.de> wrote:
Although this thread has moved forward towards the role topic, I want to
give some info about the user forwarding by mod_jk. Some of it was
already present in previous posts.

1) In order to let Tomcat accept the user, you need to set
tomcatAuthentication to "false"

2) mod_jk will always forward the user as detected by the
     following logic:
     - the user as authenticated by Apache
     - if this doesn't exist it will forward the value of
       an Apache environment variable. The default name of the
       variable is "JK_REMOTE_USER", but it can be changed using
       the configuration directive "JkRemoteUserIndicator"

3) The user ID will *not* be forwarded in the form of a request header

4) The forwarded user id is logged in the JK log file on level debug
     as the "user" field in the line:

Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d
auth=%s user=%s laddr=%s raddr=%s uri=%s

5) There is no need to use JkEnvVar

6) When not using a real Apache authentication, you can instead
     set the Apache environment variable JK_REMOTE_USER
     e.g. via mod_setenvif or the E= syntax of mod_rewrite.
     If you change the name of the env var using JkRemoteUserIndicator
     use the variable name given there instead.

7) The Apache authenticated user can be logged in the Apache AccessLog
     using "%u". Any environment variable XXX can be logged using
     %{XXX}e.

8) The user can be logged in the Tomcat AccessLog using %u.

9) The user is returned by request.getRemoteUser() on the Tomcat side.

Regards,

Rainer



Hi Rainer,

Thanks for the great info above, esp. re. the JK_REMOTE_USER and 
JkRemoteUserIndicator.

I'm kind of well along the way with my valve, but I still have mod_jk for one 
proxy section, so I'll give those a try.

Hi Rainer.
Thanks also for the precise information.  We've missed you..

Jim, one more question:
At the Apache httpd level, when the user has been authenticated by OAM, /can/
you get the authenticated user's user-id? And how?



Hi,

On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that gets populated by the OAM agent, called "OAM_REMOTE_USER".

So if you want mod_jk to use the value of this header as the authenticated user name and forward it to Tomcat, you either:

a) have to rely on the Oracle module to correctly set the Apache internal request user field

b) or have to find a way to copy the value of this header into the environment variable JK_REMOTE_USER

Concerning a): Usually there's %u in the default LogFormat used by AccessLog. So have a look at the access log to check whether Apache outputs the correct user name. In that case mod_jk should automatically forward it. This in turn can be checked by the mentioned "Service" debug log line in the JK log.

If %u in the access log is empty, and the docs of the Oracle module do not give a solution how to set the real Apache request user, we are up to b).

First add %{OAM_REMOTE_USER} to the format/pattern configuration of your Apache and Tomcat access logs, so you can easily check what both think about the value of that header. Check that it is populated for both with the right user id.

Now we try to copy the value of the header OAM_REMOTE_USER to the Apache environment variable JK_REMOTE_USER.

As you can see in

http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif

it works like this (assuming you have enabled/loaded mod_setenvif):

SetEnvIf OAM_REMOTE_USER (.*) JK_REMOTE_USER=$1

Unfortunately this will only work if the Oracle module that populates the header runs before mod_setenvif.

Check whether the copying works by adding %{JK_REMOTE_USER}e to the format of your Apache AccessLog.

Finally look at the "Service" line in the jk debug log to see whether the right user info is now being forwarded. If so, the rest is to be done in Tomcat land.

Set tomcatAuthentication to "false" and check via request.getRemoteUser() whether you received the right user id.

I would do all this first using a basic test webapp in Tomcat, not your real app.

Finally: this is probably not secure, because

- everyone can send a request which already has a populated OAM_REMOTE_USER header. You would rely on the implementation detail that the Oracle module might always overwrite that header. Not sure if it does!

- everyone having access to the network port could start talking AJP13 directly to your Tomcat adding whatever remote user id she likes. The protocol is easy to fake.

Regards,

Rainer
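The header-to-env-var approach from Rainer's reply, collected into one httpd.conf fragment as an added example (not from the thread, the OAM agent or the mod_jk project). It also applies the AJP-side hardening for the second caveat; the worker name, log paths, URL prefix and the secret are placeholders, and whether the OAM module sets the header before mod_setenvif runs is an assumption you must verify with the log columns below.

```apache
# Added example: httpd.conf fragment for forwarding the OAM user via mod_jk.
# Assumes mod_setenvif, mod_log_config and mod_jk are loaded. Worker name,
# secret, paths and URL prefix are placeholders, not values from the thread.

# 1) Copy the OAM agent's request header into the env var mod_jk forwards
#    (default name JK_REMOTE_USER; change with JkRemoteUserIndicator).
#    Only effective if the OAM module has already populated the header
#    when mod_setenvif runs; confirm that with the access log before relying on it.
SetEnvIf OAM_REMOTE_USER "(.+)" JK_REMOTE_USER=$1

# 2) Log all three views of the user side by side for verification:
#    %u                   = Apache's own authenticated user (path a)
#    %{OAM_REMOTE_USER}i  = the request header as httpd sees it
#    %{JK_REMOTE_USER}e   = the env var mod_jk will forward (path b)
#    A non-empty oam= column on a request that carried the header from the
#    client is the sign that the first caveat (client-supplied header) applies.
LogFormat "%h %l %u %t \"%r\" %>s %b oam=\"%{OAM_REMOTE_USER}i\" jk=\"%{JK_REMOTE_USER}e\"" oamcheck
CustomLog logs/oam_check_log oamcheck

# 3) Debug-level JK log, so the "Service ... user=..." line shows what is forwarded.
JkLogFile  logs/mod_jk.log
JkLogLevel debug

# 4) Worker defined inline (JkWorkerProperty, mod_jk 1.2.7+). Tomcat should bind
#    AJP to loopback and require the same secret, so a client that can reach
#    port 8009 cannot speak AJP13 directly and inject a remote user of its choice.
JkWorkerProperty worker.list=ajp13
JkWorkerProperty worker.ajp13.type=ajp13
JkWorkerProperty worker.ajp13.host=127.0.0.1
JkWorkerProperty worker.ajp13.port=8009
JkWorkerProperty worker.ajp13.secret=CHANGE-ME-placeholder-secret

# Route only the test webapp through mod_jk while verifying.
JkMount /testapp/* ajp13
```

The matching Tomcat side is an AJP/1.3 connector with tomcatAuthentication="false", address="127.0.0.1" and requiredSecret set to the same placeholder value (Tomcat 9.0.31 and later call these attributes secret and secretRequired). Once the jk= column, the "Service" line's user= field and request.getRemoteUser() in the test webapp all agree, path b is working end to end.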

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org