On November 12, 2013 at 16:04, Shanti Suresh <sha...@umich.edu> wrote:
> I have Apache HTTPD running mod_cosign protecting some Tomcat URIs in
> a vendor application. Not all URIs are protected; only certain ones.
> HTTPD basically sends everything over to Tomcat. [...]
>
> how do I paint a "Logout" button in only the protected URIs before the
> pages get served to the user? The un-protected Tomcat URIs do not
> need a "Logout" button.
>
> (1) Since HTTPD knows what it is protecting, one idea would be to
> somehow have HTTPD "overlay" a Logout link that calls logout.jsp.
>
> (2) Another way would be to print a Logout button as part of the CSS
> for "secure" channels. But is there a way for Tomcat to find out that
> a URI is secure if HTTPD is the one that protects the URIs? I want to
> say "no", because the web-application inside Tomcat is oblivious to
> Cosign.
I would think very carefully before having a front-end (httpd) modify content generated by a back-end (Tomcat). While this is possible, it is fragile, inelegant, and potentially difficult to support. I'd be most concerned about the potential for breakage when something changes on the back-end (e.g., an upgrade).

You ask, "is there a way for Tomcat to find out that a URI is secure if HTTPD is the one that protects the URIs?" The answer to this is "yes": use mod_headers to pass information to Tomcat as request headers. You can do this with any environment variable that is set by httpd -- here is an example from a web application that cares about both the user's identity as well as which factors the user was authenticated with:

    RewriteCond %{LA-F:REMOTE_USER} (.+)
    RewriteRule ^.*$ - [E=X_REMOTE_USER:%1]

    # Don't allow the client web browser to inject these headers.  Also,
    # unsetting them and then setting them below with an env=... conditional
    # ensures that the headers will not get the value "(null)" when they
    # are passed to the proxy backend.
    RequestHeader unset X-Remote-User
    RequestHeader unset X-Cosign-Factor

    # Now set headers appropriately, if and only if values are available:
    RequestHeader set X-Remote-User %{X_REMOTE_USER}e env=X_REMOTE_USER
    RequestHeader set X-Cosign-Factor %{COSIGN_FACTOR}e env=COSIGN_FACTOR

Most web applications would not care about the factors, only whether the user was authenticated. You would then have your Java code look to see if a request header named X-Remote-User was present and set to a non-empty value; if it is, the URI is being protected by cosign, and the Java code can add a logout button to the page it is generating.

--
Mark Montague
m...@catseye.org
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
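The Tomcat side of the approach Mark describes, as an added example that is not from the thread, from cosign, or from the vendor application: a servlet filter that reads the X-Remote-User and X-Cosign-Factor headers set by httpd and exposes them as request attributes the page templates can test. The class name, attribute names and the `trustedProxies` init parameter are hypothetical. It assumes httpd forwards over mod_proxy_http, so `getRemoteAddr()` is the proxy's own address; the address check is a second line of defence behind the `RequestHeader unset` lines, for the case where Tomcat's connector is reachable from somewhere other than httpd.

```java
package example.cosign;  // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Turns the X-Remote-User / X-Cosign-Factor headers that mod_headers adds
 * into request attributes.  A JSP can then render a Logout link only when
 * the attribute is present, i.e. only on URIs that httpd protected.
 */
public class CosignHeaderFilter implements Filter {

    public static final String REMOTE_USER_ATTR = "cosign.remoteUser";
    public static final String FACTORS_ATTR = "cosign.factors";

    // Addresses the headers may be accepted from.  Default: loopback only.
    // Assumption: httpd and Tomcat share a host and talk over mod_proxy_http.
    private Set<String> trustedProxies = new HashSet<String>(Arrays.asList("127.0.0.1", "::1"));

    @Override
    public void init(FilterConfig config) {
        String raw = config.getInitParameter("trustedProxies");  // e.g. "10.0.0.5,127.0.0.1"
        if (raw != null && !raw.trim().isEmpty()) {
            trustedProxies = new HashSet<String>(Arrays.asList(raw.trim().split("\\s*,\\s*")));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String user = resolveRemoteUser(http.getRemoteAddr(), http.getHeader("X-Remote-User"));
            if (user != null) {
                req.setAttribute(REMOTE_USER_ATTR, user);
                String factors = http.getHeader("X-Cosign-Factor");
                if (factors != null && !factors.trim().isEmpty()) {
                    req.setAttribute(FACTORS_ATTR, factors.trim());
                }
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns the authenticated user name when the header came from a trusted
     * proxy and carries a real value; otherwise null.  "(null)" is rejected
     * explicitly because that is what an unconditional RequestHeader set
     * would forward when the httpd environment variable is unset.
     */
    String resolveRemoteUser(String remoteAddr, String header) {
        if (remoteAddr == null || !trustedProxies.contains(remoteAddr)) {
            return null;
        }
        if (header == null) {
            return null;
        }
        String value = header.trim();
        if (value.isEmpty() || "(null)".equals(value)) {
            return null;
        }
        return value;
    }

    @Override
    public void destroy() {
    }
}
```

Register the filter in web.xml with a `<filter-mapping>` on `/*`, and in the page template test the attribute rather than the raw header, e.g. `<% if (request.getAttribute("cosign.remoteUser") != null) { %><a href="logout.jsp">Logout</a><% } %>`. If httpd forwards over AJP instead of mod_proxy_http, Tomcat reports the original client's address from `getRemoteAddr()`, so the trusted-proxy check above would reject every request; in that deployment, drop the address check and instead bind the AJP connector to the loopback address so that only httpd can reach it.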