On Tue, Nov 12, 2013 at 10:17 PM, Andrew Mortensen <and...@weblogin.org> wrote:

>This should be possible using mod_substitute:
>
>         <http://httpd.apache.org/docs/2.2/mod/mod_substitute.html>
>
Thanks, Andrew.   Good to know of "mod_substitute".


On Wed, Nov 13, 2013 at 8:12 AM, Mark Montague <m...@catseye.org> wrote:

>
> I would think very carefully before having a front-end (httpd) modify
> content generated by a back-end (Tomcat).  While this is possible, it is
> fragile, inelegant, and potentially difficult to support.  I'd be most
> concerned about the potential for breakage when something changes on the
> back-end (e.g., an upgrade).
>
>
Yes.  I would like to do it in Tomcat for sure.


> You ask, "is there a way for Tomcat to find out that a URI is secure if
> HTTPD is the one that protects the URIs?"  The answer to this is "yes":
>  use mod_headers to pass information to Tomcat as request headers.  You can
> do this with any environment variable that is set by httpd -- here is an
> example from a web application that cares about both the user's identity as
> well as which factors the user was authenticated with:
>
>     RewriteCond %{LA-F:REMOTE_USER} (.+)
>     RewriteRule ^.*$ - [E=X_REMOTE_USER:%1]
>     # Don't allow the client web browser to inject these headers. Also,
>     # unsetting them and then setting them below with an env=... conditional
>     # ensures that the headers will not get the value "(null)" when they
>     # are passed to the proxy backend.
>     RequestHeader unset X-Remote-User
>     RequestHeader unset X-Cosign-Factor
>     # Now set headers appropriately, if and only if values are available:
>     RequestHeader set X-Remote-User %{X_REMOTE_USER}e env=X_REMOTE_USER
>     RequestHeader set X-Cosign-Factor %{COSIGN_FACTOR}e env=COSIGN_FACTOR
>
> Most web applications would not care about the factors, only whether the
> user was authenticated.  You would then have your Java code look to see if
> a request header named X-Remote-User was present and set to a non-empty
> value; if it is, the URI is being protected by cosign, and the Java code
> can add a logout button to the page it is generating.
>
>
>
Perfect!  Thanks for the directives, Mark.

                           -Shanti
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
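
Added example (not part of the thread, and not code from Cosign or from either poster): a servlet filter on the Tomcat side that performs the X-Remote-User check described above and exposes the result to the page that renders the logout button. The class name, the attribute name and the trusted proxy address are assumptions; it also assumes httpd reaches Tomcat over mod_proxy_http, so that `getRemoteAddr()` returns httpd's address rather than the browser's.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical filter name; map it to the application's pages in web.xml.
public class CosignUserFilter implements Filter {
    // Assumption: httpd runs on the same host and proxies over HTTP
    // (mod_proxy_http), so Tomcat sees httpd's address as the peer.
    private static final Set<String> TRUSTED_PROXIES =
            Collections.singleton("127.0.0.1");

    // Hypothetical attribute name read by the page template.
    public static final String USER_ATTR = "cosignUser";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = null;
        // Only believe the header when the request came through httpd,
        // which unsets any client-supplied X-Remote-User before setting its own.
        if (TRUSTED_PROXIES.contains(http.getRemoteAddr())) {
            String header = http.getHeader("X-Remote-User");
            if (header != null && !header.trim().isEmpty()) {
                user = header.trim();
            }
        }
        if (user != null) {
            // The page renders the logout button only when this is present.
            http.setAttribute(USER_ATTR, user);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The header is only as trustworthy as the path it arrived on: if Tomcat's connector is reachable without going through httpd, a client can supply X-Remote-User itself, so bind the connector to the proxy-facing interface as well as checking the peer address.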