Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-16 Thread ohaya
 
Hi Andre (and Christopher and Olaf),

I think that that is a good summary of where this is at this point.

Thanks!

Jim
On Saturday, May 16, 2020, 08:23:54 AM EDT, André Warnier (tomcat/perl) wrote:

Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-16 Thread tomcat/perl

In summary, yes, I think you're right in your final conclusion below.

If the tomcat access log shows the authenticated user, it means that tomcat got it, and I 
see no other way than from Apache and through that "tomcatAuthentication=false" option of 
the tomcat AJP connector.

And that in turn means that, for Apache, this request was authenticated, which in turn 
means that OAM /did/ also set the Apache-internal R->user variable.

The values printed by your Apache cgi-bin script are maybe a bit confusing regarding what 
is going on, because they are the result of a different (and parallel) process: when 
Apache runs a cgi-bin script, it does this in a separate child process, and when it 
creates this process, it provides it with an environment. And that is what your cgi-bin 
script is showing (its own environment values).
That in this environment, Apache creates a "remote-user" variable and populates it with 
the Apache authenticated user-id, is fortuitous but unrelated to the fact that 
Apache+mod_proxy_ajp *also* passes this authenticated user-id via AJP to tomcat.

So now indeed, you have to figure out why this tomcat webapp wants the browser to retrieve 
a login page, despite the fact that this access is already authenticated.
But indeed this is no longer an Apache or a tomcat or tomcat Connector issue, it is a 
webapp logic or configuration issue.



On 16.05.2020 08:40, ohaya wrote:

Hi,

When I configure the OAM protection, they have the ability to configure values 
that go into HTTP headers (among other things) upon successful authentication 
(to OAM).

I usually test this by protecting /cgi-bin/printenv on the Apache. printenv has 
this:

##
## printenv -- demo CGI program which just prints its environment
##
use strict;
use warnings;

print "Content-type: text/plain; charset=iso-8859-1\n\n";
foreach my $var (sort(keys(%ENV))) {
    my $val = $ENV{$var};
    $val =~ s|\n|\\n|g;      # escape newlines so each variable stays on one line
    $val =~ s|"|\\"|g;       # escape embedded double quotes
    print "${var}=\"${val}\"\n";
}

and when I do that test, it does dump out remote_user (among others).

Also FYI, I was just looking at the Tomcat localhost_access_log..txt 
file, and I am seeing lines like:

xx.0.xx.xx -  [16/May/2020:06:18:41 +] "GET /xxx/login 
HTTP/1.1" 302 -

where  is the username of the user that authenticated to OAM.

I am not 100% sure about the format of that log, but does that line say that Tomcat thinks 
that the user that is logged INTO TOMCAT is that ?

If so, then does that mean that I am already passing that user from Apache into 
Tomcat successfully?

If so, I have been thinking that maybe the webapp that I am trying to get logged 
into (it is Apache Syncope) is not leveraging the authentication mechanisms 
that are inbuilt in Tomcat?

That kind of makes sense, because I know that I didn't have to add that user to 
the tomcat-users.xml.

Finally if that is the case, this is no longer just a Tomcat-related issue.

Jim


On Friday, May 15, 2020, 09:38:19 AM EDT, Christopher Schultz wrote:


Jim,

On 5/15/20 08:42, ohaya wrote:

Yes, I am using Oracle Access Manager (OAM) so we have what they
call an "OAM webgate" that is integrated with the Apache. That
webgate automatically populates an HTTP header named "remote_user"
with the user that OAM authenticated.

So the problem I'm having is trying to figure out how to "integrate"
that with Tomcat.


Okay.


So we have:

Browser <==> Apache+webgate <==> Tomcat (webapp)


Good.

First things first: Do you get your pages from Tomcat, but you aren't
authenticated, or do you get some other kind of error? Sounds like you
see your application, just no authentication.

If this is your first time doing this, I assume you mean you're trying
to figure out how to get it done, not trying to move a working
configuration from another environment/version to Tomcat 9, right?

There is nothing in the configuration you have posted so far that
leads me to believe you'll be sending any REMOTE_USER HTTP header to
Tomcat. Apache httpd doesn't (usually) auto-forward anything to
Tomcat. Your OAM module is more likely setting an environment variable
(remote_user) than an HTTP header. But it might be setting a header.
That would be good information to know.

To send arbitrary headers (etc.) to Tomcat via mod_proxy_ajp, you need
to configure it to do that. Let's take a look at the Tomcat
documentation to see how tomcatAuthentication="false" works.

Awesome, the documentation says nothing about how to tie into it.
Well, the code says that tomcatAuthentication="false" means that AJP
can accept the REMOTE_USER /request attribute/ which is a special
servlet-thing which isn't the same as a header. So you have to arrange
for mod_proxy_ajp to send your "remote_user" (header or environment
variable) to Tomcat as a request attribute.

Here's how to do that. According to the mod_proxy_ajp docs:

"
Environment Variables

Environment variables whose names have the prefix AJP_ are forwarded
to the origin ser
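As an added example (not from the thread, and not the httpd or Tomcat projects' own configuration), an httpd 2.4 fragment that does what Christopher and André describe: the user httpd authenticated reaches Tomcat as the AJP remote_user attribute without any extra directive, while any other value is forwarded by setting an AJP_-prefixed environment variable. The path /syncope, the attribute name OAM_USER and the shared secret are assumptions; the matching Tomcat 9 connector is shown in the trailing comment.

```apache
# Added example (not from the thread): httpd 2.4 fragment fronting a Tomcat 9
# webapp over AJP. The path, the OAM_USER name and the secret are assumptions.
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule rewrite_module   modules/mod_rewrite.so

<Location "/syncope">
    # Whatever authenticates the request here (the OAM webgate in the thread)
    # sets httpd's internal r->user. mod_proxy_ajp forwards r->user by itself as
    # the AJP remote_user attribute; Tomcat turns it into the container principal
    # (request.getRemoteUser()) only when the connector has tomcatAuthentication="false".

    # Any other value has to be handed over explicitly: environment variables
    # prefixed AJP_ are sent as AJP request attributes with the prefix removed,
    # so the webapp sees this one as request.getAttribute("OAM_USER").
    # Here the value is copied from the remote_user request header the webgate sets.
    RewriteEngine On
    RewriteCond %{HTTP:remote_user} ^(.+)$
    RewriteRule ^ - [E=AJP_OAM_USER:%1]

    # secret= (httpd 2.4.42 and later) must match the connector's secret attribute.
    ProxyPass        "ajp://127.0.0.1:8009/syncope" secret=CHANGE_ME_SHARED_SECRET
    ProxyPassReverse "ajp://127.0.0.1:8009/syncope"
</Location>

# Matching connector in Tomcat's conf/server.xml (kept as a comment so the
# example stays in one file). With tomcatAuthentication="false" Tomcat trusts
# whatever user the AJP peer asserts, so the connector stays on loopback and
# requires the shared secret. Since Tomcat 9.0.31 a request attribute outside
# the fixed AJP list, such as OAM_USER, is rejected with 403 unless it matches
# allowedRequestAttributesPattern.
#
#   <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
#              secretRequired="true" secret="CHANGE_ME_SHARED_SECRET"
#              tomcatAuthentication="false"
#              allowedRequestAttributesPattern="OAM_USER"
#              redirectPort="8443" />
```

Whether the webapp then uses the container principal is a separate question: request.getRemoteUser() is only populated from the AJP remote_user attribute, so a webapp with its own login form (as the thread suspects of Syncope) will still redirect to /login.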