Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-17 Thread Nikhil
On Wed, Jul 16, 2008 at 8:06 PM, Rainer Jung [EMAIL PROTECTED]
wrote:

  Thanks Rainer.  If I want to explicitly pass an environment variable from
 the httpd to the tomcat, I am using the RequestHeader, JkEnvVar, Setenv
 but
 unable to have them as it is passed in the tomcat... how do I go about
 that?
 While I am completely convinced to use getRemoteUser() method only for
 getting the authenticated principal...


 If you've already set a value in some variable xxx, then you configure

 JkEnvVar xxx

 On the Tomcat side, you retrieve the value by request.getAttribute(xxx);


 Regards,

 Rainer


Thanks Rainer.

  SetHandler jakarta-servlet
  SetEnv JK_WORKER_NAME my-tomcat
  JkEnvVar REMOTE_USER

This is working now... I am able to read the REMOTE_USER variable via
getAttribute method.
I was blindly using two arguments to JkEnvVar earlier.

Thanks a lot for all the patience and help!. :-)

Regards, Nikhil


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-16 Thread André Warnier

Nikhil wrote:

On Tue, Jul 15, 2008 at 6:35 PM, Rainer Jung [EMAIL PROTECTED]
wrote:

What do you expect to be the value of the 'REMOTE_USER' variable? Do you

expect something else, than what you get from request.getRemoteUser()? What
do you mean by variable? Maybe an httpd environment Variable?



Precisely. I also need the httpd environment variable REMOTE_USER  also
passed to the tomcat  I have this in my httpd.conf ... and I am reading
all the environment variables(apart from the headers) in the jsp but have
these values set to null... am I missing anything specific with these
directives?


  SetHandler jakarta-servlet
  RequestHeader set X_REMOTE_USER %{RU}e
  SetEnv SET_REMOTE_USER %{REMOTE_USER}e
  JkEnvVar JK_REMOTE_USER %{remoteUser}e

As far as I know, REMOTE_USER is a *http header* of the request, added 
automatically by the browser if the user is authenticated.  And as all 
http request headers, it is always passed on to Tomcat.
At the Tomcat level, you can retrieve it like any other http header (I 
don't remember the precise way).

But this has nothing to do with environment values.
In other words, you do not really need to mess around with environment 
values in Apache/Tomcat (like above), just retrieve the corresponding 
http header, it should already be there.

No ?

André


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-16 Thread Rainer Jung

Nikhil wrote:

On Tue, Jul 15, 2008 at 6:35 PM, Rainer Jung [EMAIL PROTECTED]
wrote:

What do you expect to be the value of the 'REMOTE_USER' variable? Do you

expect something else, than what you get from request.getRemoteUser()? What
do you mean by variable? Maybe an httpd environment Variable?



Precisely. I also need the httpd environment variable REMOTE_USER  also
passed to the tomcat  I have this in my httpd.conf ... and I am reading
all the environment variables(apart from the headers) in the jsp but have
these values set to null... am I missing anything specific with these
directives?


  SetHandler jakarta-servlet
  RequestHeader set X_REMOTE_USER %{RU}e
  SetEnv SET_REMOTE_USER %{REMOTE_USER}e
  JkEnvVar JK_REMOTE_USER %{remoteUser}e


To repeat two of my questions:

What do you expect to be the value of the 'REMOTE_USER' variable?

Do you expect something else, than what you get from 
request.getRemoteUser()?


After I understand that, we can find an appropriate solution.

Regards,

Rainer




Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-16 Thread Nikhil
On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung [EMAIL PROTECTED]
wrote:


 To repeat two of my questions:

 What do you expect to be the value of the 'REMOTE_USER' variable?

 Do you expect something else, than what you get from
 request.getRemoteUser()?

 After I understand that, we can find an appropriate solution.


 Regards,

 Rainer


Hi Rainer,

REMOTE_USER variable value is always expected to be as set by the httpd
process and passed onto the tomcat.
Do you expect something else, than what you get from
request.getRemoteUser()?
No, but I would not want to have this method invoked every time I want to
know a logged in account instead an already set (global)  variable value
(preferably by httpd and passed onto the tomcat) would do.

Regards, Nikhil


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-16 Thread Nikhil
I tried using both getAttribute methods and getHeaderNames/getHeaders
methods but unfortunately the variables are set to null

On Wed, Jul 16, 2008 at 2:01 PM, André Warnier [EMAIL PROTECTED] wrote:

 Nikhil wrote:

 On Tue, Jul 15, 2008 at 6:35 PM, Rainer Jung [EMAIL PROTECTED]
 wrote:

 What do you expect to be the value of the 'REMOTE_USER' variable? Do you

 expect something else, than what you get from request.getRemoteUser()?
 What
 do you mean by variable? Maybe an httpd environment Variable?


  Precisely. I also need the httpd environment variable REMOTE_USER  also
 passed to the tomcat  I have this in my httpd.conf ... and I am
 reading
 all the environment variables(apart from the headers) in the jsp but have
 these values set to null... am I missing anything specific with these
 directives?


  SetHandler jakarta-servlet
  RequestHeader set X_REMOTE_USER %{RU}e
  SetEnv SET_REMOTE_USER %{REMOTE_USER}e
  JkEnvVar JK_REMOTE_USER %{remoteUser}e

  As far as I know, REMOTE_USER is a *http header* of the request, added
 automatically by the browser if the user is authenticated.  And as all http
 request headers, it is always passed on to Tomcat.
 At the Tomcat level, you can retrieve it like any other http header (I
 don't remember the precise way).
 But this has nothing to do with environment values.
 In other words, you do not really need to mess around with environment
 values in Apache/Tomcat (like above), just retrieve the corresponding http
 header, it should already be there.
 No ?

 André







-- 
Nikhil

Google is Great !


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-16 Thread Rainer Jung

Nikhil wrote:

On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung [EMAIL PROTECTED]
wrote:


To repeat two of my questions:

What do you expect to be the value of the 'REMOTE_USER' variable?

Do you expect something else, than what you get from
request.getRemoteUser()?

After I understand that, we can find an appropriate solution.


Regards,

Rainer



Hi Rainer,

REMOTE_USER variable value is always expected to be as set by the httpd
process and passed onto the tomcat.

Do you expect something else, than what you get from

request.getRemoteUser()?
No, but I would not want to have this method invoked every time I want to
know a logged in account instead an already set (global)  variable value
(preferably by httpd and passed onto the tomcat) would do.


OK. REMOTE_USER goes back to the times of CGI. At that time the web
server could only pass along information to the CGI process via
environment variables, because it had to start an external process for
doing CGI.


The servlet spec tries to make the same information available in the 
context of a java web container. The correct way of retrieving the name 
of the authenticated user from the container *is* 
request.getRemoteUser(). In java you would nearly always implement a 
global variable as a member of some object, which you retrieve via a 
getter function. request.getRemoteUser() is the right and standards 
conforming way to do it.


When the web container has a web server in front, e.g. Apache httpd and 
a connection component like mod_jk, usually the combination tries to 
hide the information, that the architecture is more complex, from the 
webapp developer. So Apache/mod_jk/Tomcat correctly configured provide 
the user name authenticated by httpd to the webapp in exactly the same 
way, as it would be seen without Apache and mod_jk. That way the 
developer doesn't have to know the details. So using 
request.getRemoteUser() still is the correct way.


The only thing to configure is tomcatAuthentication=false in order to
tell Tomcat to trust the authentication done by Apache and not try to do 
authentication itself.


Regards,

Rainer




Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-16 Thread Nikhil
Thanks for the explanation, Rainer. Fine, I am going with using the method
only then...
Regards,
Nikhil

On Wed, Jul 16, 2008 at 3:22 PM, Rainer Jung [EMAIL PROTECTED]
wrote:

 Nikhil wrote:

  On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung [EMAIL PROTECTED]
 wrote:

  To repeat two of my questions:

 What do you expect to be the value of the 'REMOTE_USER' variable?

 Do you expect something else, than what you get from
 request.getRemoteUser()?

 After I understand that, we can find an appropriate solution.


 Regards,

 Rainer


 Hi Rainer,

 REMOTE_USER variable value is always expected to be as set by the httpd
 process and passed onto the tomcat.

 Do you expect something else, than what you get from

 request.getRemoteUser()?
 No, but I would not want to have this method invoked every time I want to
 know a logged in account instead an already set (global)  variable value
 (preferably by httpd and passed onto the tomcat) would do.


 OK. REMOTE_USER goes back to the times of CGI. At that time the web server
 could only pass along information to the CGI process via environment
 variables, because it had to start an external process for doing CGI.

 The servlet spec tries to make the same information available in the
 context of a java web container. The correct way of retrieving the name of
 the authenticated user from the container *is* request.getRemoteUser(). In
 java you would nearly always implement a global variable as a member of
 some object, which you retrieve via a getter function.
 request.getRemoteUser() is the right and standards conforming way to do it.

 When the web container has a web server in front, e.g. Apache httpd and a
 connection component like mod_jk, usually the combination tries to hide the
 information, that the architecture is more complex, from the webapp
 developer. So Apache/mod_jk/Tomcat correctly configured provide the user
 name authenticated by httpd to the webapp in exactly the same way, as it
 would be seen without Apache and mod_jk. That way the developer doesn't have
 to know the details. So using request.getRemoteUser() still is the correct
 way.

 The only thing to configure is tomcatAuthentication=false in order to tell
 Tomcat to trust the authentication done by Apache and not try to do
 authentication itself.


 Regards,

 Rainer





-- 
Nikhil

Google is Great !


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-16 Thread Nikhil
On Wed, Jul 16, 2008 at 3:22 PM, Rainer Jung [EMAIL PROTECTED]
wrote:

 Nikhil wrote:

  On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung [EMAIL PROTECTED]
 wrote:

  To repeat two of my questions:

 What do you expect to be the value of the 'REMOTE_USER' variable?

 Do you expect something else, than what you get from
 request.getRemoteUser()?

 After I understand that, we can find an appropriate solution.


 Regards,

 Rainer


 Hi Rainer,

 REMOTE_USER variable value is always expected to be as set by the httpd
 process and passed onto the tomcat.

 Do you expect something else, than what you get from

 request.getRemoteUser()?
 No, but I would not want to have this method invoked every time I want to
 know a logged in account instead an already set (global)  variable value
 (preferably by httpd and passed onto the tomcat) would do.


 OK. REMOTE_USER goes back to the times of CGI. At that time the web server
 could only pass along information to the CGI process via environment
 variables, because it had to start an external process for doing CGI.

 The servlet spec tries to make the same information available in the
 context of a java web container. The correct way of retrieving the name of
 the authenticated user from the container *is* request.getRemoteUser(). In
 java you would nearly always implement a global variable as a member of
 some object, which you retrieve via a getter function.
 request.getRemoteUser() is the right and standards conforming way to do it.

 When the web container has a web server in front, e.g. Apache httpd and a
 connection component like mod_jk, usually the combination tries to hide the
 information, that the architecture is more complex, from the webapp
 developer. So Apache/mod_jk/Tomcat correctly configured provide the user
 name authenticated by httpd to the webapp in exactly the same way, as it
 would be seen without Apache and mod_jk. That way the developer doesn't have
 to know the details. So using request.getRemoteUser() still is the correct
 way.

 The only thing to configure is tomcatAuthentication=false in order to tell
 Tomcat to trust the authentication done by Apache and not try to do
 authentication itself.


 Regards,

 Rainer


Thanks Rainer.  If I want to explicitly pass an environment variable from
the httpd to the tomcat, I am using the RequestHeader, JkEnvVar, Setenv but
unable to have them as it is passed in the tomcat... how do I go about
that?
While I am completely convinced to use getRemoteUser() method only for
getting the authenticated principal...


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-16 Thread Rainer Jung

Thanks Rainer.  If I want to explicitly pass an environment variable from
the httpd to the tomcat, I am using the RequestHeader, JkEnvVar, Setenv but
unable to have them as it is passed in the tomcat... how do I go about
that?
While I am completely convinced to use getRemoteUser() method only for
getting the authenticated principal...


If you've already set a value in some variable xxx, then you configure

JkEnvVar xxx

On the Tomcat side, you retrieve the value by request.getAttribute(xxx);

Regards,

Rainer





Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-15 Thread Nikhil
I am still not able to get this straight. Looking at the server.xml tells me
there is a userDatabase resource that is looked which I may need  to
comment? Could you please confirm?
I am posting my server.xml (tomcat-6.0.16) for thoroughness so I do not miss
any points here : Please let me know if I need to make any changes to
configuration file.

Thanks, Nikhil

-
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the License); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an AS IS BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A Server is not itself a Container, so you may not
     define subcomponents such as Valves at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="64005" shutdown="SHUTDOWN">

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A Service is a collection of one or more Connectors that share
       a single Container Note:  A Service is not itself a Container,
       so you may not define subcomponents such as Valves at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A Connector represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="64080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />
    <!-- A Connector using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="64080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="64083" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="64089" protocol="AJP/1.3" enableLookups="false"
               tomcatAuthentication="false" redirectPort="8443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference 

Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-15 Thread Nikhil
While I am at it, I found this interesting information from the jk_logs:

[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_uri_worker_map.c (589):
Attempting to map URI '/examples/jsp/rheaders.jsp' from 0 maps
[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_uri_worker_map.c (589):
Attempting to map URI '/examples/jsp/rheaders.jsp' from 0 maps
[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (2092): Single
worker (default) configuration for /examples/jsp/rheaders.jsp
[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (2111): Into
handler jakarta-servlet worker=default r-proxyreq=0
[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_worker.c (114): found a
worker default
[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_worker.c (321):
Maintaining worker default
[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] jk_worker.c (290): Found
worker type 'ajp13'
[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (607): Service
protocol=HTTP/1.1 method=GET host=(null) addr=149.77.175.155 name=
is3.hyd.deshaw.com port=8080 auth=(null) user=(null) laddr=149.77.160.20raddr=
149.77.175.155

--

If noticed, auth=(null) and user=(null) are being set ... but I wonder why?
Do I have to look somewhere else to make any changes too ?

On Tue, Jul 15, 2008 at 12:39 PM, Nikhil [EMAIL PROTECTED] wrote:

 I am still not able to get this straight. Looking at the server.xml tells
 me there is a userDatabase resource that is looked which I may need  to
 comment? Could you please confirm?
 I am posting my server.xml (tomcat-6.0.16) for thoroughness so I do not
 miss any points here : Please let me know if I need to make any changes to
 configuration file.

 Thanks, Nikhil


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-15 Thread Rainer Jung

Nikhil wrote:

[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (607): Service
protocol=HTTP/1.1 method=GET host=(null) addr=149.77.175.155 name=
is3.hyd.deshaw.com port=8080 auth=(null) user=(null) laddr=149.77.160.20raddr=
149.77.175.155

--

If noticed, auth=(null) and user=(null) are being set ... but I wonder why?
Do I have to look somewhere else to make any changes too ?


That means, Apache httpd did not provide any authentication information. 
Looks like your authentication setup doesn't even work inside httpd.


If it does work, the user name should get logged in your access log. 
Usually the default log format for the access log of httpd is common, 
which contains the authenticated user name in the third column (%u).


If it isn't shown in the httpd access log, then you need to fix your 
authentication setup in httpd first.


Regards,

Rainer
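
The check described in the message above, as an added example that is not part of the original thread: it reads the third column (%u) of httpd access log lines in the common format and the auth=/user= fields of the mod_jk debug "Service" line. The function names are hypothetical and the log lines are constructed samples (documentation addresses, example host and principal).

```python
import re

# Apache "common" log format: %h %l %u %t "%r" %>s %b  (%u is the third field)
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# auth= and user= fields of the mod_jk debug "Service" line quoted in the thread
JK_FIELD = re.compile(r'\b(auth|user)=(\S+)')


def served_without_user(access_lines, prefix):
    """Return (path, status) for requests under `prefix` that httpd served
    (status < 400) while %u was "-", i.e. no authentication was applied.
    A 401 with "-" is the normal authentication challenge and is skipped."""
    hits = []
    for line in access_lines:
        m = CLF.match(line)
        if not m or not m.group("path").startswith(prefix):
            continue
        status = int(m.group("status"))
        if m.group("user") == "-" and status < 400:
            hits.append((m.group("path"), status))
    return hits


def jk_identities(jk_lines):
    """Return (auth, user) for every mod_jk "Service" debug line.
    "(null)" means httpd handed mod_jk no auth type or user name."""
    out = []
    for line in jk_lines:
        if "Service protocol=" not in line:
            continue
        fields = {k: (None if v == "(null)" else v)
                  for k, v in JK_FIELD.findall(line)}
        out.append((fields.get("auth"), fields.get("user")))
    return out


# Constructed sample input: the JSP path is the one from the thread,
# addresses, host name and principal are placeholders.
ACCESS_LOG = [
    '192.0.2.10 - - [15/Jul/2008:12:57:40 +0000] '
    '"GET /examples/jsp/rheaders.jsp HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Jul/2008:13:05:01 +0000] '
    '"GET /examples/jsp/rheaders.jsp HTTP/1.1" 401 401',
    '192.0.2.10 - alice@EXAMPLE.ORG [15/Jul/2008:13:05:02 +0000] '
    '"GET /examples/jsp/rheaders.jsp HTTP/1.1" 200 512',
]
JK_LOG = [
    '[Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (607): '
    'Service protocol=HTTP/1.1 method=GET host=(null) addr=192.0.2.10 '
    'name=www.example.org port=8080 auth=(null) user=(null) '
    'laddr=192.0.2.1 raddr=192.0.2.10',
    '[Tue Jul 15 13:05:02 2008] [20026:0001] [debug] mod_jk.c (607): '
    'Service protocol=HTTP/1.1 method=GET host=(null) addr=192.0.2.10 '
    'name=www.example.org port=8080 auth=Negotiate user=alice@EXAMPLE.ORG '
    'laddr=192.0.2.1 raddr=192.0.2.10',
]

if __name__ == "__main__":
    for path, status in served_without_user(ACCESS_LOG, "/examples/"):
        print("served without an authenticated user:", status, path)
    for auth, user in jk_identities(JK_LOG):
        print("mod_jk forwards auth=%s user=%s" % (auth, user))
```

A request that shows up in the first list was answered without httpd ever asking for credentials, which points at the authentication directives not covering that location rather than at mod_jk or Tomcat.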




Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-15 Thread Nikhil
On Tue, Jul 15, 2008 at 2:23 PM, Rainer Jung [EMAIL PROTECTED]
wrote:

 Nikhil wrote:

 [Tue Jul 15 12:57:40 2008] [20026:0001] [debug] mod_jk.c (607): Service
 protocol=HTTP/1.1 method=GET host=(null) addr=149.77.175.155 name=
 is3.hyd.deshaw.com port=8080 auth=(null) user=(null)
 laddr=149.77.160.20raddr=
 149.77.175.155

 --

 If noticed, auth=(null) and user=(null) are being set ... but I wonder
 why?
 Do I have to look somewhere else to make any changes too ?


 That means, Apache httpd did not provide any authentication information.
 Looks like your authentication setup doesn't even work inside httpd.

 If it does work, the user name should get logged in your access log.
 Usually the default log format for the access log of httpd is common,
 which contains the authenticated user name in the third column (%u).

 If it isn't shown in the httpd access log, then you need to fix your
 authentication setup in httpd first.

 Regards,


 Rainer



That's right and clueful. Yes, I modified my httpd.conf to include the webapp
location that I was going through and it updated the remote user, I was able
to have the result now properly set from the request.getRemoteUser call.
BUT, again, I was not able to pass the 'REMOTE_USER' variable. How can I do
that in my httpd.conf.. any ideas what else do I need to add more in my
httpd.conf ?

Thanks again, Rainer.


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-15 Thread Rainer Jung

That's right and clueful. Yes, I modified my httpd.conf to include the webapp
location that I was going through and it updated the remote user, I was able
to have the result now properly set from the request.getRemoteUser call.


Fine.


BUT, again, I was not able to pass the 'REMOTE_USER' variable. How can I do
that in my httpd.conf.. any ideas what else do I need to add more in my
httpd.conf ?


I don't understand, what you mean by pass the 'REMOTE_USER' variable. 
If you want to pass the name of the authenticated user, that's 
request.getRemoteUser(), which now works.


What do you expect to be the value of the 'REMOTE_USER' variable? Do you 
expect something else, than what you get from request.getRemoteUser()?
What do you mean by variable? Maybe an httpd environment Variable?


Regards,

Rainer




Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-15 Thread Nikhil
On Tue, Jul 15, 2008 at 6:35 PM, Rainer Jung [EMAIL PROTECTED]
wrote:

What do you expect to be the value of the 'REMOTE_USER' variable? Do you
 expect something else, than what you get from request.getRemoteUser()? What
 do you mean by variable? Maybe an httpd environment Variable?


Precisely. I also need the httpd environment variable REMOTE_USER  also
passed to the tomcat  I have this in my httpd.conf ... and I am reading
all the environment variables(apart from the headers) in the jsp but have
these values set to null... am I missing anything specific with these
directives?


  SetHandler jakarta-servlet
  RequestHeader set X_REMOTE_USER %{RU}e
  SetEnv SET_REMOTE_USER %{REMOTE_USER}e
  JkEnvVar JK_REMOTE_USER %{remoteUser}e


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Rainer Jung

Nikhil wrote:



The remote user gets forwarded automatically, but in order to make Tomcat
accept that info and not try to authenticate itself, you need to set
tomcatAuthentication=false in the ajp connector element in server.xml.

See also http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html


If you want to forward additional info, you could use httpd env vars and
JkEnvVars. On the Tomcat side, retrieve those via
request.getAttribute(MyEnvVar).


I am using Tomcat -5.5.12 and this is what I have in my server.xml
configuration for http:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="64083" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS" />
-->


I could not lookup for the attribute tomcatAuthentication in the
configuration however.


First of all 5.5.12 is very outdated and also very early in the 5.5 
release cycle.


You need to add 'tomcatAuthentication=false' in the Connector element 
for your AJP connector. The connector you showed us above is


- an https connector
- a comment and not active

At least two good reasons, why this is not the right one. The AJP 
Connector is the one, which uses port 8009 in the default configuration 
and which you can identify by 'protocol=AJP/1.3'.


Regards,

Rainer
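
The point made in the message above, as an added example that is not part of the original thread: a small audit of a server.xml that reports whether an active AJP connector carries tomcatAuthentication="false", or whether the attribute sits on a non-AJP connector or inside a comment. The function names and finding codes are hypothetical; the sample documents are constructed and reuse the port numbers quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def is_ajp(connector):
    # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
    return "ajp" in connector.get("protocol", "HTTP/1.1").lower()


def audit_server_xml(text):
    """Return (port, finding) tuples; an empty list means the active AJP
    connector is set up to accept the user authenticated by httpd."""
    findings = []
    # The XML parser discards comments, so only active connectors are seen.
    connectors = list(ET.fromstring(text).iter("Connector"))
    if not any(is_ajp(c) for c in connectors):
        findings.append((None, "NO_ACTIVE_AJP_CONNECTOR"))
    for c in connectors:
        port, value = c.get("port"), c.get("tomcatAuthentication")
        if is_ajp(c):
            # Default is true: Tomcat authenticates itself and ignores httpd.
            if (value or "true").lower() != "false":
                findings.append((port, "AJP_CONNECTOR_DOES_OWN_AUTH"))
        elif value is not None:
            # The attribute belongs on the AJP connector only.
            findings.append((port, "ATTRIBUTE_ON_NON_AJP_CONNECTOR"))
    for body in COMMENT.findall(text):
        if "tomcatAuthentication" in body:
            findings.append((None, "ATTRIBUTE_INSIDE_COMMENT"))
    return findings


def server_xml(connectors):
    # Constructed sample wrapper around the connector elements under test.
    return ('<Server port="64005" shutdown="SHUTDOWN"><Service name="Catalina">'
            + connectors + "</Service></Server>")


HTTP = '<Connector port="64080" protocol="HTTP/1.1" redirectPort="8443" />'
SSL_COMMENTED = ('<!-- <Connector port="64083" protocol="HTTP/1.1" '
                 'SSLEnabled="true" scheme="https" secure="true" /> -->')

# Constructed sample 1: attribute on the active AJP connector.
WORKING = server_xml(
    HTTP + SSL_COMMENTED +
    '<Connector port="64089" protocol="AJP/1.3" tomcatAuthentication="false" />')
# Constructed sample 2: attribute added to the HTTP connector instead.
WRONG_CONNECTOR = server_xml(
    '<Connector port="64080" protocol="HTTP/1.1" tomcatAuthentication="false" />'
    '<Connector port="64089" protocol="AJP/1.3" redirectPort="8443" />')
# Constructed sample 3: the AJP connector itself is commented out.
COMMENTED_OUT = server_xml(
    HTTP +
    '<!-- <Connector port="64089" protocol="AJP/1.3" '
    'tomcatAuthentication="false" /> -->')

if __name__ == "__main__":
    for name, doc in [("working", WORKING),
                      ("wrong connector", WRONG_CONNECTOR),
                      ("commented out", COMMENTED_OUT)]:
        print(name, audit_server_xml(doc))
```

With tomcatAuthentication="false" Tomcat accepts whatever user name arrives on the AJP port, so that port should be reachable only from the httpd instance that performs the authentication.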




Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Nikhil
On Mon, Jul 14, 2008 at 2:39 PM, Rainer Jung [EMAIL PROTECTED]
wrote:


 First of all 5.5.12 is very outdated and also very early in the 5.5
 release cycle.

 You need to add 'tomcatAuthentication=false' in the Connector element for
 your AJP connector. The connector you showed us above is

 - an https connector
 - a comment and not active

 At least two good reasons, why this is not the right one. The AJP Connector
 is the one, which uses port 8009 in the default configuration and which you
 can identify by 'protocol=AJP/1.3'.


 Regards,

 Rainer


Oops.. here is the http connector line in my configuration:

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="64080" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" redirectPort="8443" acceptCount="100"
   connectionTimeout="2" disableUploadTimeout="true" />


Thanks Rainer. I will try out the later releases.. may be tomcat6 itself.

Nikhil


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Nikhil
On Mon, Jul 14, 2008 at 4:22 PM, Nikhil [EMAIL PROTECTED] wrote:



 On Mon, Jul 14, 2008 at 2:39 PM, Rainer Jung [EMAIL PROTECTED]
 wrote:


 First of all 5.5.12 is very outdated and also very early in the 5.5
 release cycle.

 You need to add 'tomcatAuthentication=false' in the Connector element
 for your AJP connector. The connector you showed us above is

 - an https connector
 - a comment and not active

 At least two good reasons, why this is not the right one. The AJP
 Connector is the one, which uses port 8009 in the default configuration and
 which you can identify by 'protocol=AJP/1.3'.


 Regards,

 Rainer


 Oops.. here is the http connector line in my configuration:

 <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
 <Connector port="64080" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="2" disableUploadTimeout="true" />


 Thanks Rainer. I will try out the later releases.. may be tomcat6 itself.

 Nikhil




but still.. I do not get what is wrong with 5.5.12 and what I could do,
at least in the httpd configuration, that would get the kerberized apache
authentication working in the tomcat apps.



-- 
Nikhil

Google is Great !


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Rainer Jung

Nikhil wrote:

On Mon, Jul 14, 2008 at 4:22 PM, Nikhil [EMAIL PROTECTED] wrote:



On Mon, Jul 14, 2008 at 2:39 PM, Rainer Jung [EMAIL PROTECTED]
wrote:


First of all 5.5.12 is very outdated and also very early in the 5.5

release cycle.

You need to add 'tomcatAuthentication=false' in the Connector element
for your AJP connector. The connector you showed us above is

- an https connector
- a comment and not active

At least two good reasons, why this is not the right one. The AJP
Connector is the one, which uses port 8009 in the default configuration and
which you can identify by 'protocol=AJP/1.3'.


Regards,

Rainer


Oops.. here is the http connector line in my configuration:

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="64080" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" redirectPort="8443" acceptCount="100"
   connectionTimeout="2" disableUploadTimeout="true" />


Thanks Rainer. I will try out the later releases.. may be tomcat6 itself.

Nikhil





but still.. I do not get what is wrong with 5.5.12 and what I could do,
at least in the httpd configuration, that would get the kerberized apache
authentication working in the tomcat apps.


Again, the http connector is *not* what you need to edit, if you want to 
combine Tomcat with mod_jk or mod_proxy_ajp. It is the AJP connector. 
See my previous mail.


You need to add tomcatAuthentication=false to that connector.

Regards,

Rainer




Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Nikhil
On Mon, Jul 14, 2008 at 5:00 PM, Rainer Jung [EMAIL PROTECTED]
wrote:


 Again, the http connector is *not* what you need to edit, if you want to
 combine Tomcat with mod_jk or mod_proxy_ajp. It is the AJP connector. See my
 previous mail.

 You need to add tomcatAuthentication=false to that connector.


 Regards,

 Rainer



I seem to get it, Rainer. But the thing is that with my installed
tomcat-5.5.12 version I do not already have any tomcatAuthentication
directive (if I may call it that). Okay, I get that you want me to add it,
so this is how I have edited the server.xml now:


<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="64083" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS" />
-->

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="64089"
   enableLookups="false" redirectPort="64083"
   tomcatAuthentication="false" protocol="AJP/1.3" />

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="64082"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" acceptCount="100"
   connectionTimeout="2"
   proxyPort="80" disableUploadTimeout="true" />
-->

After editing the change in the ajp connector, and restarting the tomcat, I
still am not able to get the remote_user variable passed.


I am using the following jsp installed under
webapps/jsp-examples/readheaders.jsp to have the environment variables
listed but without any success..


<%@ page language="java" %>
<%@ page import="java.util.Enumeration" %>

<h2>HTTP Request Headers</h2>
<table border="0" cellspacing="1" cellpadding="2">
  <tr><th>Name</th><th>Value</th></tr>
<% // Get all HTTP request header names/values
  Enumeration e1 = request.getHeaderNames();
  while (e1.hasMoreElements()) {
    boolean doLoop = true;
    String name = ((String) e1.nextElement()).toUpperCase();
    Enumeration e2 = request.getHeaders(name);
    while (e2.hasMoreElements()) {
      String value = (String) e2.nextElement();
%>
  <tr>
    <td class="gray"><%= name %></td>
    <td class="gray"><%= value %></td>
  </tr>
<%
    }
  }
%>
</table>
--


Any suggestions?  (Although I am still to try out Tomcat 6, I would
prefer fixing the existing installation unless there are any real
problems in the Tomcat version that I am using.)

Thanks,
Nikhil


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Nikhil
Rainer,
I seem to have found a related link on this but this is really old
pertaining to the older versions of Tomcat.. any suggestions please.
http://marc.info/?t=10431829842r=1w=2


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Rainer Jung

Nikhil wrote:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="64089"
   enableLookups="false" redirectPort="64083"
   tomcatAuthentication="false" protocol="AJP/1.3" />


OK


After editing the change in the ajp connector, and restarting the tomcat, I
still am not able to get the remote_user variable passed.



Any suggestions?  (Although I am still to try out Tomcat 6, I would
prefer fixing the existing installation unless there are any real
problems in the Tomcat version that I am using.)


Use request.getRemoteUser()

HTH

Rainer




Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Nikhil
I tried out Tomcat 6 too and added 'tomcatAuthentication=false' to the ajp
connector but that still does not work.  :-(


On Mon, Jul 14, 2008 at 7:15 PM, Nikhil [EMAIL PROTECTED] wrote:

 Rainer,
 I seem to have found a related link on this but this is really old
 pertaining to the older versions of Tomcat.. any suggestions please.
 http://marc.info/?t=10431829842r=1w=2




-- 
Nikhil

Google is Great !


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-14 Thread Nikhil
On Mon, Jul 14, 2008 at 7:46 PM, Rainer Jung [EMAIL PROTECTED]
wrote:

 Use request.getRemoteUser()

 HTH


 Rainer



Thanks Rainer.

I am now using Tomcat6(latest stable release) and configured the server.xml
with ajp connector to use tomcatAuthentication=false and  I am still getting
the 'null' value :-( . Any other suggestions that I need to edit anywhere
else like web.xml / security constraints.

with the following sample jsp :

-
<%@ page language="java" %>
<%@ page import="java.util.Enumeration" %>

<h2>HTTP Request Headers</h2>
<table border="0" cellspacing="1" cellpadding="2">
  <tr><th>Name</th><th>Value</th></tr>
<% // Get all HTTP request header names/values
  Enumeration e1 = request.getHeaderNames();
  String valueuser = request.getRemoteUser();
  while (e1.hasMoreElements()) {
    boolean doLoop = true;
    String name = ((String) e1.nextElement()).toUpperCase();
    Enumeration e2 = request.getHeaders(name);
    while (e2.hasMoreElements()) {
      String value = (String) e2.nextElement();
%>
  <tr>
    <td class="gray"><%= name %></td>
    <td class="gray"><%= value %></td>
    <td class="gray"><%= valueuser %></td>
  </tr>

<%
    }
  }
%>
</table>



tomcat, apache with mod_jk and mod_auth_kerb

2008-07-13 Thread Nikhil
Hi,

I am using httpd v2.0.58 installed on a Solaris-10 system, also have
mod_auth_kerb with proper kerberos infrastructure.
I am hosting few new applications on tomcat and wanted to integrate with the
kerberos but via the httpd as the front end.
As in, the httpd will do the front-end kerberos authentication and it passes
on the authentication details like REMOTE_USER/kerb_cache to the tomcat
through mod_jk.

I have earlier tried using the mod_rewrite module with proxy  .. but
that would ask me to enable the http connector port of the tomcat instance
and will prompt to keep the spoofing chances wide open.
Like instead of my apache instance doing the authentication and pass on
the remote_user variable, there can be speculations of any arbitrary user
hosting his own httpd instance and could get to send a spoofed up
REMOTE_USER variable to the tomcat instance and thus breaking the whole
secured system.
Hence, I just want to use the ajp connection of the tomcat and keep the http
connector of the tomcat instance closed.
Regarding AJP, I searched for a while and found that mod_jk and
mod_proxy_ajp are the two best around for integrating Tomcat with Apache,
but then learned that mod_proxy_ajp is only available for httpd v2.2 or
later, and unfortunately my system's installed version is httpd v2.0.58.
So the mod_proxy_ajp choice is perhaps ruled out for now and I am left with
using the mod_jk module, with the configuration overhead it involves.
I have no problems in using mod_jk but could not figure out the ways of
passing the remote_user variable effectively to the Tomcat instance.
I would also desire the scalability of a single httpd instance
supporting multiple Tomcat instances (maybe on a single host or spanned
across multiple hosts).

I have tried using the SetEnvIf, JkEnvVar and RequestHeader directives,
only to find them of no use.

Could anyone please help me figure out the much needed lines that I need to
put into the httpd.conf to get the authentication information right passed
to the tomcat from the kerberized http access.
This is the glimpse of the httpd configuration (non-working) that I have for
my httpd instance and the tomcat right now.. any corrections/suggestions are
most welcome.


--
Listen 8080

LoadModule jk_module  libexec/mod_jk.so
JkLogFile /home/me/httpd/logs/jk_log
JkLogLevel DEBUG
JkShmFile /home/me/httpd/logs/jkshmfile
JkWorkersFile /home/me/httpd/conf/worker-properties

<VirtualHost *:8080>
ServerName httpdauth.mysub.mydomain.com
ServerAlias httpdauth.mysub httpdauth

<Location /default>
AuthType Kerberos
AuthName Testing
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms MYDOMAIN.COM UNIX.MYDOMAIN.COM
KrbServiceName HTTP/[EMAIL PROTECTED]
KrbSaveCredentials on
Krb5Keytab /home/me/httpd/conf/httpdauth.http.keytab
require valid-user
</Location>

  SetHandler jakarta-servlet
  RequestHeader set X_REQHDR_REMOTE_USER %{remoteUser}e
  SetEnv X_ENV_REMOTE_USER %{remoteUser}e
  JkEnvVar X_JK_REMOTE_USER %{remoteUser}e


 # earlier rewrite configuration
 #   RewriteEngine On
 #   RewriteRule ^/(.*)$ http://intranet/~me/printenv.cgi [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
 #   RequestHeader set X_REMOTE_USER %{remoteUser}e
 #   RequestHeader add X-H-USER %{remoteUser}e

</VirtualHost>
--

With worker properties being :
--
workers.tomcat_home=/home/me/httpd/tomcat/apache-tomcat-5.5.12
workers.java_home=/usr/local/java/jdk
ps=/
worker.list=default

worker.default.port=64089
worker.default.host=localhost
worker.default.type=ajp13
worker.default.lbfactor=1

--

Are there any other ways? or I could be also missing any lines/directives in
the configuration?



Thanks, Nikhil


RE: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-13 Thread Caldarale, Charles R
 From: Nikhil [mailto:[EMAIL PROTECTED]
 Subject: tomcat, apache with mod_jk and mod_auth_kerb

 I have earlier tried using the mod_rewrite module
 with proxy  .. but that would ask me to enable the
 http connector port of the tomcat instance and will
 prompt to keep the spoofing chances wide open.

Not necessarily.  You could configure the address attribute of the Tomcat HTTP 
Connector to listen only on 127.0.0.1 if httpd is on the same system, or if 
on a different system, configure Tomcat's RemoteAddrValve to limit requests to 
just that system.

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote%20Address%20Filter

You may need to adjust the above links for the Tomcat version you're using, 
which you didn't bother to tell us.

 - Chuck





Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-13 Thread Rainer Jung

Hi Nikhil,

Nikhil wrote:

I have no problems in using mod_jk but could not figure out the ways of
passing the remote_user variable effectively to the tomcat instance
would also desire to have a scalability that with a single httpd instance
supporting the multiple tomcat instances (may be on a single host/spanned
across multiple hosts).

I have tried using SetEnvIf, JkEnvVar, RequestHeader directives to only to
find of no use.


The remote user gets forwarded automatically, but in order to make 
Tomcat accept that info and not try to authenticate itself, you need to 
set tomcatAuthentication=false in the ajp connector element in server.xml.


See also http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html


If you want to forward additional info, you could use httpd env vars and 
JkEnvVars. On the Tomcat side, retrieve those via 
request.getAttribute(MyEnvVar).


Regards,

Rainer
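
The connector advice in this thread (use the active AJP connector, set tomcatAuthentication=false on it, and keep connectors off public interfaces) can be checked against a server.xml. The script below is an added example, not code from the thread or from the Tomcat project; the function names and the sample file are constructed, and it extends the `address` advice given for the HTTP connector to the AJP connector, which accepts the same attribute.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml fragments posted in this
# thread (the ports are the poster's; the surrounding layout is assumed).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="64080" maxHttpHeaderSize="8192" redirectPort="8443" />
    <!--
    <Connector port="64083" scheme="https" secure="true" sslProtocol="TLS" />
    -->
    <Connector port="64089" enableLookups="false" redirectPort="64083"
               tomcatAuthentication="false" protocol="AJP/1.3" />
  </Service>
</Server>
"""

def is_loopback(address):
    """True only when the connector is bound to a loopback IP literal."""
    try:
        return address is not None and ipaddress.ip_address(address).is_loopback
    except ValueError:  # a hostname; not resolved here, so treated as exposed
        return False

def audit_connectors(server_xml):
    """Return (port, finding) tuples for the active Connector elements."""
    findings, seen_ajp = [], False
    # The parser drops XML comments, so a commented-out Connector is ignored,
    # just as Tomcat ignores it.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port, local = conn.get("port"), is_loopback(conn.get("address"))
        if "AJP" in conn.get("protocol", "HTTP/1.1").upper():
            seen_ajp = True
            # Tomcat's default is tomcatAuthentication="true".
            if conn.get("tomcatAuthentication", "true").lower() != "false":
                findings.append((port, "AJP: tomcatAuthentication is not false, "
                                       "so the user authenticated by httpd is ignored"))
            elif not local:
                findings.append((port, "AJP: accepts the user named by any peer "
                                       "and is not bound to loopback"))
        elif not local:
            findings.append((port, "HTTP: reachable without passing through httpd"))
    if not seen_ajp:
        findings.append((None, "no active AJP connector for mod_jk to connect to"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(port, finding)
```

The check only looks at the `address` attribute; when httpd runs on a different host, a RemoteAddrValve restriction is the alternative and has to be reviewed separately.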




Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-13 Thread Nikhil

 Not necessarily.  You could configure address attribute of the Tomcat HTTP
 Connector to listen only on 127.0.0.1 if httpd is on the same system, or
 if on a different system, configure Tomcat's RemoteAddrValve to limit
 requests to just that system.

 http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

 http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote%20Address%20Filter

 You may need to adjust the above links for the Tomcat version you're using,
 which you didn't bother to tell us.

  - Chuck



Thanks Chuck. I am using Tomcat 5.5.12 and I could not find this attribute
in the server.xml configuration. What is the equivalent of
RemoteAddressValve for v5.5.12 ?

Nikhil


Re: tomcat, apache with mod_jk and mod_auth_kerb

2008-07-13 Thread Nikhil



 The remote user gets forwarded automatically, but in order to make Tomcat
 accept that info and not try to authenticate itself, you need to set
 tomcatAuthentication=false in the ajp connector element in server.xml.

 See also http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html


 If you want to forward additional info, you could use httpd env vars and
 JkEnvVars. On the Tomcat side, retrieve those via
 request.getAttribute(MyEnvVar).

 Regards,

 Rainer



Hi Rainer,

I am using Tomcat -5.5.12 and this is what I have in my server.xml
configuration for http:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="64083" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS" />
-->


I could not look up the attribute tomcatAuthentication in the
configuration, however.