Re: REMOTE_USER mod_jk
On 19.11.2015 at 14:32, Teresa Fasano wrote:
> With Apache/2.2.15 the REMOTE_USER is passed to the application (JBoss),
> while with Apache/2.4.6 it is lost.
> In the log of the application we see this error: "REMOTE_USER variable not assigned."

If you have a test system, you can set JkLogLevel to debug. On that log level, you should be able to see the REMOTE_USER forwarding in the mod_jk logs. First check how the line looks when using HTTPD 2.2. Then check whether that info is present when using 2.4. If "yes", then your problem is on the Tomcat (configuration, webapp) side. If it is not present, then HTTPD 2.4 for some reason does not set REMOTE_USER and you have to check your 2.4 integration.

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: REMOTE_USER mod_jk
2015-11-19 16:02 GMT+03:00 Teresa Fasano:
> Hi,
>
> I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO
> authentication.
>
> Routing Apache request to tomcat (JBoss) we are not able to retrieve
> REMOTE_USER.
>
> It seems that the REMOTE_USER is lost.
>
> In the configuration file shibboleth2.xml we have REMOTE_USER="uid".
>
> The authentication of shibboleth is successful as you can see from the logs
> of the identity provider and the log of the service provider:
> <...>
>
> In the access log of the Apache I see the value of the attribute uid (the
> remote_user):
> 130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"
>
> The authentication of the location is:
>
> AuthType shibboleth
> ShibRequireSession On
> ShibExportAssertion On
> require valid-user
>
>
>
> It seems that the Apache is unable to pass this attribute.

How do you test whether it is able or unable to pass it?

How is your AJP connector in Tomcat configured?

You need to set tomcatAuthentication="false" on [1]

[1] http://tomcat.apache.org/connectors-doc/common_howto/proxy.html
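Both replies above come down to whether the web server actually forwards the authenticated user to Tomcat. As an added example (not part of the thread, and not mod_jk or Tomcat code), this Python parser reads an AJP13 Forward Request, for instance one taken from a capture of the AJP port, and extracts the remote_user (0x03) and auth_type (0x04) attributes. The sample packet, the host names and the 192.0.2.10 address are constructed.

```python
import struct
IDENTITY = {0x03: "remote_user", 0x04: "auth_type"}    # AJP13 optional-attribute codes
REQ_ATTRIBUTE, SSL_KEY_SIZE, END = 0x0A, 0x0B, 0xFF

def ajp_str(text):
    """AJP string: 2-byte big-endian length, the bytes, a trailing NUL."""
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def read_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:                       # null string: no bytes, no NUL
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + n + 3

def forwarded_identity(packet):
    """Return the remote_user and auth_type carried by a Forward Request."""
    if packet[:2] != b"\x12\x34" or packet[4:5] != b"\x02":
        raise ValueError("not an AJP13 Forward Request")
    pos = 6                               # magic(2), length(2), prefix code, method
    for _ in range(5):                    # protocol, req_uri, remote_addr, remote_host, server_name
        _, pos = read_str(packet, pos)
    (num_headers,) = struct.unpack_from(">H", packet, pos + 3)  # after server_port(2), is_ssl(1)
    pos += 5
    for _ in range(num_headers):          # name: 2-byte 0xA0xx code or a string
        pos = pos + 2 if packet[pos] == 0xA0 else read_str(packet, pos)[1]
        _, pos = read_str(packet, pos)    # header value
    found = dict.fromkeys(IDENTITY.values())
    while pos < len(packet) and packet[pos] != END:
        code, pos = packet[pos], pos + 1
        if code == SSL_KEY_SIZE:          # the only integer-valued attribute
            pos += 2
            continue
        if code == REQ_ATTRIBUTE:         # name string precedes the value string
            _, pos = read_str(packet, pos)
        value, pos = read_str(packet, pos)
        if code in IDENTITY:
            found[IDENTITY[code]] = value
    return found

def build_sample(user=None):
    """Constructed request for GET /u-gov/; host names and address are made up."""
    fields = ["HTTP/1.1", "/u-gov/", "192.0.2.10", "client.example", "sp.example"]
    body = b"\x02\x02" + b"".join(map(ajp_str, fields)) + struct.pack(">HBH", 443, 1, 1)
    body += b"\xA0\x0B" + ajp_str("sp.example")          # one header: coded "host"
    if user is not None:                                  # what an authenticated request adds
        body += b"\x03" + ajp_str(user) + b"\x04" + ajp_str("shibboleth")
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + bytes([END])
```

With tomcatAuthentication="false" Tomcat accepts this attribute as the authenticated principal, so the AJP port should be reachable only from the trusted web server.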
Re: REMOTE_USER mod_jk
With Apache/2.2.15 the REMOTE_USER is passed to the application (JBoss), while with Apache/2.4.6 it is lost.
In the log of the application we see this error: "REMOTE_USER variable not assigned."

On 19/11/2015 14:02, Teresa Fasano wrote:
> Hi,
>
> I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO authentication.
>
> Routing Apache request to tomcat (JBoss) we are not able to retrieve REMOTE_USER.
>
> It seems that the REMOTE_USER is lost.
>
> In the configuration file shibboleth2.xml we have REMOTE_USER="uid".
>
> The authentication of shibboleth is successful as you can see from the logs of the identity provider and the log of the service provider:
>
> 1) IdP:
> 20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,|||
>
> 2) SP:
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: iuav-dev2) for principal from (IdP: https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 130.186.19.126) with (NameIdentifier: _5ae86372161ba20460d91773f12241a5) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _b7a9d7435d4b2633af811cac17b80683)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following attributes with session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: eduPersonTargetedID (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }
>
> In the access log of the Apache I see the value of the attribute uid (the remote_user):
> 130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"
>
> The authentication of the location is:
>
> AuthType shibboleth
> ShibRequireSession On
> ShibExportAssertion On
> require valid-user
>
> It seems that the Apache is unable to pass this attribute.
>
> Is there anyone that knows how to forward REMOTE_USER with mod_jk to the application?
>
> Regards.
> Teresa

--
-- Education is the bread of the soul --
Teresa Fasano
CINECA System and Technologies Department
Middleware and Infrastructure Group
Via Magnanelli, 6/3
Casalecchio di Reno (Bologna) ITALY
web: http://www.cineca.it
e-mail: t.fas...@cineca.it
phone: +39 051 61 71 364
REMOTE_USER mod_jk
Hi,

I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO authentication.

Routing Apache request to tomcat (JBoss) we are not able to retrieve REMOTE_USER.

It seems that the REMOTE_USER is lost.

In the configuration file shibboleth2.xml we have REMOTE_USER="uid".

The authentication of shibboleth is successful as you can see from the logs of the identity provider and the log of the service provider:

1) IdP:
20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,|||

2) SP:
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: iuav-dev2) for principal from (IdP: https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 130.186.19.126) with (NameIdentifier: _5ae86372161ba20460d91773f12241a5) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _b7a9d7435d4b2633af811cac17b80683)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following attributes with session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: eduPersonTargetedID (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }

In the access log of the Apache I see the value of the attribute uid (the remote_user):
130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"

The authentication of the location is:

    AuthType shibboleth
    ShibRequireSession On
    ShibExportAssertion On
    require valid-user

It seems that the Apache is unable to pass this attribute.

Is there anyone that knows how to forward REMOTE_USER with mod_jk to the application?

Regards.
Teresa

--
-- Education is the bread of the soul --
Teresa Fasano
CINECA System and Technologies Department
Middleware and Infrastructure Group
Via Magnanelli, 6/3
Casalecchio di Reno (Bologna) ITALY
web: http://www.cineca.it
e-mail: t.fas...@cineca.it
phone: +39 051 61 71 364