Re: REMOTE_USER mod_jk

2015-11-20 Thread Rainer Jung

On 19.11.2015 at 14:32, Teresa Fasano wrote:

> With Apache/2.2.15 the REMOTE_USER is passed to the application (JBoss),
> while with Apache/2.4.6 it is lost.
>
> In the log of the application we see this error: "REMOTE_USER variable
> not assigned."


If you have a test system, you can set JkLogLevel to debug. On that log 
level, you should be able to see the REMOTE_USER forwarding in the 
mod_jk logs. First check how the line looks when using HTTPD 2.2. Then 
check whether that info is present when using 2.4. If "yes", then your 
problem is on the Tomcat (configuration, webapp) side. If it is not 
present, then HTTPD 2.4 for some reason does not set REMOTE_USER and you 
have to check your 2.4 integration.


Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: REMOTE_USER mod_jk

2015-11-19 Thread Konstantin Kolinko
2015-11-19 16:02 GMT+03:00 Teresa Fasano:
> Hi,
>
> I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO
> authentication.
>
> Routing Apache request to tomcat (JBoss) we are not able to retrieve
> REMOTE_USER.
>
> It seems that the REMOTE_USER is lost.
>
> In the configuration file shibboleth2.xml we have REMOTE_USER="uid".
>
> The authentication of shibboleth is successful as you can see from the logs
> of the identity provider and the log of the service provider:
> <...>
>
> In the access log of the Apache I see the value of the attribute uid (the
> remote_user):
> 130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"
>
> The authentication of the location is:
> 
>    AuthType shibboleth
>    ShibRequireSession On
>    ShibExportAssertion On
>    require valid-user
> 
>
>
> It seems that the Apache is unable to pass this attribute.

How do you test whether it is able or unable to pass it?

How is your AJP connector in Tomcat configured?  You need to set
tomcatAuthentication="false" on <Connector> [1]

[1] http://tomcat.apache.org/connectors-doc/common_howto/proxy.html
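
How REMOTE_USER reaches Tomcat, as an added example that is not part of the original thread: mod_jk speaks AJP13, where the user travels as request attribute 0x03 of the Forward Request rather than as an HTTP header. The Python code below decodes such a packet (for instance one reassembled from a capture of the AJP port), which answers at wire level both the "is it forwarded?" check from Rainer's reply and the question Konstantin asks; the sample packet, host names and function names are constructed for illustration.

```python
import struct

# Attribute codes from the AJPv13 protocol reference (code + one string value).
ATTRS = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
         0x04: "auth_type", 0x05: "query_string", 0x06: "route", 0x0C: "secret"}

def ajp_string(v):
    """AJP string: 2-byte length, bytes, NUL terminator; 0xFFFF encodes null."""
    return b"\xff\xff" if v is None else struct.pack(">H", len(v)) + v.encode("latin-1") + b"\x00"

def build_forward_request(uri, remote_user=None, auth_type=None):
    """Constructed sample: a header-less GET as the web server side would send it."""
    body = b"\x02\x02" + ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("192.0.2.10") + ajp_string(None) + ajp_string("sp.example.org")
    body += struct.pack(">HBH", 80, 0, 0)  # server_port, is_ssl, num_headers
    for code, val in ((b"\x03", remote_user), (b"\x04", auth_type)):
        body += code + ajp_string(val) if val is not None else b""
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + b"\xff"

def parse_forward_request(pkt):
    """Decode the fixed fields and attributes of one AJP13 Forward Request."""
    magic, length = struct.unpack_from(">HH", pkt, 0)
    if magic != 0x1234 or length != len(pkt) - 4 or pkt[4] != 0x02:
        raise ValueError("not a complete AJP13 Forward Request")
    pos = 6  # past magic, length, prefix code and method byte
    def string():
        nonlocal pos
        n = struct.unpack_from(">H", pkt, pos)[0]
        pos += 2
        if n == 0xFFFF:
            return None
        pos += n + 1  # value plus trailing NUL
        return pkt[pos - n - 1:pos - 1].decode("latin-1")
    out = {k: string() for k in ("protocol", "uri", "remote_addr", "remote_host", "server_name")}
    nheaders, pos = struct.unpack_from(">H", pkt, pos + 3)[0], pos + 5
    for _ in range(nheaders):
        if pkt[pos] == 0xA0:
            pos += 2  # well-known header name sent as a 2-byte code
        else:
            string()  # header name sent as a string
        string()      # header value
    while pkt[pos] != 0xFF:  # attributes run until the request terminator
        code, pos = pkt[pos], pos + 1
        if code == 0x0A:     # req_attribute: name string, then value string
            name = string()
            out[f"attr:{name}"] = string()
        elif code == 0x0B:   # ssl_key_size is a 2-byte integer
            out["ssl_key_size"], pos = struct.unpack_from(">H", pkt, pos)[0], pos + 2
        else:
            out[ATTRS.get(code, hex(code))] = string()
    return out
```

With tomcatAuthentication="false" Tomcat takes this field as the authenticated principal, so the AJP port should accept connections only from the trusted httpd.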




Re: REMOTE_USER mod_jk

2015-11-19 Thread Teresa Fasano
With Apache/2.2.15 the REMOTE_USER is passed to the application (JBoss), 
while with Apache/2.4.6 it is lost.


In the log of the application we see this error: "REMOTE_USER variable 
not assigned."


On 19/11/2015 14:02, Teresa Fasano wrote:

Hi,

I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth 
as SSO authentication.


Routing Apache request to tomcat (JBoss) we are not able to retrieve 
REMOTE_USER.


It seems that the REMOTE_USER is lost.

In the configuration file shibboleth2.xml we have REMOTE_USER="uid".

The authentication of shibboleth is successful as you can see from the 
logs of the identity provider and the log of the service provider:


1) IdP:
20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,||| 



2) SP:
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: iuav-dev2) for principal from (IdP: https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 130.186.19.126) with (NameIdentifier: _5ae86372161ba20460d91773f12241a5) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _b7a9d7435d4b2633af811cac17b80683)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following attributes with session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: eduPersonTargetedID (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }

In the access log of the Apache I see the value of the attribute uid 
(the remote_user):

130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"

The authentication of the location is:

   AuthType shibboleth
   ShibRequireSession On
   ShibExportAssertion On
   require valid-user



It seems that the Apache is unable to pass this attribute.

Is there anyone that knows how to forward REMOTE_USER with mod_jk to 
the application?


Regards.
Teresa




--
--
Education is the bread of the soul
--

Teresa Fasano

CINECA
System and Technologies Department
Middleware and Infrastructure Group
Via Magnanelli, 6/3
Casalecchio di Reno (Bologna) ITALY

web: http://www.cineca.it
e-mail:  t.fas...@cineca.it
phone:   +39 051 61 71 364





REMOTE_USER mod_jk

2015-11-19 Thread Teresa Fasano

Hi,

I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as 
SSO authentication.


Routing Apache request to tomcat (JBoss) we are not able to retrieve 
REMOTE_USER.


It seems that the REMOTE_USER is lost.

In the configuration file shibboleth2.xml we have REMOTE_USER="uid".

The authentication of shibboleth is successful as you can see from the 
logs of the identity provider and the log of the service provider:


1) IdP:
20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,|||

2) SP:
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: iuav-dev2) for principal from (IdP: https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 130.186.19.126) with (NameIdentifier: _5ae86372161ba20460d91773f12241a5) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _b7a9d7435d4b2633af811cac17b80683)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following attributes with session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: eduPersonTargetedID (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }

In the access log of the Apache I see the value of the attribute uid 
(the remote_user):

130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"

The authentication of the location is:

   AuthType shibboleth
   ShibRequireSession On
   ShibExportAssertion On
   require valid-user



It seems that the Apache is unable to pass this attribute.

Is there anyone that knows how to forward REMOTE_USER with mod_jk to the 
application?


Regards.
Teresa

--
--
Education is the bread of the soul
--

Teresa Fasano

CINECA
System and Technologies Department
Middleware and Infrastructure Group
Via Magnanelli, 6/3
Casalecchio di Reno (Bologna) ITALY

web: http://www.cineca.it
e-mail:  t.fas...@cineca.it
phone:   +39 051 61 71 364

