Philip Kahle wrote:
Hi all,

I am trying to set up a Java Web Application using Servlets and JSPs in
Tomcat 7. User authentication should be done on a central Shibboleth
Identity Provider.
I have already configured Apache including mod_ssl, mod_proxy_ajp and
the shib2 module following these instructions:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
The redirect to the central login page works and, after entering my
credentials, the session is correctly created by the identity provider
and I am forwarded to my webapp.

At this point I should have different attributes in my session, such as
the user's email address, name and so on.
But these are stored in the coyoteRequest attributes, which I can
observe while debugging in Eclipse. As the coyoteRequest is a protected
field of org.apache.catalina.connector.Request which again is a field of
the RequestFacade, I cannot get any of these values.
What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
in the instructions above).
By setting "ShibUseHeaders On" in Apache I get all of the attributes in
the request headers, but this is not recommended for security reasons.


Why? That is a generic recommendation, but it does not apply if:
- all the requests to Tomcat go through httpd first
- the link between httpd and Tomcat is "secure" (not accessible by anyone)

If e.g. httpd and Tomcat live on the same host, and you configure the Tomcat AJP Connector to only accept requests from localhost, then it would be ok to pass private information through headers.

Simplify your life if possible.


Is there any way to access the coyoteRequest in a servlet or at least
configure Tomcat to transfer more attributes to the servletRequest?


At least by using mod_jk instead of mod_proxy_ajp, you can transmit a bunch of things from Apache httpd to Tomcat (including Apache httpd's "variables" e.g.). I do not know mod_proxy_ajp well enough to confirm that this is possible with it also, but I would imagine so.
