André Warnier wrote:
Philip Kahle wrote:
Hi all,

I am trying to set up a Java Web Application using Servlets and JSPs in
Tomcat 7. User authentication should be done on a central Shibboleth
Identity Provider.
I have already configured Apache including mod_ssl, mod_proxy_ajp and
the shib2 module following these instructions:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
The redirect to the central login page works and, after entering my
credentials, the session is correctly created by the identity provider
and I am forwarded to my webapp.

At this point I should have different attributes in my session, such as
the user's email address, name and so on.
But these are stored in the coyoteRequest attributes, which I can
observe while debugging in Eclipse. As the coyoteRequest is a protected
field of org.apache.catalina.connector.Request, which again is a field of
the RequestFacade, I cannot get any of these values.
What I get is ONE of the attributes in the REMOTE_USER field (compare 2.
in the instructions above).
By setting "ShibUseHeaders On" in Apache I get all of the attributes in
the request headers, but this is not recommended for security reasons.


Why? That is a generic recommendation, but it does not apply if:
- all the requests to Tomcat go through httpd first
- the link between httpd and Tomcat is "secure" (not accessible by anyone)

If e.g. httpd and Tomcat live on the same host, and you configure the Tomcat AJP Connector to only accept requests from localhost, then it would be ok to pass private information through headers.

Simplify your life if possible.


Is there any way to access the coyoteRequest in a servlet or at least
configure Tomcat to transfer more attributes to the servletRequest?


At least by using mod_jk instead of mod_proxy_ajp, you can transmit a bunch of things from Apache httpd to Tomcat (including Apache httpd's "variables" e.g.). I do not know mod_proxy_ajp well enough to confirm that this is possible with it also, but I would imagine so.

Addendum: sorry, that was not a direct answer to your question.
The direct answer is that HttpServletRequest (and ServletRequest) already provide a bunch of methods to access request attributes. See http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html. These are part of the specification, so you do not need to configure anything at the Tomcat level for that.
As long as the request already contains attributes of course.

Still talking about mod_jk, basically anything you set in Apache httpd using "SetEnv" for example, gets passed to Tomcat as a request attribute, through the AJP protocol.
Someone else would need to confirm if this is also the case using mod_proxy_ajp.
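
Added example, not code from either poster or from the Tomcat or Shibboleth projects: a servlet filter that reads the attributes by name through the standard `getAttribute` call and refuses requests that carry a same-named client header, since spoofed headers are the risk behind the advice against header passing. The class name, the `shibIdentity` key and the attribute ids `mail`, `displayName` and `eppn` are assumptions, as is header passing being left off.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Collects identity attributes passed over AJP; never trusts request headers. */
public class ShibAttributeFilter implements Filter {
    // Assumed attribute ids; the real ones are defined in the SP's attribute map.
    private static final List<String> NAMES = Arrays.asList("mail", "displayName", "eppn");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Map<String, String> identity = new LinkedHashMap<String, String>();
        for (String name : NAMES) {
            // Any client can send a header called "mail". With header passing off,
            // such a header is never legitimate, so reject instead of ignoring it.
            if (http.getHeader(name) != null) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            // Look each attribute up by name: Tomcat resolves connector-level (AJP)
            // attributes in getAttribute() but does not list them in getAttributeNames().
            Object value = http.getAttribute(name);
            if (value != null) {
                identity.put(name, value.toString());
            }
        }
        // REMOTE_USER from httpd; needs tomcatAuthentication="false" on the AJP connector.
        if (http.getRemoteUser() != null) {
            identity.put("REMOTE_USER", http.getRemoteUser());
        }
        // Servlets and JSPs read this map instead of touching headers themselves.
        req.setAttribute("shibIdentity", identity);
        chain.doFilter(req, res);
    }
}
```

Register the filter in `web.xml` ahead of the application's own servlets so every request passes through it.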

