> Magosányi,
> On 10/7/19 10:37, Magosányi Árpád wrote:
> > I intend to use the user and certificate info in a Filter.
> > I think I have configured everything to do that, but the
> > information does not get passed along. Based on various
> > documentations and howtos, SSLVerifyClient require, SSLOptions
> > +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On
> > should be enough to pass certificate data, and Require valid-user
> > should be enough to pass the authenticated username.
> > I see the following debug output (also contains the various info
> > logged by the filter), which clearly lacks the information needed.
> How are you getting the attributes from the request?

This is the filter code:

package com.kodekonveyor.realm;

import java.io.IOException;
import java.util.Collections;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class KKAuthorizationFilter implements Filter {

    private ServletContext context;

    public void init(FilterConfig fConfig) throws ServletException {
        this.context = fConfig.getServletContext();
        this.context.log("KKAuthorizationFilter initialized");
    public void doFilter(ServletRequest request, ServletResponse
response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String user = httpRequest.getRemoteUser();
        String authType = httpRequest.getAuthType();
        for ( String attributeName:
Collections.list(httpRequest.getAttributeNames())) {
        for ( String name:
Collections.list(httpRequest.getParameterNames())) {
        for ( String headerName:
Collections.list(httpRequest.getHeaderNames())) {
            for (String value:
            this.context.log("header "+headerName+":"+value);
        HttpSession session = httpRequest.getSession();
        if(null != session)
            for (String sessionAttName:
Collections.list(session.getAttributeNames())) {
                this.context.log("session attribute
        for ( String attributeName:
Collections.list(context.getAttributeNames())) {
            this.context.log("context attr
        Object cert =
        chain.doFilter(request, response);


> > I have a cgi in the cgi-bin directory, which prints out the
> > environment, and I see both REMOTE_USER and all relevant
> > certificate related information there.
> Is the CGI being executed by Tomcat or is it being executed by httpd?

Executed by Apache httpd. As you can see in the logs, mod_jk does not
pass any of that information through to tomcat, which is exactly my problem.

For reference, here is the code of the CGI (not my code, copied from the


print "Content-type: text/html\n\n";
print "<pre>\n";

foreach $key (sort keys(%ENV)) {
  print "$key = $ENV{$key}<p>";
print "</pre>\n";

and relevant parts of the output:

REMOTE_USER = github|756...@kode-konveyor.eu.auth0.com/
SSL_CLIENT_S_DN = emailAddress=m...@kodekonveyor.com,CN=mag

> -chris
> > ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For
additional commands, e-mail: users-h...@tomcat.apache.org >

Reply via email to