Adding to my own previous post :
A posteriori, I saw a question here :
https://stackoverflow.com/questions/58240796/pass-username-and-client-certificate-from-apache-to-tomcat-using-mod-jk
that may be related to your question on this list.
Examining the above, your problem may be in the httpd configuration :
As I interpret it, the <Directory> section that you mention will not be taken into
account for the URLs that you are proxying to tomcat.
That is because <Directory> sections only apply if the URL ultimately maps to a local file
for httpd. In this case, it does not, because you are proxying this request to tomcat. For
such URLs, you should use a <Location> or <LocationMatch> in httpd, not a <Directory>.
For example, *add* this to your httpd configuration :
<LocationMatch /servlet.*>
DirectoryIndex off
RewriteEngine Off
AuthType openid-connect
AllowOverride None
AuthzDBDQuery "a correct database query"
Require dbd-group allrepo
LogLevel debug
</LocationMatch>
Note: the above is very rough, and you may need to tune the regex a bit better.
On 08.10.2019 00:11, André Warnier (tomcat) wrote:
On 07.10.2019 23:24, Magosányi Árpád wrote:
On 10/7/19 8:20 PM, André Warnier (tomcat) wrote:
Forgot the attribute 'tomcatAuthentication="false"' in the Connector ?
Yes, I did, however adding it back did not improve the situation.
Ok. I just mentioned that, because it is one piece of the puzzle, and you might have
forgotten it.
What this piece really does is :
- IF the front-end Apache httpd authenticates the HTTP request which it later passes on to
tomcat
- IF the protocol used between Apache httpd and tomcat is AJP
- IF the AJP Connector in tomcat has the attribute set as above
- THEN tomcat will retrieve the user-id of the httpd-authenticated user, and save it
internally as the tomcat-authenticated user-id for this request
So now you have the two last IF's answered positively.
What about the first IF ?
Info : in the default format of the Apache httpd access log, it will show the
authenticated user (if any) for each request, for example like this :
127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...
(where "THEUSER" is the httpd-authenticated user)
while if the request is not authenticated by httpd, it will show a "-" instead of the
user-id, like this :
127.0.0.1 - - [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch...
(and, of course, if httpd has not authenticated the request which it later passes on to
tomcat via AJP, then it cannot pass a user-id to tomcat, and thus tomcat cannot retrieve
this user-id, and thus the request, at the tomcat level, is not authenticated).
Next comes the question of how the tomcat application retrieves this user-id, from tomcat
itself. I suppose that this would be a question for the developers of the
"com.kodekonveyor.realm.KKAuthorizationFilter" filter mentioned in your
configuration below.
(if the KKAuthorizationFilter does not use request.getRemoteUser(), but uses some other
method, then you are out of luck for this front-end/back-end combination)(or you may need
to do something additional at the front-end httpd level).
My server.xml now:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
and my web.xml up to the mime mappings:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>fork</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>xpoweredBy</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>
  <filter>
    <filter-name>KKAuthorizationFilter</filter-name>
    <filter-class>com.kodekonveyor.realm.KKAuthorizationFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>KKAuthorizationFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
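The thread's diagnostic is the "%u" field of the access log: a "-" on a URL that httpd was supposed to authenticate means the request reached Tomcat with no user for tomcatAuthentication="false" to pick up. The following checker is an added example, not code from anyone on this list. It parses Common Log Format lines (the format httpd's "common" log and the AccessLogValve pattern quoted above both write) and reports requests under a protected path prefix that were served successfully without an httpd-authenticated user. The log lines, the "/servlet" prefix and the function names are constructed for the illustration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Common Log Format, as written by httpd's default "common" format and by the
# Tomcat AccessLogValve pattern "%h %l %u %t &quot;%r&quot; %s %b":
#   host ident authuser [timestamp] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None if it is not Common Log Format."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # %r is "METHOD /path HTTP/x.y"; split it so callers can match on the path.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def find_unauthenticated(lines: Iterable[str], protected_path: str) -> List[Dict[str, str]]:
    """Return records for requests under a protected path that httpd answered
    successfully (status < 400) while %u was "-".

    A 401/403 with "-" is httpd correctly refusing; a 2xx/3xx with "-" means
    the request was proxied on to Tomcat with no REMOTE_USER attached, which
    is the symptom discussed in the thread: the <Directory> (or <Location>)
    protecting that URL never applied to the proxied request.
    """
    path_re = re.compile(protected_path)
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        if not path_re.match(rec["path"]):
            continue
        if rec["user"] == "-" and int(rec["status"]) < 400:
            hits.append(rec)
    return hits


# Constructed sample lines (not from the original post), modelled on the format
# shown there: one authenticated request, one that went through unauthenticated,
# one static file outside the protected prefix, one that httpd challenged.
SAMPLE_LOG = [
    '127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /servlet/esearch HTTP/1.1" 200 512',
    '127.0.0.1 - - [07/Oct/2019:21:18:21 +0200] "GET /servlet/esearch HTTP/1.1" 200 512',
    '127.0.0.1 - - [07/Oct/2019:21:18:22 +0200] "GET /static/logo.png HTTP/1.1" 200 2048',
    '127.0.0.1 - - [07/Oct/2019:21:18:23 +0200] "GET /servlet/admin HTTP/1.1" 401 -',
]

if __name__ == "__main__":
    # Expect exactly the second line to be reported.
    for rec in find_unauthenticated(SAMPLE_LOG, r"^/servlet"):
        print(f'{rec["time"]} {rec["method"]} {rec["path"]} served with no httpd user')
```

Run it against the real httpd access log (or the Tomcat AccessLogValve output, which uses the same pattern) with the prefix matching your <LocationMatch>; any hit is a URL where httpd's authentication section did not take effect, independent of whatever the application filter does afterwards.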
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org