On 15.05.20 09:06, oh...@yahoo.com.INVALID wrote:
> Hi,
> I am using an Apache proxy in front of Tomcat 9, and I am using AJP 
> connection to connect from the Apache to Tomcat, and I have the Apache 
> sending a username to the Tomcat in a REMOTE_USER header.
> In the Tomcat server.xml I have:
>  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 
> tomcatAuthentication="false"/>
> In the Apache httpd.conf, to test, this I have:
> <LocationMatch /myapp*>
> ProxyPass ajp://192.168.218.XX:8009
> ProxyPassReverse ajp://192.168.XX.224:8009
> </LocationMatch>
> But when I access the app via the Apache, it is not automatically logging me 
> into the app.
> Is there anything else that I have to do to get this to work besides what I 
> did above?  Is there something that I have to modify in the app itself to get 
> this to work?

Hi Jim,

which exact version of Tomcat 9 are you using? Note that there were
significant changes for the default and required configuration for the
AJP connector, in order to use it. Best to find all of them: Search for
AJP in the change log tomcat.apache.org/tomcat-9.0-doc/changelog.html

Notable among them: Everything to do with "secret", and the default bind
address, "localhost", for the AJP connector. i.e. I'd expect this
configuration to be insufficient for any of the latest releases.

I haven't ever used this REMOTE_USER authentication, but nothing in the
configuration that you've posted gives any clue about what you do and
what you send. I would expect Tomcat to *not* blindly accept any
REMOTE_USER header by default, unless it's whitelisted and explicitly
asked for - it otherwise would be a great way to exploit servers that
don't have a remote proxy (or one where the remote proxy is configured
to remove this header). Nothing in the configuration you post gives me a
hint about what you do to make tomcat accept and trust this header.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to