Hi,

Yes, I am using Oracle Access Manager (OAM), so we have what they call an "OAM webgate" that is integrated with the Apache. That webgate automatically populates an HTTP header named "remote_user" with the user that OAM authenticated.

So the problem I am having is trying to figure out how to "integrate" that with Tomcat. So we have:

Browser <==> Apache+webgate <==> Tomcat (webapp)

Jim


On Friday, May 15, 2020, 08:36:18 AM EDT, André Warnier (tomcat/perl) <a...@ice-sa.com> wrote:

Let me give my 5 cents.
In the Tomcat AJP Connector, you use the tomcatAuthentication attribute:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>

This setting has the effect that Tomcat will "believe" the authenticated user-id that Apache is passing to it in the AJP protocol messages that Apache sends to Tomcat, and not try to re-authenticate again at the Tomcat level.
(Note: this is not done by a "REMOTE_USER" HTTP header added by Apache; it happens via some internal variable specific to the AJP protocol.)
Of course, for this, the request needs to be first authenticated in Apache (so that it has a user-id to pass to Tomcat).
So do you have anything at the Apache httpd side which authenticates the user before the request gets passed to Tomcat (via AJP)?

On 15.05.2020 14:08, ohaya wrote:
> Hi Olaf,
>
> Thanks. I do appreciate that! I will do more digging.
>
> Jim
>
>
> On Friday, May 15, 2020, 07:41:50 AM EDT, Olaf Kock <tom...@olafkock.de> wrote:
>
>
> On 15.05.20 13:23, ohaya wrote:
>> Hi,
>>
>> I just tried adding the secret to the Apache side:
>>
>> ProxyPass ajp://192.168.218.XXX:8009 secret="123"
>> ProxyPassReverse ajp://192.168.218.XXX:8009 secret="123"
>>
>> and I get an error when I try to start Apache:
>>
>> AH00526: Syntax error on line 554 of /apps/oracle/apache/conf/httpd.conf:
>> ProxyPass unknown Worker parameter
>>
>> I am currently using Apache 2.4.39. Is there another way to specify the "secret"?
>
> With 9.0.20 you do not yet need to pass a secret - that came along later (somewhere around 30-33 AFAIR). However, you'll need to make sure that your AJP port is only available for the reverse proxy and nobody else - there was a recent security disclosure, which led to the change of many default settings for the AJP connector in the current releases.
>
> It boils down to the last sentence of my previous answer: I've never used REMOTE_USER headers for authentication, and there's no indicator in your setup that you're allowing Tomcat to trust such a header. I might be completely off here, but as nobody else answered yet, I thought I'd give it a try.
>
> Olaf
>
>> Thanks,
>> Jim
>>
>>
>> On Friday, May 15, 2020, 07:04:44 AM EDT, ohaya <oh...@yahoo.com.invalid> wrote:
>>
>> Hi,
>>
>> The Tomcat version I am using is 9.0.20. I will take a look at the changelog.
>>
>> This is the first time I have tried this, and I couldn't find much info, so I appreciate the feedback. I will look for info about "secret".
>>
>> I wasn't sure about the format on the Apache side for the ProxyPass/ProxyPassReverse - does what I posted look all right?
>>
>> Also, when I was searching around for info, I saw some comments that seem to be saying that the "tomcatAuthentication" parameter on the Tomcat connection was no longer supported or something like that?
>>
>> Also re. "secret" on the Tomcat side: if that is set to, for example, "mysecret", how do I pass that on the Apache side?
>>
>> Thanks again,
>> Jim
>>
>>
>> On Friday, May 15, 2020, 03:33:19 AM EDT, Olaf Kock <tom...@olafkock.de> wrote:
>>
>>
>> On 15.05.20 09:06, oh...@yahoo.com.INVALID wrote:
>>> Hi,
>>>
>>> I am using an Apache proxy in front of Tomcat 9, and I am using an AJP connection to connect from the Apache to Tomcat, and I have the Apache sending a username to the Tomcat in a REMOTE_USER header.
>>>
>>> In the Tomcat server.xml I have:
>>>
>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>
>>>
>>> In the Apache httpd.conf, to test this, I have:
>>>
>>> <LocationMatch /myapp*>
>>> ProxyPass ajp://192.168.218.XX:8009
>>> ProxyPassReverse ajp://192.168.XX.224:8009
>>> </LocationMatch>
>>>
>>> But when I access the app via the Apache, it is not automatically logging me into the app.
>>>
>>> Is there anything else that I have to do to get this to work besides what I did above? Is there something that I have to modify in the app itself to get this to work?
>>
>> Hi Jim,
>>
>> which exact version of Tomcat 9 are you using? Note that there were significant changes for the default and required configuration for the AJP connector, in order to use it. Best to find all of them: search for AJP in the change log tomcat.apache.org/tomcat-9.0-doc/changelog.html
>>
>> Notable among them: everything to do with "secret", and the default bind address, "localhost", for the AJP connector. I.e. I'd expect this configuration to be insufficient for any of the latest releases.
>>
>> I haven't ever used this REMOTE_USER authentication, but nothing in the configuration that you've posted gives any clue about what you do and what you send. I would expect Tomcat to *not* blindly accept any REMOTE_USER header by default, unless it's whitelisted and explicitly asked for - it otherwise would be a great way to exploit servers that don't have a remote proxy (or one where the remote proxy is configured to remove this header). Nothing in the configuration you post gives me a hint about what you do to make Tomcat accept and trust this header.
>>
>> Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
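Added example, not part of the thread and not httpd or Tomcat source: a small Python model of the AJP13 forward request that mod_proxy_ajp sends to Tomcat, written to show the point André makes above. The authenticated user travels in the AJP `remote_user` attribute (code 0x03), which mod_proxy_ajp fills from the user httpd itself authenticated; it is never taken from an HTTP request header, so a `remote_user` header set by the webgate does nothing on its own even with tomcatAuthentication="false". The same model shows why Olaf insists the AJP port be reachable only by the proxy: with tomcatAuthentication="false" and no `secret`, anything that can open port 8009 can claim any identity, whereas a connector configured with secret="..." answers 403 to packets lacking the matching `secret` attribute (code 0x0C). Facts assumed from the Tomcat and httpd release notes: from Tomcat 9.0.31 the AJP connector binds to loopback by default and refuses to start without a secret unless secretRequired="false"; the matching `secret=` worker parameter on ProxyPass ajp:// lines arrived in httpd 2.4.42, which is why the 2.4.39 build above rejects it as an unknown worker parameter. The packet layout follows the public AJP13 protocol reference; the `AjpConnectorModel` class is a simplified stand-in for the connector's checks, not Tomcat's AjpProcessor; host names, addresses, user names and the secret "change-me" are constructed values.

```python
"""Toy model of the AJP13 forward request between httpd (mod_proxy_ajp) and
Tomcat: where the authenticated user travels, and what `secret` and
tomcatAuthentication change.  Added illustration, not httpd or Tomcat code."""
import io
import struct

MAGIC = b"\x12\x34"          # web server -> container packets start with 0x1234
FORWARD_REQUEST, METHOD_GET = 0x02, 0x02
ATTR_REMOTE_USER = 0x03      # set by mod_proxy_ajp from the user httpd authenticated
ATTR_SECRET = 0x0C           # the AJP "secret" worker parameter
ATTR_DONE = 0xFF
HEADER_CODES = {0xA005: "authorization", 0xA00B: "host", 0xA00E: "user-agent"}


def _s(s):
    """AJP string: 2-byte length, bytes, NUL; a null string is 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(uri, headers, remote_user=None, secret=None,
                          remote_addr="127.0.0.1"):
    """What a proxy (or anything else that can reach port 8009) sends to Tomcat."""
    body = bytearray([FORWARD_REQUEST, METHOD_GET])
    body += _s("HTTP/1.1") + _s(uri) + _s(remote_addr) + _s(None) + _s("intranet.example")
    body += struct.pack(">H", 80) + b"\x00"              # server_port, is_ssl=false
    body += struct.pack(">H", len(headers))
    for name, value in headers:                          # names sent as strings here;
        body += _s(name) + _s(value)                     # real proxies may use 0xA0xx codes
    for code, value in ((ATTR_SECRET, secret), (ATTR_REMOTE_USER, remote_user)):
        if value is not None:
            body += bytes([code]) + _s(value)
    body.append(ATTR_DONE)
    return MAGIC + struct.pack(">H", len(body)) + bytes(body)


def parse_forward_request(packet):
    """Container-side decode into {'headers': {...}, 'attributes': {code: value}}."""
    if packet[:2] != MAGIC or packet[4] != FORWARD_REQUEST:
        raise ValueError("not an AJP13 forward request")
    (length,) = struct.unpack(">H", packet[2:4])
    buf = io.BytesIO(packet[4:4 + length])
    peek = lambda: buf.getvalue()[buf.tell()]

    def u16():
        return struct.unpack(">H", buf.read(2))[0]

    def string():
        n = u16()
        if n == 0xFFFF:
            return None
        raw = buf.read(n)
        buf.read(1)                                      # trailing NUL
        return raw.decode()

    buf.read(2)                                          # prefix code, method
    [string() for _ in range(5)]                         # protocol, uri, remote_addr, remote_host, server_name
    buf.read(3)                                          # server_port (2), is_ssl (1)
    headers = {}
    for _ in range(u16()):
        name = HEADER_CODES[u16()] if peek() == 0xA0 else string()
        headers[name.lower()] = string()
    attrs = {}
    while (code := buf.read(1)[0]) != ATTR_DONE:
        attrs[code] = string()                           # req_attribute (0x0A) not modelled
    return {"headers": headers, "attributes": attrs}


class AjpConnectorModel:  # secret / tomcatAuthentication checks; defaults as Tomcat 9.0.31+
    def __init__(self, secret=None, secret_required=True, tomcat_authentication=True):
        if secret_required and not secret:               # connector refuses to start
            raise ValueError("secretRequired=true but no secret configured")
        self.secret, self.tomcat_authentication = secret, tomcat_authentication

    def accept(self, packet):
        attrs = parse_forward_request(packet)["attributes"]
        if self.secret is not None and attrs.get(ATTR_SECRET) != self.secret:
            return {"status": 403, "principal": None}    # wrong or missing secret
        if self.tomcat_authentication:
            return {"status": 200, "principal": None}    # Tomcat's own Realm decides
        return {"status": 200, "principal": attrs.get(ATTR_REMOTE_USER)}  # trust the proxy


def demo(secret="change-me"):                            # constructed secret value
    header_only = build_forward_request("/myapp/", [("remote_user", "jim")])  # OP's setup
    authed = build_forward_request("/myapp/", [], remote_user="jim")          # httpd authenticated
    forged = build_forward_request("/myapp/", [], remote_user="admin", remote_addr="203.0.113.7")
    with_secret = build_forward_request("/myapp/", [], remote_user="jim", secret=secret)
    open_9020 = AjpConnectorModel(None, secret_required=False, tomcat_authentication=False)
    hardened = AjpConnectorModel(secret, tomcat_authentication=False)
    return {
        "header_only": open_9020.accept(header_only)["principal"],       # None
        "ajp_attribute": open_9020.accept(authed)["principal"],          # "jim"
        "forged_no_secret": open_9020.accept(forged)["principal"],       # "admin"
        "forged_with_secret": hardened.accept(forged)["status"],         # 403
        "proxy_with_secret": hardened.accept(with_secret)["principal"],  # "jim"
        "default_tomcat_auth": AjpConnectorModel(secret).accept(with_secret)["principal"],  # None
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the six scenario results. The hardened pattern the model stands in for is the one the thread converges on: on the Tomcat connector, address="127.0.0.1" (or the proxy's address) and secret="..." (the default secretRequired="true" then enforces it), the same value in `secret=` on the ProxyPass ajp:// line (httpd 2.4.42 or later), and a firewall rule so that only the proxy can reach 8009 at all. tomcatAuthentication="false" is only safe once all of that is in place, because it turns the proxy into the sole authority on who the user is.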