Hi,
Yes, I am using Oracle Access Manager (OAM) so we have what they call an "OAM
webgate" that is integrated with the Apache. That webgate automatically
populates an HTTP header named "remote_user" with the user that OAM
authenticated.
So the problem I am having is trying to figure out how to "integrate" that with
Tomcat.
So we have:
Browser <==> Apache+webgate <==> Tomcat (webapp)
Jim
On Friday, May 15, 2020, 08:36:18 AM EDT, André Warnier (tomcat/perl)
<[email protected]> wrote:
Let me give my 5 cents.
In the Tomcat AJP Connector, you use the tomcatAuthentication attribute:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
tomcatAuthentication="false"/>
This setting has the effect that Tomcat will "believe" the authenticated user-id that
Apache is passing to it in the AJP protocol messages that Apache sends to Tomcat, and not
try to re-authenticate again at the Tomcat level.
(Note: this is not done by a "REMOTE_USER" HTTP header added by Apache; it happens via
some internal variable specific to the AJP protocol.)
Of course, for this, the request needs to be first authenticated in Apache (so that it
has a user-id to pass to Tomcat).
So do you have anything at the Apache httpd side which authenticates the user before the
request gets passed to Tomcat (via AJP)?
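The distinction drawn above (the user-id travels inside the AJP message itself, not as an HTTP header) is easiest to see on the wire. What follows is an added example, not code from this thread and not Tomcat's own implementation: a small Python encoder/decoder for an AJP13 FORWARD_REQUEST packet, plus a deliberately simplified model of how a connector configured with a secret and tomcatAuthentication="false" picks the authenticated user. The protocol constants (packet magic, prefix and method codes, the 0xA0xx header codes, and attribute codes 0x03 remote_user, 0x04 auth_type, 0x0C secret, 0xFF end) are the documented AJP13 ones; the two sample packets, the user "jim", the auth type "OAM" and the secret "mysecret" are constructed for the demonstration, and decide_user() is my model of the decision rather than Tomcat's actual code path.

```python
"""AJP13 forward-request encoder/decoder and a model of the connector's
"who is the user?" decision.  Added example for this thread, not code from
the posts or from Tomcat.  Wire constants follow the AJP13 protocol
description; decide_user() is a simplified model of a Connector with
secret/tomcatAuthentication set, not Tomcat's AjpProcessor.  Sample
packets, user names and the secret below are constructed.
"""
import struct

MAGIC = b"\x12\x34"                 # client -> container packet magic
FORWARD_REQUEST = 2                 # prefix code of JK_AJP13_FORWARD_REQUEST
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4}
ATTR_REMOTE_USER, ATTR_AUTH_TYPE, ATTR_SECRET, ATTR_END = 0x03, 0x04, 0x0C, 0xFF
HEADER_CODES = {"host": 0xA00B, "user-agent": 0xA00E}   # well-known header names
HEADER_NAMES = {code: name for name, code in HEADER_CODES.items()}

def _string(s):
    """AJP string: 2-byte length, bytes, NUL.  None encodes as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode(), pos + 3 + n

def encode_forward_request(method, uri, headers, attributes,
                           remote_addr="127.0.0.1", server_name="localhost"):
    """Build one FORWARD_REQUEST packet the way mod_proxy_ajp would.
    headers: list of (name, value); attributes: list of (code, value)."""
    body = bytes([FORWARD_REQUEST, METHODS[method]])
    body += _string("HTTP/1.1") + _string(uri) + _string(remote_addr)
    body += _string(None) + _string(server_name)     # remote_host, server_name
    body += struct.pack(">H", 80) + b"\x00"          # server_port, is_ssl=false
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else _string(name)
        body += _string(value)
    for code, value in attributes:                   # attributes follow the headers
        body += bytes([code]) + _string(value)
    body += bytes([ATTR_END])
    return MAGIC + struct.pack(">H", len(body)) + body

def decode_forward_request(packet):
    """Parse a packet back into method, uri, headers and attributes."""
    if packet[:2] != MAGIC:
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack_from(">H", packet, 2)
    buf = packet[4:4 + length]
    method, pos, fields = buf[1], 2, []
    for _ in range(5):                               # protocol, uri, addr, host, server
        value, pos = _read_string(buf, pos)
        fields.append(value)
    pos += 3                                         # server_port (2) + is_ssl (1)
    (num_headers,) = struct.unpack_from(">H", buf, pos)
    pos, headers = pos + 2, []
    for _ in range(num_headers):
        (code,) = struct.unpack_from(">H", buf, pos)
        if code >> 8 == 0xA0:                        # coded name, else literal string
            name, pos = HEADER_NAMES[code], pos + 2
        else:
            name, pos = _read_string(buf, pos)
        value, pos = _read_string(buf, pos)
        headers.append((name, value))
    attributes = {}
    while buf[pos] != ATTR_END:
        code, pos = buf[pos], pos + 1
        attributes[code], pos = _read_string(buf, pos)
    return {"method": method, "uri": fields[1], "headers": headers,
            "attributes": attributes}

def decide_user(packet, expected_secret, tomcat_authentication=True):
    """Model of the connector: ("rejected", why) or ("ok", user-or-None).
    The user comes only from the REMOTE_USER attribute and only when
    tomcatAuthentication="false"; an HTTP header of that name is never read."""
    attrs = decode_forward_request(packet)["attributes"]
    if expected_secret is not None and attrs.get(ATTR_SECRET) != expected_secret:
        return ("rejected", "secret mismatch")
    if tomcat_authentication:
        return ("ok", None)                          # Tomcat's own Realm decides
    return ("ok", attrs.get(ATTR_REMOTE_USER))

# Constructed sample packets: a client forging an HTTP header, and the proxy
# asserting the user through the AJP attribute after it authenticated him.
FORGED = encode_forward_request("GET", "/myapp/",
    [("REMOTE_USER", "admin"), ("Host", "intranet")], [(ATTR_SECRET, "mysecret")])
ASSERTED = encode_forward_request("GET", "/myapp/", [("Host", "intranet")],
    [(ATTR_SECRET, "mysecret"), (ATTR_REMOTE_USER, "jim"), (ATTR_AUTH_TYPE, "OAM")])

if __name__ == "__main__":
    for pkt, secret, ta in ((FORGED, "mysecret", False), (ASSERTED, "mysecret", False),
                            (ASSERTED, "mysecret", True), (ASSERTED, "wrong", False)):
        print(decide_user(pkt, secret, tomcat_authentication=ta))
```

Running it shows that a client-supplied HTTP header named REMOTE_USER never becomes the user, that the attribute set by the proxy does once tomcatAuthentication="false", and that a packet whose secret attribute does not match is rejected before any of that is considered. On a real deployment the corresponding settings are the secret attribute (required by default since Tomcat 9.0.31, the release that also made the AJP connector bind to the loopback address by default) and the tomcatAuthentication attribute on the Connector, and on the httpd side the secret= worker parameter of ProxyPass, which mod_proxy_ajp accepts only from httpd 2.4.42 on.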
On 15.05.2020 14:08, ohaya wrote:
> Hi Olaf,
>
> Thanks. I do appreciate that! I will do more digging.
>
> Jim
>
>
> On Friday, May 15, 2020, 07:41:50 AM EDT, Olaf Kock <[email protected]>
>wrote:
>
>
> On 15.05.20 13:23, ohaya wrote:
>> Hi,
>>
>> I just tried adding the secret to the Apache side:
>>
>> ProxyPass ajp://192.168.218.XXX:8009 secret="123"
>> ProxyPassReverse ajp://192.168.218.XXX:8009 secret="123"
>>
>> and I get an error when I try to start Apache:
>>
>> AH00526: Syntax error on line 554 of /apps/oracle/apache/conf/httpd.conf:
>> ProxyPass unknown Worker parameter
>>
>> I am currently using Apache 2.4.39. Is there another way to specify the
>> "secret"?
>
> With 9.0.20 you do not yet need to pass a secret - that came along later
> (somewhere around 30-33 AFAIR). However, you'll need to make sure that
> your AJP port is only available for the reverse proxy and nobody else -
> there was a recent security disclosure, which led to the change of many
> default settings for the AJP connector in the current releases.
>
> It boils down to the last sentence of my previous answer: I've never
> used REMOTE_USER headers for authentication, and there's no indicator in
> your setup that you're allowing Tomcat to trust such a header. I might
> be completely off here, but as nobody else answered yet, I thought I'd
> give it a try.
>
> Olaf
>
>> Thanks,
>> Jim
>>
>>
>> On Friday, May 15, 2020, 07:04:44 AM EDT, ohaya
>><[email protected]> wrote:
>>
>> Hi,
>>
>> The Tomcat version I am using is 9.0.20. I will take a look at the changelog.
>>
>> This is the first time I have tried this, and I couldn't find much info, so
>> I appreciate the feedback. I will look for info about "secret".
>>
>> I wasn't sure about the format on the Apache side for the
>> ProxyPass/ProxyPassReverse - does what I posted look all right?
>>
>> Also, when I was searching around for info, I saw some comments that seem to
>> be saying that the "tomcatAuthentication" parameter on the Tomcat connection
>> was no longer supported or something like that?
>>
>> Also re. "secret" on the Tomcat side: If that is set to, for example,
>> "mysecret", how do I pass that on the Apache side?
>>
>> Thanks again,
>> Jim
>>
>>
>> On Friday, May 15, 2020, 03:33:19 AM EDT, Olaf Kock
>><[email protected]> wrote:
>>
>>
>> On 15.05.20 09:06, [email protected] wrote:
>>> Hi,
>>>
>>> I am using an Apache proxy in front of Tomcat 9, and I am using an AJP
>>> connection to connect from Apache to Tomcat, and I have Apache
>>> sending a username to Tomcat in a REMOTE_USER header.
>>>
>>> In the Tomcat server.xml I have:
>>>
>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>>>tomcatAuthentication="false"/>
>>>
>>> In the Apache httpd.conf, to test, this I have:
>>>
>>> <LocationMatch /myapp*>
>>> ProxyPass ajp://192.168.218.XX:8009
>>> ProxyPassReverse ajp://192.168.XX.224:8009
>>> </LocationMatch>
>>>
>>> But when I access the app via the Apache, it is not automatically logging
>>> me into the app.
>>>
>>> Is there anything else that I have to do to get this to work besides what I
>>> did above? Is there something that I have to modify in the app itself to
>>> get this to work?
>> Hi Jim,
>>
>> Which exact version of Tomcat 9 are you using? Note that there were
>> significant changes for the default and required configuration for the
>> AJP connector, in order to use it. Best to find all of them: Search for
>> AJP in the change log tomcat.apache.org/tomcat-9.0-doc/changelog.html
>>
>> Notable among them: Everything to do with "secret", and the default bind
>> address, "localhost", for the AJP connector. i.e. I'd expect this
>> configuration to be insufficient for any of the latest releases.
>>
>> I haven't ever used this REMOTE_USER authentication, but nothing in the
>> configuration that you've posted gives any clue about what you do and
>> what you send. I would expect Tomcat to *not* blindly accept any
>> REMOTE_USER header by default, unless it's whitelisted and explicitly
>> asked for - it otherwise would be a great way to exploit servers that
>> don't have a remote proxy (or one where the remote proxy is configured
>> to remove this header). Nothing in the configuration you post gives me a
>> hint about what you do to make tomcat accept and trust this header.
>>
>> Olaf
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]