On 15.05.2020 14:42, ohaya wrote:

Yes, I am using Oracle Access Manager (OAM) so we have what they call an "OAM webgate" 
that is integrated with the Apache. That webgate automatically populates an HTTP header named 
"remote_user" with the user that OAM authenticated.

So the problem I having is trying to figure out how to "integrate" that with 

Then you would need an Apache add-on module which grabs the content of this header, and sets the Apache R->user variable (where R is the Apache request object). And in Tomcat, your Connector, as it is shown below, will automatically pick up this user-id and use it within tomcat.

There is probably already an option in OAM which does this (set the Apache user at the same time as adding that HTTP header REMOTE_USER). That is what it should do anyway, if OAM can also authenticate the user for an application running within Apache.

So we have:

Browser <==> Apache+webgate <==> Tomcat (webapp)


      On Friday, May 15, 2020, 08:36:18 AM EDT, André Warnier (tomcat/perl) 
<a...@ice-sa.com> wrote:
Let me give my 5 cent.

In the tomcat AJP Connector Tomcat, you use the tomcatAuthentication attribute :

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 

This setting has the effect that tomcat will "believe" the authenticated 
user-id that
Apache is passing to it in the AJP protocol messages that Apache sends to 
tomcat, and not
try to re-authenticate again at the tomcat level.
(Note : this is not done by a "REMOTE_USER" HTTP header added by Apache; it 
happens via
some internal variable specific to the AJP protocol).

Of course, for this, the request needs to be first authenticated in Apache (so 
that it has
a user-id to pass to tomcat).

So do you have anything at the Apache httpd side, which authenticates the user 
before the
request gets passed to tomcat (via AJP) ?

On 15.05.2020 14:08, ohaya wrote:
   Hi Olaf,

Thanks. I do appreciate that! I will do more digging.


       On Friday, May 15, 2020, 07:41:50 AM EDT, Olaf Kock <tom...@olafkock.de> 
On 15.05.20 13:23, ohaya wrote:

I just tried adding the secret to the Apache side:

ProxyPass ajp://192.168.218.XXX:8009 secret="123"
ProxyPassReverse ajp://192.168.218.XXX:8009 secret="123"

and I get an error when I try to start Apache:

AH00526: Syntax error on line 554 of /apps/oracle/apache/conf/httpd.conf:
ProxyPass unknown Worker parameter

I am currently using Apache 2.4.39. Is there another way to specify the 

With 9.0.20 you do not yet need to pass a secret - that came along later
(somewhere around 30-33 AFAIR). However, you'll need to make sure that
your AJP port is only available for the reverse proxy and nobody else -
there was a recent security disclosure, which led to the change of many
default settings for the AJP connector in the current releases.

It boils down to the last sentence of my previous answer: I've never
used REMOTE_USER headers for authentication, and there's no indicator in
your setup that you're allowing Tomcat to trust such a header. I might
be completely off here, but as nobody else answered yet, I thought I'd
give it a try.



         On Friday, May 15, 2020, 07:04:44 AM EDT, ohaya 
<oh...@yahoo.com.invalid> wrote:

The Tomcat version I am using is 9.0.20. I will take a look at the changelog.

This is the first time I have tried this, and I couldn't find much info, so I appreciate 
the feedback. I will look for info about "secret".

I wasn't sure about the format on the Apache side for the 
ProxyPass/ProxyPassReverse - does what I posted look all right?

Also, when I was searching around for info, I saw some comments that seem to be saying 
that the "tomcatAuthentication" parameter on the Tomcat connection was no 
longer supported or something like that?

Also re. "secret" on the Tomcat side: If that is set to, for example, 
"mysecret", how do I pass that on the Apache side?

Thanks again,

       On Friday, May 15, 2020, 03:33:19 AM EDT, Olaf Kock <tom...@olafkock.de> 
On 15.05.20 09:06, oh...@yahoo.com.INVALID wrote:

I am using an Apache proxy in front of Tomcat 9, and I am using AJP connection 
to connect from the Apache to Tomcat, and I have the Apache sending a username 
to the Tomcat in a REMOTE_USER header.

In the Tomcat server.xml I have:

     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" 

In the Apache httpd.conf, to test, this I have:

<LocationMatch /myapp*>
ProxyPass ajp://192.168.218.XX:8009
ProxyPassReverse ajp://192.168.XX.224:8009

But when I access the app via the Apache, it is not automatically logging me 
into the app.

Is there anything else that I have to do to get this to work besides what I did 
above?  Is there something that I have to modify in the app itself to get this 
to work?
Hi Jim,

which exact version of Tomcat 9 are you using? Note that there were
significant changes for the default and required configuration for the
AJP connector, in order to use it. Best to find all of them: Search for
AJP in the change log tomcat.apache.org/tomcat-9.0-doc/changelog.html

Notable among them: Everything to do with "secret", and the default bind
address, "localhost", for the AJP connector. i.e. I'd expect this
configuration to be insufficient for any of the latest releases.

I haven't ever used this REMOTE_USER authentication, but nothing in the
configuration that you've posted gives any clue about what you do and
what you send. I would expect Tomcat to *not* blindly accept any
REMOTE_USER header by default, unless it's whitelisted and explicitly
asked for - it otherwise would be a great way to exploit servers that
don't have a remote proxy (or one where the remote proxy is configured
to remove this header). Nothing in the configuration you post gives me a
hint about what you do to make tomcat accept and trust this header.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to