Christopher Schultz wrote:
> Omar Nafees wrote:
>> 1) request.getRemoteUser() only works on the "entry-point" servlet (e.g.
>> index.jsp) - it doesn't work if you forward immediately to another page.
>> It seems strange that Tomcat doesn't keep remote user around for later
>> use and forces me to keep it around explicitly in some form (such as a
>> hidden POST parameter).
> This doesn't sound right; getRemoteUser should return the REMOTE_USER
> each time, regardless of which request it is.
And it does. fwd.jsp is
<jsp:forward page="auth.jsp"/>
and auth.jsp is
<%@ page session="false" %>
<HTML>
User: <%=request.getRemoteUser() %>
</HTML>
and I do get the correct user name when sending the request to an apache
with basic authentication configured and connected to Tomcat via mod_jk.
>> 2) The above is assuming SSL is turned off for my application. The
>> minute I turn it on in its security constraint (in web.xml)
> You cannot "turn on" SSL in web.xml; all you can do is require that SSL
> be used in order for security to work.
> Since you're using mod_jk, you won't be able to use CONFIDENTIAL as a
> security constraint, since mod_jk doesn't communicate using a
> CONFIDENTIAL channel.
I added
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
to web.xml. If I contact the webapp via Apache with http, I get a
redirect to the https URL. If I talk to Apache via https, I can access
the application. We know that mod_jk forwards the info about the
protocol used by Apache when accepting the original request, and this
info is handled by Tomcat's security-constraint the same way as if
Tomcat had created it on its own connectors.
>> request.getRemoteUser() only returns null. Is there a particular setting
>> in security constraint or elsewhere to achieve the desired behavior?
> I believe you are making a mistake by using CONFIDENTIAL in web.xml, and
> Tomcat is reacting correctly by refusing to accept the remote user as
> furnished by mod_jk because it is not being sent over SSL.
In my test case:
- it doesn't reject or redirect, it simply answers the request - if it
  was sent via Apache/mod_jk using https in the original request
- the JSP correctly outputs the user name. I get it when requesting
  fwd.jsp, and also when requesting auth.jsp.

Again I think you should try a simple example first.
Regards,
Rainer
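A small diagnostic servlet, added here and not part of the thread, that makes the two observations above checkable in one place: whether getRemoteUser() survives a forward, and what isSecure() reports for a request that arrived through Apache/mod_jk (the value a CONFIDENTIAL user-data-constraint is evaluated against). It assumes a javax.servlet webapp (Tomcat 9 or earlier) with this class mapped in web.xml to both /whoami and /fwd; the class name and paths are my own choices.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Diagnostic servlet (added example, not from the thread). /fwd forwards to
 * /whoami the way fwd.jsp forwards to auth.jsp above, so a direct request and
 * a forwarded one can be compared side by side.
 */
public class WhoAmIServlet extends HttpServlet {

    /** Collect what Tomcat believes about the caller and the transport. */
    static Map<String, String> describe(HttpServletRequest req) {
        Map<String, String> info = new LinkedHashMap<String, String>();
        // Set by the container only when this request was reached via a forward.
        Object from = req.getAttribute("javax.servlet.forward.request_uri");
        info.put("forwarded from", from == null ? "(direct request)" : from.toString());
        // Principal as seen by the webapp; null means none reached this request.
        info.put("remote user", String.valueOf(req.getRemoteUser()));
        info.put("auth type", String.valueOf(req.getAuthType()));
        // isSecure() is what a CONFIDENTIAL constraint is checked against; behind
        // mod_jk it reflects the protocol Apache reported, not the AJP link itself.
        info.put("isSecure", String.valueOf(req.isSecure()));
        info.put("scheme", req.getScheme());
        info.put("server port", String.valueOf(req.getServerPort()));
        return info;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/fwd".equals(req.getServletPath())) {
            // Same request object continues into the target, as with jsp:forward.
            req.getRequestDispatcher("/whoami").forward(req, resp);
            return;
        }
        resp.setContentType("text/plain");
        for (Map.Entry<String, String> e : describe(req).entrySet()) {
            resp.getWriter().println(e.getKey() + ": " + e.getValue());
        }
    }
}
```

If an https request to Apache shows isSecure false here, the transport information is not reaching Tomcat through mod_jk, which is worth settling before debugging the security-constraint itself.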
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org