Tomcat Apache and ProxyPass

Alex Mesfin

Joined: Dec 29, 2011
Posts: 2

I have set up access to Tomcat using Apache httpd ProxyPass as follows:

ProxyPass /service
ProxyPassReverse /service

Apache httpd is used to authenticate users and as a front end to Tomcat. Once a user is logged in, how do I capture his username environment and pass it on to Tomcat as or any possible way? What I am looking for is to capture the logged-in user from the environment if possible.

Among other things I am running Jenkins, and would like to know how to capture the users logged in from Apache.

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17151

Welcome to the JavaRanch, Alex!

I use Tomcat's own (J2EE standard) security myself, so I'm not familiar with what amenities one can expect from Apache. The J2EE security standard is preferable to me, since it integrates better with J2EE webapps.

I would expect that Apache is at least adding the authentication headers to the data stream being forwarded to Tomcat, although I could be wrong.

First, check the HttpServletRequest getRemoteUser() method and see if that method returns a userId or if it returns null.

If that doesn't work, you'll have to look at the actual headers themselves.

An IDE is no substitute for an Intelligent Developer.
Karthik Shiraly

Joined: Apr 04, 2009
Posts: 711

You're using mod_proxy_http. httpd will add an "Authorization" HTTP header but Tomcat does not try to interpret it. getRemoteUser() will return null. As Tim says, the Tomcat webapp will have to parse the header (it comes something like - Authorization: Digest username="wpadminuser2", realm="restricted" ....)

On the other hand, if you proxy using mod_proxy_ajp and set "tomcatAuthentication=false" in Tomcat server.xml for the 8009 AJP connector, getRemoteUser() will return the correct username for both basic and digest auth.
Consider using mod_proxy_ajp. The proxy URLs should change to ajp://
However, according to this article, mod_proxy_ajp is not the author's preferred choice. So you might want to test for stability if you decide to use it.
Alex Mesfin

Joined: Dec 29, 2011
Posts: 2

What I had was Jenkins running jobs, like Ant scripts and shell scripts; it is from these scripts that I want to capture the logged-in user name, not from a Servlet or JSP.
If anyone would share his thoughts I will be very grateful, thanks.

Karthik Shiraly

Joined: Apr 04, 2009
Posts: 711

Jenkins is also servlet and servlet filter based. If you check the "Enabling security" and "allow container to authenticate" checkboxes in the Jenkins configuration, Jenkins displays in the page header the username authenticated by httpd.
Its filters are able to understand both basic and digest authentication headers received from the httpd proxy.
But Jenkins does not seem to provide any inbuilt env variable to get the username. Perhaps this plugin may do the trick, but I didn't try it out.
Another problem with this approach is that you can't log out, because the Authorization header is sent by the httpd proxy for every request, until the browser is closed.

I'm not very familiar with Jenkins or its authentication, but I get the impression from its config page that Jenkins prefers to do its own authentication and authorization. Its source code shows it uses the very capable Acegi security toolkit. I'm guessing that Jenkins authn and authz are much more refined than a simplistic in-or-out authentication from the Apache proxy. Perhaps you should consider doing the authentication on the Jenkins side rather than on the httpd side, and then try that plugin.
I also get the impression that the authenticated user is not very important, because your question has been asked in multiple forums and has remained unanswered as far as I could find. Perhaps there is some other approach. Sorry I can't provide a better answer, since I'm not very familiar with Jenkins.