
Tomcat Apache and ProxyPass

 
Alex Mesfin
Greenhorn
Posts: 2
C++ Java Linux
I have set up access to Tomcat using apache Httpd ProxyPass as follows:

ProxyPass /service http://127.0.0.1:8080/service
ProxyPassReverse /service http://127.0.0.1:8080/service

Apache httpd is used to authenticate users and as a front end to Tomcat. Once a user is logged in, how do I capture his username environment and pass it on to Tomcat as or any possible way? What I am looking for is to capture the logged-in user from the environment if possible.

Among other things I am running Jenkins, and would like to know how to capture the users logged in from Apache.


 
Tim Holloway
Saloon Keeper
Pie
Posts: 18162
53
Android Eclipse IDE Linux
Welcome to the JavaRanch, Alex!

I use Tomcat's own (J2EE standard) security myself, so I'm not familiar with what amenities one can expect from Apache. The J2EE security standard is preferable to me, since it integrates better with J2EE webapps.

I would expect that Apache is at least adding the authentication headers to the data stream being forwarded to Tomcat, although I could be wrong.

First, check the HttpServletRequest getRemoteUser() method and see if that method returns a userId or if it returns null.

If that doesn't work, you'll have to look at the actual headers themselves.
 
Karthik Shiraly
Bartender
Posts: 1208
25
Android C++ Java Linux PHP Python
You're using mod_proxy_http. httpd will add an "Authorization" HTTP header but Tomcat does not try to interpret it. getRemoteUser() will return null. As Tim says, the Tomcat webapp will have to parse the header (it comes something like - Authorization: Digest username="wpadminuser2", realm="restricted" ....)

On the other hand, if you proxy using mod_proxy_ajp and set "tomcatAuthentication=false" in Tomcat server.xml for the 8009 AJP connector, getRemoteUser() will return the correct username for both basic and digest auth.
Consider using mod_proxy_ajp. The proxy URLs should change to ajp://127.0.0.1:8009/service.
However, according to this article, mod_proxy_ajp is not the author's preferred choice. So you might want to test for stability if you decide to use it.
 
Alex Mesfin
Greenhorn
Posts: 2
C++ Java Linux
What I had was Jenkins running jobs, like Ant scripts and shell scripts; it is from these scripts that I want to capture the logged-in user name, not from a Servlet or JSP.
If anyone would share his thoughts I will be very grateful, thanks.

EAM
 
Karthik Shiraly
Bartender
Posts: 1208
25
Android C++ Java Linux PHP Python
Jenkins is also servlet and servlet filter based. If you check the "Enabling security" and "allow container to authenticate" checkboxes in the Jenkins configuration, Jenkins displays in the page header the username authenticated by httpd.
Its filters are able to understand both basic and digest authentication headers received from httpd proxy.
But Jenkins does not seem to provide any inbuilt env variable to get the username. Perhaps this plugin may do the trick, but I didn't try it out.
Another problem with this approach is that you can't log out, because the Authorization header is sent by the httpd proxy for every request, until the browser is closed.

I'm not very familiar with Jenkins or its authentication, but I get the impression from its config page that Jenkins prefers to do its own authentication and authorization. Its source code shows it uses the very capable acegi security toolkit. I'm guessing that Jenkins authn and authz are much more refined than a simplistic in-or-out authentication from the apache proxy. Perhaps you should consider doing the authentication on jenkins side rather than on httpd side, and then try that plugin.
I also get the impression that the authenticated user is not very important, because your question has been asked in multiple forums and has remained unanswered as far as I could find. Perhaps there is some other approach. Sorry I can't provide a better answer, since I'm not very familiar with Jenkins.
 