Tomcat Apache and ProxyPass

Alex Mesfin
Greenhorn

Joined: Dec 29, 2011
Posts: 2

I have set up access to Tomcat using Apache Httpd ProxyPass as follows:

ProxyPass /service http://127.0.0.1:8080/service
ProxyPassReverse /service http://127.0.0.1:8080/service

Apache Httpd is used to authenticate users and as a front end to Tomcat. Once a user is logged in, how do I capture his username environment and pass it on to Tomcat as or any possible way? What I am looking for is to capture the logged-in user from the environment if possible.

Among other things I am running Jenkins, and would like to know how to capture the users logged in from Apache.


Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15960

Welcome to the JavaRanch, Alex!

I use Tomcat's own (J2EE standard) security myself, so I'm not familiar with what amenities one can expect from Apache. The J2EE security standard is preferable to me, since it integrates better with J2EE webapps.

I would expect that Apache is at least adding the authentication headers to the data stream being forwarded to Tomcat, although I could be wrong.

First, check the HttpServletRequest getRemoteUser() method and see if that method returns a userId or if it returns null.

If that doesn't work, you'll have to look at the actual headers themselves.


Customer surveys are for companies who didn't pay proper attention to begin with.
Karthik Shiraly
Ranch Hand

Joined: Apr 04, 2009
Posts: 489
You're using mod_proxy_http. httpd will add an "Authorization" HTTP header but Tomcat does not try to interpret it. getRemoteUser() will return null. As Tim says, the Tomcat webapp will have to parse the header (it comes something like - Authorization: Digest username="wpadminuser2", realm="restricted" ....)

On the other hand, if you proxy using mod_proxy_ajp and set "tomcatAuthentication=false" in Tomcat server.xml for the 8009 AJP connector, getRemoteUser() will return the correct username for both basic and digest auth.
Consider using mod_proxy_ajp. The proxy URLs should change to ajp://127.0.0.1:8009/service.
However, according to this article, mod_proxy_ajp is not the author's preferred choice. So you might want to test for stability if you decide to use it.
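
The header parsing described in the post above, as an added example that is not part of the original thread or any poster's code: a stand-alone Java helper (the class name `ForwardedAuthUser` and method `userFrom` are hypothetical) that pulls the user name out of a Basic or Digest `Authorization` value. It assumes Tomcat's HTTP connector is reachable only through the httpd proxy (as with the 127.0.0.1 backend in the question), because the header is otherwise client-supplied and is not verified here.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: recover the user httpd authenticated from a forwarded Authorization header. */
public class ForwardedAuthUser {

    // Digest carries username="..." as a quoted-string; backslash escapes are allowed inside it.
    private static final Pattern DIGEST_USER =
            Pattern.compile("(?:^|[,\\s])username=\"((?:[^\"\\\\]|\\\\.)*)\"");

    /** In a servlet or filter the argument would be request.getHeader("Authorization"). */
    static Optional<String> userFrom(String header) {
        if (header == null) return Optional.empty();
        String[] parts = header.trim().split("\\s+", 2);   // "<scheme> <credentials>"
        if (parts.length < 2) return Optional.empty();
        String scheme = parts[0], rest = parts[1];
        if (scheme.equalsIgnoreCase("Basic")) {
            try {
                String decoded = new String(Base64.getDecoder().decode(rest.trim()), StandardCharsets.UTF_8);
                int colon = decoded.indexOf(':');   // split at the FIRST colon; passwords may contain ':'
                return colon > 0 ? Optional.of(decoded.substring(0, colon)) : Optional.empty();
            } catch (IllegalArgumentException badBase64) {
                return Optional.empty();            // malformed credentials: treat as anonymous
            }
        }
        if (scheme.equalsIgnoreCase("Digest")) {
            Matcher m = DIGEST_USER.matcher(rest);
            return m.find() ? Optional.of(m.group(1).replaceAll("\\\\(.)", "$1")) : Optional.empty();
        }
        return Optional.empty();                    // any other scheme is not interpreted
    }

    public static void main(String[] args) {
        // Constructed sample headers (the Digest one mirrors the shape quoted in the thread).
        String[] samples = {
            "Digest username=\"wpadminuser2\", realm=\"restricted\", nonce=\"constructed\"",
            "Basic " + Base64.getEncoder().encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8)),
            "Bearer not-handled",
            null
        };
        for (String h : samples) System.out.println(userFrom(h).orElse("<none>"));
    }
}
```

The parsed name is only as trustworthy as the network path: if anything other than the authenticating proxy can reach the backend port, a client can send any `Authorization` value it likes.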
Alex Mesfin
Greenhorn

Joined: Dec 29, 2011
Posts: 2

What I had was Jenkins running jobs, like Ant scripts and shell scripts; it is from these scripts that I want to capture the logged-in user name, not from Servlet or JSP.
If anyone would share his thoughts I will be very grateful, thanks.

EAM
Karthik Shiraly
Ranch Hand

Joined: Apr 04, 2009
Posts: 489
Jenkins is also servlet and servlet filter based. If you check the "Enabling security" and "allow container to authenticate" checkboxes in jenkins configuration, jenkins displays in the page header the username authenticated by httpd.
Its filters are able to understand both basic and digest authentication headers received from httpd proxy.
But Jenkins does not seem to provide any inbuilt env variable to get the username. Perhaps this plugin may do the trick, but I didn't try it out.
Another problem with this approach is that you can't log out, because the Authorization header is sent by httpd proxy for every request, until browser is closed.

I'm not very familiar with Jenkins or its authentication, but I get the impression from its config page that Jenkins prefers to do its own authentication and authorization. Its source code shows it uses the very capable acegi security toolkit. I'm guessing that Jenkins authn and authz are much more refined than a simplistic in-or-out authentication from the apache proxy. Perhaps you should consider doing the authentication on jenkins side rather than on httpd side, and then try that plugin.
I also get the impression that the authenticated user is not very important, because your question has been asked in multiple forums and has remained unanswered as far as I could find. Perhaps there is some other approach. Sorry I can't provide a better answer, since I'm not very familiar with Jenkins.
 