Apache Httpd is used to authenticate users and as a front end to tomcat. Once a user is login, how do I capture his usernmae environment and passit on to tomcat as or any possible way. what I am looking for is to capture the loggedin user from the environent if possible.
Among other things Iam running Jenkins, and would like to know how to capture the users loggedin from apache.
I use Tomcat's own (J2EE standard) security myself, so I'm not familiar with what amenities one can expect from Apache. The J2EE security standard is preferable to me, since it integrates better with J2EE webapps.
I would expect that Apache is at least adding the authentication headers to the data stream being forwarded to Tomcat, although I could be wrong.
First, check the HttpServletRequest getRemoteUser() method and see if that method returns a userId or if it returns null.
If that doesn't work, you'll have to look at the actual headers themselves.
Customer surveys are for companies who didn't pay proper attention to begin with.
You're using mod_proxy_http. httpd will add an "Authorization" HTTP header but Tomcat does not try to interpret it. getRemoteUser() will return null. As Tim says, the Tomcat webapp will have to parse the header (it comes something like - Authorization: Digest username="wpadminuser2", realm="restricted" ....)
On the other hand, if you proxy using mod_proxy_ajp and set "tomcatAuthentication=false" in Tomcat server.xml for the 8009 AJP connector, getRemoteUser() will return the correct username for both basic and digest auth.
Consider using mod_proxy_ajp. The proxy URLs should change to ajp://127.0.0.1:8009/service.
However, according to this article, mod_proxy_ajp is not the author's preferred choice. So you might want to test for stability if you decide to use it.
What I had was Jenkins running jobs , like ants script and shell scripts, it is from this scripts that I want to capture the logged in user name, Not from Servlet or JSP.
If any one would share his though I will be very greatful, thanks
Joined: Apr 04, 2009
Jenkins is also servlet and servlet filter based. If you check the "Enabling security" and "allow container to authenticate" checkboxes in jenkins configuration, jenkins displays in the page header the username authenticated by httpd.
Its filters are able to understand both basic and digest authentication headers received from httpd proxy.
But Jenkins does not seem to provide any inbuilt env variable to get the username. Perhaps this plugin may do the trick, but I didn't try it out.
Another problem with this approach is that you can't log out, because the Authorization header is sent by httpd proxy for every request, until browser is closed.
I'm not very familiar with Jenkins or its authentication, but I get the impression from its config page that Jenkins prefers to do its own authentication and authorization. Its source code shows it uses the very capable acegi security toolkit. I'm guessing that Jenkins authn and authz are much more refined than a simplistic in-or-out authentication from the apache proxy. Perhaps you should consider doing the authentication on jenkins side rather than on httpd side, and then try that plugin.
I also get the impression that the authenticated user is not very important, because your question has been asked in multiple forums and has remained unanswered as far as I could find. Perhaps there is some other approach. Sorry I can't provide a better answer, since I'm not very familiar with Jenkins.