• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Tomcat Apache and ProxyPass

 
Greenhorn
Posts: 2
C++ Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have set up access to Tomcat using apache Httpd ProxyPass as follows:

ProxyPass /service http://127.0.0.1:8080/service
ProxyPassReverse /service http://127.0.0.1:8080/service

Apache Httpd is used to authenticate users and as a front end to tomcat. Once a user is login, how do I capture his usernmae environment and passit on to tomcat as or any possible way. what I am looking for is to capture the loggedin user from the environent if possible.

Among other things Iam running Jenkins, and would like to know how to capture the users loggedin from apache.


 
Saloon Keeper
Posts: 27764
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Welcome to the JavaRanch, Alex!

I use Tomcat's own (J2EE standard) security myself, so I'm not familiar with what amenities one can expect from Apache. The J2EE security standard is preferable to me, since it integrates better with J2EE webapps.

I would expect that Apache is at least adding the authentication headers to the data stream being forwarded to Tomcat, although I could be wrong.

First, check the HttpServletRequest getRemoteUser() method and see if that method returns a userId or if it returns null.

If that doesn't work, you'll have to look at the actual headers themselves.
 
Bartender
Posts: 1210
25
Android Python PHP C++ Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You're using mod_proxy_http. httpd will add an "Authorization" HTTP header but Tomcat does not try to interpret it. getRemoteUser() will return null. As Tim says, the Tomcat webapp will have to parse the header (it comes something like - Authorization: Digest username="wpadminuser2", realm="restricted" ....)

On the other hand, if you proxy using mod_proxy_ajp and set "tomcatAuthentication=false" in Tomcat server.xml for the 8009 AJP connector, getRemoteUser() will return the correct username for both basic and digest auth.
Consider using mod_proxy_ajp. The proxy URLs should change to ajp://127.0.0.1:8009/service.
However, according to this article, mod_proxy_ajp is not the author's preferred choice. So you might want to test for stability if you decide to use it.
 
Alex Mesfin
Greenhorn
Posts: 2
C++ Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
What I had was Jenkins running jobs , like ants script and shell scripts, it is from this scripts that I want to capture the logged in user name, Not from Servlet or JSP.
If any one would share his though I will be very greatful, thanks

EAM
 
Karthik Shiraly
Bartender
Posts: 1210
25
Android Python PHP C++ Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Jenkins is also servlet and servlet filter based. If you check the "Enabling security" and "allow container to authenticate" checkboxes in jenkins configuration, jenkins displays in the page header the username authenticated by httpd.
Its filters are able to understand both basic and digest authentication headers received from httpd proxy.
But Jenkins does not seem to provide any inbuilt env variable to get the username. Perhaps this plugin may do the trick, but I didn't try it out.
Another problem with this approach is that you can't log out, because the Authorization header is sent by httpd proxy for every request, until browser is closed.

I'm not very familiar with Jenkins or its authentication, but I get the impression from its config page that Jenkins prefers to do its own authentication and authorization. Its source code shows it uses the very capable acegi security toolkit. I'm guessing that Jenkins authn and authz are much more refined than a simplistic in-or-out authentication from the apache proxy. Perhaps you should consider doing the authentication on jenkins side rather than on httpd side, and then try that plugin.
I also get the impression that the authenticated user is not very important, because your question has been asked in multiple forums and has remained unanswered as far as I could find. Perhaps there is some other approach. Sorry I can't provide a better answer, since I'm not very familiar with Jenkins.
 
reply
    Bookmark Topic Watch Topic
  • New Topic