getRemoteUser from Web Application

We have been unable to successfully use the getRemoteUser method from within a Web Application running on GlassFish v2.1.

We proxy from Apache to our web application and restrict access using mod_auth_kerb in Apache. We would like the web application to be able to see who has authenticated. The Apache proxy and Kerberos authentication work properly, but the java getRemoteUser method always returns null. I believe this is because it cannot see the http REMOTE_USER variable. I would greatly appreciate any suggestions for configuring this properly.

Here is the relevant portion of our http configuration:

------
######
# GlassFish proxy
ProxyPreserveHost on
RewriteEngine on
RequestHeader Set Proxy-keysize 512
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host www.mysecure.com:443
RewriteRule ^/HelloWeb$ /HelloWeb/ [R,L]
RewriteRule ^/HelloWeb/(.*) http://localhost:38080/HelloWeb/$1 [P,L]
<Location "/HelloWeb">
    order deny,allow
    deny from all
    AuthType KerberosV5
    AuthName "kerberos authentication"
    Satisfy any
    require valid-user
</Location>
------

Please let me know if there is any more information I can provide. Any suggestions would be greatly appreciated.

[Message sent by forum member 'bougie' (dab66@...)]
http://forums.java.net/jive/thread.jspa?messageID=369133

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
Re: getRemoteUser from Web Application

For what it's worth, I've reproduced this using a simple cgi script, so this is definitely not specific to GlassFish. Here's what I have so far.

------
######
# GlassFish proxy
ProxyPreserveHost on
RewriteEngine on
RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 9
RequestHeader Set Proxy-keysize 512
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host myserver.cornell.edu:443
RequestHeader set REMOTE_USER %{LA-U:REMOTE_USER}e
RewriteRule ^/HelloWeb$ /HelloWeb/ [R,L]
RewriteRule ^/HelloWeb/(.*) http://localhost:38080/HelloWeb/$1 [P,L,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
<Location "/HelloWeb">
    order deny,allow
    deny from all
    AuthType KerberosV5
    AuthName "kerberos"
    Satisfy any
    require valid-user
</Location>
------

And, here's what I see in rewrite.log.

------
... [rid#8928268/initial] (2) init rewrite engine with requested uri /HelloWeb/UserServlet
... [rid#8928268/initial] (3) applying pattern '^/HelloWeb$' to uri '/HelloWeb/UserServlet'
... [rid#8928268/initial] (3) applying pattern '^/HelloWeb/(.*)' to uri '/HelloWeb/UserServlet'
... [rid#8928268/initial] (2) rewrite /HelloWeb/UserServlet -> http://localhost:38080/HelloWeb/UserServlet
... [rid#892a270/subreq] (2) init rewrite engine with requested uri /HelloWeb/UserServlet
... [rid#892a270/subreq] (1) pass through /HelloWeb/UserServlet
... [rid#8928268/initial] (5) lookahead: path=/HelloWeb/UserServlet var=REMOTE_USER -> val=
... [rid#8928268/initial] (5) setting env variable 'REMOTE_USER' to ''
... [rid#8928268/initial] (2) forcing proxy-throughput with http://localhost:38080/HelloWeb/UserServlet
... [rid#8928268/initial] (1) go-ahead with proxy request proxy:http://localhost:38080/HelloWeb/UserServlet [OK]
... [rid#8928268/initial] (2) init rewrite engine with requested uri /HelloWeb/UserServlet
... [rid#8928268/initial] (3) applying pattern '^/HelloWeb$' to uri '/HelloWeb/UserServlet'
... [rid#8928268/initial] (3) applying pattern '^/HelloWeb/(.*)' to uri '/HelloWeb/UserServlet'
... [rid#8928268/initial] (2) rewrite /HelloWeb/UserServlet -> http://localhost:38080/HelloWeb/UserServlet
... [rid#892a270/subreq] (2) init rewrite engine with requested uri /HelloWeb/UserServlet
... [rid#892a270/subreq] (1) pass through /HelloWeb/UserServlet
... [rid#8928268/initial] (5) lookahead: path=/HelloWeb/UserServlet var=REMOTE_USER -> val=dab66
... [rid#8928268/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
... [rid#8928268/initial] (2) forcing proxy-throughput with http://localhost:38080/HelloWeb/UserServlet
... [rid#8928268/initial] (1) go-ahead with proxy request proxy:http://localhost:38080/HelloWeb/UserServlet [OK]
------

However, when proxying through apache, neither my cgi script nor my web application see the REMOTE_USER (dab66).

[Message sent by forum member 'bougie' (dab66@...)]
http://forums.java.net/jive/thread.jspa?messageID=369166
Re: getRemoteUser from Web Application

Just in case anyone's interested, I received some intricate explanations from the apache users mailing list on why getRemoteUser won't work through a proxied connection. The closest I've gotten is to rewrite my apache configuration to create a REMOTE_USER *HTTP header* for authenticated connections. This seems to work well, and can be accessed from java using HttpServletRequest.getHeader. Because anyone connecting to our web applications has been authenticated by mod_auth_kerb, I believe this is sufficient for our applications to determine who has authenticated and act accordingly. If necessary, I should be able to update our servlet container to take the REMOTE_USER HTTP header and set it into a UserPrincipal object.

Here is our updated configuration:

------
<Location "/test">
    order deny,allow
    deny from all
    AuthType KerberosV5
    AuthName "kerberos"
    Satisfy any
    require valid-user
    RewriteEngine on
    RewriteCond %{REMOTE_USER} (.+)
    RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
    RequestHeader Set Host ourserver.com:443
    RequestHeader set REMOTE_USER %{REMOTE_USER}e
    RewriteRule ^/var/www/html/test/(.*) http://localhost/cgi-bin/test/$1 [P,L,E=REMOTE_USER:%{REMOTE_USER}]
</Location>
------

And here is what it puts in rewrite.log:

------
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (3) [per-dir /test/] add path info postfix: /var/www/html/test -> /var/www/html/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (3) [per-dir /test/] applying pattern '^/var/www/html/test/(.*)' to uri '/var/www/html/test/remote.cgi'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (4) RewriteCond: input='dab66' pattern='(.+)' => matched
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (2) [per-dir /test/] rewrite /var/www/html/test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (2) [per-dir /test/] forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (1) [per-dir /test/] go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
------

[Message sent by forum member 'bougie' (dab66@...)]
http://forums.java.net/jive/thread.jspa?messageID=370512
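
As an added example (not part of the original thread and not GlassFish code), here is a servlet filter along the lines the last post suggests: it exposes the proxy-set REMOTE_USER header through getRemoteUser() and getUserPrincipal(), but only for requests that arrive from the local Apache. The class name ProxyRemoteUserFilter is hypothetical, and the filter assumes Apache proxies over loopback and that getRemoteAddr() reports the real TCP peer rather than a proxy-supplied address.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: maps the proxy-set REMOTE_USER header to the servlet identity. */
public class ProxyRemoteUserFilter implements Filter {
    // Header name taken from "RequestHeader set REMOTE_USER ..." in the thread's config.
    private static final String HEADER = "REMOTE_USER";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** Assumption: the only trusted sender of the header is Apache on loopback. */
    static boolean isLoopback(String addr) {
        return "127.0.0.1".equals(addr) || "::1".equals(addr) || "0:0:0:0:0:0:0:1".equals(addr);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final String user = http.getHeader(HEADER);
        // A header from any other peer could have been typed in by the client.
        // mod_headers writes the literal "(null)" when the env variable is unset.
        if (!isLoopback(http.getRemoteAddr()) || user == null
                || user.length() == 0 || "(null)".equals(user)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Downstream servlets now see the Kerberos-authenticated name as usual.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            public String getRemoteUser() { return user; }
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
        }, res);
    }
}
```

The filter is only as strong as the network path: the backend listener (port 38080 in the first post) should accept connections from the Apache host alone, so the header cannot be supplied by a client connecting directly.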