users@glassfish.java.net

Re: httpd/ajp Reverse Proxy: Losing REMOTE_USER Variable

From: Peter Cline <pcline_at_pobox.upenn.edu>
Date: Tue, 16 Feb 2010 16:55:55 -0500

Hi Amy,
Works beautifully. Thanks so much for your help!

Peter

Amy Roh wrote:
> Hi Peter,
>
> On 2/15/2010 12:09 PM, Peter Cline wrote:
>> Hi all,
>>
>> I'm working on getting Glassfish v3 set up with a httpd reverse proxy,
>> using mod_proxy_ajp. Setting up a simple listener, deploying existing
>> wars, and enabling the JK switch makes the basic connection work
>> flawlessly. No issues there.
>>
>> There is a problem, however. First, though, to explain: the flavor of
>> authentication our institution is moving to [avoiding tangent here], for
>> the time being, only supports an httpd plugin, hence the reverse proxy.
>> The plugin protects paths, handles authentication for those paths, sets
>> a few environment variables, including REMOTE_USER and AUTH_TYPE, and
>> then passes this forward.
>>
>> The problem: applications running under glassfish are not getting any
>> values in the REMOTE_USER and AUTH_TYPE fields. They're blank.
>>
>> We tested this first under tomcat, and at first, the same thing was
>> happening. Those fields were being blanked. However, we needed to set a
>> flag in the AJP listener string:
>> -- tomcatAuthentication="false"
>> After setting that flag, it lets the REMOTE_USER and AUTH_TYPE fields
>> pass to the application.
>>
>> As mentioned, applications under glassfish get nothing from these
>> fields. Digging around, I can't find anything even roughly equivalent to
>> tomcat's auth="false" notion in glassfish, unless I'm completely missing
>> something. So here come the questions, and please forgive any ignorance;
>> the mechanics of environment passing through AJP are nothing but fuzzy
>> to me:
>> - Am I correct in assuming that glassfish is either ignoring or
>> purposefully blanking these variables?
>
> Similar to Tomcat, GlassFish is using default values
> (tomcatAuthentication="true") unless it's configured to use something
> else.
>
> You can try configuring the jk connector using glassfish-jk.properties
> file. After creating the glassfish-jk.properties file with
> configuration changes, tomcatAuthentication="false" in this case, you
> can set glassfish to use the new configuration by
>
> asadmin create-jvm-options -Dcom.sun.enterprise.web.connector.enableJK.propertyFile=/path_to_configuration/glassfish-jk.properties
>
>
> Amy
>
>> - If so, any way to ask it nicely not to do so?
>> - Is this behavior limited to certain environment variables only, or is
>> the entire environment blanked / reset when a call like this comes in
>> through AJP?
>> I could consider rewriting the contents of these to different variable
>> names somewhere on the httpd side.
>> - Any other thoughts?
>>
>> Thanks for any help/advice you can offer.
>>
>> Peter
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>