Hi folks,
I have some improvement ideas for several components which I think
others would benefit from too.
We intend to run a set of apps on Tomcat 8.5 behind Apache 2.4.x for a
possible future load balancing scenario. While evaluating this task I
have stumbled on the issue that it isn't that trivial to tell HTTPd that
Tomcat is performing the authentication and here is remote user + auth
type, use that for your access logs too. I have a partially working idea
I'd like to get upstream (partially reported as BZ 62496):
1. RemoteIpValve sets requestAttributesEnabled by default in [1], I'd
like to add here:
> org.apache.coyote.Constants.FORWARDED_REQUEST_ATTRIBUTE:
"org.apache.tomcat.forwardedRequest"
> request.setAttribute(Constants.FORWARDED_REQUEST_ATTRIBUTE, "true");
2. AuthenticatorBase would pick this up in [2] by checking this
attribute and doing:
> response.setHeader(remoteUserHeaderName, request.getRemoteUser());
> response.setHeader(authTypeHeaderName, request.getAuthType());
where default header names are: X-Remote-User, X-Auth-Type.
I am not yet certain whether it should require just
FORWARDED_REQUEST_ATTRIBUTE or also another attribute (e.g., a boolean
respondAuthInfoOnForwardedRequests). FORWARDED_REQUEST_ATTRIBUTE is
nice because any internal component will know that this request is not
an original request, but a forwarded one.
On HTTPd I have:
Header note X-Remote-User REMOTE_USER
Header note X-Auth-Type AUTH_TYPE
Header unset X-Remote-User
Header unset X-Auth-Type
LuaHookLog /usr/local/etc/apache24/register_remote_user.lua register_remote_user
Access logs now look fine for me on both Tomcat and Apache HTTPd.
WDYT?
Michael
[1]
https://github.com/apache/tomcat85/blob/trunk/java/org/apache/catalina/valves/RemoteIpValve.java#L666-L676
[2]
https://github.com/apache/tomcat85/blob/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L999-L1001
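The two Tomcat-side steps above can be tried today without patching
RemoteIpValve or AuthenticatorBase. The following is an added example
(not code from the post, from BZ 62496 or from Tomcat itself): a Valve
that marks requests arriving from a trusted proxy, plus a servlet Filter
that emits the proposed X-Remote-User / X-Auth-Type response headers for
marked requests only. The package name org.example.forwardedauth, the
attribute name org.example.forwardedRequest (the post proposes
org.apache.tomcat.forwardedRequest) and the internalProxies default are
assumptions of this example. The valve has to be configured in server.xml
before RemoteIpValve so that getRemoteAddr() is still the TCP peer (the
proxy) and not the client address RemoteIpValve substitutes; the filter
runs after the container authenticator and before the servlet writes the
body, which is the same window AuthenticatorBase would use.

```java
package org.example.forwardedauth; // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Marks requests that arrived through a trusted reverse proxy. Place it in
 * server.xml BEFORE RemoteIpValve, e.g. in the Engine pipeline:
 *
 *   <Valve className="org.example.forwardedauth.ForwardedRequestMarkerValve"
 *          internalProxies="127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1" />
 *   <Valve className="org.apache.catalina.valves.RemoteIpValve" ... />
 */
public class ForwardedRequestMarkerValve extends ValveBase {

    /** Attribute name chosen for this example; the post proposes org.apache.tomcat.forwardedRequest. */
    public static final String FORWARDED_REQUEST_ATTRIBUTE = "org.example.forwardedRequest";

    // Assumed default: only a proxy on the same host is trusted. Widen it via the
    // internalProxies attribute in server.xml, never to "anything".
    private Pattern internalProxies =
            Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|::1|0:0:0:0:0:0:0:1");

    public void setInternalProxies(String regex) { internalProxies = Pattern.compile(regex); }
    public String getInternalProxies() { return internalProxies.pattern(); }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // RemoteIpValve has not run yet, so this is the address of the TCP peer.
        String peer = request.getRemoteAddr();
        if (peer != null && internalProxies.matcher(peer).matches()) {
            request.setAttribute(FORWARDED_REQUEST_ATTRIBUTE, Boolean.TRUE);
        }
        getNext().invoke(request, response);
    }

    /**
     * Emits the authenticated user and auth type as response headers, but only
     * on requests the valve above has marked. Map it to /* in the application's
     * web.xml (or in conf/web.xml for every context), e.g. as
     * org.example.forwardedauth.ForwardedRequestMarkerValve$AuthInfoHeaderFilter.
     * A client connecting to Tomcat directly never receives these headers;
     * httpd still has to "Header unset" them so they never reach the browser.
     */
    public static class AuthInfoHeaderFilter implements Filter {
        private String remoteUserHeaderName = "X-Remote-User";
        private String authTypeHeaderName = "X-Auth-Type";

        @Override
        public void init(FilterConfig config) {
            String v = config.getInitParameter("remoteUserHeaderName");
            if (v != null) remoteUserHeaderName = v;
            v = config.getInitParameter("authTypeHeaderName");
            if (v != null) authTypeHeaderName = v;
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
                HttpServletRequest request = (HttpServletRequest) req;
                HttpServletResponse response = (HttpServletResponse) res;
                boolean forwarded = Boolean.TRUE.equals(request.getAttribute(FORWARDED_REQUEST_ATTRIBUTE));
                String user = request.getRemoteUser(); // null until the authenticator has run
                if (forwarded && user != null) {
                    // Headers must be set before the body is written, i.e. before the
                    // response is committed; that is why this happens before doFilter().
                    response.setHeader(remoteUserHeaderName, user);
                    String authType = request.getAuthType();
                    if (authType != null) {
                        response.setHeader(authTypeHeaderName, authType);
                    }
                }
            }
            chain.doFilter(req, res);
        }

        @Override
        public void destroy() { }
    }
}
```

Two limitations worth knowing when comparing this with the proposed
AuthenticatorBase change: a servlet that calls response.reset() or
resetBuffer() discards the headers again, and a user established later by
programmatic request.login() inside the servlet is not seen by the
filter. Both are covered naturally when the headers are set inside the
authenticator itself, which is an argument for the upstream change.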