[TriLUG] Apache: modifying REMOTE_USER (w/ Tomcat)
Jeremy Portzer
jeremyp at pobox.com
Tue Dec 6 14:01:22 EST 2005
Hello TriLUG Apache and/or Tomcat gurus,
I am encountering a vexing problem regarding the deployment of a J2EE web
application running inside Tomcat 5, with Apache HTTPD 1.3 as the
front-end web server.
The issue surrounds authentication via Shibboleth. The basic auth
workflow is as follows:
- Unauthenticated request comes in from the client
- "Require valid-user" directive in HTTPD configuration forwards request
to the Shibboleth module (via Authtype Shibboleth, implemented by
mod_shib)
- Shibboleth module handles authentication and sets the REMOTE_USER
variable in the HTTPD request if auth is successful
- Request continues through to mod_jk (Jakarta Connector) and is received
by Tomcat for processing
- The Java application in Tomcat reads REMOTE_USER and proceeds
accordingly.
This is generally working well. But the wrinkle is that the Shibboleth
origin (directory server, think like LDAP), has mixed-case usernames in
it. So, the username returned into REMOTE_USER might be something like
SmithJ or JonesK.
The problem is that the Java application expects all usernames to be
lowercase. It has its usernames stored in a database in all lowercase
format and its case-sensitive comparison causes the application to fail.
(Test users created in the directory server in all lowercase work fine.)
Clearly there are several ways of resolving this:
* Fix the Java app so it handles the case mismatch. This is not easily
done because it's a third-party closed source app, but this would be
optimal.
* Fix the usernames in the directory server so they aren't mixed-case to
begin with. This is not desired as the central directory is used by many
other applications, and the mixed-case format is desired by the directory
administrators.
* Configure something in Shibboleth to automatically lowercase the
usernames through the "Attribute provider" that translates information for
HTTPD. This has been deemed impossible by several apparently
knowledgeable folks on the Shibboleth discussion list. I am not that
familiar with Shibboleth so I'm taking them on their word here.
So, the option I'm trying to consider is if there's a way of modifying
REMOTE_USER in Apache HTTPD "between" the step of obtaining it from the
Shib module and then having the request processed by mod_jk. I've studied
the HTTPD documentation, and while there are several rules for setting
environment variables, none of them seem to have access to string
functions that would allow me to lowercase and then set the variable.
Relevant Apache configuration snippets:
#snip generic shib configuration info
<Location /webapps>
AuthType shibboleth
require valid-user
</Location>
#further on down, after generic mod_jk configuration info
JKMount /webapps/* ajp13
Another option presented to me is to write a Tomcat filter which could be
installed ahead of the J2EE app that could intercept the REMOTE_USER
variable and perform the necessary translation. Unfortunately I am not
familiar with Java or Tomcat filters.
Thanks for any ideas. Can this be done in Apache at all? Would I need to
write a new Apache module, and if so, can that be done in Perl or other
scripting language?
Regards,
Jeremy Portzer
--
/---------------------------------------------------------------------\
| Jeremy Portzer jeremyp at pobox.com trilug.org/~jeremy |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F E135 6F9F F7BC CC1A 7B92 |
\---------------------------------------------------------------------/
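
The Tomcat filter option mentioned in the message, sketched as an added example (not part of the original post and not code from Shibboleth, mod_jk or the application). The class name LowercaseRemoteUserFilter is hypothetical, and the sketch assumes the application reads the user through getRemoteUser() or getUserPrincipal() of the Servlet 2.4 API shipped with Tomcat 5:

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: presents the front-end's REMOTE_USER to the webapp in lowercase.
public class LowercaseRemoteUserFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Wrap only authenticated requests; anonymous ones pass through untouched.
            if (http.getRemoteUser() != null) {
                req = new LowercasedUserRequest(http);
            }
        }
        chain.doFilter(req, res);
    }

    // A fixed locale keeps the mapping stable regardless of the JVM default
    // (for example, a Turkish default locale lowercases "I" to a dotless i).
    static String normalize(String user) {
        return user == null ? null : user.toLowerCase(Locale.ENGLISH);
    }

    static final class LowercasedUserRequest extends HttpServletRequestWrapper {
        LowercasedUserRequest(HttpServletRequest r) { super(r); }

        public String getRemoteUser() { return normalize(super.getRemoteUser()); }

        // Keep getUserPrincipal() consistent with getRemoteUser().
        public Principal getUserPrincipal() {
            final Principal p = super.getUserPrincipal();
            if (p == null) return null;
            return new Principal() {
                public String getName() { return normalize(p.getName()); }
                public String toString() { return getName(); }
            };
        }
    }
}
```

The filter would be declared with a filter and filter-mapping entry in the web application's web.xml so it runs ahead of the application's servlets. Lowercasing is only a safe identity mapping if no two directory accounts differ by case alone; otherwise both would resolve to the same application user.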