CMDBuild Forum

Problem Configuring header authentication using Apache + Kerberos + TomCat

Hello, Colleagues!
I will be glad of any help and hint.

I have a problem configuring the CMDBuild application with the HeaderAuthenticator parameter.
I use Apache + Kerberos to redirect requests to Tomcat.

Apache Settings:

    <VirtualHost *:80>
    LogLevel debug
    ....
    ErrorLog /var/log/httpd/tomcat.error.log
    CustomLog /var/log/httpd/tomcat.log combined
    ...........
    ServerName localhost
    ServerAlias localhost
    <Location /cmdbuild/>
     AuthType Kerberos
     AuthName 'Acme Corporation'
     KrbServiceName HTTP/seername.dev.local
     KrbMethodNegotiate on
     KrbMethodK5Passwd off
     Krb5Keytab /etc/cmdbdev.keytab
     Require valid-user
    </Location>
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-User %{REMOTE_USER}s

    Redirect permanent /cmdbuild  http://servername:8092/cmdbuild

    #ProxyPass /cmdbuild http://servername:8092/cmdbuild
    #ProxyPassReverse /cmdbuild http://servername:8092/cmdbuild

    ProxyPass /cmdbuild ajp://servername:8009/cmdbuild
    ProxyPassReverse /cmdbuild ajp://servername:8009/cmdbuild
    #ProxyPassReverseCookiePath /cmdbuild /cmdbuild
    </VirtualHost>

CMDBuild:

    auth.methods=HeaderAuthenticator,DBAuthenticator
    header.attribute.name=X-Forwarded-User

The user exists in CMDBuild.

Kerberos is configured and running.
But the app doesn’t want to authenticate me.

cmdbuild.log:

> 2020-09-24T13:12:24.227+03:00 [req:v4t0gd] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.241+03:00 [req:n1gl19] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.242+03:00 [req:n1gl19] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.242+03:00 [req:n1gl19] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.282+03:00 [req:wfsed8] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.282+03:00 [req:wfsed8] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.282+03:00 [req:wfsed8] DEBUG org.cmdbuild.webapp.filters.UiFilter - ui filter doFilter BEGIN
> 2020-09-24T13:12:24.283+03:00 [req:wfsed8] DEBUG org.cmdbuild.webapp.filters.UiFilter - return ui config = window.cmdbuildConfig={"baseUrl":"http://SERVERNAME/cmdbuild_pretest_32/services/rest/v3","geoserverBaseUrl":"http://SERVERNAME/cmdbuild_pretest_32/services/geoserver","bimserverBaseUrl":"http://SERVERNAME/cmdbuild_pretest_32/services/bimserver","socketUrl":"ws://SERVERNAME/cmdbuild_pretest_32/services/websocket/v1/main","manifest":"ready2use"};
> 2020-09-24T13:12:24.283+03:00 [req:wfsed8] DEBUG org.cmdbuild.webapp.filters.UiFilter - ui filter doFilter END
> 2020-09-24T13:12:24.283+03:00 [req:wfsed8] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.283+03:00 [req:nxsfmu] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.284+03:00 [req:nxsfmu] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.288+03:00 [req:8ackvg] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.289+03:00 [req:8ackvg] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.291+03:00 [req:8ackvg] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.293+03:00 [req:11dykz] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.293+03:00 [req:dfp8pd] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.294+03:00 [req:11dykz] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.294+03:00 [req:dfp8pd] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.295+03:00 [req:dfp8pd] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.296+03:00 [req:11dykz] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.296+03:00 [req:nxsfmu] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.314+03:00 [req:lrn94r] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.315+03:00 [req:lrn94r] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.315+03:00 [req:dxyxb1] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.316+03:00 [req:dxyxb1] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.316+03:00 [req:c18zae] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.316+03:00 [req:c18zae] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.317+03:00 [req:lrn94r] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.317+03:00 [req:dxyxb1] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.318+03:00 [req:c18zae] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.354+03:00 [req:617emw] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.355+03:00 [req:617emw] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.364+03:00 [req:y1e1mg] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.364+03:00 [req:y1e1mg] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.367+03:00 [req:y1e1mg] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.386+03:00 [req:617emw] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:24.560+03:00 [req:xvwy1a] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:24.561+03:00 [req:xvwy1a] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:24.563+03:00 [req:xvwy1a] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:25.725+03:00 [req:gy93or] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:25.726+03:00 [req:gy93or] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:25.727+03:00 [req:gy93or] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:25.887+03:00 [req:dx5s39] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:25.887+03:00 [req:n1ltzv] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:25.887+03:00 [req:dx5s39] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:25.887+03:00 [req:n1ltzv] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:25.888+03:00 [req:dx5s39] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:25.888+03:00 [req:n1ltzv] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:25.897+03:00 [req:2c0d20] DEBUG o.c.w.f.LanguageFilter$$EnhancerBySpringCGLIB$$4fee5447 - set request language = ru
> 2020-09-24T13:12:25.907+03:00 [req:a1ed01] DEBUG o.c.w.s.SecurityConfiguration$$EnhancerBySpringCGLIB$$80ec20cc - enable cors for this request
> 2020-09-24T13:12:25.907+03:00 [req:a1ed01] DEBUG o.c.w.s.SecurityConfiguration$$EnhancerBySpringCGLIB$$80ec20cc - set cors allowed origins = [http://SERVERNAME]
> 2020-09-24T13:12:25.908+03:00 [req:a1ed01] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:25.908+03:00 [req:a1ed01] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:25.909+03:00 [req:a1ed01] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:25.920+03:00 [req:7yi91o] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:25.920+03:00 [req:7yi91o] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:25.921+03:00 [req:7yi91o] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:25.922+03:00 [req:417e61] DEBUG o.c.w.f.LanguageFilter$$EnhancerBySpringCGLIB$$4fee5447 - set request language = ru
> 2020-09-24T13:12:25.923+03:00 [req:417e61] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:25.924+03:00 [req:417e61] WARN  o.c.a.s.inner.SessionDataServiceImpl - no session available, using dummy session data
> 2020-09-24T13:12:25.942+03:00 [req:53746f] DEBUG o.c.w.f.LanguageFilter$$EnhancerBySpringCGLIB$$4fee5447 - set request language = ru
> 2020-09-24T13:12:25.943+03:00 [req:53746f] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:25.954+03:00 [req:pnmywv] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:26.105+03:00 [req:cdbe9a] DEBUG o.c.w.f.LanguageFilter$$EnhancerBySpringCGLIB$$4fee5447 - set request language = ru
> 2020-09-24T13:12:26.106+03:00 [req:fbovio] DEBUG o.c.w.s.SecurityConfiguration$$EnhancerBySpringCGLIB$$80ec20cc - enable cors for this request
> 2020-09-24T13:12:26.106+03:00 [req:g1ll03] DEBUG o.c.w.s.SecurityConfiguration$$EnhancerBySpringCGLIB$$80ec20cc - enable cors for this request
> 2020-09-24T13:12:26.106+03:00 [req:cdbe9a] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:26.106+03:00 [req:fbovio] DEBUG o.c.w.s.SecurityConfiguration$$EnhancerBySpringCGLIB$$80ec20cc - set cors allowed origins = [http://SERVERNAME]
> 2020-09-24T13:12:26.106+03:00 [req:g1ll03] DEBUG o.c.w.s.SecurityConfiguration$$EnhancerBySpringCGLIB$$80ec20cc - set cors allowed origins = [http://SERVERNAME]
> 2020-09-24T13:12:26.107+03:00 [req:g1ll03] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:26.107+03:00 [req:fbovio] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:26.107+03:00 [req:g1ll03] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:26.107+03:00 [req:fbovio] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:26.107+03:00 [req:g1ll03] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:26.108+03:00 [req:fbovio] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END
> 2020-09-24T13:12:26.110+03:00 [req:nq76es] DEBUG o.c.w.s.SecurityConfiguration$$EnhancerBySpringCGLIB$$80ec20cc - enable cors for this request
> 2020-09-24T13:12:26.110+03:00 [req:nq76es] DEBUG o.c.w.s.SecurityConfiguration$$EnhancerBySpringCGLIB$$80ec20cc - set cors allowed origins = [http://SERVERNAME]
> 2020-09-24T13:12:26.110+03:00 [req:nq76es] DEBUG o.c.a.l.AuthenticationServiceImpl - try to validate request with authenticator = HeaderAuthenticator
> 2020-09-24T13:12:26.111+03:00 [req:nq76es] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter BEGIN
> 2020-09-24T13:12:26.112+03:00 [req:nq76es] DEBUG o.c.w.filters.UiCacheControlFilter - ui cache control filter doFilter END

The headers seem to work, and I get a response from the server:

Request URL: http://servername/cmdbuild/services/rest/v3/sessions/current?_dc=1600942543993&ext=true&if_exists=true

Can you tell me if this functionality is supported? Or is it already disabled?

I can’t configure proxying. Can someone share their experience?
I have Apache 2.4 on CentOS 7.

My Apache log:

[Mon Sep 28 16:29:27.374819 2020] [authz_core:debug] [pid 12059] mod_authz_core.c(809): [client 127.0.0.5:52492] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Sep 28 16:29:27.375019 2020] [authz_core:debug] [pid 12059] mod_authz_core.c(809): [client 127.0.0.5:52492] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Sep 28 16:29:27.375062 2020] [auth_kerb:debug] [pid 12059] src/mod_auth_kerb.c(1954): [client 127.0.0.5:52492] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Sep 28 16:29:27.375099 2020] [auth_kerb:debug] [pid 12059] src/mod_auth_kerb.c(1295): [client 127.0.0.5:52492] Acquiring creds for HTTP/servername.DOMAIN.local
[Mon Sep 28 16:29:27.376954 2020] [auth_kerb:debug] [pid 12059] src/mod_auth_kerb.c(1708): [client 127.0.0.5:52492] Verifying client data using KRB5 GSS-API
[Mon Sep 28 16:29:27.377595 2020] [auth_kerb:debug] [pid 12059] src/mod_auth_kerb.c(1724): [client 127.0.0.5:52492] Client didn't delegate us their credential
[Mon Sep 28 16:29:27.377622 2020] [auth_kerb:debug] [pid 12059] src/mod_auth_kerb.c(1743): [client 127.0.0.5:52492] GSS-API token of length 185 bytes will be sent back
[Mon Sep 28 16:29:27.382527 2020] [auth_kerb:debug] [pid 12059] src/mod_auth_kerb.c(1855): [client 127.0.0.5:52492] kerb_authenticate_a_name_to_local_name andrey@DOMAIN.LOCAL -> andrey
[Mon Sep 28 16:29:27.382609 2020] [authz_core:debug] [pid 12059] mod_authz_core.c(809): [client 127.0.0.5:52492] AH01626: authorization result of Require valid-user : granted
[Mon Sep 28 16:29:27.382622 2020] [authz_core:debug] [pid 12059] mod_authz_core.c(809): [client 127.0.0.5:52492] AH01626: authorization result of <RequireAny>: granted
[Mon Sep 28 16:29:27.382678 2020] [proxy:debug] [pid 12059] mod_proxy.c(1123): [client 127.0.0.5:52492] AH01143: Running scheme ajp handler (attempt 0)
[Mon Sep 28 16:29:27.382694 2020] [proxy_ajp:debug] [pid 12059] mod_proxy_ajp.c(727): [client 127.0.0.5:52492] AH00895: serving URL ajp://192.168.0.10/cmdbuild_pretest_32/
[Mon Sep 28 16:29:27.382704 2020] [proxy:debug] [pid 12059] proxy_util.c(1957): AH00932: AJP: worker for (192.168.0.10) has been marked for retry
[Mon Sep 28 16:29:27.382713 2020] [proxy:debug] [pid 12059] proxy_util.c(2203): AH00942: AJP: has acquired connection for (192.168.0.10)
[Mon Sep 28 16:29:27.382725 2020] [proxy:debug] [pid 12059] proxy_util.c(2256): [client 127.0.0.5:52492] AH00944: connecting ajp://192.168.0.10/cmdbuild_pretest_32/ to 192.168.0.10:8009
[Mon Sep 28 16:29:27.382790 2020] [proxy:debug] [pid 12059] proxy_util.c(2426): [client 127.0.0.5:52492] AH00947: connected /cmdbuild_pretest_32/ to 192.168.0.10:8009
[Mon Sep 28 16:29:27.382992 2020] [proxy:debug] [pid 12059] proxy_util.c(2802): AH02824: AJP: connection established with 192.168.0.10:8009 (192.168.0.10)
[Mon Sep 28 16:29:27.383139 2020] [proxy_ajp:debug] [pid 12059] mod_proxy_ajp.c(276): [client 127.0.0.5:52492] AH00872: APR_BUCKET_IS_EOS
[Mon Sep 28 16:29:27.383163 2020] [proxy_ajp:debug] [pid 12059] mod_proxy_ajp.c(282): [client 127.0.0.5:52492] AH00873: data to read (max 8186 at 4)
[Mon Sep 28 16:29:27.383175 2020] [proxy_ajp:debug] [pid 12059] mod_proxy_ajp.c(296): [client 127.0.0.5:52492] AH00875: got 0 bytes of data
[Mon Sep 28 16:29:27.386447 2020] [proxy_ajp:debug] [pid 12059] mod_proxy_ajp.c(634): [client 127.0.0.5:52492] AH00892: got response from 192.168.0.10:8009 (192.168.0.10)
[Mon Sep 28 16:29:27.386489 2020] [proxy:debug] [pid 12059] proxy_util.c(2218): AH00943: AJP: has released connection for (192.168.0.10)

Tomcat page - HTTP Status 404

I managed to open the page.
But header authorization doesn’t work.

apache.tomcat.eeror.log (123.2 KB)
cmdbuild.log (33.9 KB)

server.xml:

  <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8444" proxyName="s001itd-0135"
                  proxyPort="80"/>

Apache file.conf:

    <VirtualHost *:80>

    ServerName TamCatServerName
    ....
    ....
    ....
        LogLevel debug
       #ProxyRequests Off
        #ProxyPreserveHost on
        ErrorLog /var/log/httpd/tomcat2.error.log
        CustomLog /var/log/httpd/tomcat2.log combined
    ....
        <location />
        RequestHeader set X-Forwarded-User %{REMOTE_USER}s
        </location>
    ....
        <proxy>
        Order deny,allow
        Allow from all
        </proxy>
    ........................
    ........................
    ProxyPreserveHost On
    #ProxyPass / http://xx.31.0.xx:8080/
    #ProxyPassReverse / http://xx.31.0.xx:8080/

    ProxyPass  /cmdbuild_pretest_32 ajp://TamCatServerIP:8009/cmdbuild_pretest_32
    ProxyPassReverse /cmdbuild_pretest_32 ajp://TamCatServerIP:8009/cmdbuild_pretest_32

    #ProxyPass  /cmdbuild_pretest_32 ajp://localhost:8009/cmdbuild_pretest_32  retry=0
    #ProxyPassReverse /cmdbuild_pretest_32 ajp://localhost:8009/cmdbuild_pretest_32

    </VirtualHost>

Please tell me what I’m doing wrong.
I hope for any answers.
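
Added example, not part of the original posts and not CMDBuild's own documentation: one front-end layout in which the header named in `header.attribute.name` can only originate from the Kerberos-authenticated request. It assumes mod_auth_kerb, mod_rewrite, mod_headers and mod_proxy_ajp are loaded; host names, the keytab path and the context path are the placeholders used in the posts, and the variable name `RU` is arbitrary.

```apache
# Added example. Placeholders: servername, /etc/cmdbdev.keytab, /cmdbuild.
<VirtualHost *:80>
    ServerName servername

    ProxyRequests Off
    ProxyPreserveHost On

    # Remove any X-Forwarded-User supplied by the client before other
    # processing, so the back end never sees a value Apache did not set.
    RequestHeader unset X-Forwarded-User early

    # Authentication, header creation and proxying all cover the same path.
    # No Redirect to the Tomcat HTTP port: every request stays behind Apache.
    <Location /cmdbuild>
        AuthType Kerberos
        AuthName "Acme Corporation"
        KrbServiceName HTTP/servername.dev.local
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        # Maps user@REALM to the short name, as seen in the posted Apache log.
        KrbLocalUserMapping On
        Krb5Keytab /etc/cmdbdev.keytab
        Require valid-user

        # mod_headers documents %{VAR}s as a mod_ssl variable lookup and
        # %{VAR}e as an environment variable lookup. Copy the authenticated
        # user into an environment variable and forward that instead.
        RewriteEngine On
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule .* - [E=RU:%1]
        RequestHeader set X-Forwarded-User %{RU}e env=RU
    </Location>

    ProxyPass        /cmdbuild ajp://servername:8009/cmdbuild
    ProxyPassReverse /cmdbuild ajp://servername:8009/cmdbuild
</VirtualHost>

# Because HeaderAuthenticator trusts this header, the Tomcat connectors
# (8009 and the HTTP port) should accept connections from this proxy only,
# for example through a host firewall or the connector's address attribute.
```

To confirm what reaches Tomcat, log the header on the Apache side with `%{X-Forwarded-User}i` in the `CustomLog` format and compare it with the user name stored in CMDBuild.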