Helicon Tech : Helicon Ape
Topic: Rewrite variable REMOTE_USER
Vittel
Newbie


Joined: 20 October 2010
Posts: 3
Posted: 28 October 2010 at 1:07am

Hi all.

We're running a product on Apache server, which we have to move to a Microsoft IIS server (please no comments on this).
Here is an extract of the current Apache config:
--------------------------------
[...]
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
[...]
    <IfModule mod_auth_sspi.c>
     <Location />
     
        AuthName "A Protected Place"
        AuthType SSPI
        SSPIAuth On
        SSPIUsernameCase lower
        require valid-user

        RewriteEngine On

        RewriteCond %{REMOTE_USER} ^sub-domain-com.(.+)$
        RewriteRule . - [E=RU:%[email protected]]

        RequestHeader set REMOTE_USER %{RU}e
     </Location>
    </IfModule>
[...]
--------------------------------
As you can see, we have to rewrite the authenticated REMOTE_USER from "sub-domain-com\user" to "[email protected]" (it's product related).

We moved the site to the IIS server, where the mod_auth_sspi isn't required, because IIS does the authentication by itself.
I'm now trying to achieve the same rewrite on IIS with Helicon Ape server, but somehow it doesn't work.
I read somewhere that it isn't possible to rewrite the REMOTE_USER, AUTH_USER etc. on IIS, but I thought it would be possible with Ape server, isn't it?

Besides, Ape server is running fine with other functions, just the rewrite explained above doesn't work.

Regards
 
Vyacheslav
Admin Group


Joined: 02 July 2008
Location: Ukraine
Posts: 1542
Posted: 28 October 2010 at 3:52am

Hello.
The code above involves two modules: mod_headers and mod_rewrite. Perhaps in Helicon Ape they run in different sequence. Please try the following code:

Code:
SetEnvIf %{REMOTE_USER} ^sub-domain-com\.(.+)$ RU="[email protected]"
RequestHeader set REMOTE_USER %{RU}e


__________________
Slavik Shynkarenko,
Helicon Tech.
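
The two patterns in this thread write the separator between domain and user differently, so here is a side-by-side check, added as an example and not part of the original posts. It assumes Python's `re` treats these simple patterns the same way as the servers' regex engines; `to_upn`, `compare` and the `example.invalid` suffix are placeholders, since the real target address is obscured on the page.

```python
import re

# Placeholder: the real target address is obscured on the page ("[email protected]").
UPN_SUFFIX = "example.invalid"

# Three ways of writing the separator between domain and user name.
PATTERNS = {
    "original":  r"^sub-domain-com.(.+)$",    # first post: '.' matches any character
    "reply":     r"^sub-domain-com\.(.+)$",   # reply: '\.' matches a literal dot only
    "backslash": r"^sub-domain-com\\(.+)$",   # added here: literal backslash only
}

def to_upn(remote_user, pattern):
    """Return user@UPN_SUFFIX if remote_user matches pattern, else None."""
    m = re.match(pattern, remote_user)
    return f"{m.group(1)}@{UPN_SUFFIX}" if m else None

def compare(remote_user):
    """Apply every pattern to one REMOTE_USER value."""
    return {name: to_upn(remote_user, p) for name, p in PATTERNS.items()}

# Constructed sample values, not taken from any real log.
SAMPLES = [
    "sub-domain-com\\user",   # the form the first post says the server produces
    "sub-domain-com.user",    # dot instead of backslash
    "sub-domain-comXuser",    # arbitrary character in the separator position
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, compare(value))
```

Only the explicit-backslash form accepts `sub-domain-com\user` and nothing else among the samples: the unescaped dot also maps `sub-domain-comXuser` to an identity, and the escaped dot does not match the backslash form at all.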
 
Vittel
Newbie


Joined: 20 October 2010
Posts: 3
Posted: 01 December 2010 at 8:00am

Hello

Sorry for not writing back for so long, I did a lot of testing.

It doesn't work with your SetEnvIf code.

Just to clarify:
According to this picture: http://learn.iis.net/file.axd?i=152

The whole request should (as I understand) look like this:

1. HTTP request from user
2. IIS Authentication Module authenticates the user in active directory (NTLM) and sets AUTH_USER to sub-domain-com\user
3. The ExecuteHandler calls "ISAPI Ape", which modifies the request header AUTH_USER from sub-domain-com\user to [email protected]
4. The ExecuteHandler calls the application (ISAPI too) which uses the modified AUTH_USER as the authenticated user


If the header AUTH_USER can't be rewritten, we're also able to specify a custom header.
I already tried this with different headers. For testing purposes the following code:

Code:

SetEnv RU "[email protected]"
SetEnv REMUSER %{REMOTE_USER}
SetEnv AUTUSER %{AUTH_USER}
RewriteHeader USER_A: .* %{HTTP:Authorization}
RewriteHeader USER_B: .* %{REMOTE_USER}
RewriteHeader USER_C: .* %{AUTH_USER}
RewriteHeader USER_D: .* %{RU}
RewriteHeader USER_E: .* %{REMUSER}
RewriteHeader USER_F: .* %{AUTUSER}



results in the following rewrite.log entries when I'm opening the website:
Code:


init rewrite engine with /libs/app/login.html
Rewrite Header USER_A to >> ?resource=/
Rewrite Header USER_B to >> ?resource=/
Rewrite Header USER_C to >> ?resource=/
Rewrite Header USER_D to >> [email protected]?resource=/
Rewrite Header USER_E to >> %{REMOTE_USER}?resource=/
Rewrite Header USER_F to >> %{AUTH_USER}?resource=/
applying pattern .* to uri /libs/app/login.html

init rewrite engine with /libs/app/login.html
Rewrite Header USER_A to >> Negotiate TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAA[...]?resource=/
Rewrite Header USER_B to >> ?resource=/
Rewrite Header USER_C to >> ?resource=/
Rewrite Header USER_D to >> [email protected]?resource=/
Rewrite Header USER_E to >> %{REMOTE_USER}?resource=/
Rewrite Header USER_F to >> %{AUTH_USER}?resource=/
applying pattern .* to uri /libs/app/login.html

init rewrite engine with /libs/app/login/login.css
Rewrite Header USER_A to >>

Rewrite Header USER_B to >>
init rewrite engine with /libs/app/login/login_ie.css
Rewrite Header USER_C to >>
Rewrite Header USER_A to >>
Rewrite Header USER_D to >> [email protected]
Rewrite Header USER_B to >>
Rewrite Header USER_E to >> %{REMOTE_USER}
Rewrite Header USER_C to >>
Rewrite Header USER_F to >> %{AUTH_USER}
Rewrite Header USER_D to >> [email protected]
Rewrite Header USER_E to >> %{REMOTE_USER}
Rewrite Header USER_F to >> %{AUTH_USER}
applying pattern .* to uri /libs/app/login/login.css
applying pattern .* to uri /libs/app/login/login_ie.css

init rewrite engine with /libs/app/login/login.js
Rewrite Header USER_A to >>
Rewrite Header USER_B to >>
Rewrite Header USER_C to >>
Rewrite Header USER_D to >> [email protected]
Rewrite Header USER_E to >> %{REMOTE_USER}
Rewrite Header USER_F to >> %{AUTH_USER}
applying pattern .* to uri /libs/app/login/login.js

init rewrite engine with /libs/app/login/login_ie.css
Rewrite Header USER_A to >> Negotiate TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAA[...]
Rewrite Header USER_B to >>
Rewrite Header USER_C to >>
Rewrite Header USER_D to >> [email protected]
Rewrite Header USER_E to >> %{REMOTE_USER}
Rewrite Header USER_F to >> %{AUTH_USER}
applying pattern .* to uri /libs/app/login/login_ie.css

init rewrite engine with /libs/app/login/login.css
Rewrite Header USER_A to >> Negotiate TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAA[...]
Rewrite Header USER_B to >>
Rewrite Header USER_C to >>
Rewrite Header USER_D to >> [email protected]
Rewrite Header USER_E to >> %{REMOTE_USER}
Rewrite Header USER_F to >> %{AUTH_USER}
applying pattern .* to uri /libs/app/login/login.css

init rewrite engine with /libs/app/login/login.js
Rewrite Header USER_A to >> Negotiate TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAA[...]
Rewrite Header USER_B to >>
Rewrite Header USER_C to >>
Rewrite Header USER_D to >> [email protected]
Rewrite Header USER_E to >> %{REMOTE_USER}
Rewrite Header USER_F to >> %{AUTH_USER}
applying pattern .* to uri /libs/app/login/login.js

init rewrite engine with /libs/app/login/loginbg.jpg
Rewrite Header USER_A to >>
Rewrite Header USER_B to >>
Rewrite Header USER_C to >>
Rewrite Header USER_D to >> [email protected]
Rewrite Header USER_E to >> %{REMOTE_USER}
Rewrite Header USER_F to >> %{AUTH_USER}
applying pattern .* to uri /libs/app/login/loginbg.jpg

init rewrite engine with /libs/app/login/loginbg.jpg
Rewrite Header USER_A to >> Negotiate TlRMTVNTUAADAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAA[...]
Rewrite Header USER_B to >>
Rewrite Header USER_C to >>
Rewrite Header USER_D to >> [email protected]
Rewrite Header USER_E to >> %{REMOTE_USER}
Rewrite Header USER_F to >> %{AUTH_USER}
applying pattern .* to uri /libs/app/login/loginbg.jpg



 - what does the value "?resource=/" mean?
 - even if I set the USER_D to a specific value, the application doesn't recognize it.
 - somehow the SetEnv %{xyz} doesn't work, because the output of USER_E is "%{REMOTE_USER}" and not the value from the header REMOTE_USER. Same for USER_F.


It seems that the headers REMOTE_USER and AUTH_USER are never set. But according to the picture above, users are authenticated just at the beginning of the request.
Do I misunderstand something?


Edited by Vittel - 01 December 2010 at 8:00am
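
The truncated Authorization value that USER_A shows in the log above can still be partly decoded, as this added example (not part of the original posts) does: the visible prefix is enough to read the NTLMSSP signature, the message type, and the length fields that fit before the cut. Field offsets follow the MS-NLMP AUTHENTICATE_MESSAGE layout; `decode_prefix` is a name made up for this example.

```python
import base64
import struct

# Truncated USER_A value as it appears in the rewrite.log excerpt above;
# the log itself cuts the token off with "[...]".
LOGGED = ("Negotiate TlRMTVNTUAAD" "AAAAAAAAAFgA" "AAAAAAAAWAAA"
          "AAAAAABYAAAA" "AAAAAFgAA" "[...]")

MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Byte offsets of the 16-bit length fields in an AUTHENTICATE message.
AUTH_FIELDS = (("LmChallengeResponse", 12), ("NtChallengeResponse", 20),
               ("DomainName", 28), ("UserName", 36), ("Workstation", 44))

def decode_prefix(header_value):
    """Decode as much of a (possibly truncated) NTLM token as is present."""
    scheme, _, b64 = header_value.partition(" ")
    b64 = b64.split("[", 1)[0].strip()       # drop the log's "[...]" marker
    b64 = b64[: len(b64) - len(b64) % 4]     # keep whole base64 quanta only
    raw = base64.b64decode(b64)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return {"scheme": scheme, "ntlm": False}
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"scheme": scheme, "ntlm": True,
            "type": MESSAGE_TYPES.get(msg_type, msg_type), "lengths": {}}
    if msg_type == 3:
        for name, offset in AUTH_FIELDS:
            if len(raw) >= offset + 2:       # skip fields lost to truncation
                info["lengths"][name] = struct.unpack_from("<H", raw, offset)[0]
    return info

if __name__ == "__main__":
    print(decode_prefix(LOGGED))
```

For the logged value the result is an AUTHENTICATE (type 3) message, and the four length fields visible before the cut are all zero.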
 
Vyacheslav
Admin Group


Joined: 02 July 2008
Location: Ukraine
Posts: 1542
Posted: 01 December 2010 at 4:05pm

Hello.
Please clarify what authentication you use.
SetEnv %{xyz} doesn’t work because the syntax isn’t correct. You should use SetEnvIf to get the content of a server variable:
Code:
SetEnvIf %{REMOTE_USER} (.*) REMUSER=$1
SetEnvIf %{AUTH_USER} (.*) AUTUSER=$1


Please try the following code:
Code:
RequestHeader set USER_B %{REMOTE_USER}e
RequestHeader set USER_C %{AUTH_USER}e
RequestHeader set USER_D %{RU}e
RequestHeader set USER_E %{REMUSER}e
RequestHeader set USER_F %{AUTUSER}e


rewrite.log won’t show the results since that is a different module, but you can check with the application.

We’re going to make additional tests and I’ll let you know once we have something.

Thanks.

__________________
Slavik Shynkarenko,
Helicon Tech.
 
Vittel
Newbie


Joined: 20 October 2010
Posts: 3
Posted: 02 December 2010 at 10:04am

No, the application still doesn't work.
I will see if the application can log the data which it reads from the header. At the moment it only writes "authentication error" to its log.

To test your SetEnvIf I did a request header REMUSER and AUTHUSER, I got the following from rewrite.log:
Code:
Rewrite Header USER_A to >> -1
Rewrite Header USER_B to >> -1

Why -1 ?



 
Vyacheslav
Admin Group


Joined: 02 July 2008
Location: Ukraine
Posts: 1542
Posted: 02 December 2010 at 12:48pm

Hello.
Unfortunately it’s not possible to do what you need now, because those modules work before authentication, when REMOTE_USER and others aren’t set.
We take it as a feature request and will implement this feature in the coming build of Helicon Ape.
Thanks.

__________________
Slavik Shynkarenko,
Helicon Tech.