Add AJP REMOTE_USER authentication propagation test#9
Closed
honza-kasik wants to merge 6 commits into
Closed
Conversation
honza-kasik
force-pushed
the
ajp-auth-propagation
branch
from
3bf4b70 to
1402d75
Compare
honza-kasik
changed the title
Validates the end-to-end path that IIS/isapi_redirect uses after Windows authentication: httpd authenticates the user (via Basic auth as a stand-in for Windows auth) → mod_proxy_ajp forwards REMOTE_USER as an AJP attribute → Undertow receives it → Elytron's EXTERNAL mechanism authenticates the user → the secured servlet is accessible. Three test scenarios: authenticated user with correct role (200), no authentication (403), authenticated user with wrong role (403). Adds -Dhttpd.skip.mod_proxy_cluster flag to run httpd without mod_proxy_cluster modules, since its global proxy handler intercepts all ProxyPass requests. The test sets this flag via @BeforeAll.
Enable AjpAuthPropagationTest to run in both Docker and native mode. Docker changes: - DockerHttpdBalancer: skipModProxyCluster branch that starts httpd without mod_proxy_cluster, with --init + exec for proper signal delivery on graceful restart - AjpAuthConfigurator: ajpHost parameter for Docker networking (containers use network aliases, not localhost), proxy module loading with IfModule guards, htpasswd path fallback - Test computes AJP host/port per mode and uses auth-aware readiness polling to verify the full AJP path is up before asserting Added to main TEST_CLASS so it runs in both Docker and native CI.
honza-kasik
force-pushed
the
ajp-auth-propagation
branch
from
1402d75 to
701155e
Compare
honza-kasik
force-pushed
the
ajp-auth-propagation
branch
from
5cc1bd5 to
b7e2eb6
Compare
Contributor
Author
|
Closing in favor of https://github.com/jboss-eap-qe/tests-native-connectors mod_cluster TS is not a place for non-mod_proxy_cluster based connectors. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
There was no test coverage for the REMOTE_USER → AJP → Elytron EXTERNAL mechanism path. This test validates the actual AJP protocol path end-to-end using httpd Basic auth as a stand-in for any external authenticator (IIS, SSO, etc.).