tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: tomcat, apache with mod_jk and mod_auth_kerb
Date Wed, 16 Jul 2008 09:52:20 GMT
Nikhil schrieb:
> On Wed, Jul 16, 2008 at 2:52 PM, Rainer Jung <rainer.jung@kippdata.de>
> wrote:
> 
>> To repeat two of my questions:
>>
>> What do you expect to be the value of the 'REMOTE_USER' variable?
>>
>> Do you expect something else, than what you get from
>> request.getRemoteUser()?
>>
>> After I understand that, we can find an appropriate solution.
>>
>>
>> Regards,
>>
>> Rainer
>>
> 
> Hi Rainer,
> 
> REMOTE_USER variable value is always expected to be as set by the httpd
> process and passed onto the tomcat.
>>> Do you expect something else, than what you get from
> request.getRemoteUser()?
> No, but I would not want to have this method invoked everytime I want to
> know a logged in account instead an already set (global)  variable value
> (preferrably by httpd and passed onto the tomcat) would do.

OK. REMOTE_USER goes back to the times oF CGI. At that time the web 
server could only pass along information to the CGI process via 
environmnt variables, because it had to start an external process for 
doing CGI.

The servlet spec tries to make the same information available in the 
context of a java web container. The correct way of retrieving the name 
of the authenticated user from the container *is* 
request.getRemoteUser(). In java you would nearly always implement a 
"global variable" as a member of some object, which you retrieve via a 
getter function. request.getRemoteUser() is the right and standards 
conforming way to do it.

When the web container has a web server in front, e.g. Apache httpd and 
a connection component like mod_jk, usually the combination tries to 
hide the information, that the architecture is more complex, from the 
webapp developer. So Apache/mod_jk/Tomcat correctly configured provide 
the user name authenticated by httpd to the webapp in exactly the same 
way, as it would be seen without Apache and mod_jk. That way the 
developer doesn't have to know the details. So using 
request.gerRemoteUser() still is the correct way.

The only thing to configure is tomcatAuthentiction="false" in order to 
tell Tomcat to trust the authentication done by Apache and not try to do 
authentication itself.

Regards,

Rainer

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message