tomcat-users mailing list archives

From André Warnier
Subject Re: Http connector and remote user information
Date Fri, 16 Sep 2011 09:33:53 GMT
Sylvain Goulmy wrote:
> Hi everyone,
> I'm actually using Tomcat on my environment platform (Tomcat 5.5 / Tomcat 6
> and soon Tomcat 7). I have a frontend Apache http Server using the jk
> connector to communicate with Tomcat instance.
> I'd like to change this connector and use the mod_proxy one for several
> reasons. The main difficulty to handle is relative to the remote-user
> information. Indeed the jk connector automatically transmits the information
> so that the application can retrieve it using a request.getRemoteUser()
> method call.
> If I'm not using the ajp connector anymore, I need to handle something on
> the tomcat side to set the remote user in the request object. I thought I
> could use a valve to do this. And that's where the road ends, I have watched
> the ajp connector code in order to see how the remote user is set in the
> request but I can't find it.

You are not finding it, because you are looking in the wrong place.
If mod_jk can pass the authenticated user to Tomcat, via the AJP channel, it is because 
the user (or request) has been authenticated on the Apache side, before the request is 
forwarded through mod_jk to Tomcat.
The AJP connector on the Tomcat side then picks up this user-id from the request coming in
on the AJP channel, and sets the UserPrincipal in Tomcat accordingly.
That's why a subsequent getRemoteUser() can pick it up in Tomcat.

If you want to switch to mod_proxy instead of mod_jk, the question is: can mod_proxy
forward the Apache user-id to Tomcat?
The question is slightly more complicated, because there are two methods of connecting
Apache to Tomcat using mod_proxy:
a) mod_proxy_http (protocol = HTTP, over Tomcat HTTP Connector)
b) mod_proxy_ajp (protocol = AJP, over Tomcat's AJP Connector (the same as the one used
with mod_jk))

If you are using the second one (AJP), then we know that the AJP protocol /can/ carry the
Apache user-id to Tomcat (because that is what mod_jk does).  The question is whether
mod_proxy_ajp has some setting to tell it to do that (or does it by default).

If you are using the first one (HTTP), then one way would be to force Apache to add an HTTP
header to the request, containing the user-id; and on the Tomcat side, have something that
picks up this HTTP header, and stuffs its content in the UserPrincipal object.
I don't know if something like that exists ready-made, but a custom Valve or servlet 
filter should be able to do that.
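
Added example (not part of the original message, and not code from Tomcat or Apache): a servlet filter of the kind described above for the mod_proxy_http case, which exposes the user-id header through getRemoteUser() and getUserPrincipal(), but only for requests arriving from the front-end proxy's address. The class name and the `headerName` and `trustedProxy` init-params are hypothetical, and Apache is assumed to overwrite that header on every request so that a client-supplied copy never reaches Tomcat.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: trusts a user-id header only when the request comes from the proxy.
public class ProxyRemoteUserFilter implements Filter {
    private String headerName;   // assumed header name chosen by the administrator
    private String trustedProxy; // IP address of the Apache front end

    public void init(FilterConfig cfg) throws ServletException {
        headerName = cfg.getInitParameter("headerName");
        trustedProxy = cfg.getInitParameter("trustedProxy");
        if (headerName == null || trustedProxy == null) {
            throw new ServletException("headerName and trustedProxy init-params are required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            final String user = http.getHeader(headerName);
            // Accept the header only from the proxy's address: a client that can reach
            // the HTTP connector directly could otherwise forge any user-id.
            if (user != null && user.trim().length() > 0
                    && trustedProxy.equals(http.getRemoteAddr())) {
                final Principal principal = new Principal() {
                    public String getName() { return user; }
                };
                // Wrap the request so the application sees the proxy-authenticated user.
                req = new HttpServletRequestWrapper(http) {
                    public String getRemoteUser() { return user; }
                    public Principal getUserPrincipal() { return principal; }
                };
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The wrapper does not answer isUserInRole(), so role checks still need a Realm or a further override. Restricting the Tomcat HTTP connector to the proxy's network path remains necessary, because the address check is the only thing separating a forwarded user-id from a forged one.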
