tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <oh...@cox.net>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Thu, 01 Jan 1970 00:00:00 GMT

---- "André Warnier" <aw@ice-sa.com> wrote: 
> ohaya@cox.net wrote:
> ...
> > ---- Rainer Jung <rainer.jung@kippdata.de> wrote: 
> >> Although this thread has moved forward towards the role topic, I want to 
> >> give some infos about the user forwarding by mod_jk. Some of it was 
> >> already present in previous posts.
> >>
> >> 1) In order to let Tomcat accept the user, you need to set 
> >> tomcatAuthentication to "false"
> >>
> >> 2) mod_jk will always forward the user as detected by the
> >>     following logic:
> >>     - the user as authenticated by Apache
> >>     - if this doesn't exist it will forward the value of
> >>       an Apache environment variable. The default name of the
> >>       variable is "JK_REMOTE_USER", but it can be changed using
> >>       the configuration directive "JkRemoteUserIndicator"
> >>
> >> 3) The user ID will *not* be forwarded in the form of a request header
> >>
> >> 4) The forwarded user id is logged in the JK log file on level debug
> >>     as the "user" field in the line:
> >>
> >> Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d 
> >> auth=%s user=%s laddr=%s raddr=%s uri=%s
> >>
> >> 5) There is no need to use JkEnvVar
> >>
> >> 6) When not using a real Apache authentication, you can instead
> >>     set the Apache environment variable JK_REMOTE_USER
> >>     e.g. via mod_setenvif or the E= syntax of mod_rewrite.
> >>     If you change the name of the env var using JkRemoteUserIndicator
> >>     use the variable name given there instead.
> >>
> >> 7) The Apache authenticated user can be logged in the Apache AccessLog
> >>     using "%u". Any environment variable XXX can be logged using
> >>     %{XXX}e.
> >>
> >> 8) The user can be logged in the Tomcat AccessLog using %u.
> >>
> >> 9) The user is returned by request.getRemoteUser() on the Tomcat side.
> >>
> >> Regards,
> >>
> >> Rainer
> >>
> > 
> > 
> > Hi Rainier,
> > 
> > Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator.
> > 
> > I'm kind of well along the way with my valve, but I still have mod_jk for one proxy
section, so I'll give those a try.
> > 
> Hi Rainer.
> Thanks also for the precise information.  We've missed you..
> 
> Jim, one more question :
> At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get
the 
> authenticated user's user-id ? and how ?
> 
> 

Hi,

On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that gets populated
by the OAM agent, called "OAM_REMOTE_USER".

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message