tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Fri, 02 Dec 2011 17:22:48 GMT
Hash: SHA1


On 12/2/11 11:26 AM, wrote:
> Sure. Here's the section from httpd.conf. This is testing where I 
> purposely insert a "REMOTE_USER" HTTP header into the request
> being proxied. As I said, I have a sniffer on the line, and I can
> see the REMOTE_USER header, but still, when I get to my test JSP
> hosted on the Tomcat, getUserPrincipal() is returning null (don't
> mind the hostname in the ProxyPass, etc. I just happen to be
> hosting Tomcat on that machine, and WebLogic is shutdown there).

The problem is that AJP sends the authentication information as part
of the AJP protocol, not as a request header. You are setting a
request header which is not the mechanism AJP uses to transfer the userid.

You might want to check to see if your SSO module works the way that
other httpd modules expect -- like the other mod_auth_[xyz], for instance.

Specifically, the JkRemoteUserIndicator directive which allows you to
override the environment variable whose value will be used to
send-over the username to Tomcat.

I wouldn't think you'd have to do that (REMOTE_USER should already be
set by your auth module and mod_proxy_jk should already be using
that), but you might be able to force it for some testing.

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message