tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Mon, 05 Dec 2011 09:37:40 GMT wrote:
> ---- Rainer Jung <> wrote: 
>> Although this thread has moved forward towards the role topic, I want to 
>> give some infos about the user forwarding by mod_jk. Some of it was 
>> already present in previous posts.
>> 1) In order to let Tomcat accept the user, you need to set 
>> tomcatAuthentication to "false"
>> 2) mod_jk will always forward the user as detected by the
>>     following logic:
>>     - the user as authenticated by Apache
>>     - if this doesn't exist it will forward the value of
>>       an Apache environment variable. The default name of the
>>       variable is "JK_REMOTE_USER", but it can be changed using
>>       the configuration directive "JkRemoteUserIndicator"
>> 3) The user ID will *not* be forwarded in the form of a request header
>> 4) The forwarded user id is logged in the JK log file on level debug
>>     as the "user" field in the line:
>> Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d 
>> auth=%s user=%s laddr=%s raddr=%s uri=%s
>> 5) There is no need to use JkEnvVar
>> 6) When not using a real Apache authentication, you can instead
>>     set the Apache environment variable JK_REMOTE_USER
>>     e.g. via mod_setenvif or the E= syntax of mod_rewrite.
>>     If you change the name of the env var using JkRemoteUserIndicator
>>     use the variable name given there instead.
>> 7) The Apache authenticated user can be logged in the Apache AccessLog
>>     using "%u". Any environment variable XXX can be logged using
>>     %{XXX}e.
>> 8) The user can be logged in the Tomcat AccessLog using %u.
>> 9) The user is returned by request.getRemoteUser() on the Tomcat side.
>> Regards,
>> Rainer
> Hi Rainier,
> Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator.
> I'm kind of well along the way with my valve, but I still have mod_jk for one proxy section,
so I'll give those a try.
Hi Rainer.
Thanks also for the precise information.  We've missed you..

Jim, one more question :
At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get the

authenticated user's user-id ? and how ?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message