tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Mon, 05 Dec 2011 09:37:40 GMT
ohaya@cox.net wrote:
...
> ---- Rainer Jung <rainer.jung@kippdata.de> wrote: 
>> Although this thread has moved forward towards the role topic, I want to 
>> give some infos about the user forwarding by mod_jk. Some of it was 
>> already present in previous posts.
>>
>> 1) In order to let Tomcat accept the user, you need to set 
>> tomcatAuthentication to "false"
>>
>> 2) mod_jk will always forward the user as detected by the
>>     following logic:
>>     - the user as authenticated by Apache
>>     - if this doesn't exist it will forward the value of
>>       an Apache environment variable. The default name of the
>>       variable is "JK_REMOTE_USER", but it can be changed using
>>       the configuration directive "JkRemoteUserIndicator"
>>
>> 3) The user ID will *not* be forwarded in the form of a request header
>>
>> 4) The forwarded user id is logged in the JK log file on level debug
>>     as the "user" field in the line:
>>
>> Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d 
>> auth=%s user=%s laddr=%s raddr=%s uri=%s
>>
>> 5) There is no need to use JkEnvVar
>>
>> 6) When not using a real Apache authentication, you can instead
>>     set the Apache environment variable JK_REMOTE_USER
>>     e.g. via mod_setenvif or the E= syntax of mod_rewrite.
>>     If you change the name of the env var using JkRemoteUserIndicator
>>     use the variable name given there instead.
>>
>> 7) The Apache authenticated user can be logged in the Apache AccessLog
>>     using "%u". Any environment variable XXX can be logged using
>>     %{XXX}e.
>>
>> 8) The user can be logged in the Tomcat AccessLog using %u.
>>
>> 9) The user is returned by request.getRemoteUser() on the Tomcat side.
>>
>> Regards,
>>
>> Rainer
>>
> 
> 
> Hi Rainier,
> 
> Thanks for the great info above, esp. re. the JK_REMOTE_USER and JkRemoteUserIndicator.
> 
> I'm kind of well along the way with my valve, but I still have mod_jk for one proxy section,
so I'll give those a try.
> 
Hi Rainer.
Thanks also for the precise information.  We've missed you..

Jim, one more question :
At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get the

authenticated user's user-id ? and how ?




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message