> You could try setting tomcatAuthentication="false" on your AJP connector
> in server.xml. If Shibboleth put the value in REMOTE_USER as it should then
> tomcat should pick it up as the principal.
> Be aware that you should protect your ajp connector so that no other
> machine than your Apache can connect to it.

This was one of the first things I tried, and when it didn't work I thought I must be missing something. Of course, now that you've inspired me to try again it works flawlessly. Thanks!

I am still curious as to why the AJP connector populates incoming request headers as attributes, though. It seems like it has the potential to cause problems without offering any obvious benefits.

-- 
Elliot Kendall
IAM Support Engineer - Single Sign On
Information Technology Services
University of California, San Francisco
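
The connector setup discussed in this thread, as an added example that is not part of the original messages: a server.xml fragment showing an exposed AJP connector next to a restricted one. It assumes Apache and Tomcat run on the same host, the default AJP port 8009, and a Tomcat release that supports the `secret` and `secretRequired` connector attributes; the secret value is a placeholder.

```xml
<!-- Added example; port, address and secret are assumptions, not values from the thread. -->

<!-- Weak (shown commented out): listens on every interface with no shared secret.
     With tomcatAuthentication="false" Tomcat trusts the REMOTE_USER it receives
     over AJP, so every host that can reach this port is trusted to name the user. -->
<!--
<Connector port="8009" protocol="AJP/1.3"
           address="0.0.0.0"
           secretRequired="false"
           tomcatAuthentication="false" />
-->

<!-- Restricted: bound to loopback so only the local Apache can connect, and
     requests without the shared secret are rejected. The same secret must be
     configured on the Apache side (mod_jk or mod_proxy_ajp). -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_VALUE"
           tomcatAuthentication="false" />
```

If Apache runs on a different machine, bind `address` to the internal interface and restrict port 8009 to the Apache host with a host firewall rule in addition to the shared secret.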