John,

On 7/24/15 4:46 AM, John Baker wrote:
> I agree that mod_proxy_ajp is more commonly supported. I've 
> looked/briefly worked on the mod_jk source and it was pretty awful
> - but that's what happens to code over time.

Anything in particular? Plumbing code is never terribly pretty.

It's kept up-to-date and generally supports more features than
mod_proxy_ajp.

> I see your point regarding the ajp protocol but equally, HTTP is 
> everywhere and if every other part of a web stack is HTTP, there 
> seems little value in doing anything different between Apache & 
> Tomcat.

There are some slight optimizations in comparison to AJP. When HTTP/2
(which is very much like AJP) hits, you'll see less of a difference.

> AJP has various load balancing features/etc and if that's what one 
> wants, fine, but most organisations have hardware load balancers
> etc to do this for them now-a-days.

Also, mod_proxy_* does load-balancing. This is not a feature of the
protocol, but of the tool.

> Going back to my request, I note the Servlet Specification API
> docs state that getRemoteUser should return the CGI variable
> REMOTE_USER:
> 
> http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html#getRemoteUser()
>
> But as I've highlighted, it does not, so Tomcat is in breach of
> the spec. How can this be raised as a bug?

REMOTE_USER is not an HTTP header... it's the "REMOTE_USER" CGI
variable. So, your proposed implementation is incorrect and represents
a security vulnerability.

Tomcat is compliant insofar as there is no standard that covers where
the REMOTE_USER CGI variable should be set or what its value should
be. When a user is logged-into a web application,
request.getRemoteUser returns the name of the currently-logged-in
user. When no user is logged-in, it returns null. That seems to be
compliant to me.

How do you want it to behave instead?

If you want to have the web server report the REMOTE_USER CGI variable
to Tomcat, you'll have to arrange that for yourself.

-chris
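Added example, not from the thread above and not Tomcat or httpd code: one way to "arrange it yourself" when the front-end web server talks to Tomcat over plain HTTP (mod_proxy_http), where no REMOTE_USER CGI variable accompanies the request. The filter lets request.getRemoteUser() return the user that httpd authenticated, but only when the identity assertion can be trusted. The header name X-Forwarded-User, the proxy address 127.0.0.1 and the connector port 8081 are assumptions; httpd is assumed to set that header from its own authenticated user (RequestHeader set overwrites any copy a client sent) and the port 8081 connector is assumed to be reachable only from the proxy host. Taking the header unconditionally is the vulnerability the reply warns about: anyone who can reach Tomcat directly could pick their own username.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Illustrative filter (not part of Tomcat): surfaces the user that a
 * fronting httpd authenticated via getRemoteUser()/getUserPrincipal().
 * Register it in web.xml for the paths that sit behind httpd.
 */
public class ProxyRemoteUserFilter implements Filter {

    // Assumption: httpd sets this header from its REMOTE_USER and
    // overwrites any value the client supplied.
    static final String USER_HEADER = "X-Forwarded-User";
    // Assumption: only the local reverse proxy may assert an identity.
    static final String TRUSTED_PROXY_ADDR = "127.0.0.1";
    // Assumption: the connector httpd talks to is firewalled from clients.
    static final int PROXY_CONNECTOR_PORT = 8081;

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    /** Trust the asserted user only if the request actually came in from the proxy. */
    static boolean assertionIsTrusted(HttpServletRequest http) {
        return TRUSTED_PROXY_ADDR.equals(http.getRemoteAddr())
                && http.getLocalPort() == PROXY_CONNECTOR_PORT;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String asserted = http.getHeader(USER_HEADER);

        if (asserted != null && asserted.length() > 0 && assertionIsTrusted(http)) {
            chain.doFilter(new RemoteUserRequest(http, asserted), res);
        } else {
            // Either no assertion or an untrusted source: fall through to
            // whatever the container itself knows (normally null).
            // The vulnerable variant would wrap the request here regardless
            // of where it came from.
            chain.doFilter(http, res);
        }
    }

    /** Request wrapper that reports the proxy-asserted user. */
    static final class RemoteUserRequest extends HttpServletRequestWrapper {
        private final String user;

        RemoteUserRequest(HttpServletRequest r, String user) {
            super(r);
            this.user = user;
        }

        @Override
        public String getRemoteUser() {
            return user;
        }

        @Override
        public Principal getUserPrincipal() {
            return new Principal() {
                @Override
                public String getName() {
                    return user;
                }
            };
        }
    }
}
```

The wrapper only answers getRemoteUser() and getUserPrincipal(); isUserInRole() still consults Tomcat's Realm, so role checks need a Realm that knows the user (or a further override, which is a separate design decision). Note also that with the AJP route the thread is comparing, the protocol itself carries the web server's authenticated user and Tomcat's AJP connector can be told to use it (its tomcatAuthentication attribute), so none of this plumbing is needed there.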
