> I haven't looked too closely, but I'm not sure what "standard"
> mechanisms there are to communicate this through a proxy. variables
> don't pass through a proxy, and a HEADER is NOT the proper solution here
> unless you also implement something similar to the Tomcat RemoteIpValve
> where you have the notion of trustedProxiesForAuth or something like that.

Neither AJP forwarding REMOTE_USER nor an HTTP header is great, so if we all care about security, that feature of mod_jk needs disabling with warnings/sirens should one enable it. I do appreciate the remote IP valve exists, but this is a sticking plaster around the core design flaw. However, it is true that plenty of vendor modules exist in the Apache HTTPD world that forward a username on a header (I've listed some) and with the appropriate controls in place, it isn't an awful solution to use an HTTP header to carry the username. It's no different to mod_jk forwarding REMOTE_USER (mod_jk isn't providing security in our puzzle).
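
One form the "trusted proxies" control discussed in this thread could take on the receiving side, as an added example that is not code from the thread, Tomcat or mod_jk: the forwarded username is honoured only when the directly connected peer is a known proxy and the header arrives exactly once. The header name, class and method names, and addresses are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class ForwardedUserCheck {
    // Hypothetical header name; use whatever the front-end module actually sets.
    static final String USER_HEADER = "x-remote-user";

    // Constructed sample: the reverse proxies allowed to assert a username.
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    /**
     * peerAddr is the address of the directly connected peer (what
     * HttpServletRequest.getRemoteAddr() returns when nothing has rewritten it).
     * headers maps lower-cased header names to every value received.
     */
    static Optional<String> resolveUser(String peerAddr,
                                        Map<String, List<String>> headers) {
        // A header from any other peer is client-controlled input: ignore it.
        if (!TRUSTED_PROXIES.contains(peerAddr)) {
            return Optional.empty();
        }
        // More than one value means the proxy did not strip a copy sent by
        // the client, so the asserted identity is ambiguous: refuse it.
        List<String> values = headers.getOrDefault(USER_HEADER, List.of());
        if (values.size() != 1) {
            return Optional.empty();
        }
        String user = values.get(0).trim();
        return user.isEmpty() ? Optional.empty() : Optional.of(user);
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        Map<String, List<String>> single = Map.of(USER_HEADER, List.of("alice"));
        Map<String, List<String>> doubled =
                Map.of(USER_HEADER, List.of("alice", "admin"));

        System.out.println(resolveUser("10.0.0.5", single));     // trusted proxy
        System.out.println(resolveUser("203.0.113.9", single));  // direct client
        System.out.println(resolveUser("10.0.0.5", doubled));    // duplicate header
    }
}
```

The check only holds if the back end is reachable solely through the listed proxies and each proxy removes any client-supplied copy of the header before setting its own.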