We currently have a proxy server that has both Apache HTTP Server and Tomcat installed, with httpd acting as both a proxy for the local Tomcat installation, and also for a number of downstream servers. Currently we use httpd Basic Auth on the proxy box and send the Basic Auth header downstream to the other servers.
We would like to begin using Tomcat form based authentication on the proxy box and somehow only send the user id on to downstream servers as a custom HTTP header. My question is this: Is it possible for Apache HTTP Server to defer authentication to Tomcat (which will use form based auth), and then ask Tomcat for (essentially) the value of 'HttpServletRequest#getRemoteUser()' to send to the downstream servers? E.g. here's the desired behavior 1. Unauthenticated user sends request to proxy box 2. Apache HTTP Server determines that the request is intended for the local Tomcat defers processing to Tomcat 3. Tomcat determines that the requested URI is a protected resource and therefore redirects the user to login page; user successfully logs on and Tomcat redirects to originally requested page (later) 1. User authenticated in flow 1 now attempts to reach a URI that Apache HTTP Server determines should be handled by a downstream server 2. Apache server asks Tomcat for the authenticated user's username and adds this information as a custom header on the request to downstream server (e.g. X-Userid: JohnS) -- - Bill