Hi,

I recently posted under the thread "Apache authentication information (remoteuser) not visible in Tomcat" and I am grateful to all who responded with useful comments.

I learned the following about how Tomcat treats authentication information received from Apache via AJP headers (mod_jk) - once told to consider it by using "tomcatAuthentication=false" in the appropriate place:

1) request.getRemoteUser() only works on the "entry-point" servlet (e.g. index.jsp) - it doesn't work if you forward immediately to another page. It seems strange that Tomcat doesn't keep remote user around for later use and forces me to keep it around explicitly in some form (such as a hidden POST parameter).

2) The above is assuming SSL is turned off for my application. The minute I turn it on in its security constraint (in web.xml), request.getRemoteUser() only returns null. Is there a particular setting in security constraint or elsewhere to achieve the desired behavior?

Thanks in advance for any help.

Omar




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
