Marc Boorshtein wrote:
You should not need to do that, it should be automatic.
Just make sure that in the Tomcat <Connector> for AJP (in server.xml), you
set the attribute
tomcatAuthentication="false"

If the request is authenticated by Apache, mod_jk will (always) pass it
internally to Tomcat, along with the request.  If the above attribute is
set, then Tomcat will also "believe" this user-id, and not try itself to
authenticate the user.


OK, so the good news is that setting tomcatAuthentication="false" did
get tomcat to not prompt me for authentication.  The bad news is that
it looks like this doesn't actually set the user's context

it does, but maybe not with everything you were expecting

because I am receiving unauthorized messages from the application
which relies on container security.

When Apache authenticates a user, it gets a user-id, like "marcb".
That is what mod_jk passes to Tomcat, nothing else. That is one "A" of "AAA", which stands for Authentication, Authorization and Access-control. Authorization is another step, which can only be done by Tomcat in this case, because the concepts do not really match between Apache httpd and Tomcat (Apache has users and groups, Tomcat uses "roles").

  I have an LDAP realm set up, is
there a configuration to bridge this gap?  If not I THINK I can write
a "wrapper" realm that will take the user id attribute and "fake" it.
Any thoughts?

Since you have Apache in front already, you could do the whole AAA under Apache, and remove anything you do not really need from Tomcat. What do you really need to know about a user at the Tomcat application level, apart from his user-id?
(Or you could do the total opposite: do the whole AAA in Tomcat.)
The whole thing is rather flexible, and what you choose to do where is very much depending on your circumstances. (Like: do all accesses to Tomcat go through Apache first? is the link between Apache and Tomcat secure? are there resources served by Apache directly, and do some of them need AAA? etc.)


As for the versions, thanks for the reminder:
Tomcat 6.0.26
Apache 2.2.15
mod_jk 1.2   <== you are missing a number here, and for some things it really matters
CentOS 5.5
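
As an added example (not part of the original message or of either project's documentation), the two configuration pieces this exchange turns on: the AJP connector that accepts Apache's user-id, and a role-based constraint of the kind an application relying on container security declares. The port, the loopback address (which assumes httpd and Tomcat share a host), the URL pattern and the role name are assumptions.

```xml
<!-- server.xml (Tomcat side): AJP connector that accepts the user-id
     Apache httpd already authenticated. Port and address are assumed values. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false" />
<!-- address="127.0.0.1" keeps the connector reachable only from the local
     httpd: with tomcatAuthentication="false" Tomcat believes whatever
     user-id arrives over AJP, so nothing but httpd should be able to connect. -->

<!-- WEB-INF/web.xml (application side): a role-based constraint of the kind
     container security uses. Role name and URL pattern are hypothetical. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected-area</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Passing this check takes a role, which is authorization.
         mod_jk delivers only the user-id (e.g. "marcb"), so this is
         the step Tomcat still has to resolve on its own. -->
    <role-name>app-user</role-name>
  </auth-constraint>
</security-constraint>
```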

