---- "André Warnier" <a...@ice-sa.com> wrote:
> oh...@cox.net wrote:
> >
> > ...
> >
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> > tomcatAuthentication="false" />
> >
> That is correct. The "false" means that Tomcat will not do its own
> authentication, and will instead rely on the authenticated user-id passed
> by the front-end server.
>
> Now could you also show us the section of your Apache front-end
> configuration, containing the directives which forward the requests to
> Tomcat? (proxy or rewrite stanzas)
>
> Note: the fact that the Apache/Tomcat connector (the one at the Apache
> level) passes the authenticated user-id to Tomcat along with the proxied
> request, depends on the fact that within Apache (more precisely within the
> internal Apache "request record"), the request is really authenticated (*).
> I am saying this because in an earlier post, you mentioned that you were
> using a third-party authentication package at the Apache httpd level.
> It is unlikely, but possible, that this authentication package would use
> its own logic, and never "populate" the internal Apache request record with
> this user-id (**).
> In such a case, the automatic forwarding of the user-id by the Apache-level
> connector module (mod_proxy_ajp or mod_jk) would of course not work,
> because they check the internal Apache request record, and have no
> knowledge of another user-id source.
>
>
> (*) in Tomcat terms, the equivalent of populating the userPrincipal object
> (**) for example, it may act as a filter, and rely on each request always
> containing a cookie which "authenticates" the request, and do its own
> access control independently of Apache httpd itself
>

Andre,

Sure. Here's the section from httpd.conf. This is testing where I purposely insert a "REMOTE_USER" HTTP header into the request being proxied. As I said, I have a sniffer on the line, and I can see the REMOTE_USER header, but still, when I get to my test JSP hosted on the Tomcat, getUserPrincipal() is returning null (don't mind the hostname in the ProxyPass, etc. I just happen to be hosting Tomcat on that machine, and WebLogic is shut down there).

# Proxy to Tomcat on weblogic1 machine, using AJP
<Location /samplesajp>
RequestHeader set "REMOTE_USER" "222222229test111111111111"
ProxyPass ajp://weblogic1.whatever.com:8009/samplesajp
ProxyPassReverse ajp://weblogic1.whatever.com:8009/samplesajp
</Location>

Jim
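
Added example, not part of the original thread and not Tomcat or httpd code: a minimal AJP13 Forward Request encoder and decoder showing that a REMOTE_USER HTTP header and the connector's remote_user attribute (code 0x03) travel in separate fields of the packet, which is the distinction André draws between a header and the authenticated user-id in the request record. The client address, server name and test.jsp path are constructed values, and only uncoded header names and single-string attributes are handled.

```python
import struct

SC_A_REMOTE_USER = 0x03  # AJP13 request attribute: authenticated user-id
SC_A_ARE_DONE = 0xFF     # AJP13 request terminator

def _s(v):
    """AJP string: 2-byte length, bytes, NUL terminator; 0xFFFF means null."""
    if v is None:
        return b"\xff\xff"
    raw = v.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def build_forward_request(uri, headers, remote_user=None):
    """Encode a GET Forward Request the way a web-server-side connector does."""
    body = bytes([0x02, 0x02])  # prefix code: forward request; method: GET
    # protocol, req_uri, remote_addr, remote_host, server_name (constructed)
    for v in ("HTTP/1.1", uri, "192.0.2.10", None, "front.example"):
        body += _s(v)
    body += struct.pack(">HBH", 80, 0, len(headers))  # port, is_ssl, num_headers
    for name, value in headers:
        body += _s(name) + _s(value)
    if remote_user is not None:  # set only when httpd itself authenticated
        body += bytes([SC_A_REMOTE_USER]) + _s(remote_user)
    body += bytes([SC_A_ARE_DONE])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def parse_forward_request(pkt):
    """Decode (headers, remote_user) as the container side reads them."""
    if pkt[:2] != b"\x12\x34" or pkt[4] != 0x02:
        raise ValueError("not an AJP13 forward request")
    pos = 6  # past magic, length, prefix code and method
    def rd():
        nonlocal pos
        (n,) = struct.unpack_from(">H", pkt, pos)
        pos += 2
        if n == 0xFFFF:
            return None
        s = pkt[pos:pos + n].decode()
        pos += n + 1
        return s
    for _ in range(5):  # skip protocol .. server_name
        rd()
    (count,) = struct.unpack_from(">H", pkt, pos + 3)  # after port and is_ssl
    pos += 5
    headers = [(rd(), rd()) for _ in range(count)]
    attrs = {}
    while pkt[pos] != SC_A_ARE_DONE:
        code, pos = pkt[pos], pos + 1
        attrs[code] = rd()
    return headers, attrs.get(SC_A_REMOTE_USER)
```

With the header from the httpd.conf above, the decoded packet contains the REMOTE_USER header but no remote_user attribute; the attribute appears only when the encoder is given an authenticated user.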