---- "André Warnier" <a...@ice-sa.com> wrote: > oh...@cox.net wrote: > ... > > ---- Rainer Jung <rainer.j...@kippdata.de> wrote: > >> Although this thread has moved forward towards the role topic, I want to > >> give some infos about the user forwarding by mod_jk. Some of it was > >> already present in previous posts. > >> > >> 1) In order to let Tomcat accept the user, you need to set > >> tomcatAuthentication to "false" > >> > >> 2) mod_jk will always forward the user as detected by the > >> following logic: > >> - the user as authenticated by Apache > >> - if this doesn't exist it will forward the value of > >> an Apache environment variable. The default name of the > >> variable is "JK_REMOTE_USER", but it can be changed using > >> the configuration directive "JkRemoteUserIndicator" > >> > >> 3) The user ID will *not* be forwarded in the form of a request header > >> > >> 4) The forwarded user id is logged in the JK log file on level debug > >> as the "user" field in the line: > >> > >> Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d > >> auth=%s user=%s laddr=%s raddr=%s uri=%s > >> > >> 5) There is no need to use JkEnvVar > >> > >> 6) When not using a real Apache authentication, you can instead > >> set the Apache environment variable JK_REMOTE_USER > >> e.g. via mod_setenvif or the E= syntax of mod_rewrite. > >> If you change the name of the env var using JkRemoteUserIndicator > >> use the variable name given there instead. > >> > >> 7) The Apache authenticated user can be logged in the Apache AccessLog > >> using "%u". Any environment variable XXX can be logged using > >> %{XXX}e. > >> > >> 8) The user can be logged in the Tomcat AccessLog using %u. > >> > >> 9) The user is returned by request.getRemoteUser() on the Tomcat side. > >> > >> Regards, > >> > >> Rainer > >> > > > > > > Hi Rainier, > > > > Thanks for the great info above, esp. re. the JK_REMOTE_USER and > > JkRemoteUserIndicator. > > > > I'm kind of well along the way with my valve, but I still have mod_jk for > > one proxy section, so I'll give those a try. > > > Hi Rainer. > Thanks also for the precise information. We've missed you.. > > Jim, one more question : > At the Apache httpd level, when the user has been authenticated by OAM, /can/ > you get the > authenticated user's user-id ? and how ? > >
Hi, On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that gets populated by the OAM agent, called "OAM_REMOTE_USER". Jim --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org