---- "André Warnier" <a...@ice-sa.com> wrote: 
> oh...@cox.net wrote:
> ...
> > ---- Rainer Jung <rainer.j...@kippdata.de> wrote: 
> >> Although this thread has moved forward towards the role topic, I want to 
> >> give some info about the user forwarding by mod_jk. Some of it was 
> >> already present in previous posts.
> >>
> >> 1) In order to let Tomcat accept the user, you need to set 
> >> tomcatAuthentication to "false"
> >>
> >> 2) mod_jk will always forward the user as detected by the
> >>     following logic:
> >>     - the user as authenticated by Apache
> >>     - if this doesn't exist it will forward the value of
> >>       an Apache environment variable. The default name of the
> >>       variable is "JK_REMOTE_USER", but it can be changed using
> >>       the configuration directive "JkRemoteUserIndicator"
> >>
> >> 3) The user ID will *not* be forwarded in the form of a request header
> >>
> >> 4) The forwarded user id is logged in the JK log file on level debug
> >>     as the "user" field in the line:
> >>
> >> Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d 
> >> auth=%s user=%s laddr=%s raddr=%s uri=%s
> >>
> >> 5) There is no need to use JkEnvVar
> >>
> >> 6) When not using a real Apache authentication, you can instead
> >>     set the Apache environment variable JK_REMOTE_USER
> >>     e.g. via mod_setenvif or the E= syntax of mod_rewrite.
> >>     If you change the name of the env var using JkRemoteUserIndicator
> >>     use the variable name given there instead.
> >>
> >> 7) The Apache authenticated user can be logged in the Apache AccessLog
> >>     using "%u". Any environment variable XXX can be logged using
> >>     %{XXX}e.
> >>
> >> 8) The user can be logged in the Tomcat AccessLog using %u.
> >>
> >> 9) The user is returned by request.getRemoteUser() on the Tomcat side.
> >>
> >> Regards,
> >>
> >> Rainer
> >>
> > 
> > 
> > Hi Rainer,
> > 
> > Thanks for the great info above, esp. re. the JK_REMOTE_USER and 
> > JkRemoteUserIndicator.
> > 
> > I'm kind of well along the way with my valve, but I still have mod_jk for 
> > one proxy section, so I'll give those a try.
> > 
> Hi Rainer.
> Thanks also for the precise information.  We've missed you..
> 
> Jim, one more question:
> At the Apache httpd level, when the user has been authenticated by OAM, /can/ 
> you get the authenticated user's user-id? And how?
> 
> 

Hi,

On the HTTP connection from Apache httpd to Tomcat, there's an HTTP header that 
gets populated by the OAM agent, called "OAM_REMOTE_USER".

Jim
