> 4. Address user authentication via Ajp12 and Ajp13. Ajp12 has a test for
> isTomcatAuthentication() to see if req.setRemoteUser() should be called.
> I think Ajp13 doesn't have this yet and probably should. Also, if the
> user is anonymous, i.e. user = "", should we call req.setRemoteUser()
> with this value? This prevents Tomcat's normal authentication from being
> triggered.
>
I have this code prepared for commit, implementing the
tomcatAuthentication hack in ajp13.
But I've planned to change the hack to only test the received string for
emptiness and not call setRemoteUser in that case; I think this will
render the tomcatAuthentication hack useless...
But perhaps the better option is, as you say, to honor IsTomcatAuthentication
and not call setRemoteUser for the empty string case.
But I cannot think of a use case in which it would be needed to obviate an auth
done in the HTTP server and honor another done in the servlet container.
Regards,
Ignacio J. Ortega
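
The three behaviours discussed in this thread, side by side, as an added example that is not part of the original message or of Tomcat's connector code. The class and method names are hypothetical, "alice" is a constructed sample value, and it assumes tomcatAuthentication=true means the servlet container performs authentication.

```java
import java.util.function.BiFunction;

public class RemoteUserPolicyDemo {
    // Stand-in for the request; a null remoteUser means container auth can still run.
    static final class Req {
        String remoteUser;
        void setRemoteUser(String user) { remoteUser = user; }
    }

    // Policy A: test only the flag (the Ajp12 behaviour described in the thread).
    // Assumption: flag == true means the servlet container authenticates.
    static Req flagOnly(boolean tomcatAuth, String user) {
        Req req = new Req();
        if (!tomcatAuth) req.setRemoteUser(user);
        return req;
    }

    // Policy B: test only for an empty user string; the flag is ignored.
    static Req emptyOnly(boolean tomcatAuth, String user) {
        Req req = new Req();
        if (user != null && !user.isEmpty()) req.setRemoteUser(user);
        return req;
    }

    // Policy C: honor the flag and also skip the empty string.
    static Req flagAndEmpty(boolean tomcatAuth, String user) {
        Req req = new Req();
        if (!tomcatAuth && user != null && !user.isEmpty()) req.setRemoteUser(user);
        return req;
    }

    static String show(BiFunction<Boolean, String, Req> policy, boolean flag, String user) {
        String ru = policy.apply(flag, user).remoteUser;
        return ru == null ? "unset (container auth can run)" : "\"" + ru + "\"";
    }

    public static void main(String[] args) {
        for (boolean flag : new boolean[] { true, false }) {
            for (String user : new String[] { "", "alice" }) {  // constructed inputs
                System.out.printf("tomcatAuthentication=%b user=\"%s\"%n", flag, user);
                System.out.println("  flag only      -> " + show(RemoteUserPolicyDemo::flagOnly, flag, user));
                System.out.println("  empty only     -> " + show(RemoteUserPolicyDemo::emptyOnly, flag, user));
                System.out.println("  flag and empty -> " + show(RemoteUserPolicyDemo::flagAndEmpty, flag, user));
            }
        }
    }
}
```

The policies differ in two cells: with the flag off and an empty user, only the flag-only policy sets a remote user of "", and with the flag on and a non-empty user, only the empty-only policy lets the web server's identity override the container's.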