I'm trying to get Tomcat to accept remote_user from Apache via mod_jk,
but still use an existing role-based realm implementation.

If necessary, I am looking into modifying Tomcat to do this, but I'd
really rather not reinvent this wheel if a) it's not necessary or b) if
someone out there has already done it.

Basically, I'm trying to get pubcookie to work with my existing realm
implementation and apps. Pubcookie sets remote_user in Apache. If you
set tomcatAuthentication=false in the coyote connector, it passes
remote_user from mod_jk to Tomcat. This works fine. However, you get
no roles--you need to roll your own roles (sorry) in each app. I'd
really like to (and assume others would as well) allow Apache to set
remote_user, and then use that with a nice, modular, pre-built realm
implementation. It would mean having to do some parallel configuration
in Apache to match web.xml security constraints, but we already have to
do similar things to make mod_jk work, anyway.

It appears the connector builds its own Principal, Ajp13Principal, and
sticks it into the request, but it knows nothing about implemented
realms, so it ignores them. I'm guessing I'd need to modify
AuthenticatorBase to recognize some type of flag passed in the request
(from the connector setup), and some generic realm password, so it can
call the authenticate method and fill in the roles.

So my questions are basically: is there a better way? 1) that doesn't
involve altering Tomcat or 2) has already been done or 3) alters Tomcat
in a better way?

Thanks for any wisdom.
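An added configuration example, not part of the original post and not taken from the poster's setup: later Tomcat releases document an AJP connector attribute, tomcatAuthorization, that accepts the user name sent by Apache as already authenticated while the configured Realm still supplies the roles for web.xml security constraints. The port, address and secret values below are assumptions, and the secret is a placeholder.

```xml
<!-- server.xml fragment (added example; values are assumptions) -->

<!-- Setting described in the post: remote_user from mod_jk is accepted,
     but the resulting principal carries no roles, so role-based
     security constraints in web.xml cannot be satisfied.

<Connector protocol="AJP/1.3" port="8009"
           tomcatAuthentication="false" />
-->

<!-- Alternative in Tomcat releases that document tomcatAuthorization:
     the user name from Apache is treated as authenticated, and Tomcat
     asks the configured Realm for that user's roles when a security
     constraint applies. A user the Realm does not know still gets a
     principal, but with no roles.

     Because Tomcat now trusts whatever user name arrives over AJP,
     the connector is bound to loopback and requires a shared secret,
     so only the local Apache/mod_jk instance can assert an identity. -->
<Connector protocol="AJP/1.3" port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="PLACEHOLDER-CHANGE-ME"
           tomcatAuthorization="true" />
```

The same secret has to be set on the matching mod_jk worker, and the AJP port should not be reachable from any host other than the Apache front end.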