-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Elliot,

On 2/11/14, 12:41 PM, Elliot Kendall wrote:
>> You could try setting tomcatAuthentification="false" on your AJP
>> connector in server.xml. If Shibboleth put the value in
>> REMOTE_USER as it should then tomcat should pick it up as the
>> principal. Be aware that you should protect your ajp connector so
>> that no other machine than your Apache can connect to it.
> 
> This was one of the first things I tried, and when it didn't work
> I thought I must be missing something. Of course, now that you've 
> inspired me to try again it works flawlessly. Thanks!
> 
> I am still curious as to why the AJP connector populates incoming 
> request headers as attributes, though. It seems like it has the 
> potential to cause problems without offering any obvious benefits.

So, your subjective preference for request headers is better than
someone else's subjective preference for request attributes, so things
should change? Not likely.

I would argue that the data is not coming-across from anywhere else as
an HTTP header, so why should HTTP headers be added for the last-link?
You can consider Apache httpd as a reverse proxy, and if it were using
HTTP as the protocol (instead of AJP) then HTTP headers would be the
only way to go, so that would be a reasonable argument for headers
versus attributes.

Remember that you can always write a Filter (or Valve, if you need to
work at a lower level) that does anything you want, including copying
headers to attributes or vice-versa.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJS+m5kAAoJEBzwKT+lPKRYqWIQALXd4PgwTXZmcn7kFvjia5SH
z+aVB4ikoaOtJbcxjyVNjz72zISwxlWLUkqbRNUBtSJfNW0dkvfluco+qxdLRr1h
lLBuvdpLOM3JBkBvtTEHHZi/Hj55wtnfxLjuH3oR4jf2Ca7G+duxs3WbO8SmaOxq
H/zwCI0DVVbZw9VhNL6QRbayFlUdBF22EVUzeOqeMDTopRAZnvjsAzjrUUgxA1eI
wBBPsJvMHSVwq7+brgEbbd/iQJD1KgYFVIKyyDUoloqZyhhS5EtD/K3xg9xwh2T0
o9VsU0HOPjSeYdhRmNw3+xKq1KrH59C4VJ28gIcu3e+RQA1LGHC2/y6vPA5TT9yi
eec0etvaergZ8+EMMauanQt+VlqQ2eyPuDmXUEQvBlzYW33GULY3mFefNjLX/Q6i
FEMPE0nD8R999334sOE3r/3JgwqH31xBRScHrTTvuBwutW902t0fhhauhcHkJZyj
iokJ4y3Ix8TdxBs6+xVDg/oSAG8EFON7z95qP5U6tgFs6yaUuHsoOMandE9nU/VE
OI75aeQv+Bp2xC/vTI4uSg9WAhLIeQisdRfrzq/Pk0TSMReV72kMAR1b1fH/AzMe
QyRyaYGCbfLEyPDaNAVBEFUm0tCpmXWrxRmapw9ZmE3kS7+ycFLeEcaqW1odfOWw
kSCwBKjxSzIrjPMQQ1vp
=TuKx
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to