-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Elliot,
On 2/11/14, 12:41 PM, Elliot Kendall wrote: >> You could try setting tomcatAuthentification="false" on your AJP >> connector in server.xml. If Shibboleth put the value in >> REMOTE_USER as it should then tomcat should pick it up as the >> principal. Be aware that you should protect your ajp connector so >> that no other machine than your Apache can connect to it. > > This was one of the first things I tried, and when it didn't work > I thought I must be missing something. Of course, now that you've > inspired me to try again it works flawlessly. Thanks! > > I am still curious as to why the AJP connector populates incoming > request headers as attributes, though. It seems like it has the > potential to cause problems without offering any obvious benefits. So, your subjective preference for request headers is better than someone else's subjective preference for request attributes, so things should change? Not likely. I would argue that the data is not coming-across from anywhere else as an HTTP header, so why should HTTP headers be added for the last-link? You can consider Apache httpd as a reverse proxy, and if it were using HTTP as the protocol (instead of AJP) then HTTP headers would be the only way to go, so that would be a reasonable argument for headers versus attributes. Remember that you can always write a Filter (or Valve, if you need to work at a lower level) that does anything you want, including copying headers to attributes or vice-versa. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJS+m5kAAoJEBzwKT+lPKRYqWIQALXd4PgwTXZmcn7kFvjia5SH z+aVB4ikoaOtJbcxjyVNjz72zISwxlWLUkqbRNUBtSJfNW0dkvfluco+qxdLRr1h lLBuvdpLOM3JBkBvtTEHHZi/Hj55wtnfxLjuH3oR4jf2Ca7G+duxs3WbO8SmaOxq H/zwCI0DVVbZw9VhNL6QRbayFlUdBF22EVUzeOqeMDTopRAZnvjsAzjrUUgxA1eI wBBPsJvMHSVwq7+brgEbbd/iQJD1KgYFVIKyyDUoloqZyhhS5EtD/K3xg9xwh2T0 o9VsU0HOPjSeYdhRmNw3+xKq1KrH59C4VJ28gIcu3e+RQA1LGHC2/y6vPA5TT9yi eec0etvaergZ8+EMMauanQt+VlqQ2eyPuDmXUEQvBlzYW33GULY3mFefNjLX/Q6i FEMPE0nD8R999334sOE3r/3JgwqH31xBRScHrTTvuBwutW902t0fhhauhcHkJZyj iokJ4y3Ix8TdxBs6+xVDg/oSAG8EFON7z95qP5U6tgFs6yaUuHsoOMandE9nU/VE OI75aeQv+Bp2xC/vTI4uSg9WAhLIeQisdRfrzq/Pk0TSMReV72kMAR1b1fH/AzMe QyRyaYGCbfLEyPDaNAVBEFUm0tCpmXWrxRmapw9ZmE3kS7+ycFLeEcaqW1odfOWw kSCwBKjxSzIrjPMQQ1vp =TuKx -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org