Thank you André for your contribution which was very helpful.

> If you are using the first one (HTTP), then one way would be to force Apache
> to add a HTTP header to the request, containing the user-id; and on the
> Tomcat side, have something that picks up this HTTP header, and stuffs its
> content in the UserPrincipal object.
> I don't know if something like that exists ready-made, but a custom Valve
> or servlet filter should be able to do that.

This is effectively the solution I had chosen, I should have mentioned it.
Actually I was looking for the implementation on the tomcat side, that's why
I was looking at how the ajp connector was using the user-id data to set the
remote user. You gave me the solution by mentioning the UserPrincipal object,
as I was in the wrong place looking for a setRemoteUser() method.

Here is the code of the valve which gives me the expected result:

    import java.io.IOException;
    import java.security.Principal;
    import javax.servlet.ServletException;
    import org.apache.catalina.connector.CoyotePrincipal;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.valves.ValveBase;

    public class RemoteUserValve extends ValveBase {
        public void invoke(Request request, Response response)
                throws IOException, ServletException {
            // User-id forwarded by the Apache front end
            String remoteUser = request.getHeader("X-Forwarded-User");
            Principal userPrincipal = request.getPrincipal();
            if (userPrincipal != null) {
                System.out.println("Principal getName : " + userPrincipal.getName() + ".");
                System.out.println("Principal toString : " + userPrincipal.toString() + ".");
            } else {
                System.out.println("userPrincipal is null.");
                // Only build a principal when the header is present, so a
                // request without it stays unauthenticated
                if (remoteUser != null) {
                    request.setUserPrincipal(new CoyotePrincipal(remoteUser));
                }
            }
            getNext().invoke(request, response);
        }
    }

Please feel free to comment on this code if something looks improvable.

Thx again for your help.

Sylvain

On Fri, Sep 16, 2011 at 11:33 AM, André Warnier <a...@ice-sa.com> wrote:

> Sylvain Goulmy wrote:
>
>> Hi everyone,
>>
>> I'm actually using Tomcat on my environment platform (Tomcat 5.5 / Tomcat 6
>> and soon Tomcat 7). I have a frontend Apache http Server using the jk
>> connector to communicate with Tomcat instance.
>>
>> I'd like to change this connector and use the mod_proxy one for several
>> reasons. The main difficulty to handle is relative to the remote-user
>> information. Indeed the jk connector automatically transmits the information
>> so that the application can retrieve it using a request.getRemoteUser()
>> method call.
>>
>> If I'm not using the ajp connector anymore, I need to handle something on
>> the tomcat side to set the remote user in the request object.
>> I thought I could use a valve to do this. And that's where the road ends,
>> I have watched the ajp connector code in order to see how the remote user
>> is set in the request but I can't find it.
>>
>
> You are not finding it, because you are looking in the wrong place.
> If mod_jk can pass the authenticated user to Tomcat, via the AJP channel,
> it is because the user (or request) has been authenticated on the Apache
> side, before the request is forwarded through mod_jk to Tomcat.
> The AJP connector on the Tomcat side then picks up this user-id from the
> request coming in on the AJP channel, and sets the UserPrincipal in Tomcat
> accordingly.
> That's why a subsequent getRemoteUser() can pick it up in Tomcat.
>
> If you want to switch to mod_proxy instead of mod_jk, the question is : can
> mod_proxy forward the Apache user-id to Tomcat ?
> The question is slightly more complicated, because there are two methods of
> connecting Apache to Tomcat using mod_proxy :
> a) mod_proxy_http (protocol = HTTP, over Tomcat HTTP Connector)
> b) mod_proxy_ajp (protocol = AJP, over Tomcat's AJP Connector (the same as
> the one used with mod_jk)
>
> If you are using the second one (AJP), then we know that the AJP protocol
> /can/ carry the Apache user-id to Tomcat (because that is what mod_jk does).
> The question is whether mod_proxy_ajp has some setting to tell it to do
> that (or does it by default).
>
> If you are using the first one (HTTP), then one way would be to force
> Apache to add a HTTP header to the request, containing the user-id; and on
> the Tomcat side, have something that picks up this HTTP header, and stuffs
> its content in the UserPrincipal object.
> I don't know if something like that exists ready-made, but a custom Valve
> or servlet filter should be able to do that.
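
Added example, not part of the original thread and not Tomcat's own code: the valve above builds the principal from X-Forwarded-User no matter who sent the header, so this variant accepts the header only when the connection comes from the front-end proxy. The class name, the trustedProxies attribute and its loopback defaults are assumptions; it also assumes Tomcat 6 or 7 and that Apache overwrites any client-supplied copy of the header before proxying.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.CoyotePrincipal;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical hardened variant: accept X-Forwarded-User only from the proxy. */
public class TrustedProxyRemoteUserValve extends ValveBase {

    private static final String USER_HEADER = "X-Forwarded-User";

    // Addresses allowed to assert a user. The loopback defaults are an assumption
    // (Apache on the same host); override with trustedProxies="..." on the Valve.
    private volatile Set<String> trustedProxies =
            new HashSet<String>(Arrays.asList("127.0.0.1", "0:0:0:0:0:0:0:1"));

    public void setTrustedProxies(String commaSeparated) {
        Set<String> parsed = new HashSet<String>();
        for (String addr : commaSeparated.split(",")) {
            if (addr.trim().length() > 0) {
                parsed.add(addr.trim());
            }
        }
        trustedProxies = parsed;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String remoteUser = request.getHeader(USER_HEADER);
        if (remoteUser != null) {
            if (!trustedProxies.contains(request.getRemoteAddr())) {
                // The header arrived on a path that bypassed Apache: refuse the
                // request rather than pass a client-chosen identity to the webapp.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            remoteUser = remoteUser.trim();
            if (remoteUser.length() > 0 && request.getPrincipal() == null) {
                request.setUserPrincipal(new CoyotePrincipal(remoteUser));
            }
        }
        getNext().invoke(request, response);
    }
}
```

The address check only holds if this valve sees the real peer address, so it has to run before anything that rewrites the remote address of the request.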