oh...@cox.net wrote:
...
---- Rainer Jung <rainer.j...@kippdata.de> wrote:
Although this thread has moved forward towards the role topic, I want to give some information about the user forwarding by mod_jk. Some of it was already present in previous posts.

1) In order to let Tomcat accept the user, you need to set tomcatAuthentication to "false"

2) mod_jk will always forward the user as detected by the
    following logic:
    - the user as authenticated by Apache
    - if this doesn't exist it will forward the value of
      an Apache environment variable. The default name of the
      variable is "JK_REMOTE_USER", but it can be changed using
      the configuration directive "JkRemoteUserIndicator"

3) The user ID will *not* be forwarded in the form of a request header

4) The forwarded user id is logged in the JK log file on level debug
    as the "user" field in the line:

Service protocol=%s method=%s ssl=%s host=%s addr=%s name=%s port=%d auth=%s user=%s laddr=%s raddr=%s uri=%s

5) There is no need to use JkEnvVar

6) When not using a real Apache authentication, you can instead
    set the Apache environment variable JK_REMOTE_USER
    e.g. via mod_setenvif or the E= syntax of mod_rewrite.
    If you change the name of the env var using JkRemoteUserIndicator
    use the variable name given there instead.

7) The Apache authenticated user can be logged in the Apache AccessLog
    using "%u". Any environment variable XXX can be logged using
    %{XXX}e.

8) The user can be logged in the Tomcat AccessLog using %u.

9) The user is returned by request.getRemoteUser() on the Tomcat side.

Regards,

Rainer



Hi Rainer,

Thanks for the great info above, esp. re. the JK_REMOTE_USER and 
JkRemoteUserIndicator.

I'm kind of well along the way with my valve, but I still have mod_jk for one 
proxy section, so I'll give those a try.

Hi Rainer.
Thanks also for the precise information.  We've missed you..

Jim, one more question :
At the Apache httpd level, when the user has been authenticated by OAM, /can/ you get the authenticated user's user-id? And how?
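
Added example (not part of any message in this thread, and not mod_jk project code): a small Python check for point 4 above, which reads the "Service ..." debug lines from the JK log and reports requests under a protected path that were forwarded to Tomcat without a user. The sample lines, the /app/admin/ prefix and the "(null)" rendering of an unset field are assumptions made for the example.

```python
import re

# Field names, in order, from the format string quoted in point 4 of the thread.
FIELDS = ("protocol method ssl host addr name port auth user "
          "laddr raddr uri").split()
SERVICE_RE = re.compile(
    r"Service " + " ".join(rf"{f}=(?P<{f}>.*?)" for f in FIELDS) + r"\s*$")
# Assumption: an unset field is printed as "(null)" (or left empty).
UNSET = {"", "(null)"}

def parse_service_line(line):
    """Return the fields of a mod_jk 'Service ...' debug line, or None."""
    m = SERVICE_RE.search(line)
    return m.groupdict() if m else None

def forwarded_user(fields):
    """The user mod_jk forwarded to Tomcat, or None if none was set."""
    return None if fields["user"] in UNSET else fields["user"]

def audit(lines, protected_prefixes):
    """List (uri, addr) for protected requests forwarded without a user."""
    findings = []
    for line in lines:
        fields = parse_service_line(line)
        if fields is None:
            continue  # some other debug line, not a Service line
        if (fields["uri"].startswith(tuple(protected_prefixes))
                and forwarded_user(fields) is None):
            findings.append((fields["uri"], fields["addr"]))
    return findings

# Constructed sample lines: log prefix abbreviated, addresses are examples.
SAMPLE_LOG = [
    "[debug] Service protocol=HTTP/1.1 method=GET ssl=false host=(null) "
    "addr=192.0.2.10 name=app.example.test port=80 auth=Basic user=alice "
    "laddr=192.0.2.1 raddr=192.0.2.10 uri=/app/admin/index.jsp",
    "[debug] Service protocol=HTTP/1.1 method=POST ssl=false host=(null) "
    "addr=192.0.2.20 name=app.example.test port=80 auth=(null) user=(null) "
    "laddr=192.0.2.1 raddr=192.0.2.20 uri=/app/admin/users",
    "[debug] Service protocol=HTTP/1.1 method=GET ssl=false host=(null) "
    "addr=192.0.2.30 name=app.example.test port=80 auth=(null) user=(null) "
    "laddr=192.0.2.1 raddr=192.0.2.30 uri=/app/public/index.html",
    "[debug] some other debug message without request fields",
]

if __name__ == "__main__":
    for uri, addr in audit(SAMPLE_LOG, ["/app/admin/"]):
        print(f"no user forwarded: {uri} from {addr}")
```
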
