It took me several hours to figure this out, so I think it is worth writing down.
I have an Apache web server (2.2.3) sitting in front of Tomcat (5.5.27). In the Apache configuration, I have:
<Location /secure/>
AuthType Basic
AuthName "Secure Service"
AuthUserFile /etc/httpd/conf/user.db
Require valid-user
</Location>
If the authentication succeeds, the HTTP request is passed to Tomcat by mod_proxy_ajp:
ProxyPass /secure/ ajp://localhost:8009/secure/
In Tomcat's server.xml, I disable Tomcat's own authentication on the AJP connector (both tomcatAuthentication and request.tomcatAuthentication work):
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />
With tomcatAuthentication="false", Tomcat accepts whatever user name the AJP peer sends it, so the connector must be reachable only by Apache; binding it to address="127.0.0.1" is what keeps that trust local.
If the authentication succeeds, Apache sets the CGI variable (it is not an HTTP header):
REMOTE_USER = omii
But in Tomcat I do not see any REMOTE_USER header. Instead, I see the browser's own credentials forwarded unchanged:
authorization = Basic b3ip9kd9dkekd9
It turns out that the user name never travels as a header. mod_proxy_ajp sends it as the remote_user attribute of the AJP forward-request packet, and because tomcatAuthentication is "false" Tomcat trusts that attribute and exposes it as the request's user principal (request.getRemoteUser() returns the same name). It can be read inside a JSP page with the following code:
java.security.Principal pr = request.getUserPrincipal();
if (pr != null) {
    String r = pr.getName(); // r.equals("omii")
}
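To make the wire format concrete, here is an added example (my own code, not part of the original post) that builds and parses an AJP/1.3 "Forward Request" packet of the kind mod_proxy_ajp sends to port 8009 once Basic auth has succeeded. The packet layout follows the AJP13 protocol reference; the user "omii", the URI /secure/index.jsp and the base64 blob are constructed sample values. It shows why the JSP sees a principal but no REMOTE_USER header: the name rides in the remote_user attribute after the header list, while the Authorization header is forwarded as an ordinary header.

```python
"""Encode/decode an AJP/1.3 Forward Request (added example, constructed data)."""
import struct

FORWARD_REQUEST = 0x02
METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4}
# Well-known request headers are sent as a 2-byte code instead of a name string.
HEADER_CODES = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}
CODE_TO_HEADER = {v: k for k, v in HEADER_CODES.items()}
# Request attributes that follow the headers (the subset this example handles).
ATTR_CODES = {"remote_user": 0x03, "auth_type": 0x04, "query_string": 0x05}
CODE_TO_ATTR = {v: k for k, v in ATTR_CODES.items()}
ARE_DONE = 0xFF


def _string(s):
    """AJP string: 2-byte length, bytes, NUL terminator; None is sent as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("iso-8859-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(method, uri, headers, attributes, remote_addr="127.0.0.1",
                          server_name="localhost", server_port=80):
    """Encode a web-server -> container Forward Request packet (magic 0x1234)."""
    body = bytes([FORWARD_REQUEST, METHOD_CODES[method]])
    body += _string("HTTP/1.1") + _string(uri)
    body += _string(remote_addr) + _string(None)        # remote_host not resolved
    body += _string(server_name) + struct.pack(">H", server_port)
    body += b"\x00"                                      # is_ssl = false
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else _string(name)
        body += _string(value)
    for name, value in attributes.items():               # e.g. remote_user, auth_type
        body += bytes([ATTR_CODES[name]]) + _string(value)
    body += bytes([ARE_DONE])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode("iso-8859-1"), pos + n + 1   # skip the NUL


def parse_forward_request(packet):
    """Decode a Forward Request into (method, uri, headers, attributes)."""
    if packet[:2] != b"\x12\x34":
        raise ValueError("not a web-server -> container packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    buf = packet[4:4 + length]
    if len(buf) != length or buf[0] != FORWARD_REQUEST:
        raise ValueError("truncated packet or not a Forward Request")
    method = {v: k for k, v in METHOD_CODES.items()}[buf[1]]
    pos = 2
    _protocol, pos = _read_string(buf, pos)
    uri, pos = _read_string(buf, pos)
    _remote_addr, pos = _read_string(buf, pos)
    _remote_host, pos = _read_string(buf, pos)
    _server_name, pos = _read_string(buf, pos)
    pos += 2 + 1                                         # server_port + is_ssl
    (num_headers,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    headers = {}
    for _ in range(num_headers):
        (code,) = struct.unpack_from(">H", buf, pos)
        if (code & 0xFF00) == 0xA000:
            name, pos = CODE_TO_HEADER[code], pos + 2
        else:
            name, pos = _read_string(buf, pos)
        value, pos = _read_string(buf, pos)
        headers[name.lower()] = value
    attributes = {}
    while buf[pos] != ARE_DONE:
        code = buf[pos]
        if code not in CODE_TO_ATTR:
            raise ValueError("attribute code 0x%02x not handled here" % code)
        value, pos = _read_string(buf, pos + 1)
        attributes[CODE_TO_ATTR[code]] = value
    return method, uri, headers, attributes


def demo():
    """What Apache sends for the request in the post after Basic auth succeeded."""
    packet = build_forward_request(
        "GET", "/secure/index.jsp",
        headers={"Host": "localhost",
                 "Authorization": "Basic b3ip9kd9dkekd9"},    # forwarded as-is
        attributes={"remote_user": "omii", "auth_type": "Basic"},
    )
    return parse_forward_request(packet)


if __name__ == "__main__":
    print(demo())
```

Two things fall out of the decoded packet. First, the browser's base64 credentials reach Tomcat in the forwarded Authorization header even though Apache already checked them, so anything logging headers on the Tomcat side is logging passwords. Second, nothing in the packet authenticates the remote_user attribute itself: any client that can open a TCP connection to port 8009 can call build_forward_request with a user name of its choosing, which is exactly why the connector above is bound to 127.0.0.1.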