
Is there a way in apache to set REMOTE_USER to a particular value for certain URLS, prior to AJP-proxying the request to tomcat?

I have an SSO (Apache/mod_shib)-fronted tomcat application. Some of the URLs still need to be publicly accessible. I have shibboleth working for the protected part, but the public part still requires a username (can't change how the app works).

I can correctly identify the URLs that need to be public access and turn off shibboleth authentication for them. When I do so, there's now no user defined, so the system refuses to let me in.

What I think I want to do is this:

IF URL matches pattern:
    turn off shibboleth
    force set REMOTE_USER="anonymous" //and maybe AJP_REMOTE_USER, too?!

I tried using FakeBasicAuth to achieve that last bit, but the user appears to be set after the proxy occurs. Is there a way to do this? Maybe there's a better way?

A less desirable alternative would be to configure the tomcat application to use something besides REMOTE_USER and then try setting that value with mod_rewrite. I'd rather not do that, because then the username won't show up in the tomcat access logs.

Don Faulkner
  • 121
  • 7

2 Answers

0

Manipulating the REMOTE_USER env variable is very difficult, and if you have the extra constraint to do it at the very beginning of the connection, I would try mod_security.

Unfortunately writing rules for mod_security is not the easiest thing in the world.

0

Example to populate the header X-Remote-User with the content of the REMOTE_USER variable after authentication and send that header to a backend proxy (Apache 2.4.6).

# Example for Apache 2.4.6

<VirtualHost *:80>

    RewriteEngine on

    <Location />

        ###############################################
        # Your authentication logic here
        AuthType .......
        AuthName .......
        AuthBasicProvider .......
        .... etc
        Require valid-user
        ###############################################

        # LA-U makes mod_rewrite look ahead to the authenticated user,
        # because the rewrite phase runs before REMOTE_USER is set
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        # Copy the matched user into the RU environment variable
        RewriteRule . - [E=RU:%1]
        # Forward it to the backend as the X-Remote-User request header
        RequestHeader set X-Remote-User %{RU}e

    </Location>

    ProxyTimeout 300
    ProxyPass / http://localhost:81/
    ProxyPassReverse / http://localhost:81/

</VirtualHost>
Juan Domenech
  • 336
  • 3
  • 5
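Added example (not part of the question or of either answer): an Apache 2.4 virtual host that combines the X-Remote-User technique from the answer above with the protected/public split described in the question, and proxies over AJP as the question does. The hostname, the /app and /app/public paths, the AJP port, and the use of Shibboleth lazy sessions for the public part are assumptions; the backend still has to be configured to read X-Remote-User for the anonymous paths, which this fragment does not cover.

```apache
# Added example, not from the original post or answers.
# Assumptions: mod_shib protects /app, /app/public must be reachable without
# a login, and Tomcat listens for AJP on localhost:8009.
<VirtualHost *:80>
    ServerName app.example.org

    RewriteEngine on

    # Drop any X-Remote-User a client sends, as early as possible, so the
    # backend only ever sees values set by this configuration.
    RequestHeader unset X-Remote-User early

    # Protected part: a Shibboleth session is required and REMOTE_USER
    # carries the SSO identity.
    <Location /app>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session

        # LA-U looks ahead to the authenticated user, since mod_rewrite
        # runs before authentication has populated REMOTE_USER.
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set X-Remote-User %{RU}e
    </Location>

    # Public part: lazy session, so requests without a login pass through.
    # REMOTE_USER stays unset here, so a fixed placeholder identity is
    # forwarded instead of the look-ahead value.
    <Location /app/public>
        AuthType shibboleth
        ShibRequestSetting requireSession 0
        Require shibboleth

        RequestHeader set X-Remote-User anonymous
    </Location>

    # mod_proxy_ajp forwards Apache's authenticated user (REMOTE_USER) as the
    # AJP remote_user attribute, which Tomcat honours when its AJP connector
    # has tomcatAuthentication="false". For the public paths there is no
    # Apache user, so only the X-Remote-User header reaches Tomcat.
    ProxyTimeout 300
    ProxyPass /app ajp://localhost:8009/app
    ProxyPassReverse /app ajp://localhost:8009/app
</VirtualHost>
```

The `RequestHeader unset ... early` line is the part worth keeping even if the rest is adapted: without it, a request to a path where authentication is off would carry whatever X-Remote-User the client chose straight to the backend. The two Location blocks are listed from least to most specific so the later one's `Require` replaces the earlier one, which is the default merging behaviour in 2.4.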