1

I have a Tomcat connected via mod_proxy_ajp to an Apache 2.2 instance. Apache does the authentication via mod_auth_kerb, and Tomcat uses request.getRemoteUser() to get the authenticated user.

This basically works, but I want to rewrite the user. However, none of the headers I set affect what is returned by request.getRemoteUser(); I only see them as additional headers. What do I have to do?

    # Rewrite Magic: change REMOTE_USER to something Alfresco expects
    RewriteEngine On

    RewriteMap domain_map txt:/etc/apache2/rewrite-map.txt

    # Grab the REMOTE_USER apache environment variable for HTTP forwarding (requires sub-request!)
    RewriteCond %{LA-U:REMOTE_USER} (.*)@(.*)

    # change the format and replace the domain, e.g.: 
    # user@some.domain  ==>  other.domain_user
    RewriteRule . - [E=RU:${domain_map:%2|%2}_%1]

    # copy processed user to HTTP headers
    RequestHeader set REMOTE_USER %{RU}e
    RequestHeader set HTTP_REMOTE_USER %{RU}e
    RequestHeader set AJP_REMOTE_USER %{RU}e
    RequestHeader set AJP_HTTP_REMOTE_USER %{RU}e

Thanks!

Michael Böckling

2 Answers

0

I suspect that the headers are not being set as you expect them to be set, and they are getting to Tomcat empty.

I have experienced some puzzling processing order issues that caused RequestHeader to ignore the environment variables set by a RewriteRule. Take a look at https://stackoverflow.com/a/9303018/239408 in case it helps.

xverges
0

It seems the getRemoteUser() value cannot be overwritten by Apache header directives, as the AJP protocol handler gets the username from some internal Apache structure. I worked around this by sending the username via HTTP header and modifying the Java code to use that instead of using getRemoteUser().

Michael Böckling
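One way to apply the header-based workaround from the last answer without touching every getRemoteUser() call site, as an added example (not the answerer's code): a servlet filter that wraps the request and fails closed when the header is missing. The class name `ProxyUserFilter` and the user-name pattern are assumptions; the header name is the one set in the question. It also assumes Tomcat's connector only accepts connections from the Apache instance, because the header is trusted as the identity.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: exposes the proxy-supplied header through getRemoteUser().
public class ProxyUserFilter implements Filter {
    // Header name taken from the question's RequestHeader directives.
    private static final String USER_HEADER = "REMOTE_USER";
    // Assumed shape of the rewritten name (domain_user); adjust to the real scheme.
    private static final Pattern VALID_USER = Pattern.compile("[A-Za-z0-9._-]{1,128}");

    // Returns the mapped user name, or null when the header is absent or unusable.
    static String userFromHeader(HttpServletRequest req) {
        String value = req.getHeader(USER_HEADER);
        if (value == null) return null;
        value = value.trim();
        // mod_headers expands an unset environment variable in %{RU}e to "(null)",
        // which happens whenever the RewriteCond in the question did not match.
        if (value.isEmpty() || value.equals("(null)")) return null;
        return VALID_USER.matcher(value).matches() ? value : null;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final String user = userFromHeader(http);
        if (user == null) {
            // Fail closed instead of falling back to the unmapped Kerberos name.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() {
                return new Principal() {
                    @Override public String getName() { return user; }
                };
            }
        }, res);
    }
}
```

Because `RequestHeader set` replaces any client-supplied copy of the header, the value Tomcat sees is the one Apache computed, provided every route to Tomcat goes through that virtual host.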