[users@httpd] Reverse proxying from Apache to Tomcat and Basic Authentication

[Ezio Paglia <ez...@comune.grosseto.it>]

Hi all.

Maybe the problems I am describing are more likely related to Tomcat 
users, yet I think that an architecture based on an Apache as front-end 
and one or more Tomcat's as back ends is quite common.

Reverse proxying from Apache to Tomcat works, and it still works if we 
let Tomcat to provide some authentication and authorization feature 
(i.e. via ldap).

Yet I'd like to have authentication (and even authorization) on Apache, 
I think it would be more correct. So I tried to study the problem, 
having some locations of the Apache protected by a Basic Authentication 
and proxy-passed to Tomcat. I expected the Tomcat to preserve the 
REMOTE_USER (or HTTP_REMOTE_USER ? ) variable received by Apache. It 
does not work.

Do you know how can Tomcat force an environmental variable (coming from 
Apache via reverse proxy) into its REMOTE_USER, after recognizing the 
REMOTE_ADDR of the federate Apache, without being open to attacks ?

Thanks in advance.
Yours Ezio.