Posted to users@tomcat.apache.org by George Payne <gp...@virginia.edu> on 2006/04/19 04:33:02 UTC

tomcat, realms and tomcatAuthentication=false

I'm trying to get Tomcat to accept remote_user from Apache via mod_jk, 
but still use an existing role-based realm implementation.

If necessary, I am looking into modifying Tomcat to do this, but I'd 
really rather not reinvent this wheel if a) it's not necessary or b) if 
someone out there has already done it.

Basically, I'm trying to get pubcookie to work with my existing realm 
implementation and apps.  Pubcookie sets remote_user in Apache.  If you 
set tomcatAuthentication=false in the coyote connector, it passes 
remote_user from mod_jk to Tomcat.   This works fine.  However, you get 
no roles--you need to roll your own roles (sorry) in each app.  I'd 
really like to (and assume others would as well) allow Apache to set 
remote_user, and then use that with a nice, modular, pre-built realm 
implementation.  It would mean having to do some parallel configuration 
in Apache to match web.xml security constraints, but we already have to 
do similar things to make mod_jk work, anyway.

It appears the connector builds its own Principal, Ajp13Principal, and 
sticks it into the request, but it knows nothing about implemented 
realms, so it ignores them.  I'm guessing I'd need to modify 
AuthenticatorBase to recognize some type of flag passed in the request 
(from the connector setup), and some generic realm password, so it can 
call the authenticate method and fill in the roles.

So my questions are basically:  is there a better way?  1) that doesn't 
involve altering Tomcat or 2) has already been done or 3) alters Tomcat 
in a better way?

Thanks for any wisdom.
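
The gap described above (Apache supplies remote_user, but no roles come with it), shown as an added example that is not part of the original post and is not Tomcat's own code: a servlet filter that attaches roles to the forwarded user. The class name `RemoteUserRoleFilter`, the users and the role names are hypothetical, constructed for illustration.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added illustration: programmatic role checks for a user asserted by Apache. */
public class RemoteUserRoleFilter implements Filter {

    // Constructed sample data; a real deployment would query the existing role store.
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();

    @Override
    public void init(FilterConfig cfg) {
        rolesByUser.put("alice", new HashSet<>(Arrays.asList("editor", "admin")));
        rolesByUser.put("bob", new HashSet<>(Arrays.asList("editor")));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // With tomcatAuthentication=false this is the remote_user passed by mod_jk;
        // Tomcat has not checked any credentials itself.
        String user = http.getRemoteUser();
        if (user == null) {
            // Fail closed: no asserted identity means no access.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // A user with no entry gets an empty role set, never a default role.
        final Set<String> roles = rolesByUser.getOrDefault(user, Collections.emptySet());
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public boolean isUserInRole(String role) {
                return roles.contains(role);
            }
        }, res);
    }

    @Override
    public void destroy() { }
}
```

The wrapper only changes what `request.isUserInRole()` returns to application code. Security constraints in web.xml are evaluated by the container before any filter runs, so they do not see these roles, which is why the post looks at the realm and AuthenticatorBase instead.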
