users@glassfish.java.net

Re: getRemoteUser from Web Application

From: <glassfish_at_javadesktop.org>
Date: Wed, 04 Nov 2009 09:01:49 PST

Just in case anyone's interested, I received some intricate explanations from the Apache users mailing list on why getRemoteUser won't work through a proxied connection. The closest I've gotten is to rewrite my Apache configuration to create a REMOTE_USER *HTTP header* for authenticated connections. This seems to work well, and can be accessed from Java using HttpServletRequest.getHeader. Because anyone connecting to our web applications has been authenticated by mod_auth_kerb, I believe this is sufficient for our applications to determine who has authenticated and act accordingly. If necessary, I should be able to update our servlet container to take the REMOTE_USER HTTP header and set it into a UserPrincipal object.

Here is our updated configuration:
------
<Location "/test">
        order deny,allow
        deny from all
        AuthType KerberosV5
        AuthName "kerberos"
        Satisfy any
        require valid-user
        RewriteEngine on
        RewriteCond %{REMOTE_USER} (.+)
        RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
        RequestHeader Set Host ourserver.com:443
        RequestHeader set REMOTE_USER %{REMOTE_USER}e
        RewriteRule ^/var/www/html/test/(.*) http://localhost/cgi-bin/test/$1 [P,L,E=REMOTE_USER:%{REMOTE_USER}]
</Location>
------
And here is what it puts in rewrite.log:
------
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (3) [per-dir /test/] add path info postfix: /var/www/html/test -> /var/www/html/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (3) [per-dir /test/] applying pattern '^/var/www/html/test/(.*)' to uri '/var/www/html/test/remote.cgi'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (4) RewriteCond: input='dab66' pattern='(.+)' => matched
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (2) [per-dir /test/] rewrite /var/www/html/test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (2) [per-dir /test/] forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (1) [per-dir /test/] go-ahead with proxy request proxy:http://localhost/cgi-bin/test/remote.cgi [OK]
------
[Message sent by forum member 'bougie' (dab66_at_cornell.edu)]

http://forums.java.net/jive/thread.jspa?messageID=370512
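
A servlet filter along the lines the message describes, added here as an example and not part of the original post or of GlassFish: it exposes the REMOTE_USER header through getRemoteUser and getUserPrincipal, but only for requests that arrive from the proxy, since a client that can reach the container directly could send the header itself. The class name ProxyRemoteUserFilter and the rule that only loopback peers are trusted are assumptions (the posted RewriteRule proxies to http://localhost).

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; map it in web.xml ahead of the application servlets.
public class ProxyRemoteUserFilter implements Filter {
    private static final String HEADER = "REMOTE_USER"; // header set by the Apache config in the post

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Assumption: Apache proxies from the same host, so only loopback peers are trusted.
        boolean fromProxy = InetAddress.getByName(http.getRemoteAddr()).isLoopbackAddress();
        final String user = http.getHeader(HEADER);
        // mod_headers writes the literal "(null)" when the env variable is unset, so reject it too.
        if (!fromProxy || user == null || user.trim().isEmpty() || user.equals("(null)")) {
            // A direct connection could forge the header, so refuse instead of trusting it.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final Principal principal = new Principal() {
            public String getName() { return user; }
        };
        // Downstream code sees the proxied identity through the standard servlet calls.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return principal; }
        }, res);
    }
}
```

The check on the peer address only holds if the container's HTTP listener is bound so that nothing but the Apache front end can connect to it.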