Just in case anyone's interested, I received some intricate explanations from the Apache users mailing list on why getRemoteUser won't work through a proxied connection. The closest I've gotten is to rewrite my Apache configuration to create a REMOTE_USER *HTTP header* for authenticated connections. This seems to work well, and can be accessed from Java using HttpServletRequest.getHeader. Because anyone connecting to our web applications has been authenticated by mod_auth_kerb, I believe this is sufficient for our applications to determine who has authenticated and act accordingly. If necessary, I should be able to update our servlet container to take the REMOTE_USER HTTP header and set it into a UserPrincipal object.
Here is our updated configuration:
------
<Location "/test">
order deny,allow
deny from all
AuthType KerberosV5
AuthName "kerberos"
Satisfy any
require valid-user
RewriteEngine on
RewriteCond %{REMOTE_USER} (.+)
RequestHeader Set Proxy-ip %{REMOTE_ADDR}e
RequestHeader Set Host ourserver.com:443
RequestHeader set REMOTE_USER %{REMOTE_USER}e
RewriteRule ^/var/www/html/test/(.*) http://localhost/cgi-bin/test/$1 [P,L,E=REMOTE_USER:%{REMOTE_USER}]
</Location>
------
And here is what it puts in rewrite.log:
------
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (3) [per-dir /test/] add path info postfix: /var/www/html/test -> /var/www/html/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (3) [per-dir /test/] applying pattern '^/var/www/html/test/(.*)' to uri '/var/www/html/test/remote.cgi'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (4) RewriteCond: input='dab66' pattern='(.+)' => matched
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (2) [per-dir /test/] rewrite /var/www/html/test/remote.cgi -> http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (5) setting env variable 'REMOTE_USER' to 'dab66'
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (2) [per-dir /test/] forcing proxy-throughput with http://localhost/cgi-bin/test/remote.cgi
192.168.213.159 - dab66 [29/Oct/2009:11:04:47 --0400] [ourserver.com/sid#8885358][rid#971a7d0/initial] (1) [per-dir /test/] go-ahead with proxy request proxy: http://localhost/cgi-bin/test/remote.cgi [OK]
------
[Message sent by forum member 'bougie' (dab66_at_cornell.edu)]
http://forums.java.net/jive/thread.jspa?messageID=370512
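
The last step mentioned in the post, mapping the REMOTE_USER header onto the servlet API, as an added example (not code from the original post or from any servlet container): a filter that accepts the header only when the connection comes from the loopback proxy, since a client that reaches the container directly can send any header value. The class name is hypothetical; it assumes the javax.servlet API and that Apache proxies to the container over localhost as in the configuration above.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): expose the proxy-set REMOTE_USER header
// through getRemoteUser()/getUserPrincipal(), trusting it only from loopback.
public class ProxyRemoteUserFilter implements Filter {
    private static final String HEADER = "REMOTE_USER"; // set by RequestHeader in Apache

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Assumption: Apache proxies to http://localhost/..., so the peer is loopback.
        // Any other peer bypassed mod_auth_kerb and can send whatever header it likes.
        if (!InetAddress.getByName(req.getRemoteAddr()).isLoopbackAddress()) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final String user = req.getHeader(HEADER);
        // mod_headers emits the literal "(null)" when the variable is unset.
        if (user == null || user.isEmpty() || "(null)".equals(user)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        final Principal principal = new Principal() {
            public String getName() { return user; }
        };
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return principal; }
        }, res);
    }
}
```

The loopback check does not distinguish Apache from other local processes on the same host, so the container's listener should also be bound to localhost only.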