Don Faulkner

Reputation: 121

Set REMOTE_USER in apache before proxy to tomcat

Is there a way in apache to set REMOTE_USER to a particular value for certain URLS, prior to AJP-proxying the request to tomcat?

I have an SSO (Apache/mod_shib)-fronted tomcat application. Some of the URLs still need to be publicly-accessible. I have shibboleth working for the protected part, but the public part still requires a username (can't change how the app works).

I can correctly identify the URLs that need to be public access and turn off shibboleth authentication for them. When I do so, there's now no user defined, so the system refuses to let me in.

What I think I want to do is this:

    IF URL matches pattern:
        turn off shibboleth
        force set REMOTE_USER="anonymous" //and maybe AJP_REMOTE_USER, too?!

I tried using FakeBasicAuth to achieve that last bit, but the user appears to be set after the proxy occurs. Is there a way to do this? Maybe there's a better way?

A less desirable alternative would be to configure the tomcat application to use something besides REMOTE_USER and then try setting that value with mod_rewrite. I'd rather not do that, because then the username won't show up in the tomcat access logs.

Upvotes: 0

Views: 2172

Answers (3)

Raff

Reputation: 61

A suggestion for Apache HTTPD and mod_jk:

If you prefer "anonymous" as REMOTE_USER for Tomcat:

    <Location unprotectedURL>
    RewriteEngine On
    RewriteRule .* - [E=JK_REMOTE_USER:anonymous]
    </Location>

https://tomcat.apache.org/connectors-doc/common_howto/proxy.html

To disable the Shibboleth session requirement:

    <Location unprotectedURL>
    ShibRequestSetting requireSession 0
    </Location>

https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335062/Apache#Enabling-the-Module-for-Authentication

The combination should give you a publicly accessible URL with a user set behind the scenes.

Upvotes: 0

Juan Domenech

Reputation: 366

Example that populates the X-Remote-User header with the content of the REMOTE_USER variable after authentication and sends that header to a backend proxy (Apache 2.4.6).

    # Example for Apache 2.4.6

    <VirtualHost *:80>

        RewriteEngine on
        <Location />

            ###############################################
            # Your authentication logic here
            AuthType .......
            AuthName .......
            AuthBasicProvider .......
            .... etc
            Require valid-user
            ###############################################

            RewriteCond %{LA-U:REMOTE_USER} (.+)
            RewriteRule . - [E=RU:%1]
            RequestHeader set X-Remote-User %{RU}e

        </Location>

        ProxyTimeout 300
        ProxyPass / http://localhost:81/
        ProxyPassReverse / http://localhost:81/

    </VirtualHost>

Upvotes: 0
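
A hardened variant of the header approach in the answer above, as an added example that is not part of the original answer: the backend trusts X-Remote-User, so the proxy removes any client-supplied copy before setting its own. The `/public` path and the fixed value `anonymous` are assumptions taken from the question's scenario; the authentication directives stay elided as in the answer.

```apache
# Added example, not the answer author's configuration.
# Assumptions: backend on localhost:81, public area under /public.
<VirtualHost *:80>

    RewriteEngine on

    # Server-level RequestHeader directives are applied before the ones
    # inside <Location>, so a client-supplied X-Remote-User is discarded
    # first and only a value set below can reach the backend.
    RequestHeader unset X-Remote-User

    # Protected area: authenticated user name is forwarded.
    <Location />
        # ... authentication directives and "Require valid-user" go here ...

        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        # env=RU: only set the header when a user name was captured,
        # otherwise the request goes on without the header.
        RequestHeader set X-Remote-User %{RU}e env=RU
    </Location>

    # Public area (hypothetical path): no login, fixed identity.
    # This section comes later, so its Require and header win for /public.
    <Location /public>
        Require all granted
        RequestHeader set X-Remote-User anonymous
    </Location>

    ProxyTimeout 300
    ProxyPass / http://localhost:81/
    ProxyPassReverse / http://localhost:81/

</VirtualHost>
```

The backend on port 81 should accept connections only from the proxy, since anything that reaches it directly can present any X-Remote-User value.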

Francesco Malvezzi

Reputation: 126

Manipulating the REMOTE_USER env variable is very difficult, and if you have the extra constraint of doing it at the very beginning of the connection, I would try mod_security.

Unfortunately writing rules for mod_security is not the easiest thing in the world.

Upvotes: 0
