[TriLUG] Apache: modifying REMOTE_USER (w/ Tomcat)
Scott Lundgren
trilug at capitalfellow.com
Wed Dec 7 10:58:33 EST 2005
> The issue surrounds authentication via Shibboleth. The basic auth
> workflow is as follows:
> - Unauthenticated request comes in from the client
> - "Require valid-user" directive in HTTPD configuration forwards request
>   to the Shibboleth module (via Authtype Shibboleth, implemented by
>   mod_shib)
> - Shibboleth module handles authentication and sets the REMOTE_USER
> variable in the HTTPD request if auth is successful
>
Jeremy,
I think your best bet is to modify mod_shib if it is responsible for
the second step of setting the remote_user variable. The reason I say
that is because, while JSPs/Servlets have the concept of request chaining &
allowing you to modify the request before handing the request to the next
logical step, you'll effectively be writing a proxy. Your flow would
be:
httpd --> mod_shib --> mod_jk --> a web application of 1 servlet that
takes requests sent to it, lower cases auth_user then forwards to -->
your web application
This is a very simple servlet to write. I would suggest passing the URL
of the target web application as a runtime configuration parameter to
make this tool more flexible for other Shibboleth applications.
- SL
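
A sketch of the forwarding servlet described in the message above, as an added example that is not code from the original post or from the Shibboleth or Tomcat projects. The class name `LowercaseUserServlet` and the init-param name `targetContext` are hypothetical. It assumes the `javax.servlet` API, a Tomcat AJP connector with `tomcatAuthentication="false"` so that httpd's REMOTE_USER reaches `getRemoteUser()`, and `crossContext="true"` on this servlet's context so it may forward into the target application.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class: deploy in its own web application, mapped to /*.
public class LowercaseUserServlet extends HttpServlet {
    // Context path of the real application, from init-param "targetContext"
    // (assumed name), e.g. "/myapp".
    private String targetContext;

    @Override
    public void init() throws ServletException {
        targetContext = getInitParameter("targetContext");
        if (targetContext == null || !targetContext.startsWith("/")) {
            throw new ServletException("init-param targetContext must be a context path");
        }
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final String user = req.getRemoteUser();
        if (user == null) {
            // Fail closed: the request did not arrive with an authenticated
            // user, so do not forward it to the protected application.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Locale.ROOT keeps the result independent of the JVM default locale.
        final String normalized = user.toLowerCase(Locale.ROOT);
        HttpServletRequest wrapped = new HttpServletRequestWrapper(req) {
            @Override
            public String getRemoteUser() {
                return normalized;
            }
        };
        // getContext() returns null when cross-context access is not enabled.
        ServletContext target = getServletContext().getContext(targetContext);
        String path = req.getPathInfo() == null ? "/" : req.getPathInfo();
        RequestDispatcher rd = (target == null) ? null : target.getRequestDispatcher(path);
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY);
            return;
        }
        rd.forward(wrapped, resp);
    }
}
```

Only `getRemoteUser()` is overridden here; a target application that reads `getUserPrincipal()` instead would still see the original casing.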