[TriLUG] Apache: modifying REMOTE_USER (w/ Tomcat)

Jeremy Portzer jeremyp at pobox.com
Wed Dec 7 20:09:39 EST 2005


On Wed, 7 Dec 2005, Scott Lundgren wrote:

> > The issue surrounds authentication via Shibboleth.  The basic auth
> > workflow is as follows:
> > - Unauthenticated request comes in from the client
> > - "Require valid-user" directive in HTTPD configuration forwards request
> > to the Shibboleth module (via Authtype Shibboleth, implemented by
> > mod_shib)
> > - Shibboleth module handles authentication and sets the REMOTE_USER
> > variable in the HTTPD request if auth is successful
> >
> 
> Jeremy,
> 
> I think your best bet is to modify mod_shib if it is responsible for 
> the second step of setting the remote_user variable. 

Thanks, I didn't even think of that, not sure why.  This is OSS and I 
should be able to hack in a patch somewhere that lowercases the variable.  
I think we are having to compile mod_shib anyway to change some other 
compile-time option, so this wouldn't be that added a burden.

> the reason I say 
> that because while JSPs/Servlet have the concept of request chaining & 
> allowing to modify the request before handing the request to the next 
> logical step, you'll effectively be writing a proxy. Your flow would 
> be:
> httpd --> mod_shib -->  mod_jk --> a web application of 1 servlet that 
> takes requests sent to it, lower cases auth_user then forwards to --> 
> your web application
> 
> This is a very simple servlet to write. I would suggest passing the URL 
> of the target web application as a runtime configuration parameter to 
> make this tool more flexible for other shibboleth applications.

Thanks.  I just don't have the Java and servlet experience to figure this
out from the ground up, but maybe it would be a good simple project to
learn on.

--Jeremy

-- 
/---------------------------------------------------------------------\
| Jeremy Portzer        jeremyp at pobox.com      trilug.org/~jeremy     |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\---------------------------------------------------------------------/
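
Added example, not part of the original message and not code from mod_shib or Tomcat: the lowercasing step discussed in this thread, done as a servlet Filter inside the target web application instead of the separate forwarding servlet Scott describes. The class name is hypothetical, and it assumes the application reads the identity through getRemoteUser() or getUserPrincipal() and is built against the javax.servlet API.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical class name; map it to /* in the web application's web.xml.
public class LowercaseRemoteUserFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    // Locale.ROOT keeps the mapping identical on every host. The default
    // locale can fold "I" differently (Turkish, for instance), which would
    // give the same user two different account names on different servers.
    static String normalize(String user) {
        return user == null ? null : user.toLowerCase(Locale.ROOT);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) req;
        // Unauthenticated requests stay unauthenticated (null is preserved).
        final String user = normalize(http.getRemoteUser());
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            // Keep the principal consistent with getRemoteUser() so that
            // code using either accessor sees the same lowercased name.
            @Override public Principal getUserPrincipal() {
                if (user == null) return null;
                return new Principal() {
                    public String getName() { return user; }
                };
            }
        }, res);
    }
}
```

The filter only changes what the application sees; container-managed role checks that ran before the filter chain still used the original mixed-case name.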


