[TriLUG] Apache: modifying REMOTE_USER (w/ Tomcat)

Scott Lundgren trilug at capitalfellow.com
Wed Dec 7 10:58:33 EST 2005


> The issue surrounds authentication via Shibboleth.  The basic auth
> workflow is as follows:
> - Unauthenticated request comes in from the client
> - "Require valid-user" directive in HTTPD configuration forwards request
> to the Shibboleth module (via Authtype Shibboleth, implemented by
> mod_shib)
> - Shibboleth module handles authentication and sets the REMOTE_USER
> variable in the HTTPD request if auth is successful
>

Jeremy,

I think your best bet is to modify mod_shib if it is responsible for 
the second step of setting the remote_user variable. The reason I say 
that is because while JSPs/Servlets have the concept of request chaining & 
allowing you to modify the request before handing the request to the next 
logical step, you'll effectively be writing a proxy. Your flow would 
be:
httpd --> mod_shib --> mod_jk --> a web application of 1 servlet that 
takes requests sent to it, lowercases auth_user then forwards to --> 
your web application

This is a very simple servlet to write. I would suggest passing the URL 
of the target web application as a runtime configuration parameter to 
make this tool more flexible for other Shibboleth applications.

- SL
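
The proxy servlet outlined in the reply above, as an added example that is not part of the original post and not Shibboleth or Tomcat project code. The class name and the `targetContext` init-param are assumptions, it uses the `javax.servlet` API, and it assumes the proxy webapp's Tomcat `<Context>` has `crossContext="true"` so it may forward into the target application.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Locale;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical proxy servlet: lowercases the user name set by mod_shib,
// then forwards the request to the real web application.
public class LowercaseUserProxyServlet extends HttpServlet {
    private String targetContextPath; // e.g. "/myapp" (init-param name is assumed)

    @Override
    public void init() throws ServletException {
        targetContextPath = getInitParameter("targetContext");
        if (targetContextPath == null || !targetContextPath.startsWith("/")) {
            throw new ServletException("init-param targetContext must be a context path");
        }
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();
        if (user == null) {
            // No identity arrived from the front end: fail closed, do not forward.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Locale.ROOT keeps the mapping independent of the server's default locale.
        final String normalized = user.toLowerCase(Locale.ROOT);
        HttpServletRequest wrapped = new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return normalized; }
            // Keep both identity accessors consistent for the target application.
            @Override public Principal getUserPrincipal() { return () -> normalized; }
        };
        // getContext() returns null when cross-context access is not permitted.
        ServletContext target = getServletContext().getContext(targetContextPath);
        if (target == null) {
            throw new ServletException("no cross-context access to " + targetContextPath);
        }
        String path = (req.getPathInfo() == null) ? "/" : req.getPathInfo();
        target.getRequestDispatcher(path).forward(wrapped, resp);
    }
}
```

The target application only sees the normalized name when requests reach it through this servlet, so its own URL should not be reachable directly from httpd.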



