
Rewrite authenticated Apache2.2 user for mod_proxy_ajp

I have a Tomcat connected via mod_proxy_ajp to an Apache2.2 instance. Apache does the authentication via mod_auth_kerb, and Tomcat uses request.getRemoteUser() to get the authenticated user.

This basically works, but I want to rewrite the user. However, none of the headers I set affect what is returned by request.getRemoteUser(); I only see them as additional headers. What do I have to do?

    # Rewrite Magic: change REMOTE_USER to something Alfresco expects
    RewriteEngine On

    RewriteMap domain_map txt:/etc/apache2/rewrite-map.txt

    # Grab the REMOTE_USER apache environment variable for HTTP forwarding (requires sub-request!)
    RewriteCond %{LA-U:REMOTE_USER} (.*)@(.*)

    # change the format and replace the domain, e.g.: 
    # user@some.domain  ==>  other.domain_user
    RewriteRule . - [E=RU:${domain_map:%2|%2}_%1]

    # copy processed user to HTTP headers
    RequestHeader set REMOTE_USER %{RU}e
    RequestHeader set HTTP_REMOTE_USER %{RU}e
    RequestHeader set AJP_REMOTE_USER %{RU}e
    RequestHeader set AJP_HTTP_REMOTE_USER %{RU}e

Thanks!


I suspect that the headers are not being set as you expect them to be set, and they are getting to Tomcat empty.

I have experienced some puzzling processing order issues that caused RequestHeader to ignore the environment variables set by a RewriteRule. Take a look at https://stackoverflow.com/a/9303018/239408 in case it helps.


It seems the getRemoteUser() value cannot be overwritten by Apache header directives, as the AJP protocol handler gets the username from some internal Apache structure. I worked around this by sending the username via HTTP header and modifying the Java code to use that instead of using getRemoteUser().
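
The header-based workaround described in the last answer, as an added example that is not code from the original posts: a servlet filter that reads the user from the header Apache sets and returns it from getRemoteUser(), refusing the request when the header is missing, repeated or malformed. Assumptions: the javax.servlet 3.0 API, the hypothetical class name ProxyUserFilter, the header name REMOTE_USER from the question's configuration, a user-name shape like "other.domain_user", and an AJP port that accepts connections only from Apache, since Tomcat trusts whatever this header contains.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example (hypothetical class): exposes the Apache-rewritten user via getRemoteUser(). */
public class ProxyUserFilter implements Filter {
    // Header name taken from the question's "RequestHeader set REMOTE_USER %{RU}e".
    static final String HEADER = "REMOTE_USER";
    // Assumed shape of the rewritten name, e.g. "other.domain_user". The pattern also
    // rejects the literal "(null)" that mod_headers writes when %{RU}e is unset.
    static final Pattern VALID = Pattern.compile("[A-Za-z0-9.-]+_[A-Za-z0-9._-]+");

    /** Returns the user name, or null if the header is missing, repeated or malformed. */
    static String extractUser(List<String> values) {
        if (values.size() != 1) {
            return null; // absent, or more than one value: do not guess which one is real
        }
        String v = values.get(0).trim();
        return VALID.matcher(v).matches() ? v : null;
    }

    public void init(FilterConfig cfg) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final String user = extractUser(Collections.list(http.getHeaders(HEADER)));
        if (user == null) {
            // Fail closed: never fall through to the application without an identity.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Downstream code keeps calling getRemoteUser() and now sees the rewritten name.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public String getRemoteUser() {
                return user;
            }
        }, res);
    }
}
```

On the Apache side, `RequestHeader set` replaces any REMOTE_USER header the client sent, so the directive has to stay in place for every path that is proxied to Tomcat.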
