
Forward REMOTE_USER to tomcat via AJP (e.g. for shibboleth)

Today I just got stuck with the following problem:

1. I configured apache for basic authentication (require valid user); which worked.
2. I further configured apache to forward requests for some path (/idp in my case) to a tomcat servlet (shibboleth IDP).

The result was that the shibboleth IdP (ECP profile) told me there was no "REMOTE_USER" set (it's using the httpRequest.getRemoteUser() method to check this; it returned null).

I tried a lot of things like SetEnv and RewriteRule stuff, but without success.

The solution is quite simple, but rather hard to find... so I decided to post it here to help others solve that kind of issue.

Regards Stefan

asked Dec 06 '12 17:12

SDwarfs


1 Answer

Ok, here's my solution. I found that tomcat needs to be configured to trust/accept the authentication that was done by apache2...

To do this, you have to edit the server.xml of tomcat (should be at /etc/tomcat6/server.xml or similar) and add tomcatAuthentication="false" to your <Connector> tag for the AJP connection. My Connector tag now looks like this:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
   tomcatAuthentication="false" /> 

Now you just need to restart tomcat... finished.

Hope this helps! ;-)

Stefan

Explanation:

"tomcatAuthentication" -- "If set to true, the authentication will be done in Tomcat. Otherwise, the authenticated principal will be propagated from the native webserver and used for authorization in Tomcat. The default value is true."

Quoted from: http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html

answered Oct 12 '22 18:10

SDwarfs
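
With tomcatAuthentication="false", Tomcat accepts whatever user the AJP peer sends, so the AJP port should be reachable only by the Apache front end. The following is an added example, not part of the original answer: a Python check that lists AJP connectors in a server.xml which trust the forwarded user without an explicit loopback `address` or a shared `secret`/`requiredSecret`. The sample XML, the function names and the placeholder secret are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not from the original post): port 8009 mirrors the answer's
# connector, port 8010 adds a loopback bind and a placeholder shared secret.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secret="CHANGE-ME-PLACEHOLDER" tomcatAuthentication="false" />
  </Service>
</Server>
"""

def _is_loopback(address):
    """True only when the connector is explicitly bound to a loopback address."""
    if not address:
        return False  # no address attribute: assume unrestricted (conservative)
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"

def audit_ajp_connectors(server_xml):
    """Return (port, missing_controls) for AJP connectors that trust the proxy's user."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        # Default is "true": Tomcat authenticates itself and ignores the forwarded user.
        if conn.get("tomcatAuthentication", "true").lower() != "false":
            continue
        missing = []
        if not _is_loopback(conn.get("address")):
            missing.append("loopback address")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            missing.append("secret")
        if missing:
            findings.append((conn.get("port"), missing))
    return findings

if __name__ == "__main__":
    for port, missing in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP port {port} trusts forwarded user; missing: {', '.join(missing)}")
```
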