使用AJP在Tomcat中模拟和/或启用单一登录

Question

I have apache forwarding requests to tomcat using ajp. My app in tomcat uses basic authentication via tomcat-users user database. Users are listed there, given roles, and everything works great.

However, my users have id cards they plug into their workstations which identify them by a unique number. I don't know the details of this, but apache and the browser has some module(s) which automatically identifies the user and essentially authenticates her and REMOTE_USER is available when in the apache environment.

Unfortunately, REMOTE_USER isn't available in tomcat (via the request.getRemoteUser()), so the user is prompted to log in when going to my tomcat app. I found this thread:

Forward REMOTE_USER to tomcat via AJP (eg for shibboleth)

Which describes that you can disable tomcat authentication, which makes the REMOTE_USER available in tomcat, but since we've disabled the tomcat authentication, there are no longer any roles assigned to the user.

To be clear, I've added this id number to the tomcat-users but it doesn't help:

<user username="billg" password="pass" roles="ceo"/>
<!-- billg's id number -->
<user username="12345@ms" roles="ceo"/>

I know this is a somewhat unique environment and request, but does anyone have experience with making something like this work?

FWIW: This is apache 2.2+ and tomcat 6 (but if there's a solution for tomcat 7+ I'm interested in that as well).

Thanks!

Answer 1

You want to set tomcatAuthentication="false" in your server.xml 's AJP <Connector> configuration.

See Tomcat's AJP Connector Configuration Guide for reference.

While the reference I gave was for Tomcat 8, the same technique also applies to Tomcat 7 and Tomcat 6 as well. But you may as well upgrade to Tomcat 8 since it's stable and Tomcat 6 is in maintenance mode these days and doesn't get much in the way of improvements.