Apache & Tomcat reverse proxy with basic authentication: Can Tomcat receive the username?
I've successfully configured Apache to listen over SSL/443 and proxy to Tomcat listening on HTTP/8080. I have also set up basic authentication in Apache.
Once the user connects to my Tomcat servlet, will HttpServletRequest.getRemoteUser() be populated or null? If null, how might I get the remote user?
The simplest solution may be to use mod_proxy_ajp, which in addition to proxying requests also transfers a variety of metadata to Tomcat, including authentication information such as REMOTE_USER.
These docs for Alfresco discuss this configuration, which includes changes on both the Tomcat side (so that it knows to trust the forwarded authentication) and the Apache side.
If you're using a generic HTTP proxy like mod_proxy, you would need to arrange for Apache to add the value of REMOTE_USER to the request (possibly as an X- header), and then arrange for your Tomcat application to recognize and trust that header (and you would obviously need to arrange for your front-end proxy to strip that header from any incoming requests).
I don't know how you would do this on the Tomcat side, but this post seems to have some suggestions.
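A Tomcat-side filter for the mod_proxy approach, added here as an illustration (it is not code from the answer above or from any project). It assumes Apache forwards REMOTE_USER in a header named X-Remote-User, strips that header from incoming client requests, and connects to Tomcat from 127.0.0.1; both names are assumptions for this example.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Example filter (not from the post): honour X-Remote-User only from the trusted proxy.
public class ProxyRemoteUserFilter implements Filter {
    private static final String HEADER = "X-Remote-User";      // assumed header name
    private static final String TRUSTED_PROXY = "127.0.0.1";  // assumed proxy address

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getHeader(HEADER);
        // Trust the header only when the TCP peer is Apache; otherwise stay anonymous.
        if (user != null && !user.isEmpty() && TRUSTED_PROXY.equals(http.getRemoteAddr())) {
            chain.doFilter(new RemoteUserRequest(http, user), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    // Wrapper so servlets see the forwarded user through the standard API.
    static class RemoteUserRequest extends HttpServletRequestWrapper {
        private final String user;

        RemoteUserRequest(HttpServletRequest req, String user) {
            super(req);
            this.user = user;
        }

        @Override public String getRemoteUser() { return user; }
        @Override public Principal getUserPrincipal() { return () -> user; }
    }
}
```

Map the filter to /* in web.xml, and bind Tomcat's 8080 connector to the loopback address so that the Apache proxy is the only peer that can reach it with that header.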
I needed to add
<Location />
    Order allow,deny
    Allow from all
    # RequestHeader is provided by mod_headers; this drops the client's
    # Authorization header before the request is proxied to Tomcat
    RequestHeader unset Authorization
</Location>
to the wrapping location, the RequestHeader being the specialty that fixed it.
I found this (again) via http://codeblow.com/questions/remove-fundamental-authentication-header-with-apache-mod-proxy/ - don't know where I originally found it last year; it was a last measure for some security issue.