[Bug 62496] New: Add possibility write remote user/auth type to response header

Wed, 27 Jun 2018 07:26:47 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=62496

            Bug ID: 62496
           Summary: Add possibility write remote user/auth type to
                    response header
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ----

I have a fairly simple usecase for an enhancement request from which a lot of
users can benefit.

Use case:

* Apache HTTPd (2.4.33) <====> Tomcat (8.5.30) via mod_proxy
* Apache logs with CustomLog ... common
* VirtualHost does not only proxy Tomcat, also hosts other unrelated apps
(.e.g, Subversion), so changing the log format is not an option
* Tomcat performs authentication
* Apache logs the requests, but remote_user column is empty. This is ugly and I
do not really want duplicate logging, i.e., on both sides or if both need to be
consistent.

Thanks to rjung@ and jim@ I worked out a solution which does a nice job.

httpd-tomcat.conf:
> <Location "/app">
>     ProxyPreserveHost On
>     ProxyPass ..
>     ProxyPassReverse ..
>     RequestHeader set X-Forwarded-Proto "https"
>     Header note X-Remote-User REMOTE_USER
>     LuaHookLog /usr/local/etc/apache24/register_remote_user.lua 
> register_remote_user
> </Location>

register_remote_user.lua:
> require 'apache2'
> 
> function register_remote_user(r)
>     local remote_user = r.notes["REMOTE_USER"]
>     if remote_user ~= nil then
>         r.user = remote_user
>         -- not implemented in mod_lua
>         -- r.ap_auth_type = "SPNEGO"
>     end
>     return apache2.OK
> end

On the Tomcat side I have added:
> public class ResponseRemoteUserValve extends ValveBase {
> 
>       @Override
>       public void invoke(Request request, Response response) throws 
> IOException, ServletException {
>               String remoteUser = request.getRemoteUser();
> 
>               if (remoteUser != null) {
>                       response.setHeader("X-Remote-User", remoteUser);
>               }
> 
>               getNext().invoke(request, response);
>       }
> 
> }

Ideally for request#getAuthType() to X-Remote-AuthType too. I think this is
suitable for either AuthenticatorBase or RemoteIPValve.

Comments and ideas welcome!

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to