https://bz.apache.org/bugzilla/show_bug.cgi?id=57708
Bug ID: 57708
Summary: [Patch] Authentication by reverse proxy, authorization by Tomcat
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: minf...@sharp.fm

Created attachment 32567
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32567&action=edit
Patch for tomcat v7.0.x

In the current implementation of the tomcatAuthentication parameter, this allows the REMOTE_USER variable from the webserver to be used as the principal for the tomcat request. A side effect of this option is that if the web application uses roles (authorization), the roles will be silently ignored, and the user will be locked out. This limits the usefulness of tomcatAuthentication.

The attached patches introduce the tomcatAuthorization flag. When true, the REMOTE-USER will be used as the principal, while authorization will continue in Tomcat as normal.

What this means practically is that it now becomes possible to place a webserver in front of a web application, and the authentication performed by the webserver will cleanly replace the authentication performed by tomcat, while leaving the web application authorization configuration intact.
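
A configuration sketch of the setup the report describes, added here as an illustration and not taken from the attached patch. The connector address, port, secret placeholder, URL pattern and the `reports` role are assumptions.

```xml
<!-- conf/server.xml (fragment)
     AJP connector that takes the proxy's REMOTE_USER as the principal and
     still lets Tomcat's realm assign roles, using the tomcatAuthorization
     flag proposed in this report. Because the connector trusts whatever
     user name arrives over AJP, it is bound to loopback and protected by a
     shared secret ("requiredSecret" on older releases) so that only the
     fronting web server can assert an identity. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secret="REPLACE-WITH-LONG-RANDOM-VALUE"
           tomcatAuthorization="true" />

<!-- WEB-INF/web.xml (fragment)
     The application's authorization rules stay as they are. No login-config
     is needed for this path because the web server has already
     authenticated the user. The role name "reports" is hypothetical. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>reports</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>reports</role-name>
</security-role>

<!-- The configured Realm must know the user name the proxy sends and map it
     to "reports". A user name the Realm does not recognise ends up with no
     roles and is denied by the constraint above, which is the fail-closed
     outcome to verify when testing this setup. -->
```

When testing, request a constrained URL once as a user the realm maps to the role and once as a user it does not know, and confirm the second request is rejected with 403 and not served.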