https://bz.apache.org/bugzilla/show_bug.cgi?id=57708
Bug ID: 57708
Summary: [Patch] Authentication by reverse proxy, authorization
by Tomcat
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: minf...@sharp.fm
Created attachment 32567
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32567&action=edit
Patch for tomcat v7.0.x
In the current implementation of the tomcatAuthentication parameter, this
allows the REMOTE_USER variable from the webserver to be used as the principal
for the tomcat request.
A side effect of this option is that if the web application uses roles
(authorization), the roles will be silently ignored, and the user will be
locked out.
This limits the usefulness of tomcatAuthentication.
The attached patches introduce the tomcatAuthorization flag. When true, the
REMOTE-USER will be used as the principal, while authorization will continue in
Tomcat as normal.
What this means practically is that it now becomes possible to place a
webserver in front of a web application, and the authentication performed by
the webserver will cleanly replace the authentication performed by tomcat,
while leaving the web application authorization configuration intact.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
