https://bz.apache.org/bugzilla/show_bug.cgi?id=57708

            Bug ID: 57708
           Summary: [Patch] Authentication by reverse proxy, authorization
                    by Tomcat
           Product: Tomcat 9
           Version: unspecified
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: minf...@sharp.fm

Created attachment 32567
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32567&action=edit
Patch for tomcat v7.0.x

The current implementation of the tomcatAuthentication parameter allows the
REMOTE_USER variable from the webserver to be used as the principal for the
Tomcat request.

A side effect of this option is that if the web application uses roles
(authorization), the roles will be silently ignored, and the user will be
locked out.

This limits the usefulness of tomcatAuthentication.

The attached patches introduce the tomcatAuthorization flag. When true, the
REMOTE_USER will be used as the principal, while authorization will continue in
Tomcat as normal.

What this means practically is that it now becomes possible to place a
webserver in front of a web application, and the authentication performed by
the webserver will cleanly replace the authentication performed by Tomcat,
while leaving the web application authorization configuration intact.

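The set-up the report describes, as an added configuration example that is not part of the original message or the attached patch. It assumes the flag is set as an attribute on the AJP connector and that roles come from the default tomcat-users.xml realm; the port, address, URL pattern, role and user name are constructed for illustration.

```xml
<!-- Added example; port, address, role and user names are constructed. -->

<!-- conf/server.xml, before: the proxy's REMOTE_USER becomes the principal,
     but it carries no roles, so a role-based constraint locks the user out. -->
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
           tomcatAuthentication="false" />

<!-- conf/server.xml, after: REMOTE_USER is still the principal, and Tomcat
     goes on to evaluate the application's role constraints for that name.
     Keep the AJP port reachable only by the proxy, because the user name
     is accepted on trust from whatever connects to it. -->
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
           tomcatAuthorization="true" />

<!-- WEB-INF/web.xml: the application's authorization config, unchanged. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>reports</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>report-reader</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>report-reader</role-name>
</security-role>

<!-- conf/tomcat-users.xml (assumed realm): maps the proxy-authenticated
     name to roles. The password is a constructed placeholder; the proxy,
     not Tomcat, checks credentials in this set-up. -->
<user username="alice" password="constructed-unused" roles="report-reader" />
```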