File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Servlets and the fly likes REMOTE_USER env variable not passed from apache to tomcat? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "REMOTE_USER env variable not passed from apache to tomcat?" Watch "REMOTE_USER env variable not passed from apache to tomcat?" New topic

REMOTE_USER env variable not passed from apache to tomcat?

Shane Doucette

Joined: Jun 26, 2002
Posts: 4
Hi all,
I'm having troubles with reading the REMOTE_USER variable in a servlet.
Here's some environment background: we have a set of jsp applications, served by tomcat 4.0.4 thru apache via mod_jk, which are protected by .htaccess. We have to use .htaccess files, as we are having the users authenticate using a Kerberos ID and password.
The following code used to return the username entered at the .htaccess prompt, when we were using Tomcat 3.2.2, but when we moved to 4.0.4, getRemoteUser returns null.

Now, I've read that I may need to create a realm in my server.xml, but that doesn't seem to be the way to go for my needs, as it's required that I use the .htaccess. Unless of course there's some sort of kerberos realm I can define...
Anyhow, if anyone has any suggestions as to what we might be doing wrong, it would certainly help. We've been banging our heads against this for two days now!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17417

Hmmmm. Sounds like a possible conflict between Apache user validation and J2EE user validation.
While it's possible that this is just a bug in the Apache-to-Tomcat pipeline, I think that in an "ideal" world, a J2EE app isn't supposed to be be dependent on outside help - their security system is expected to be self-contained. Otherwise portability suffers and it's even possible that the Apache server and Tomcat servers might conflict about what's allowed and what isn't. So most likely, to truly fix things, you're going to have to use the packages with a Kerberos security plugin rather than depend on Apache. The self-containedness aspect means that to make a truly portable WAR/EAR, you must also be serving up the HTML and multimedia files from Tomcat, BTW.
Why the change? Tomcat 4 implements a newer J2EE standard. Formerly, thanks to U.S. government restrictions on "munitions", encrpytion wasn't part of the Java standard package set.
Note that if "purity" would kill performance or require a major rewrite, the source code to Apache and the connector are available for the tweaking.

An IDE is no substitute for an Intelligent Developer.
I agree. Here's the link:
subject: REMOTE_USER env variable not passed from apache to tomcat?
It's not a secret anymore!