Channel: Software Communities : Popular Discussions - All Things Unix

mod_auth_vas, Tomcat, mod_jk and getRemoteUser() == null

Hi, everyone.

VAS+mod_auth_vas can be used to authenticate for Tomcat servlets. You only need to install the mod_jk module into Apache and tweak a connector. Tomcat generally comes with a pre-configured AJP connector that will listen to mod_jk.

The biggest 'gotcha' is that you will need to configure Tomcat so that it stops doing its own authentication, and starts believing the auth information supplied by Apache. This is done by turning off the connector's tomcatAuthentication property, which normally defaults to 'true'. Do this either by editing $BASEDIR/conf/jk2.properties and adding
request.tomcatAuthentication=false
OR by editing $BASEDIR/server.xml, finding the AJP connector and adding tomcatAuthentication="false" as an attribute. For example:
<Connector port="8009"
    enableLookups="false" redirectPort="8443" debug="0"
    protocol="AJP/1.3"
    tomcatAuthentication="false"  />
Be sure to add a <Location> element somewhere in Apache's configuration area that enables mod_auth_vas for the servlets you want to protect. For example, I test with this:
<Location "/servlets-examples">
    AuthType VAS
    Require valid-user
</Location>
After this, the servlets' request.getAuthType() will return "VAS" and request.getRemoteUser() will return the User Principal Name of the authenticated user, e.g. "user@DOMAIN.COM" (not the unix user name... unless you enable AuthVasLocalizeUserName, a new option in mod_auth_vas-3.4).

Please note that mod_auth_vas does not do NTLM authentication; it only does GSSAPI/Kerberos. You should look to Quest's VSJ product to support NTLM, and for excellent supported integration into other application server products (like websphere, jboss, etc).

Cheers!

d
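
A configuration check for the setup described in the post above, as an added example that is not part of the original post: it reads a server.xml, finds each AJP connector and reports whether tomcatAuthentication is turned off. The sample XML is constructed, and the look at the connector's `address` attribute is an addition beyond the post, on the assumption that a connector which believes Apache's auth information should be reachable only by Apache.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one AJP connector set up as in the post,
# one AJP connector left at its defaults, and one HTTP connector.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" />
    <Connector port="8010" protocol="AJP/1.3" />
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector found in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # only AJP connectors receive auth info from mod_jk
        # The property defaults to 'true' when the attribute is absent (per the post).
        value = conn.get("tomcatAuthentication", "true").strip().lower()
        trusts_apache = value == "false"
        address = conn.get("address")  # None when no bind address is configured
        notes = []
        if not trusts_apache:
            notes.append("Tomcat does its own authentication; getRemoteUser() "
                         "will not carry the mod_auth_vas user")
        elif address is None:
            # Assumption added here: the bind address then depends on Tomcat's default.
            notes.append("Tomcat believes the user sent over AJP and no bind "
                         "address is set; confirm only Apache can reach this port")
        findings.append({"port": conn.get("port"), "trusts_apache": trusts_apache,
                         "address": address, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f["port"], "trusts_apache=%s" % f["trusts_apache"],
              "address=%s" % f["address"], "; ".join(f["notes"]) or "ok")
```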
