Bug 47327 - Return tomcat authenticated user back to mod_jk (AJP improvement)
Status: NEW
Alias: None
Product: Tomcat Connectors
Classification: Unclassified
Component: mod_jk
Version: 1.2.28
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2009-06-07 05:04 UTC by Martin Kofahl
Modified: 2019-06-16 14:22 UTC

make remote_user appear in apache access_log (1.35 KB, patch)
2009-06-07 05:04 UTC, Martin Kofahl

Description Martin Kofahl 2009-06-07 05:04:21 UTC
Created attachment 23769
make remote_user appear in apache access_log

Apache 2.2 (with no mod_auth_* compiled) does not log remote_user in its logfiles if authentication is done by tomcat only. JkEnvVar REMOTE_USER only forwards usernames from apache to tomcat but not the other way round.

For audit reasons, it's worthwhile to have the username in the primary logfile, because '-' is logged otherwise, which implies misconfiguration of tomcat.

The attached patch decodes the authentication header (http basic only!) itself if it's not already done by apache, because jk_ws_service_t->remote_user is not set by tomcat to inform mod_jk likewise. But actually, I would like to have mod_jk logging the user tomcat sees, so the patch is only some kind of workaround!
Comment 1 Rainer Jung 2011-10-25 19:05:40 UTC
This would be a protocol enhancement for AJP.

You can work around the issue by using a filter that returns the user id as a response header. Response headers can be logged with mod_log_config using the %{headername}o syntax in the LogFormat.

Note that a response header is sent to the client. Usually there should be no security issue in passing the user name back to the client, but in special cases it might be.
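
The workaround described in Comment 1, sketched as an added example (not part of the bug report or of the Tomcat project's code): a servlet filter that copies the container-authenticated user into a response header so that httpd can log it with `%{headername}o`. The header name `X-Authenticated-User`, the class name, the log format nickname and the `javax.servlet` API generation are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Matching httpd configuration (mod_log_config), with the header in the
// position where %u would otherwise log '-':
//   LogFormat "%h %l %{X-Authenticated-User}o %t \"%r\" %>s %b" tomcatuser
//   CustomLog logs/access_log tomcatuser
public class RemoteUserHeaderFilter implements Filter {

    // Hypothetical header name; the client also receives this header.
    static final String HEADER = "X-Authenticated-User";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            // Container-managed authentication has already run when filters
            // execute, so getRemoteUser() is the user Tomcat sees (or null).
            String user = ((HttpServletRequest) req).getRemoteUser();
            if (user != null) {
                // Set before chain.doFilter(): headers added after the
                // response is committed are silently dropped.
                ((HttpServletResponse) res).setHeader(HEADER, sanitize(user));
            }
        }
        chain.doFilter(req, res);
    }

    // Replace control and non-ASCII characters so a user name cannot split
    // the header or inject extra content into the audit log line.
    static String sanitize(String user) {
        StringBuilder sb = new StringBuilder(user.length());
        for (char c : user.toCharArray()) {
            sb.append(c >= 0x20 && c < 0x7f ? c : '?');
        }
        return sb.toString();
    }

    public void destroy() { }
}
```

Map the filter to the protected URL patterns in `web.xml`. Unauthenticated requests carry no header, so they still log `-`.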