We are using Tomcat behind an Apache HTTPD with mod_proxy_ajp. The Apache HTTPD server is doing authentication by means of mod_auth_mellon and the authentication is propagated to Tomcat by using tomcatAuthorization="true" on the connector. This works perfectly.

The problem is that request.getAuthType() ("Mellon" in our case) does not get propagated from Apache HTTPD if tomcatAuthentication is not explicitly set to "false", which does not conform to the documentation. The documentation of tomcatAuthentication says that: "The default value is true. If tomcatAuthorization is set to true this attribute has no effect." It has the effect that the AuthType is not set if not set to "false". In my opinion the propagation of this value should not be dependent on tomcatAuthentication being set to "false".

The cause of this behavior is the following code snippet in AjpProcessor:

    case Constants.SC_A_AUTH_TYPE:
        if (protocol.getTomcatAuthentication()) {
            // ignore server
            requestHeaderMessage.getBytes(tmpMB);
        } else {
            requestHeaderMessage.getBytes(request.getAuthType());
        }
        break;

We could change the if condition to (protocol.getTomcatAuthentication() || protocol.getTomcatAuthorization())? I would be willing to submit a pull request, if this solution is accepted.
The if condition should probably be: protocol.getTomcatAuthentication() && !protocol.getTomcatAuthorization()
Thanks for the report and the analysis. I opted to align the auth_type code with that for remote_user since they are doing broadly the same thing for the same reason.

Fixed in:
- 11.0.x for 11.0.0-M12 onwards
- 10.1.x for 10.1.14 onwards
- 9.0.x for 9.0.81 onwards
- 8.5.x for 8.5.94 onwards
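
The three conditions discussed in this thread, compared across every combination of the two connector attributes. This is an added example, not Tomcat source and not written by any participant; the class AuthTypeDecision, its Condition interface and the sample proxy value are hypothetical and model only the SC_A_AUTH_TYPE branch quoted in the report.

```java
// Added illustration: models the SC_A_AUTH_TYPE branch as a pure function.
// Not Tomcat source; AuthTypeDecision and Condition are hypothetical names.
public class AuthTypeDecision {

    // Returns true when the auth type sent by the reverse proxy is discarded.
    interface Condition {
        boolean ignoreProxyValue(boolean tomcatAuthentication, boolean tomcatAuthorization);
    }

    // Condition in the snippet quoted in the report.
    static final Condition ORIGINAL = (authn, authz) -> authn;
    // First suggestion in the report.
    static final Condition SUGGESTED_OR = (authn, authz) -> authn || authz;
    // Suggestion from the follow-up comment.
    static final Condition SUGGESTED_AND_NOT = (authn, authz) -> authn && !authz;

    // Value request.getAuthType() would hold for the given condition and settings.
    static String authType(Condition c, boolean authn, boolean authz, String fromProxy) {
        return c.ignoreProxyValue(authn, authz) ? null : fromProxy;
    }

    public static void main(String[] args) {
        String fromProxy = "Mellon"; // value reported in this thread
        boolean[] values = {true, false};
        System.out.printf("%-21s %-20s %-9s %-9s %-9s%n",
                "tomcatAuthentication", "tomcatAuthorization",
                "original", "a || b", "a && !b");
        for (boolean authn : values) {
            for (boolean authz : values) {
                System.out.printf("%-21b %-20b %-9s %-9s %-9s%n", authn, authz,
                        authType(ORIGINAL, authn, authz, fromProxy),
                        authType(SUGGESTED_OR, authn, authz, fromProxy),
                        authType(SUGGESTED_AND_NOT, authn, authz, fromProxy));
            }
        }
    }
}
```

The row with both attributes true is the reporter's setup with tomcatAuthentication left at its default: the original condition and the `||` variant both leave the auth type null there, while the `&& !` variant passes "Mellon" through.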