On 14 Mar 2015, at 3:43 PM, Graham Leggett <minf...@sharp.fm> wrote:

> Changing the auth-type to CLIENT-CERT shows that the username has been replaced by the subject-DN of the cert, which is progress.
Reverse engineering tomcat showed that the tomcatAuthentication parameter solved half the problem: when the webserver provided REMOTE_USER, this was used as the principal in the request, but as a side effect the role lookup was bypassed, and any web application using roles stopped working.

The attached patches for tomcat v7.0.x, tomcat v8.0.x and tomcat 9.0.x introduce the tomcatAuthorization flag:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57708

The tomcatAuthorization flag, when true, takes the REMOTE_USER from the webserver, but ensures that all the role lookups occur as normal. This means you can drop in a webserver in front of a tomcat hosted web application, and automatically the authn of the webserver will replace the authn in the web application, leaving the authz intact and working.

This solves my problem.

Regards,
Graham
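The three connector states described in the message, as an added server.xml example that is not part of the original post or of the Tomcat project's documentation. The port, the `address` value and the Realm are assumptions; the two attributes shown are the real AJP connector attributes the message discusses.

```xml
<!-- Added example, not from the original message. AJP connector in server.xml
     fronted by a web server (for example Apache httpd via mod_proxy_ajp or
     mod_jk, which forward the authenticated REMOTE_USER to Tomcat).
     Port and address are assumed placeholders. -->

<!-- 1. Default: Tomcat authenticates users itself and ignores the REMOTE_USER
        sent by the web server (tomcatAuthentication="true" is the default). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           tomcatAuthentication="true" />

<!-- 2. tomcatAuthentication="false" alone: REMOTE_USER from the web server
        becomes the request principal, but the Realm is never consulted, so
        request.isUserInRole() and <security-constraint> role checks fail.
        This is the "half the problem" the message describes. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           tomcatAuthentication="false" />

<!-- 3. With the bug 57708 flag: REMOTE_USER from the web server stays the
        principal, and Tomcat looks that user's roles up in the configured
        Realm, so existing authorization keeps working. The AJP listener is
        bound to the loopback address (assumed) so only the trusted web server
        on the same host can present a REMOTE_USER. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           tomcatAuthentication="false"
           tomcatAuthorization="true" />

<!-- The Realm (assumed here; lives under <Engine> or <Host>, not on the
     connector) must know the same user names the web server authenticates,
     since it is only used for the role lookup in state 3. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" />
```

In state 3 Tomcat trusts whatever user name arrives over AJP, so the connector must only be reachable from the web server that performed the authentication: bind it to a private or loopback address as above, firewall the AJP port, and on Tomcat versions that support it, require the AJP shared `secret` as well.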