How to pass REMOTE_USER from Apache to JBoss as an environment variable when using mod_proxy_ajp
Environment
- Apache httpd
- mod_proxy
- JBoss Enterprise Web Server (EWS)
- JBoss Enterprise Application Platform (EAP)
  - 4.x
  - 5.x
  - 6.x
Issue
- Do you know any trick to pass JBoss a request attribute containing the Apache variable REMOTE_USER via mod_proxy?
- We are using Apache httpd/mod_proxy_ajp with JBoss EAP and need to have REMOTE_USER passed from Apache httpd to JBoss as an environment variable. We have found this is possible using mod_jk and JkEnvVar (see http://tomcat.apache.org/connectors-doc/reference/apache.html) but there is no mention of how to do the same using mod_proxy/mod_proxy_ajp.
- What we are not able to do is to retrieve REMOTE_USER via request attributes. In the application code we want to do the following:

      String username = (String) request.getAttribute("REMOTE_USER");

- I know the REMOTE_USER information can be retrieved via the following ways:
  - Changing the application code to request.getRemoteUser() with tomcatAuthentication="false" set in server.xml
  - Changing the application code to request.getHeader("REMOTE_USER") and using the following rewrite rule in httpd:

        RewriteCond %{LA-U:REMOTE_USER} (.*)
        RewriteRule .* - [E=MY_REMOTE_USER:%1]
        RequestHeader add REMOTE_USER %{MY_REMOTE_USER}e

  However, we need to get the same information using the request attribute for application compatibility reasons.
- How to configure to allow JBoss to bypass its authentication and correctly populate getRemoteUser and getUserPrincipal from authentication information on the front-end Apache?
Resolution
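It should be possible to use the mod_proxy_ajp environment variables [1] instead of mod_jk JkEnvVar. mod_proxy_ajp forwards every httpd environment variable whose name starts with AJP_ to the back end as an AJP request attribute, with the AJP_ prefix removed from the name.

From the docs/threads [2] and [3], the following rewrite rule should make REMOTE_USER available as an environment variable in JBoss, where the application can read it with request.getAttribute("REMOTE_USER"):

    RewriteCond %{LA-U:REMOTE_USER} (.*)
    RewriteRule .* - [E=AJP_REMOTE_USER:%{LA-U:REMOTE_USER}]
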
1: http://httpd.apache.org/docs/2.2/en/mod/mod_proxy_ajp.html#env
2: http://httpd.apache.org/docs/2.2/en/mod/mod_rewrite.html
3: http://www.gossamer-threads.com/lists/apache/users/394930
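
The rewrite rule above placed in a complete virtual host, as an added example that is not part of the original solution. The host name, the /app path, the Basic authentication realm and password file, and the AJP address localhost:8009 are assumptions to replace with your own values.

```apache
# Added example: all names, paths and addresses below are placeholders.
<VirtualHost *:80>
    ServerName www.example.com

    # httpd authenticates the user; JBoss only receives the result.
    <Location /app>
        AuthType Basic
        AuthName "Example realm"
        AuthUserFile /etc/httpd/conf/example.htpasswd
        Require valid-user
    </Location>

    # In virtual host context mod_rewrite runs before authentication,
    # so REMOTE_USER is read with the LA-U: look-ahead prefix.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.*)
    # Variables prefixed with AJP_ are sent by mod_proxy_ajp as AJP
    # request attributes with the prefix removed, so the application
    # reads this one with request.getAttribute("REMOTE_USER").
    RewriteRule .* - [E=AJP_REMOTE_USER:%{LA-U:REMOTE_USER}]

    # Assumption: the JBoss AJP connector listens on localhost:8009 and
    # accepts connections only from this httpd instance, because the
    # back end accepts the forwarded user name without checking it.
    ProxyPass /app ajp://localhost:8009/app
</VirtualHost>
```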