No principal in request after Apache basic authentication with mod_jk

Yet another software configuration issue that I wasted a few hours on today.

Environment

Apache 2.2.13 connects to Tomcat 5.5 with mod_jk (ajp13). Apache requires basic-auth for “/” i.e. for all URLs it serves. Just to be 100% precise, Tomcat runs as a WTP server “inside” Eclipse. However, the fact that it’s not a standalone instance has no effect on either the problem or the solution.

Problem

I noticed that request.getUserPrincipal() returned null in my Servlet filter although basic-auth in Apache was successful. By raising the mod_jk log level to debug (JkLogLevel debug) and looking at the mod_jk.log I could confirm, however, that mod_jk at least passed the remote user along in the request.

Solution

Set tomcatAuthentication="false" for the AJP/1.3 connector in server.xml. The parameter is explained in the Tomcat connector documentation: “If set to true, the authentication will be done in Tomcat. Otherwise, the authenticated principal will be propagated from the native webserver and used for authorization in Tomcat. The default value is true.”

A thread from the tomcat-users mailing list archive helped a lot: http://www.mail-archive.com/users@tomcat.apache.org/msg55080.html. I didn’t initially find that through a web search because I kept looking for something like “principal null Tomcat Apache mod_jk” instead of “REMOTE_USER null”.
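
An added check, not part of the original post: a short Python script that reads a server.xml and reports, for each AJP connector, whether the user authenticated by Apache will reach request.getUserPrincipal(). The sample file, its port 8010 connector and the function name are constructed for illustration; the script also notes when a connector that trusts the forwarded user has no address restriction, because Tomcat then accepts the user name from any client that can reach that port.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not taken from the post: one HTTP connector,
# one AJP connector left at its defaults, one AJP connector with the fix applied.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" tomcatAuthentication="false" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector found in server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # mod_jk speaks AJP only, so HTTP connectors are skipped
        # Documented default is "true": Tomcat authenticates on its own and
        # the user forwarded by mod_jk does not become the request principal.
        tomcat_auth = conn.get("tomcatAuthentication", "true").strip().lower()
        propagates = tomcat_auth == "false"
        address = conn.get("address")  # absent means listen on all addresses
        notes = []
        if not propagates:
            notes.append("getUserPrincipal() will not reflect Apache basic-auth")
        elif address is None:
            notes.append("trusts forwarded user but listens on all addresses")
        findings.append({
            "port": conn.get("port"),
            "propagates_principal": propagates,
            "address": address,
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```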
