Problem
You can configure your Web server with a third-party
authentication module and WebSphere plug-in to route requests to both
WebSphere® Application Server V4.0, and V5.0 or V5.1. The third-party
authentication module should set remote user information, if appropriate.
This document outlines the considerations for passing the remote user
information to V4.0, V5.0 or V5.1 plug-in so that the getRemoteUser() call
from a WebSphere application can retrieve it from the request.
Cause
How to pass remote user information to
WebSphere Application Server V4.0, V5.0 or V5.1 plug-in.
Solution
Background
If a WebSphere application calls the getRemoteUser() method, it relies on
a private HTTP header value parsed by the plug-in. The WebSphere plug-in
sets the private HTTP header value when a Web server authentication module
has populated the remote user in the Web server data structure.
If the private HTTP header value that carries remote user information is
not set, the WebSphere application call to getRemoteUser() returns a null
value.
Solution
The guidelines below apply to any third-party or custom-built
authentication module and to any Web server that is supported by the
WebSphere plug-in.
If you use a different Web server than Apache or IBM HTTP Server (IHS),
the Web server APIs will be different than those provided in the examples.
Contact the Web server vendor for details about the APIs that your Web
server is using. For example, Domino APIs use an environment variable
called REMOTE_USER to pass the remote user information from a
security plug-in to other plug-ins, such as the WebSphere plug-in.
Construction of the WebSphere private header that carries the
remote user information
- In the case of IHS or Apache, the value is computed from
the associated request record.
- In the case of iPlanet, the value is computed from the
property auth_user, which is associated with each request. It is typically
set to the name of the local HTTP user of the Web browser, if HTTP access
authorization is activated for the URL.
- In the case of Domino, the value is computed from the
environment variable REMOTE_USER, which is set by the Web server to
anonymous for users who have not logged in and to the username for
users who are logged in.
- In the case of Internet Information Services (IIS), the
value is computed from the environment variable REMOTE_USER, which is set
by the Web server to the name of the user as it is derived from the
authorization header sent by the client.
What to do when the WebSphere private header is not being set
in the IHS or Apache WebSphere plug-in
- Verify that the authentication module sets the remote user
environment variable.
- Verify that the authentication module saves the remote
user information in the Apache or IHS data structure.
- For Apache or IHS 1.3, the authentication module sets
conn_rec->user to save the remote user where the WebSphere
plug-in can access it.
- For Apache or IHS 2.0, the authentication module sets
request_rec->user to save the remote user where the WebSphere
plug-in can access it.
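One way to run the second check on Apache or IHS, as an added example that is not part of the original document: the %u field of the access log is written from the same user field named above, so a protected URL that was served successfully but logged with "-" means the authentication module did not populate it. The /secure/ prefix and the sample log lines are constructed assumptions, and the log is assumed to be in Common Log Format.

```python
import re

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: URL prefixes the authentication module is expected to protect.
PROTECTED_PREFIXES = ("/secure/",)


def missing_remote_user(lines, prefixes=PROTECTED_PREFIXES):
    """Return (path, status) for protected requests served without a logged user."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        if not m["path"].startswith(prefixes):
            continue  # outside the protected area, no user expected
        status = int(m["status"])
        if status >= 400:
            continue  # a 401 challenge or a denial legitimately has no user
        # Apache logs "-" when the user field is NULL and "" when it is empty.
        if m["user"] in ("-", '""'):
            findings.append((m["path"], status))
    return findings


# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - alice [10/Oct/2004:13:55:36 -0500] "GET /secure/app/home HTTP/1.1" 200 2326',
    '192.0.2.11 - - [10/Oct/2004:13:55:40 -0500] "GET /secure/app/home HTTP/1.1" 401 401',
    '192.0.2.12 - - [10/Oct/2004:13:56:02 -0500] "GET /secure/app/report HTTP/1.1" 200 5120',
    '192.0.2.12 - - [10/Oct/2004:13:56:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 1043',
    '192.0.2.13 - "" [10/Oct/2004:13:57:11 -0500] "POST /secure/app/save HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for path, status in missing_remote_user(SAMPLE_LOG):
        print(f"no remote user recorded: {path} (status {status})")
```

Any path this reports is one where getRemoteUser() can be expected to return null, because the Web server had no remote user to hand to the plug-in.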
What to do when the WebSphere private header is not being set in the
iPlanet, IIS, or Domino WebSphere plug-in
- Verify the request data. It should have information about
the user requesting the data.
Case study from a previously-solved problem
A customer was using the SiteMinder module within IBM HTTP Server
2.0.42.2.
The customer had upgraded the SiteMinder module to the version supported
for IHS 2.0.42.2 (IHS 2.0.42.2 is based on Apache 2.0.46). This also
upgraded the WebAgent.
The upgrade stopped the correct population of the remote user information
into the IHS 2.0 data structure. To fix this, the customer had to set the
remote user parameter within the WebAgent to YES.
Conclusion
Use this document as a guideline for problem determination when
getRemoteUser() returns a null value.
Look for additional useful information in documents that describe Web
server APIs. If you suspect a defect in the third-party authentication
module, contact the vendor of the module for assistance.