[
https://issues.jboss.org/browse/WFLY-2850?page=com.atlassian.jira.plugin....
]
Sylvain Brouillat commented on WFLY-2850:
-----------------------------------------
Here are the full steps to be able to retrieve the remote_user from a front-end server (like
Apache). Hope this will help someone.
In my case, I don't want to use JAAS on the WildFly side, and let Apache take care of all
the authentication.
Indeed, if you just put this in web.xml:
<login-config>
    <auth-method>EXTERNAL</auth-method>
</login-config>
You'll get a forbidden message from Undertow.
This is because ExternalAuthenticationMechanism uses the default WildFly LoginModule, which
tries to authenticate against the default realm.
All you need to do is use the ClientLoginModule (see
https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration), specifying
your own security domain. Add the following to standalone.xml to add a security domain
using ClientLoginModule:
<security-domain name="mySecurityDomain" cache-type="default">
    <authentication>
        <login-module code="Client" flag="optional">
        </login-module>
    </authentication>
</security-domain>
Then tell your WAR file to use mySecurityDomain as its security domain by adding a jboss-web.xml
file to the WEB-INF/ directory. jboss-web.xml looks like:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>mySecurityDomain</security-domain>
</jboss-web>
Actually, ClientLoginModule just puts your principal and credential into the security context
without authenticating the user against any realm, so that the HttpServletRequest implementation
(io.undertow.servlet.spec.HttpServletRequestImpl) can retrieve the remote user from the
security context when you call HttpServletRequest.getRemoteUser().
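Added example, not part of the comment above and not WildFly's own code: a servlet that
consumes the identity established by the front end once the web.xml, jboss-web.xml and
standalone.xml settings described above are in place. The servlet path /whoami and the class
name are assumptions. The point it makes is the one a practitioner should check before
deploying this setup: because the Client login module authenticates nothing, the container
trusts whatever user name arrives on the AJP connection, so the AJP listener must be reachable
only from the trusted front end (bind it to a loopback or private interface and firewall it),
and application code should fail closed when no principal is present rather than treating the
request as anonymous.

```java
// Added example (not from the JIRA comment or from WildFly). Assumes WildFly 8 (Servlet 3.1),
// auth-method EXTERNAL in web.xml, and the mySecurityDomain/Client login module configuration
// from the comment. The servlet path and class name are illustrative assumptions.
package example;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With auth-method EXTERNAL and the Client login module, WildFly performs no
        // authentication of its own: the user name is whatever the AJP front end
        // (Apache httpd) supplied after it authenticated the client, e.g. via SPNEGO.
        String user = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();

        // Fail closed. A request that reached the AJP listener without the front end
        // having authenticated it carries no principal. A security-constraint in
        // web.xml also rejects such requests; this check covers paths the constraint
        // does not, and makes the trust assumption explicit in the code.
        if (user == null || principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.setContentType("text/plain");
        try (PrintWriter out = resp.getWriter()) {
            out.println("remote user : " + user);
            out.println("principal   : " + principal.getName());
            // getAuthType() reports the scheme the front end used, as forwarded over AJP.
            out.println("auth type   : " + req.getAuthType());
        }
    }
}
```

Deploy this in the same WAR as the jboss-web.xml above and request /whoami through the
front end: an authenticated user sees their name, while a request that bypasses the front
end and carries no principal gets 401. That second case is exactly why the AJP port must
not be exposed beyond the front end.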
AJP connector with external authentication
------------------------------------------
Key: WFLY-2850
URL: https://issues.jboss.org/browse/WFLY-2850
Project: WildFly
Issue Type: Feature Request
Components: Web (Undertow)
Affects Versions: 8.0.0.CR1
Reporter: Geert Coelmont
Assignee: Stuart Douglas
Priority: Critical
Fix For: 8.1.0.CR2, 8.1.0.Final
Tomcat allows setting the tomcatAuthentication attribute of the AJP connector to false to
allow external web servers (e.g. Apache httpd) to handle the authentication and pass it
along.
A similar option was added recently to JBossWeb as well (see WFLY-254), but JBossWeb has
been replaced by Undertow. With Undertow this option isn't available as far as I can
see.
For me this is a critical problem as there is currently no way I can do negotiated
(SPNEGO) authentication from within WildFly+Undertow. (See also WFLY-2404).
--
This message was sent by Atlassian JIRA
(v6.3.8#6338)