tog-pegasus/pegasus-2.9.0-local-or-remote-auth.patch

diff -up pegasus/src/Executor/PAMAuth.h.local-or-remote-auth pegasus/src/Executor/PAMAuth.h
--- pegasus/src/Executor/PAMAuth.h.local-or-remote-auth	2009-12-15 11:52:33.000000000 +0100
+++ pegasus/src/Executor/PAMAuth.h	2011-05-19 14:26:12.849499761 +0200
@@ -49,6 +49,9 @@
 #include <Executor/Defines.h>
 #include <Executor/Socket.h>
 
+#include <syslog.h>
+typedef int Boolean;
+
 #ifdef PEGASUS_FLAVOR
 # define PAM_CONFIG_FILE "wbem" PEGASUS_FLAVOR
 #else
@@ -398,29 +401,60 @@ static int PAMValidateUserCallback(
 */
 
 static int PAMAuthenticateInProcess(
-    const char* username, const char* password)
+    const char* username, const char* password, const Boolean isRemoteUser)
 {
     PAMData data;
     struct pam_conv pconv;
     pam_handle_t* handle;
+    int retcode;
 
     data.password = password;
     pconv.conv = PAMAuthenticateCallback;
     pconv.appdata_ptr = &data;
 
+    // NOTE: if any pam call should log anything, our syslog socket will be redirected
+    //       to the AUTH facility, so we need to redirect it back after each pam call.
+
+    if ((retcode = pam_start(PAM_CONFIG_FILE, username, &pconv, &handle)) != PAM_SUCCESS)
+    {
+        closelog();
+        openlog("cimserver", LOG_PID, LOG_DAEMON);
+        syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(handle, retcode));
+        syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+            isRemoteUser ? "remote" : "local", username);
+        return -1;
+    }
 
-    if (pam_start(PAM_CONFIG_FILE, username, &pconv, &handle) != PAM_SUCCESS)
+    if ((retcode = pam_set_item(handle, PAM_TTY, isRemoteUser ? "wbemNetwork" : "wbemLocal")) != PAM_SUCCESS)
+    {
+        pam_end(handle, 0);
+        closelog();
+        openlog("cimserver", LOG_PID, LOG_DAEMON);
+        syslog(LOG_ERR, "pam_set_item(PAM_TTY=wbem) failed: %s", pam_strerror(handle, retcode));
+        syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+            isRemoteUser ? "remote" : "local", username);
         return -1;
+    }
 
-    if (pam_authenticate(handle, 0) != PAM_SUCCESS)
+    if ((retcode = pam_authenticate(handle, 0)) != PAM_SUCCESS)
     {
         pam_end(handle, 0);
+        closelog();
+        openlog("cimserver", LOG_PID, LOG_DAEMON);
+        syslog(LOG_ERR, "pam_authenticate failed: %s",pam_strerror(handle, retcode));
+        syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+            isRemoteUser ? "remote" : "local", username);
         return -1;
     }
 
-    if (pam_acct_mgmt(handle, 0) != PAM_SUCCESS)
+    if ((retcode = pam_acct_mgmt(handle, 0)) != PAM_SUCCESS)
     {
         pam_end(handle, 0);
+        closelog();
+        openlog("cimserver", LOG_PID, LOG_DAEMON);
+        syslog(LOG_ERR, "pam_acct_mgmt failed: %s",pam_strerror(handle, retcode));
+        syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+            isRemoteUser ? "remote" : "local", username);
         return -1;
     }
 
@@ -444,16 +478,34 @@ static int PAMValidateUserInProcess(cons
     PAMData data;
     struct pam_conv pconv;
     pam_handle_t* phandle;
+    int retcode;
 
     pconv.conv = PAMValidateUserCallback;
     pconv.appdata_ptr = &data;
 
-    if (pam_start(PAM_CONFIG_FILE, username, &pconv, &phandle) != PAM_SUCCESS)
+    if ((retcode = pam_start(PAM_CONFIG_FILE, username, &pconv, &phandle)) != PAM_SUCCESS)
+    {
+        closelog();
+        openlog("cimserver", LOG_PID, LOG_DAEMON);
+        syslog(LOG_ERR, "pam_start() failed: %s", pam_strerror(phandle, retcode));
         return -1;
+    }
+
+    if ((retcode = pam_set_item(phandle, PAM_TTY, "wbemLocal")) != PAM_SUCCESS)
+    {
+        pam_end(phandle, 0);
+        closelog();
+        openlog("cimserver", LOG_PID, LOG_DAEMON);
+        syslog(LOG_ERR, "pam_set_item(PAM_TTY=wbemLocal) failed: %s", pam_strerror(phandle, retcode));
+        return -1;
+    }
 
-    if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS)
+    if ((retcode = pam_acct_mgmt(phandle, 0)) != PAM_SUCCESS)
     {
         pam_end(phandle, 0);
+        closelog();
+        openlog("cimserver", LOG_PID, LOG_DAEMON);
+        syslog(LOG_ERR, "pam_acct_mgmt() failed: %s", pam_strerror(phandle, retcode));
         return -1;
     }
 
@@ -472,12 +524,12 @@ static int PAMValidateUserInProcess(cons
 **==============================================================================
 */
 
-static int PAMAuthenticate(const char* username, const char* password)
+static int PAMAuthenticate(const char* username, const char* password, const Boolean isRemoteUser)
 {
 #ifdef PEGASUS_USE_PAM_STANDALONE_PROC
     return CimserveraProcessOperation("authenticate", username, password);
 #else
-    return PAMAuthenticateInProcess(username, password);
+    return PAMAuthenticateInProcess(username, password, isRemoteUser);
 #endif
 }
 
diff -up pegasus/src/Executor/Parent.c.local-or-remote-auth pegasus/src/Executor/Parent.c
--- pegasus/src/Executor/Parent.c.local-or-remote-auth	2011-05-19 14:26:49.662347923 +0200
+++ pegasus/src/Executor/Parent.c	2011-05-19 14:44:30.248822405 +0200
@@ -635,7 +635,7 @@ static void HandleAuthenticatePasswordRe
 
 #if defined(PEGASUS_PAM_AUTHENTICATION)
 
-        if (PAMAuthenticate(request.username, request.password) != 0)
+        if (PAMAuthenticate(request.username, request.password, 0) != 0)
         {
             status = -1;
             break;
diff -up pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.local-or-remote-auth pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c
--- pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.local-or-remote-auth	2011-05-19 15:34:25.895309730 +0200
+++ pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c	2011-05-19 15:34:39.744506661 +0200
@@ -49,7 +49,7 @@ int main()
         sprintf(prompt, "Enter password for %s: ", PEGASUS_CIMSERVERMAIN_USER);
         pw = getpass(prompt);
 
-        if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw) == 0)
+        if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw, 0) == 0)
             printf("Correct password\n");
         else
             printf("Wrong password\n");
diff -up pegasus/src/Pegasus/Common/AuthenticationInfo.h.local-or-remote-auth pegasus/src/Pegasus/Common/AuthenticationInfo.h
--- pegasus/src/Pegasus/Common/AuthenticationInfo.h.local-or-remote-auth	2008-12-16 19:55:59.000000000 +0100
+++ pegasus/src/Pegasus/Common/AuthenticationInfo.h	2011-05-19 14:26:12.849499761 +0200
@@ -354,6 +354,22 @@ public:
         return _rep->getRemotePrivilegedUserAccessChecked();
     }
 
+    /** Indicate whether the user is Remote 
+    */
+    Boolean isRemoteUser() const
+    {
+        CheckRep(_rep);
+        return _rep->isRemoteUser();
+    }
+
+    /** Set the Remote User flag
+    */
+    void setRemoteUser(Boolean isRemoteUser)
+    {
+        CheckRep(_rep);
+        _rep->setRemoteUser(isRemoteUser);
+    }
+
 private:
 
     AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep)
diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp
--- pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.local-or-remote-auth	2010-07-28 16:37:52.000000000 +0200
+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp	2011-05-19 14:26:12.850499919 +0200
@@ -46,7 +46,8 @@ const String AuthenticationInfoRep::AUTH
 
 AuthenticationInfoRep::AuthenticationInfoRep(Boolean flag)
     : _connectionAuthenticated(false),
-      _wasRemotePrivilegedUserAccessChecked(false)
+      _wasRemotePrivilegedUserAccessChecked(false),
+      _isRemoteUser(true)
 {
     PEG_METHOD_ENTER(
         TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep");
@@ -79,6 +80,16 @@ AuthenticationInfoRep::~AuthenticationIn
     PEG_METHOD_EXIT();
 }
 
+void AuthenticationInfoRep::setRemoteUser(Boolean isRemoteUser)
+{
+    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
+        "AuthenticationInfoRep::setRemoteUser");
+
+    _isRemoteUser = isRemoteUser;
+
+    PEG_METHOD_EXIT();
+}
+
 void AuthenticationInfoRep::setConnectionAuthenticated(
     Boolean connectionAuthenticated)
 {
diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.local-or-remote-auth pegasus/src/Pegasus/Common/AuthenticationInfoRep.h
--- pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.local-or-remote-auth	2008-12-16 19:55:59.000000000 +0100
+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.h	2011-05-19 14:26:12.851500077 +0200
@@ -147,6 +147,13 @@ public:
     void setSecurityAssociation();
 #endif
 
+    Boolean isRemoteUser() const
+    {
+        return _isRemoteUser;
+    }
+
+    void setRemoteUser(Boolean isRemoteUser);
+
     Array<SSLCertificateInfo*> getClientCertificateChain()
     {
         return _clientCertificate;
@@ -190,6 +197,7 @@ private:
     Boolean _wasRemotePrivilegedUserAccessChecked;
 
     Array<SSLCertificateInfo*> _clientCertificate;
+    Boolean _isRemoteUser;
 };
 
 PEGASUS_NAMESPACE_END
diff -up pegasus/src/Pegasus/Common/Executor.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/Executor.cpp
--- pegasus/src/Pegasus/Common/Executor.cpp.local-or-remote-auth	2010-10-29 07:29:50.000000000 +0200
+++ pegasus/src/Pegasus/Common/Executor.cpp	2011-05-19 14:26:12.852500235 +0200
@@ -126,7 +126,8 @@ public:
 
     virtual int authenticatePassword(
         const char* username,
-        const char* password) = 0;
+        const char* password,
+        Boolean isRemoteUser) = 0;
 
     virtual int validateUser(
         const char* username) = 0;
@@ -560,10 +561,11 @@ public:
 
     virtual int authenticatePassword(
         const char* username,
-        const char* password)
+        const char* password,
+        Boolean isRemoteUser)
     {
 #if defined(PEGASUS_PAM_AUTHENTICATION)
-        return PAMAuthenticate(username, password);
+        return PAMAuthenticate(username, password, isRemoteUser);
 #else
         // ATTN: not handled so don't call in this case.
         return -1;
@@ -904,7 +906,8 @@ public:
 
     virtual int authenticatePassword(
         const char* username,
-        const char* password)
+        const char* password,
+        Boolean isRemoteUser)
     {
         AutoMutex autoMutex(_mutex);
 
@@ -1173,10 +1176,11 @@ int Executor::reapProviderAgent(
 
 int Executor::authenticatePassword(
     const char* username,
-    const char* password)
+    const char* password,
+    Boolean isRemoteUser)
 {
     once(&_executorImplOnce, _initExecutorImpl);
-    return _executorImpl->authenticatePassword(username, password);
+    return _executorImpl->authenticatePassword(username, password, isRemoteUser);
 }
 
 int Executor::validateUser(
diff -up pegasus/src/Pegasus/Common/Executor.h.local-or-remote-auth pegasus/src/Pegasus/Common/Executor.h
--- pegasus/src/Pegasus/Common/Executor.h.local-or-remote-auth	2010-10-29 07:29:50.000000000 +0200
+++ pegasus/src/Pegasus/Common/Executor.h	2011-05-19 14:26:12.853500393 +0200
@@ -184,7 +184,8 @@ public:
     */
     static int authenticatePassword(
         const char* username,
-        const char* password);
+        const char* password,
+        Boolean isRemoteUser);
 
     /** Check whether the given user is valid for the underlying authentcation
         mechanism.
diff -up pegasus/src/Pegasus/Common/HTTPConnection.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/HTTPConnection.cpp
--- pegasus/src/Pegasus/Common/HTTPConnection.cpp.local-or-remote-auth	2011-04-19 12:39:52.000000000 +0200
+++ pegasus/src/Pegasus/Common/HTTPConnection.cpp	2011-05-19 14:26:12.854500551 +0200
@@ -2295,6 +2295,30 @@ void HTTPConnection::_handleReadEvent()
         message->contentLanguages = contentLanguages;
         message->dest = _outputMessageQueue->getQueueId();
 
+        // Allow authenticators to differentiate Remote and Local users:
+        struct sockaddr_in sin_peer, sin_svr; // don't need to worry about IPv6 yet ...
+        socklen_t slen1=sizeof(struct sockaddr_in), slen2=sizeof(struct sockaddr_in);
+        uint32_t  sock = _socket.get()->getSocket() ;
+        memset(&sin_peer,'\0',slen1);
+        memset(&sin_svr, '\0',slen2);
+        if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 )
+           ||( ::getsockname( sock, (struct sockaddr*)&sin_svr,  &slen2) == 0 )
+           )
+        {
+            if( sin_peer.sin_family == AF_INET )
+            {
+                if( ((ntohl( sin_peer.sin_addr.s_addr ) >> 24) & 0xff) == 127 )
+                    // message was sent FROM localhost interface
+                    message->isFromRemoteHost = false;
+            }
+            if( sin_svr.sin_family == AF_INET )
+            {
+                if( ((ntohl( sin_svr.sin_addr.s_addr ) >> 24) & 0xff) == 127 )
+                    // message was sent TO localhost interface
+                    message->isFromRemoteHost = false;
+            }
+        }
+
         //
         // The _closeConnection method sets the _connectionClosePending flag.
         // If we are executing on the client side and the
diff -up pegasus/src/Pegasus/Common/HTTPMessage.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/HTTPMessage.cpp
--- pegasus/src/Pegasus/Common/HTTPMessage.cpp.local-or-remote-auth	2011-01-25 13:10:21.000000000 +0100
+++ pegasus/src/Pegasus/Common/HTTPMessage.cpp	2011-05-19 14:26:12.856500867 +0200
@@ -134,7 +134,8 @@ HTTPMessage::HTTPMessage(
     authInfo(0),
     acceptLanguagesDecoded(false),
     contentLanguagesDecoded(false),
-    binaryResponse(false)
+    binaryResponse(false),
+    isFromRemoteHost(true)
 {
     if (cimException_)
         cimException = *cimException_;
diff -up pegasus/src/Pegasus/Common/HTTPMessage.h.local-or-remote-auth pegasus/src/Pegasus/Common/HTTPMessage.h
--- pegasus/src/Pegasus/Common/HTTPMessage.h.local-or-remote-auth	2011-01-25 13:10:21.000000000 +0100
+++ pegasus/src/Pegasus/Common/HTTPMessage.h	2011-05-19 14:26:12.856500867 +0200
@@ -73,6 +73,7 @@ public:
     ContentLanguageList contentLanguages;
     Boolean acceptLanguagesDecoded;
     Boolean contentLanguagesDecoded;
+    Boolean isFromRemoteHost;
     CIMException cimException;
     bool binaryResponse;
 
diff -up pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.local-or-remote-auth pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp
--- pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.local-or-remote-auth	2010-10-29 07:29:50.000000000 +0200
+++ pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp	2011-05-19 14:26:12.857501025 +0200
@@ -76,7 +76,7 @@ void testExecutorLoopbackImpl()
 #endif
 
     PEGASUS_TEST_ASSERT(Executor::authenticatePassword(
-        "xnonexistentuserx", "wrongpassword") == -1);
+        "xnonexistentuserx", "wrongpassword", true) == -1);
     PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1);
 
     char challengeFilePath[EXECUTOR_BUFFER_SIZE];
@@ -115,7 +115,7 @@ void testExecutorSocketImpl()
     PEGASUS_TEST_ASSERT(Executor::reapProviderAgent(123) == 0);
 
     PEGASUS_TEST_ASSERT(Executor::authenticatePassword(
-        "xnonexistentuserx", "wrongpassword") == -1);
+        "xnonexistentuserx", "wrongpassword", true) == -1);
     PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1);
 
     char challengeFilePath[EXECUTOR_BUFFER_SIZE];
diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp
--- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.local-or-remote-auth	2009-08-07 07:43:31.000000000 +0200
+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp	2011-05-19 14:26:12.858501183 +0200
@@ -153,7 +153,7 @@ Boolean BasicAuthenticationHandler::auth
     }
     authInfo->setRemotePrivilegedUserAccessChecked();
 
-    authenticated = _basicAuthenticator->authenticate(userName, password);
+    authenticated = _basicAuthenticator->authenticate(userName, password, authInfo->isRemoteUser());
 
     // Log audit message.
     PEG_AUDIT_LOG(logBasicAuthentication(
diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h
--- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.local-or-remote-auth	2008-12-16 19:57:08.000000000 +0100
+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h	2011-05-19 14:26:12.858501183 +0200
@@ -65,7 +65,8 @@ public:
     */
     virtual Boolean authenticate(
         const String& userName,
-        const String& password) = 0;
+        const String& password,
+        Boolean isRemoteUser) = 0;
 
     /** Construct and return the HTTP Basic authentication challenge header
         @return A string containing the authentication challenge header.
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.local-or-remote-auth	2008-12-16 19:57:08.000000000 +0100
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h	2011-05-19 14:26:12.859501341 +0200
@@ -53,7 +53,8 @@ public:
 
     Boolean authenticate(
         const String& userName,
-        const String& password);
+        const String& password,
+        Boolean isRemoteUser);
 
     Boolean validateUser(const String& userName);
 
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.local-or-remote-auth	2008-12-16 19:57:08.000000000 +0100
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp	2011-05-19 14:26:12.859501341 +0200
@@ -73,7 +73,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti
 
 Boolean PAMBasicAuthenticator::authenticate(
     const String& userName,
-    const String& password)
+    const String& password,
+    Boolean isRemoteUser)
 {
     PEG_METHOD_ENTER(TRC_AUTHENTICATION,
         "PAMBasicAuthenticator::authenticate()");
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.local-or-remote-auth	2008-12-16 19:57:08.000000000 +0100
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp	2011-05-19 14:26:12.860501499 +0200
@@ -64,13 +64,14 @@ PAMBasicAuthenticator::~PAMBasicAuthenti
 
 Boolean PAMBasicAuthenticator::authenticate(
     const String& userName,
-    const String& password)
+    const String& password,
+    Boolean isRemoteUser)
 {
     PEG_METHOD_ENTER(TRC_AUTHENTICATION,
         "PAMBasicAuthenticator::authenticate()");
 
     if (Executor::authenticatePassword(
-        userName.getCString(), password.getCString()) != 0)
+        userName.getCString(), password.getCString(), isRemoteUser) != 0)
     {
         return false;
     }
diff -up pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.local-or-remote-auth pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp
--- pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.local-or-remote-auth	2009-04-17 16:39:31.000000000 +0200
+++ pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp	2011-05-19 14:26:12.860501499 +0200
@@ -236,7 +236,7 @@ Boolean SecureBasicAuthenticator::authen
         if (Executor::detectExecutor() == 0)
         {
             if (Executor::authenticatePassword(
-                userName.getCString(), password.getCString()) == 0)
+                userName.getCString(), password.getCString(), true) == 0)
             {
                 authenticated = true;
             }
diff -up pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.local-or-remote-auth pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp
--- pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.local-or-remote-auth	2009-08-07 07:43:31.000000000 +0200
+++ pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp	2011-05-19 14:26:12.862501815 +0200
@@ -421,6 +421,9 @@ void HTTPAuthenticatorDelegator::handleH
         Tracer::LEVEL3,
         "HTTPAuthenticatorDelegator - Authentication processing start");
 
+    // Let Authenticators know whether this user is Local or Remote:
+    httpMessage->authInfo->setRemoteUser( httpMessage->isFromRemoteHost );
+
     //
     // Handle authentication:
     //