Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Pid
On 17/06/2010 02:41, Marc Boorshtein wrote: The problem with the Realm system is it's designed with the assumption that tomcat is doing the authentication which is not a valid assumption in an environment where the authentication is separated from authorization. The entire point of container

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Marc Boorshtein
I'm not looking to start a holy war here, but is there anything incorrect in what I said?  Tomcat is a servlet container, the servlet Yes. You made a sweeping statement about container managed security which implied that things should just work.  Someone has to make them work. As an app

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Pid
On 17/06/2010 12:34, Marc Boorshtein wrote: I'm not looking to start a holy war here, but is there anything incorrect in what I said? Tomcat is a servlet container, the servlet Yes. You made a sweeping statement about container managed security which implied that things should just work.

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread André Warnier
Pid wrote: On 17/06/2010 12:34, Marc Boorshtein wrote: I'm not looking to start a holy war here, but is there anything incorrect in what I said? Tomcat is a servlet container, the servlet Yes. You made a sweeping statement about container managed security which implied that things should

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Mark Thomas
On 17/06/2010 13:26, André Warnier wrote: I must say that, with my limited knowledge of the Tomcat internals taken into consideration, I tend to agree with Marc in this case, if he is right in claiming that the Tomcat Realm mixes authentication with authorization and does not allow to separate

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Pid
On 17/06/2010 13:26, André Warnier wrote: Pid wrote: On 17/06/2010 12:34, Marc Boorshtein wrote: I'm not looking to start a holy war here, but is there anything incorrect in what I said? Tomcat is a servlet container, the servlet Yes. You made a sweeping statement about container managed

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Marc Boorshtein
On Thu, Jun 17, 2010 at 9:11 AM, Mark Thomas ma...@apache.org wrote: On 17/06/2010 13:26, André Warnier wrote: I must say that, with my limited knowledge of the Tomcat internals taken into consideration, I tend to agree with Marc in this case, if he is right in claiming that the Tomcat Realm

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Marc Boorshtein
Hi. I must say that, with my limited knowledge of the Tomcat internals taken into consideration, I tend to agree with Marc in this case, if he is right in claiming that the Tomcat Realm mixes authentication with authorization and does not allow to separate the two. Well, he said he's

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Pid
On 17/06/2010 15:08, Marc Boorshtein wrote: Hi. I must say that, with my limited knowledge of the Tomcat internals taken into consideration, I tend to agree with Marc in this case, if he is right in claiming that the Tomcat Realm mixes authentication with authorization and does not allow to

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Marc Boorshtein
You're talking about having to change your app, but you've only described having to make modifications to a Tomcat internal support class. You seem to be saying that Tomcat has a compliancy issue - IMO the problem with leaving that unchallenged is that it breeds misunderstanding that would

Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
All, I'm trying to setup apache in front of tomcat and have apache do the authentication for access and pass the user's context back to tomcat. I've seen documentation that says that I should set the JK_REMOTE_USER environment variable but it doesn't seem to be working. Here is my httpd

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread André Warnier
Marc Boorshtein wrote: All, I'm trying to setup apache in front of tomcat and have apache do the authentication for access and pass the user's context back to tomcat. I've seen documentation that says that I should set the JK_REMOTE_USER environment variable but it doesn't seem to be working.

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread André Warnier
Also, it is *really really really* helpful, when you post a question, that you would specify the precise versions of software you are talking about. Like : Apache httpd version : 2.2.3 Tomcat version : 5.5.21 mod_jk version : 1.2.18 .. the documentation .. : the documentation page at :

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
You should not need to do that, it should be automatic. Just make sure that in the Tomcat Connector for AJP (in server.xml), you set the attribute tomcatAuthentication=false If the request is authenticated by Apache, mod_jk will (always) pass it internally to Tomcat, along with the

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread André Warnier
Marc Boorshtein wrote: You should not need to do that, it should be automatic. Just make sure that in the Tomcat Connector for AJP (in server.xml), you set the attribute tomcatAuthentication=false If the request is authenticated by Apache, mod_jk will (always) pass it internally to Tomcat,

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
OK, some context first: What I'm trying to do is integrate a Commercial Off The Shelf (COTS) application that relies on container security into a Web Access Manager (WAM). In a typical WAM deployment there are AAA is broken up into multiple layers: Web Server - Authentication (via the WAM) and

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread David kerber
On 6/16/2010 10:58 AM, Marc Boorshtein wrote: ... That being said, the sequence of events should be: 1. Web server authenticates the user (works) 2. Pass the context to Tomcat (works) 3. Tomcat calls the realm to retrieve the user information and set the context (doesn't presently occur)

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
Sent from my iPhone On Jun 16, 2010, at 11:12 AM, David kerber dcker...@verizon.net wrote: On 6/16/2010 10:58 AM, Marc Boorshtein wrote: ... That being said, the sequence of events should be: 1. Web server authenticates the user (works) 2. Pass the context to Tomcat (works) 3. Tomcat

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread André Warnier
Marc Boorshtein wrote: OK, some context first: What I'm trying to do is integrate a Commercial Off The Shelf (COTS) application that relies on container security into a Web Access Manager (WAM). In a typical WAM deployment there are AAA is broken up into multiple layers: Web Server -

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
To look at this from a very strict point of view, the whole area is already a bit stretched.  Tomcat has this notion of roles (because the Servlet Spec has this same notion).  But if you look at common authentication schemes, like NTLM or LDAP, they do not have this notion.  It is possible

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Pid
On 16/06/2010 18:27, Marc Boorshtein wrote: To look at this from a very strict point of view, the whole area is already a bit stretched. Tomcat has this notion of roles (because the Servlet Spec has this same notion). But if you look at common authentication schemes, like NTLM or LDAP, they

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
The problem with the Realm system is it's designed with the assumption that tomcat is doing the authentication which is not a valid assumption in an environment where the authentication is separated from authorization.  The entire point of container security is that as a coder I don't have to