We are in a conundrum, having planned to use our custom DCE/Kerberos
Apache BasicAA plug-in, and use Tomcat for servlets.
The idea is to rope off Tomcat+Apache into a trusted and isolated system,
available to users only via the Apache https service. Then Tomcat can
acquire credentials via a Java utility that simply assumes getRemoteUser()
returns an authenticated user.
We can do that now in Netscape+JRun, figured it should work in
Apache+Tomcat.
But evidently it will not work: even if we hand-edit our httpd.conf to
require basic authentication on servlet directories, Apache is handing off
to the Tomcat web connector without calling the Apache BasicAA handler.
(Apache 1.3.17, Tomcat 3.2.1, ajp1.2)
Is there a fix or workaround?
Would AJP1.3 help?
Would the Tomcat 4 web connector call an Apache mod_auth module based on a
trigger in web.xml?
Thanks
Pat