Unfortunately, only the /repository/ section uses basic auth headers - so it 
might work for those, but not the webapp that relies on cookies being set. Even 
so, you'd have to hook it up to LDAP for the user details. At present, we don't 
store any roles in LDAP - they are always in the Archiva user database.

On 13/04/2011, at 4:13 AM, Dustin Parker wrote:

> Hello all,
> 
> Our httpd hosts a large variety of web applications using various 
> technologies, including a mod_jk proxy to Tomcat, where Archiva is hosted. It 
> also protects everything with SSL and mod_sspi, meaning that users get an 
> authentication prompt and use their domain credentials to log in. Some 
> applications, like svn, can then use these credentials without having their 
> own authentication layer. I can't figure out how to get Archiva to do 
> something similar, however. mod_jk appears to be sending my username to 
> Tomcat:
> 
> 02c0 63 3D 00 A0 08 00 01 30 00 03 00 14 46 4F 52 57 - c=.....0....FORW
> 02d0 41 52 44 53 4C 4F 50 45 5C 64 70 61 72 6B 65 72 - ARDSLOPE\dparker
> 02e0 00 04 00 04 4E 54 4C 4D 00 FF 00 00 00 00 00 00 - ....NTLM........
> 
> (See "Attributes" here: 
> http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)
> 
> (I can't find any docs that guarantee that getRemoteUser() responds with this 
> username. Is there any way for me to tell if it's propagating correctly?)
> 
> Anyway, if it is propagating correctly, how can I convince Archiva and/or 
> Redback to just accept these credentials? Tomcat is only listening on local 
> interfaces and is hidden from the outside world, so I accept the security 
> risks of doing so.
> 
> Bonus question: can user mapping against LDAP still succeed in this case? 
> (It'd be nice to grab roles for the current user from LDAP.)
> 
> Thanks one million,
> Dustin
> 

--
Brett Porter
br...@apache.org
http://brettporter.wordpress.com/
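
As an added example (not part of either message, and not Archiva, Redback or Tomcat code), the dump quoted above can be decoded with the attribute layout from the linked AJPv13 document to check which identity mod_jk is forwarding. The function names and `ATTR_START` are assumptions made for this example; the offset was picked by reading the dump, because the earlier part of the packet is not shown.

```python
import struct

# Attribute codes from the "Attributes" table of the AJPv13 document linked above.
ATTRS = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
         0x04: "auth_type", 0x05: "query_string", 0x06: "jvm_route",
         0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session"}
REQ_ATTRIBUTE, SSL_KEY_SIZE, ARE_DONE = 0x0A, 0x0B, 0xFF

# The three dump lines from the post (packet offsets 0x02c0 to 0x02ef).
DUMP = bytes.fromhex(
    "63 3D 00 A0 08 00 01 30 00 03 00 14 46 4F 52 57 "
    "41 52 44 53 4C 4F 50 45 5C 64 70 61 72 6B 65 72 "
    "00 04 00 04 4E 54 4C 4D 00 FF 00 00 00 00 00 00")
ATTR_START = 9  # assumption: first attribute code (0x03), found by reading the dump

def read_string(buf, pos):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL terminator."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % pos)
    (length,) = struct.unpack_from(">H", buf, pos)
    if length == 0xFFFF:  # encodes a null string; nothing follows the length
        return None, pos + 2
    end = pos + 2 + length
    if end >= len(buf) or buf[end] != 0:
        raise ValueError("truncated or unterminated string at offset %d" % pos)
    return buf[pos + 2:end].decode("latin-1"), end + 1

def parse_attributes(buf, pos):
    """Decode optional request attributes from pos up to the 0xFF terminator."""
    found = {}
    while pos < len(buf):
        code, pos = buf[pos], pos + 1
        if code == ARE_DONE:
            return found
        if code == SSL_KEY_SIZE:  # the only attribute sent as a 2-byte integer
            found["ssl_key_size"] = int.from_bytes(buf[pos:pos + 2], "big")
            pos += 2
        elif code == REQ_ATTRIBUTE:  # carries a name string and a value string
            name, pos = read_string(buf, pos)
            found["req_attribute:%s" % name], pos = read_string(buf, pos)
        elif code in ATTRS:
            found[ATTRS[code]], pos = read_string(buf, pos)
        else:
            raise ValueError("unknown attribute code 0x%02X" % code)
    raise ValueError("attribute list not terminated by 0xFF")

if __name__ == "__main__":
    print(parse_attributes(DUMP, ATTR_START))
```

On the quoted bytes this yields `remote_user` = `FORWARDSLOPE\dparker` and `auth_type` = `NTLM`. Whether Tomcat then exposes that value through getRemoteUser() depends on the AJP connector's `tomcatAuthentication` setting, which must be `false` for the principal forwarded by httpd to be used.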
