Sorry for jumping into the discussion. The comment I'd like to make is that you can't really separate the security realm from authentication. In other words, a security realm is an integral part of user authentication. If user authentication is done by apache, the "realm" (the term realm is kind of used for app servers exclusively) should be provided by apache. If it is done by tomcat, the tomcat realm should be used. In this case, one option is to use or customize the mod_auth of apache (http://localhost/manual/mod/mod_auth_dbm.html), which is the apache "realm" for doing authentication. Another option would be just letting tomcat do the authentication by setting the tomcatAuthentication field to true.
ND -----Original Message----- From: Mickael Goujon [mailto:[EMAIL PROTECTED] Sent: Friday, February 10, 2006 3:30 AM To: Tomcat Users List Subject: Re: Realm and Authentication with Tomcat 5.0, Apache 2 and mod_jk 1.2 Hi Bill, Thanks for your answer. The original design of this authentication/session creation mechanism was made by another developper who knows Tomcat better than I know (but not enough apparently ;) ). If I understand correctly, your suggestion is to write a custom valve which will be used as our missing link between the Apache authentication and the Tomcat Realm call. Is this correct? The Valve will access the username/password in the header and explicitly call the Realm (Kind of similar to the SSO Valve)? Cheers, Mickael Bill Barker wrote: > "Mickael Goujon" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > >>Hi, >> >>We have a web application deployed under Tomcat 5.0 which uses a custom >>Realm for authentication. This custom Realm basically does a web service >>call using the user's credentials to authenticate with the web service >>server (basic WS-I username/password authentication). >> >>If the web service call fails (user not allowed to call the web service >>with his credentials), then Tomcat authentication fails. >> >>If the web service call succeed (user has access to the web service), then >>Tomcat authentication succeed and the Realm will store the Session object >>returned by the web service in a ThreadLocalContext to be reused later in >>the web application. >> >>This works fine with Tomcat only, but as soon as I add mod_jk and try to >>use Apache to do the authentication and then pass the credentials to >>Tomcat (using tomcatAuthentication=false), I get the "403 - access denied" >>page. >> >>I'd like to know if, in my configuration (Apache authentication + Tomcat >>Realm + tomcatAuthentication=false), Apache is supposed to pass the user >>login/password to the Tomcat Realm or if the realm is not called at all >>(This would be the bad news I fear)? >> > > > Sorry for the bad news, but the Tomcat Realm is not called at all in this > situation. Also, Apache doesn't forward the password directly (although it > is still in encoded in the Header). > > >>My combination Apache/Tomcat/mod_jk works when I specify >>tomcatAuthentication=true. But, I'd like to have Apache authentication and >>the Tomcat Realm called automatically after that with the >>username/password... Is this possible or do I have to move my Session >>creation process somewhere else? >> > > > A custom Authenticator is probably over-kill here. I would probably just > use a custom Valve. But as-is, you do at least have to add something (or, > modify your copy of the Tomcat code :) to invoke the Realm. > > >>Hope you understood my problem, >> >>Cheers, >> >>Mickael >> >>-- >>Mickael Goujon >>Software Engineer >>Lion Bioscience Ltd > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
