Hello everyone,
   I'm successfully using Tomcat 7.0.55 configured with Spnego
authentication against Active Directory running Windows 2008 Server and
Java 1.7.0.51. However, after switching to Java 1.8.0_20, authentication
does not work anymore; Tomcat logs the following error message:

SEVERE: Exception performing authentication
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]; remaining name 'CN=Users,DC=example,DC=com'
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:169)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:236)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2696)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2670)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1941)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1446)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1297)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1233)
        at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2049)
        at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:1965)
        at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:513)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:309)
        at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:249)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:255)

Tomcat is configured according to the "Windows Authentication How-To"
document, I'm attaching the krb5.ini, jaas.conf and server.xml that
contains the JNDIRealm definition.

I have investigated the problem and I believe it is related to the Kerberos
constrained delegation support added in Java 8, see:

Java Generic Security Services API and Kerberos Enhancements for Java SE 8
<http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html>
JDK-6355584 : introduce constrained Kerberos delegation
<http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6355584>

It seems that by default, the GSS API in Java 8 will attempt constrained
delegation on the acceptor side; see the referenced changes and in particular
the getCredDelegState() method:
http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/a1bbb8805e22

The result of this is that Tomcat's JNDIRealm now finds the delegated
credential delivered with the constrained delegation and switches to the GSSAPI
security mechanism for JNDI/LDAP (this was not the case on Java 7).
However, the Kerberos initiation during LDAP authentication does not find
the Kerberos TGT in the Subject. After digging further, I noticed that the
Subject used during the LDAP authentication is not set. Though the
SpnegoAuthenticator initializes a Subject instance using Kerberos login via
JAAS and this contains the obtained TGT, this Subject instance is not used
for performing the LDAP authentication. I saw the following comment in
JNDIRealm.getPrincipal:

// Note: Subject already set in SPNEGO authenticator so no need for Subject.doAs() here

So I decided to modify this and execute the getPrincipal using
Subject.doAs() and the Subject instance available after the Kerberos login.
This led to successful authentication to LDAP and I was able to access the
Spnego-secured webapp again.

Please note that this setup is not using any file-system Kerberos
credential cache (I have none on the Tomcat server machine), so it seems to
require that the Kerberos TGT is available in the Subject.

I'm wondering if there is any integration test in Tomcat that uses a
similar scenario and Java 8? I would be happy if anyone more experienced in
similar setups can shed some light on this - if you agree that the issue
might be in Tomcat, I will file a defect about it.

I'm attaching a log file with the actual error (please note that I have
modified it a bit in order not to disclose the DNS of our domain
controller).


Thanks in advance for any help,
   Detelin
Sep 26, 2014 12:17:49 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 
1.4.8.
Sep 26, 2014 12:17:49 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], 
random [true].
Sep 26, 2014 12:17:50 AM org.apache.catalina.core.AprLifecycleListener 
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1h 5 Jun 2014)
Sep 26, 2014 12:17:50 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-9090"]
Sep 26, 2014 12:17:50 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-9009"]
Sep 26, 2014 12:17:50 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1445 ms
Sep 26, 2014 12:17:50 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Sep 26, 2014 12:17:50 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.55
Sep 26, 2014 12:17:50 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\docs
Sep 26, 2014 12:17:51 AM org.apache.catalina.authenticator.AuthenticatorBase 
startInternal
FINE: No SingleSignOn Valve is present
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\docs 
has finished in 514 ms
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\examples
Sep 26, 2014 12:17:51 AM org.apache.catalina.authenticator.AuthenticatorBase 
startInternal
FINE: No SingleSignOn Valve is present
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\examples
 has finished in 484 ms
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\host-manager
Sep 26, 2014 12:17:51 AM org.apache.catalina.authenticator.AuthenticatorBase 
startInternal
FINE: No SingleSignOn Valve is present
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\host-manager
 has finished in 78 ms
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\manager
Sep 26, 2014 12:17:51 AM org.apache.catalina.authenticator.AuthenticatorBase 
startInternal
FINE: No SingleSignOn Valve is present
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\manager
 has finished in 109 ms
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\ROOT
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\ROOT 
has finished in 47 ms
Sep 26, 2014 12:17:51 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-9090"]
Sep 26, 2014 12:17:51 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-9009"]
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1397 ms
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase 
invoke
FINE: Security checking request GET /docs/
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[All HTML Files]' against GET 
/index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[All HTML Files]' against GET 
/index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[All HTML Files]' against GET 
/index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase 
invoke
FINE:  Calling hasUserDataPermission()
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase 
hasUserDataPermission
FINE:   User data constraint has no restrictions
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase 
invoke
FINE:  Calling authenticate()
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.SpnegoAuthenticator 
authenticate
FINE: No authorization header sent by client
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase 
invoke
FINE:  Failed authenticate() test
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase 
invoke
FINE: Security checking request GET /docs/
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[All HTML Files]' against GET 
/index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[All HTML Files]' against GET 
/index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[All HTML Files]' against GET 
/index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase 
invoke
FINE:  Calling hasUserDataPermission()
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase 
hasUserDataPermission
FINE:   User data constraint has no restrictions
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase 
invoke
FINE:  Calling authenticate()
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Users/Administrator/Downloads/apache-tomcat-7.0.55-windows-x64/conf/bob.keytab refreshKrb5Config is false principal is b...@example.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): bob
>>> KeyTab: load() entry length: 54; type: 23
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): bob
>>> KeyTab: load() entry length: 62; type: 16
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): bob
>>> KeyTab: load() entry length: 46; type: 1
Looking for keys for: b...@example.com
Java config name: 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\conf\krb5.ini
Loaded from Java config
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
>>> KdcAccessibility: reset
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dc.example.com UDP:88, timeout=30000, number of retries =3, #bytes=140
>>> KDCCommunication: kdc=dc.example.com UDP:88, timeout=30000,Attempt =1, #bytes=140
>>> KrbKdcReq send: #bytes read=189
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove dc.example.com
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Fri Sep 26 00:18:16 CEST 2014 1411683496000
         suSec is 698497
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/example....@example.com
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dc.example.com UDP:88, timeout=30000, number of retries =3, #bytes=223
>>> KDCCommunication: kdc=dc.example.com UDP:88, timeout=30000,Attempt =1, #bytes=223
>>> KrbKdcReq send: #bytes read=1308
>>> KdcAccessibility: remove dc.example.com
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply bob
principal is b...@example.com
Will use keytab
Commit Succeeded

Found KeyTab 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\conf\bob.keytab
 for b...@example.com
Found KeyTab 
C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\conf\bob.keytab
 for b...@example.com
Found ticket for b...@example.com to go to krbtgt/example....@example.com 
expiring on Fri Sep 26 10:18:16 CEST 2014
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
MemoryCache: add 1411683484/001310/72262323B45A6BB57A04A11ECE498474/al...@example.com to al...@example.com|HTTP/ws.example....@example.com
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 369612387
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 478724801
>>> Constrained deleg from GSSCaller{UNKNOWN}
Found ticket for b...@example.com to go to krbtgt/example....@example.com 
expiring on Fri Sep 26 10:18:16 CEST 2014
Sep 26, 2014 12:18:05 AM org.apache.catalina.realm.CombinedRealm authenticate
FINE: Attempting to authenticate user "al...@example.com" with realm 
"org.apache.catalina.realm.JNDIRealm/1.0"
Sep 26, 2014 12:18:05 AM org.apache.catalina.realm.JNDIRealm getPrincipal
SEVERE: Exception performing authentication
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]; remaining name 'CN=Users,DC=example,DC=com'
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:169)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:236)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2696)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2670)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1941)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1446)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1297)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1233)
        at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2049)
        at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:1965)
        at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:513)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:309)
        at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:249)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:255)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:573)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:125)
        ... 34 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
        ... 35 more

Sep 26, 2014 12:18:05 AM org.apache.catalina.realm.CombinedRealm authenticate
FINE: combinedRealm.authFail
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
Sep 26, 2014 12:18:05 AM org.apache.catalina.authenticator.AuthenticatorBase 
invoke
FINE:  Failed authenticate() test
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="9090" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the BIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="9009" protocol="AJP/1.3" redirectPort="8443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- JNDIRealm against Active Directory via the global catalog port
             (3268): users are looked up by sAMAccountName below CN=Users,
             roles are resolved from (nested) group membership under the
             domain root. connectionName/connectionPassword are the
             credentials for the realm's own LDAP bind. -->
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://dc.example.com:3268"
               connectionName="CN=Bob,CN=Users,DC=example,DC=com"
               connectionPassword="password"
               userSearch="(sAMAccountName={0})"
               userBase="CN=Users,DC=example,DC=com"
               userSubtree="true"
               roleSearch="(member={0})"
               roleBase="DC=example,DC=com"
               roleName="cn"
               roleSubtree="true"
               roleNested="true"
        />
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>
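The Subject.doAs() approach the mail describes, as an added stand-alone example (not code from the mail, nor Tomcat's JNDIRealm or SpnegoAuthenticator): a keytab login through JAAS, then a GSSAPI LDAP search run inside Subject.doAs() so the SASL client can find the TGT in the Subject. It assumes a jaas.conf entry named com.sun.security.jgss.krb5.initiate as in the Windows Authentication How-To, krb5.ini supplied via -Djava.security.krb5.conf, and the LDAP URL and user base from the attached server.xml; the class and method names are hypothetical.

```java
// Added example, not from the original mail or from Tomcat. Shows why the LDAP
// GSSAPI bind needs to run inside Subject.doAs(): Krb5InitCredential looks for a
// TGT in the Subject of the calling thread, and without one the bind fails with
// "Failed to find any Kerberos tgt" as in the mail's stack trace.
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class GssapiLdapLookup {

    // Assumed from the attached server.xml (global catalog port and user base).
    private static final String LDAP_URL = "ldap://dc.example.com:3268";
    private static final String USER_BASE = "CN=Users,DC=example,DC=com";

    // Assumed jaas.conf entry: Krb5LoginModule with useKeyTab=true, storeKey=true,
    // doNotPrompt=true, keyTab=conf/bob.keytab, principal=bob@EXAMPLE.COM.
    private static final String JAAS_ENTRY = "com.sun.security.jgss.krb5.initiate";

    /**
     * Looks up a user's DN over a GSSAPI (Kerberos) SASL bind. The search runs as the
     * given Subject so that the SASL GSS client finds the TGT the JAAS login stored.
     * Returns null when no entry matches.
     */
    static String lookupDn(Subject subject, String sAMAccountName) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            // GSSAPI instead of a simple bind: no connectionPassword travels over the wire.
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Require mutual authentication so the client also verifies the LDAP server.
            env.put("javax.security.sasl.server.authentication", "true");
            env.put("javax.security.sasl.qop", "auth");

            DirContext ctx = new InitialDirContext(env); // SASL bind happens here
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"distinguishedName"});
                // Pass the account name as a filter argument ({0}) rather than
                // concatenating it, so JNDI escapes LDAP filter metacharacters.
                NamingEnumeration<SearchResult> results = ctx.search(
                        USER_BASE, "(sAMAccountName={0})", new Object[] {sAMAccountName}, sc);
                try {
                    return results.hasMore() ? results.next().getNameInNamespace() : null;
                } finally {
                    results.close();
                }
            } finally {
                ctx.close();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        String account = args.length > 0 ? args[0] : "alice"; // constructed sample input
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login(); // AS exchange with the KDC using the keytab; TGT lands in the Subject
        try {
            System.out.println(lookupDn(lc.getSubject(), account));
        } finally {
            lc.logout(); // drops the TGT from the Subject, as Tomcat does after each request
        }
    }
}
```

Running the search outside Subject.doAs() (or with an empty Subject) reproduces the mail's GSSException, which is the quickest way to confirm whether a given Tomcat build executes getPrincipal under the SPNEGO login's Subject.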