Hello everyone,

I'm successfully using Tomcat 7.0.55 configured with Spnego authentication against Active Directory running on Windows 2008 Server and Java 1.7.0.51. However, after switching to Java 1.8.0_20, authentication does not work anymore; Tomcat logs the following error message:

SEVERE: Exception performing authentication
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]; remaining name 'CN=Users,DC=example,DC=com'
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:169)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:236)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2696)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2670)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1941)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1446)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1297)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1233)
    at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2049)
    at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:1965)
    at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:513)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:309)
    at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:249)
    at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:255)

Tomcat is configured according to the "Windows Authentication How-To" document; I'm attaching the krb5.ini, jaas.conf and server.xml that contains the JNDIRealm definition.

I have investigated the problem and I believe it is related to the Kerberos constrained delegation support added in Java 8, see:

Java Generic Security Services API and Kerberos Enhancements for Java SE 8
<http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html>

JDK-6355584: introduce constrained Kerberos delegation
<http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6355584>

It seems that by default, the GSS API in Java 8 will attempt constrained delegation on the acceptor side, see the referenced changes and in particular the getCredDelegState() method:
http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/a1bbb8805e22

The result of this is that Tomcat's JNDIRealm now finds the delegated credential delivered with the constrained delegation and switches to the GSSAPI security mechanism for JNDI/LDAP (this was not the case on Java 7). However, the Kerberos initiation during LDAP authentication does not find the Kerberos TGT in the Subject.

After digging further, I noticed that the Subject used during the LDAP authentication is not set. Though the SpnegoAuthenticator initializes a Subject instance using Kerberos login via JAAS and this contains the obtained TGT, this Subject instance is not used for performing the LDAP authentication. I saw the following comment in JNDIRealm.getPrincipal:

    // Note: Subject already set in SPNEGO authenticator so no need for Subject.doAs() here

So I decided to modify this and execute getPrincipal using Subject.doAs() and the Subject instance available after the Kerberos login. This led to successful authentication to LDAP and I was able to access the Spnego-secured webapp again.

Please note that this setup is not using any file-system Kerberos credential cache (I have none on the Tomcat server machine), so it seems to require that the Kerberos TGT is available in the Subject.

I'm wondering if there is any integration test in Tomcat that uses a similar scenario and Java 8?

I would be happy if anyone more experienced in similar setups can shed some light on this; if you agree that the issue might be in Tomcat, I will file a defect about it.

I'm attaching a log file with the actual error (please note that I have modified it a bit in order not to disclose the DNS name of our domain controller).

Thanks in advance for any help,
Detelin
Attachment (log file):

Sep 26, 2014 12:17:49 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.4.8.
Sep 26, 2014 12:17:49 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Sep 26, 2014 12:17:50 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1h 5 Jun 2014)
Sep 26, 2014 12:17:50 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-9090"]
Sep 26, 2014 12:17:50 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-9009"]
Sep 26, 2014 12:17:50 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1445 ms
Sep 26, 2014 12:17:50 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Sep 26, 2014 12:17:50 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.55
Sep 26, 2014 12:17:50 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\docs
Sep 26, 2014 12:17:51 AM org.apache.catalina.authenticator.AuthenticatorBase startInternal
FINE: No SingleSignOn Valve is present
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\docs has finished in 514 ms
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\examples
Sep 26, 2014 12:17:51 AM org.apache.catalina.authenticator.AuthenticatorBase startInternal
FINE: No SingleSignOn Valve is present
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\examples has finished in 484 ms
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\host-manager
Sep 26, 2014 12:17:51 AM org.apache.catalina.authenticator.AuthenticatorBase startInternal
FINE: No SingleSignOn Valve is present
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\host-manager has finished in 78 ms
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\manager
Sep 26, 2014 12:17:51 AM org.apache.catalina.authenticator.AuthenticatorBase startInternal
FINE: No SingleSignOn Valve is present
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\manager has finished in 109 ms
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\ROOT
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\webapps\ROOT has finished in 47 ms
Sep 26, 2014 12:17:51 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-9090"]
Sep 26, 2014 12:17:51 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-9009"]
Sep 26, 2014 12:17:51 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1397 ms
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /docs/
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[All HTML Files]' against GET /index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[All HTML Files]' against GET /index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[All HTML Files]' against GET /index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint has no restrictions
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
FINE: No authorization header sent by client
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /docs/
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[All HTML Files]' against GET /index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[All HTML Files]' against GET /index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[All HTML Files]' against GET /index.html --> true
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
Sep 26, 2014 12:18:04 AM org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint has no restrictions
Sep 26, 2014 12:18:04 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Users/Administrator/Downloads/apache-tomcat-7.0.55-windows-x64/conf/bob.keytab refreshKrb5Config is false principal is b...@example.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): bob
>>> KeyTab: load() entry length: 54; type: 23
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): bob
>>> KeyTab: load() entry length: 62; type: 16
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): bob
>>> KeyTab: load() entry length: 46; type: 1
Looking for keys for: b...@example.com
Java config name: C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\conf\krb5.ini
Loaded from Java config
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
>>> KdcAccessibility: reset
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dc.example.com UDP:88, timeout=30000, number of retries =3, #bytes=140
>>> KDCCommunication: kdc=dc.example.com UDP:88, timeout=30000,Attempt =1, #bytes=140
>>> KrbKdcReq send: #bytes read=189
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

>>> KdcAccessibility: remove dc.example.com
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Fri Sep 26 00:18:16 CEST 2014 1411683496000
     suSec is 698497
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/example....@example.com
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dc.example.com UDP:88, timeout=30000, number of retries =3, #bytes=223
>>> KDCCommunication: kdc=dc.example.com UDP:88, timeout=30000,Attempt =1, #bytes=223
>>> KrbKdcReq send: #bytes read=1308
>>> KdcAccessibility: remove dc.example.com
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply bob
principal is b...@example.com
Will use keytab
Commit Succeeded

Found KeyTab C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\conf\bob.keytab for b...@example.com
Found KeyTab C:\Users\Administrator\Downloads\apache-tomcat-7.0.55-windows-x64\conf\bob.keytab for b...@example.com
Found ticket for b...@example.com to go to krbtgt/example....@example.com expiring on Fri Sep 26 10:18:16 CEST 2014
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: b...@example.com
Found unsupported keytype (1) for b...@example.com
Added key: 16version: 0
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
MemoryCache: add 1411683484/001310/72262323B45A6BB57A04A11ECE498474/al...@example.com to al...@example.com|HTTP/ws.example....@example.com
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 369612387
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 478724801
>>> Constrained deleg from GSSCaller{UNKNOWN}
Found ticket for b...@example.com to go to krbtgt/example....@example.com expiring on Fri Sep 26 10:18:16 CEST 2014
Sep 26, 2014 12:18:05 AM org.apache.catalina.realm.CombinedRealm authenticate
FINE: Attempting to authenticate user "al...@example.com" with realm "org.apache.catalina.realm.JNDIRealm/1.0"
Sep 26, 2014 12:18:05 AM org.apache.catalina.realm.JNDIRealm getPrincipal
SEVERE: Exception performing authentication
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]; remaining name 'CN=Users,DC=example,DC=com'
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:169)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:236)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2696)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2670)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1941)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1446)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1297)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1233)
    at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2049)
    at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:1965)
    at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:513)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:309)
    at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:249)
    at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:255)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:573)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:125)
    ... 34 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
    ... 35 more
Sep 26, 2014 12:18:05 AM org.apache.catalina.realm.CombinedRealm authenticate
FINE: combinedRealm.authFail
        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject
Sep 26, 2014 12:18:05 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test
Attachment (server.xml):

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="9090" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the BIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="9009" protocol="AJP/1.3" redirectPort="8443" />

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://dc.example.com:3268"
               connectionName="CN=Bob,CN=Users,DC=example,DC=com"
               connectionPassword="password"
               userSearch="(sAMAccountName={0})"
               userBase="CN=Users,DC=example,DC=com"
               userSubtree="true"
               roleSearch="(member={0})"
               roleBase="DC=example,DC=com"
               roleName="cn"
               roleSubtree="true"
               roleNested="true" />
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>
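As an added illustration of the Subject.doAs() change described in the post (my own sketch, not the poster's patch and not Tomcat's JNDIRealm code): a JAAS Kerberos login followed by the same GSSAPI LDAP lookup, run once without and once inside Subject.doAs(). It assumes the jaas.conf entry name com.sun.security.jgss.krb5.accept from the Windows Authentication How-To, the LDAP URL and user base from the attached server.xml, and that java.security.krb5.conf and java.security.auth.login.config point at krb5.ini and jaas.conf; the user name is a constructed value.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class SubjectScopedLdapSearch {

    // Assumed: the jaas.conf entry the SpnegoAuthenticator logs in with (How-To default).
    private static final String JAAS_ENTRY = "com.sun.security.jgss.krb5.accept";
    // Taken from the attached server.xml.
    private static final String LDAP_URL = "ldap://dc.example.com:3268";
    private static final String USER_BASE = "CN=Users,DC=example,DC=com";
    private static final String USER_FILTER = "(sAMAccountName={0})";

    /** Krb5LoginModule login from the keytab; the returned Subject carries the TGT. */
    static Subject kerberosLogin() throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /** The environment JNDIRealm ends up with once it sees a delegated credential: a GSSAPI bind. */
    static Hashtable<String, Object> gssapiEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        return env;
    }

    /**
     * Resolves the user's DN over a GSSAPI bind. JGSS takes the initiator credential from the
     * Subject bound to the calling thread's access-control context; with no Subject (and no
     * ticket cache, as in the post) this fails on Java 8 with "Failed to find any Kerberos tgt".
     */
    static String findUserDn(String username) throws NamingException {
        DirContext ctx = new InitialDirContext(gssapiEnv());
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // DN only
            NamingEnumeration<SearchResult> hits =
                    ctx.search(USER_BASE, USER_FILTER, new Object[] { username }, sc);
            try {
                return hits.hasMore() ? hits.next().getNameInNamespace() : null;
            } finally {
                hits.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** The change the post describes: run the lookup as the logged-in Subject. */
    static String findUserDnAs(Subject subject, String username) throws Exception {
        try {
            return Subject.doAs(subject,
                    (PrivilegedExceptionAction<String>) () -> findUserDn(username));
        } catch (PrivilegedActionException e) {
            throw e.getException(); // unwrap the NamingException raised inside doAs
        }
    }

    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "alice"; // constructed sample user
        Subject subject = kerberosLogin();
        try {
            System.out.println("without doAs: " + findUserDn(user));
        } catch (NamingException e) {
            System.out.println("without doAs: " + e.getMessage());
        }
        System.out.println("inside doAs:  " + findUserDnAs(subject, user));
    }
}
```

Running it with -Dsun.security.krb5.debug=true produces the same JGSS trace as the attached log, which makes it easy to compare the two code paths.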
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org