Greetings, all....
I have a web app server that has Apache in front of Tomcat. Apache is handling user authentication and security checking (through an experimental X.509 <-> Kerberos gateway service being developed by others in my group, but that is neither here nor there), and passes the username (as either REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat. To get that to work, we had to include the 'request.tomcatAuthentication="false"' directive in the AJP block of server.xml.

Unfortunately, this kills the Tomcat manager, as it will no longer allow us to log into it. We use it extensively to deploy new versions of our web apps, etc. I have tried putting my authenticated username into tomcat-users.xml as a user with the manager role, and it still does not allow me to use the manager, with error "403: Access to the requested resource has been denied". I checked the tomcat-users.xml file, and it has added a password entry (password="null") to my user definition.

So what I want to know is, can I get Tomcat to accept the username passed in from Apache without a password (the only connection allowed into Tomcat is AJP) so that I can put the users allowed to access the manager app into tomcat-users.xml, and let Apache do all of the authentication?

Any pointers would be greatly appreciated, thanks in advance.

JDK 1.6.0
Tomcat 5.5.23
mod-jk 1.2.21
http 2.2.4
RHEL 5
shibboleth sp 1.3.1

--
View this message in context: http://www.nabble.com/Disable-password-checking-for-Manager-app-tp18537331p18537331.html
Sent from the Tomcat - User mailing list archive at Nabble.com.