dracus wrote:
Greetings, all....


I have a web app server that has Apache in front of Tomcat.  Apache is
handling user authentication and security checking (through an experimental
X.509 <-> Kerberos gateway service being developed by others in my group,
but that is neither here nor there), and passes the username (as either
REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat.  To get that to work, we
had to include the 'request.tomcatAuthentication="false"' directive in the
AJP block of server.xml.  Unfortunately, this kills the Tomcat manager, as
it will no longer allow us to log into it.  We use it extensively to deploy
new versions of our web apps, etc.  I have tried putting my authenticated
username into tomcat-users.xml as a user with the manager role, and it still
does not allow me to use the manager, with error "403: Access to the
requested resource has been denied".  I check the tomcat-users.xml file, and
it has added a password entry (password="null") to my user define.  So what
I want to know is, can I get tomcat to accept the username passed in from
Apache without a password (the only connection allowed into Tomcat is AJP)
so that I can put the users allowed to access the manager app into
tomcat-users.xml, and let Apache do all of the authentication?  Any pointers
would be greatly appreciated, thanks in advance.

JDK 1.6.0
Tomcat 5.5.23
mod-jk 1.2.21
http 2.2.4
RHEL 5
shibboleth sp 1.3.1

Just to add that I am also interested in the question above, or more generally to learn if there exists a way to pass, from Apache through mod_jk to Tomcat, some form of "Tomcat role" for a user already authenticated by Apache.

On the other hand, might it not be possible to modify the <auth-constraint> section of the web.xml of the manager application, so that instead of requiring a "role = manager", it would instead require a specific authenticated user (which could then be the one passed from Apache)?


André

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
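
Added example, not part of the original messages and not Tomcat's own code: in the servlet specification an <auth-constraint> can only list <role-name> elements, so a check on a specific user name has to live in application code, for instance a servlet filter mapped in the web application's web.xml. The class name and the "allowedUsers" init-param are hypothetical, and the sketch assumes getRemoteUser() returns the name Apache forwarded over AJP.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class: not part of Tomcat or of the manager application.
public class RemoteUserAllowlistFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        // "allowedUsers" is an assumed init-param: comma-separated user names.
        String list = cfg.getInitParameter("allowedUsers");
        if (list != null) {
            for (String name : list.split(",")) {
                String trimmed = name.trim();
                if (trimmed.length() > 0) {
                    allowed.add(trimmed);
                }
            }
        }
        // Fail closed: an empty or missing list must not leave the app open.
        if (allowed.isEmpty()) {
            throw new ServletException("allowedUsers is empty; refusing to start");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Assumption: this is the user name the front-end web server passed in.
        String user = ((HttpServletRequest) req).getRemoteUser();
        // Exact, case-sensitive match; unauthenticated requests are rejected too.
        if (user == null || !allowed.contains(user)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        allowed.clear();
    }
}
```

The filter takes the forwarded user name on trust, so it is only as strong as the guarantee stated in the first message that AJP from Apache is the only connection allowed into Tomcat.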
