Rainer Jung wrote:
dracus wrote:
Greetings, all....

I have a web app server that has Apache in front of Tomcat. Apache is handling user authentication and security checking (through an experimental X.509 <-> Kerberos gateway service being developed by others in my group, but that is neither here nor there), and passes the username (as either REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat. To get that to work, we had to include the 'request.tomcatAuthentication="false"' directive in the AJP block of server.xml. Unfortunately, this kills the Tomcat manager, as it will no longer allow us to log into it. We use it extensively to deploy new versions of our web apps, etc. I have tried putting my authenticated username into tomcat-users.xml as a user with the manager role, and it still does not allow me to use the manager, with error "403: Access to the requested resource has been denied". I checked the tomcat-users.xml file, and it has added a password entry (password="null") to my user definition. So what I want to know is, can I get Tomcat to accept the username passed in from Apache without a password (the only connection allowed into Tomcat is AJP), so that I can put the users allowed to access the manager app into tomcat-users.xml, and let Apache do all of the authentication? Any pointers would be greatly appreciated, thanks in advance.

JDK 1.6.0, Tomcat 5.5.23, mod-jk 1.2.21, http 2.2.4, RHEL 5, shibboleth sp 1.3.1
What about using a different connector to use the manager webapp? It wouldn't be too uncommon to let customer traffic in via the AJP connector, and local admin traffic via the/an http connector. Since that one wouldn't have the tomcatAuthentication="false", it should rely on the defined Realm.

Doesn't that work?
I suppose you could also have a second AJP connector using a different port (e.g. 8010 instead of 8009), with request.tomcatAuthentication="true" and with "JkMount /manager ajp13manager" in Apache (and the corresponding worker etc..).

But still, what about changing the manager application's security constraints, to make it depend on a user-id rather than a role? Is that possible?

André
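The two suggestions above (a separate connector for admin traffic, with the customer AJP connector keeping tomcatAuthentication="false") written out as a server.xml fragment. This is an added example, not configuration from the original thread or from Tomcat's shipped server.xml. It assumes the attribute name `tomcatAuthentication`, as documented for the Tomcat 5.5 AJP/1.3 connector, and the stock `UserDatabase` JNDI resource that the default server.xml declares under GlobalNamingResources; the port numbers, bind addresses and worker name `ajp13manager` are illustrative.

```xml
<!-- server.xml fragment (Tomcat 5.5): customer and admin traffic on separate connectors.
     Assumes the default GlobalNamingResources "UserDatabase" resource is present. -->
<Service name="Catalina">

  <!-- Connector 1: customer traffic from Apache/mod_jk (Shibboleth in front).
       tomcatAuthentication="false" makes Tomcat trust the REMOTE_USER that
       Apache forwards over AJP and skip the Realm entirely. Anything that can
       open a TCP connection to this port can therefore claim to be any user,
       so bind it to an address only the Apache host can reach and firewall it. -->
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1"
             tomcatAuthentication="false"
             enableLookups="false" redirectPort="8443" />

  <!-- Connector 2: admin traffic only (manager, host-manager), per André's suggestion.
       tomcatAuthentication="true" (the default) ignores any forwarded REMOTE_USER,
       so the manager's BASIC auth is checked against the Realm below and the
       users/roles in tomcat-users.xml work again, passwords included. -->
  <Connector port="8010" protocol="AJP/1.3"
             address="127.0.0.1"
             tomcatAuthentication="true"
             enableLookups="false" redirectPort="8443" />

  <!-- Alternative to Connector 2, per Rainer's suggestion: a plain HTTP connector
       bound to loopback for local admin use (e.g. over an ssh tunnel). It has no
       tomcatAuthentication setting, so it also relies on the Realm. -->
  <Connector port="8080" protocol="HTTP/1.1"
             address="127.0.0.1"
             maxThreads="20" connectionTimeout="20000" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- Realm backing the manager's BASIC auth on the admin connectors;
         only users holding the "manager" role in tomcat-users.xml get in. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

On the Apache side the second AJP connector needs its own mod_jk worker, e.g. `worker.list=ajp13,ajp13manager`, `worker.ajp13manager.type=ajp13`, `worker.ajp13manager.host=127.0.0.1`, `worker.ajp13manager.port=8010` in workers.properties, and `JkMount /manager/* ajp13manager` alongside the existing customer mount in httpd.conf. Since Apache is no longer the thing deciding who may use the manager, it is worth wrapping that path in a `<Location /manager>` block that denies everything except the admin hosts (Apache 2.2: `Order deny,allow`, `Deny from all`, `Allow from 127.0.0.1`), so the BASIC login prompt is never exposed to customer networks. The key property of the split is that the connector which trusts REMOTE_USER is only ever spoken to by the Apache instance that actually authenticated the user, while the manager's credentials are still verified by Tomcat itself.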
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]