Posted to users@tomcat.apache.org by "Mead, Jen L" <Me...@con-way.com> on 2012/09/19 23:31:37 UTC

very basic question about apache and tomcat

Hi Everybody,

Now I will show my real ignorance about what I know after NOT working with Apache or Tomcat for several years now.  I have been working on a project that allows our CGI web pages to authenticate users from their windows desktop against Windows AD and not requiring any kind of unix account.  I am slowly getting the information I need to move forward but information is just not out there to get.  I am just chipping away at it.

My basic question is: do I need to install apache as well as tomcat to have an httpd.conf file?  I have tomcat running on several AIX servers, 6.1 and 5.3, with tomcat 7.0.27 installed.  I was doing a simple search to find the httpd.conf file when I realized none of my servers have it installed.  When I try to find out which app creates it I get the answer apache (from google searches).  So I guess that tomcat is a subset of apache?  A virtual java app I suppose?  See I told you the questions were basic.  Yikes it is hard to understand as a newbie, especially when I can load tomcat and get web pages working in a few minutes.  LOL

Any help is appreciated in regard to helping me wrap my brain around this.  ARGH

Regards,
Jen

Jen L Mead | Sys Admin | ICC Operations | Con-way | Office 503-450-8641
SAFETY| LEADERSHIP | INTEGRITY | COMMITMENT | EXCELLENCE | Driven by Integrity



Re: very basic question about apache and tomcat

Posted by Thomas Rohde <tr...@ordix.de>.
Am 19.09.2012 23:31, schrieb Mead, Jen L:
> Hi Everybody,
>
> Now I will show my real ignorance about what I know after NOT working with Apache or Tomcat for several years now.  I have been working on a project that allows our CGI web pages to authenticate users from their windows desktop against Windows AD and not requiring any kind of unix account.  I am slowly getting the information I need to move forward but information is just not out there to get.  I am just chipping away at it.
>
> My basic question is: do I need to install apache as well as tomcat to have an httpd.conf file?  I have tomcat running on several AIX servers, 6.1 and 5.3, with tomcat 7.0.27 installed.  I was doing a simple search to find the httpd.conf file when I realized none of my servers have it installed.  When I try to find out which app creates it I get the answer apache (from google searches).  So I guess that tomcat is a subset of apache?  A virtual java app I suppose?  See I told you the questions were basic.  Yikes it is hard to understand as a newbie, especially when I can load tomcat and get web pages working in a few minutes.  LOL
>
> Any help is appreciated in regard to helping me wrap my brain around this.  ARGH
>
> Regards,
> Jen
>
> Jen L Mead | Sys Admin | ICC Operations | Con-way | Office 503-450-8641
> SAFETY| LEADERSHIP | INTEGRITY | COMMITMENT | EXCELLENCE | Driven by Integrity
>
>
>

Hi Jen,

basic answer:

Apache HTTPD and Apache Tomcat have generally nothing in common. They 
are totally different.

The httpd.conf is the main configuration file for the Apache HTTPD 
Webserver. It comes with the installation of an Apache HTTPD Webserver 
and is located in <apache_home>/conf/httpd.conf. Tomcat neither 
generates nor reads this file.

Bye
Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Re: very basic question about apache and tomcat

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 9/20/2012 4:24 PM, Mark Thomas wrote:
> "Terence M. Bandoian" <te...@tmbsw.com> wrote:
>
>> On 9/19/2012 6:38 PM, Jeff wrote:
>>> I have a related question since we recently implemented authentication to
>>> AD via LDAP in our Tomcat WebApp but it currently prompts the user for
>>> every new session, even if they are hitting the site from their windows
>>> workstation that is already authenticated to the domain.
>>>
>>> Is there a way to do it that detects the user's current AD session and
>>> eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
>>> independent?  If so, it would be great!
>> You might try Waffle.
> Waffle is a Windows native solution. The OP wants Tomcat running on AIX. Waffle is not going to work. If moving Tomcat to Windows was an option, then Waffle would be a possibility (and that is made clear in Tomcat's docs - as are a number of other options).
>
> Mark
>

Hi, Mark-

You're right.  I should have prefaced that with "If you're running on 
Windows".  However, a second person (see above) asked basically the same 
question as the OP and I'm not sure what platform they're on.  The 
built-in Java implementation sounds great if Tomcat 7 is being used.

-Terence Bandoian



Re: very basic question about apache and tomcat

Posted by Mark Thomas <ma...@apache.org>.

"Terence M. Bandoian" <te...@tmbsw.com> wrote:

>On 9/19/2012 6:38 PM, Jeff wrote:
>> I have a related question since we recently implemented authentication to
>> AD via LDAP in our Tomcat WebApp but it currently prompts the user for
>> every new session, even if they are hitting the site from their windows
>> workstation that is already authenticated to the domain.
>>
>> Is there a way to do it that detects the user's current AD session and
>> eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
>> independent?  If so, it would be great!
>
>You might try Waffle.

Waffle is a Windows native solution. The OP wants Tomcat running on AIX. Waffle is not going to work. If moving Tomcat to Windows was an option, then Waffle would be a possibility (and that is made clear in Tomcat's docs - as are a number of other options).

Mark



Re: very basic question about apache and tomcat

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 9/19/2012 6:38 PM, Jeff wrote:
> I have a related question since we recently implemented authentication to
> AD via LDAP in our Tomcat WebApp but it currently prompts the user for
> every new session, even if they are hitting the site from their windows
> workstation that is already authenticated to the domain.
>
> Is there a way to do it that detects the user's current AD session and
> eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
> independent?  If so, it would be great!

You might try Waffle.

-Terence Bandoian



Re: very basic question about apache and tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jeff,

On 9/19/12 7:38 PM, Jeff wrote:
> I have a related question since we recently implemented
> authentication to AD via LDAP in our Tomcat WebApp but it currently
> prompts the user for every new session, even if they are hitting
> the site from their windows workstation that is already
> authenticated to the domain.
> 
> Is there a way to do it that detects the user's current AD session
> and eliminates the need to prompt them, preferably browser
> (Chrome/FF/IE) independent?  If so, it would be great!

I believe this is possible, but you need your browser to be complicit
by sending your Kerberos token(s). I have no idea how to do that, but
I believe others on the list (André? Warnier) have done such things.

-chris


Re: very basic question about apache and tomcat

Posted by Jeff <pr...@gmail.com>.
I have a related question since we recently implemented authentication to
AD via LDAP in our Tomcat WebApp but it currently prompts the user for
every new session, even if they are hitting the site from their windows
workstation that is already authenticated to the domain.

Is there a way to do it that detects the user's current AD session and
eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
independent?  If so, it would be great!

On Wed, Sep 19, 2012 at 5:06 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Jen,
>
> On 9/19/12 5:52 PM, Mead, Jen L wrote:
> > That was very insightful.  All the documentation that I am looking
> > into specifies apache as the application.  Maybe, just maybe the
> > server.xml file will contain what I need to move forward.  The lack
> > of documentation for what I am trying to do is frustrating.  I am
> > not even sure I can do it without loading apache with or instead of
> > tomcat.  Thanks for the info.
>
> Can you describe what you need to accomplish without specifically
> referring to Apache httpd or Apache Tomcat?
>
> Something like:
>
> "We have a Java web application that needs to authenticate against
> Microsoft AD server, and there are no other moving parts required
> unless we need them to support this configuration."
>
> The reason that I ask is that Tomcat (with some special support
> libraries and configuration) can authenticate directly against
> Microsoft AD and Apache httpd isn't necessary at all. If you /require/
> Apache httpd to perform the authentication, then we can tell you how
> to do that, too.
>
> -chris


-- 
Jeff Vincent
predatorvi@gmail.com
See my LinkedIn profile at:
http://www.linkedin.com/in/rjeffreyvincent
I ♥ DropBox <http://db.tt/9O6LfBX> !!

Re: very basic question about apache and tomcat

Posted by André Warnier <aw...@ice-sa.com>.
Mead, Jen L wrote:
> Yes, I did not find that useful.  It is very vague to say the least.  If I am missing something please let me know.  I want to use Built-in Tomcat support.
> 

Simplify your life and have a look at Jespa (www.ioplex.com).  It is free for testing, and 
not expensive for production.  Download the Operator's Guide and read it.

It works all in Tomcat and doesn't require any other pieces than itself (*) - and a 
Windows domain environment of course.

There are several other ways, but I am not familiar with them.

Any type of web-based "Windows Integrated Authentication" (to give it one of its many 
names) requires that the browser supports it. I can confirm that it works with IE and with 
Firefox.  I do not know about the others.


(*) Sorry, ooops, it does require a jar from Samba (jcifs.jar). The Operator Manual tells 
you that, and where to get it from.


> Jen
> 
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org] 
> Sent: Thursday, September 20, 2012 9:20 AM
> To: Tomcat Users List
> Subject: RE: very basic question about apache and tomcat
> 
> "Mead, Jen L" <Me...@con-way.com> wrote:
> 
>> Hi Chris,
>>
>> I met you at a PERL conference years and years ago along with a bunch 
>> of other people you met.  Anyways.  Exactly what I am trying to do is 
>> allow folks to use their web browser (I would like to stick with tomcat
>> 7.0.27 on aix 6.1) from their windows workstation and authenticate 
>> against the windows domain.  I am hoping this can be accomplished 
>> without creating unix accounts.  The permissions for it, page access or 
>> run the tool would reside in the tomcat configuration side, but all 
>> authentification would be from the windows side.  If you can tell me 
>> how to do that I would be pretty happy.  I cannot find documentation on 
>> how to do it
> 
> Did you find this?
> 
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
> 
> I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work.
> 
> I'll add looking at this to my to do list but it is a long list...
> 
> Mark
> 


Re: question about krb5.conf file

Posted by André Warnier <aw...@ice-sa.com>.
Hi.

Mead, Jen L wrote:
> Hi,
> 
> I am trying to get my AIX box configured to use Windows Authentication from the tomcat server (web browser).   I have been relying on the example that is at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance.  Here is my question.  The example is using all windows and not unix, so I am not 100% sure on my syntax AND I have two domains I am working with.  One for the tomcat server and one for the windows domain controller.  The example shows them all on the same domain and I have tried a few different configurations and they haven't worked.  So I am hoping to get an answer here.
> 

I am not sure, but I believe, that the SPNEGO authentication which is included in Tomcat 
right now presupposes that the Tomcat host itself is a Windows machine, and member of the 
Windows domain in which you want the authentication to take place (or probably at least a 
trusted domain).

If that were the case, then you may be better off having a look at the other alternatives 
indicated in that documentation page, or at Jespa (www.ioplex.com) which is a commercial 
(but affordable) solution which works with whatever OS Tomcat is running under.

I can't figure out from the Waffle website if Waffle works on other than on Windows Tomcat 
hosts either.



Re: question about krb5.conf file

Posted by Pid <pi...@pidster.com>.
On 18/10/2012 21:15, Mead, Jen L wrote:
> Hi,
> 
> I am trying to get my AIX box configured to use Windows Authentication from the tomcat server (web browser).   I have been relying on the example that is at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance.  Here is my question.  The example is using all windows and not unix, so I am not 100% sure on my syntax AND I have two domains I am working with.  One for the tomcat server and one for the windows domain controller.  The example shows them all on the same domain and I have tried a few different configurations and they haven't worked.  So I am hoping to get an answer here.


New topic; new thread please.  Don't just edit your previous one.


p

> This is my info:
> 
> AIX 6100-04-11-1140
> apache-tomcat-7.0.27
> tomcat server domain: CON-WAY.COM
> windows AD domain: CONWAY.PROD.CON-WAY.COM
> 
> Here is what I currently have in the krb5.conf file (it has changed many times LOL):
> [libdefaults]
> default_realm = CONWAY.PROD.CON-WAY.COM
> default_keytab_name = FILE:/opt/apache-tomcat-7.0.27/conf/tomcat.keytab
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> forwardable=true
> 
> [realms]
> CONWAY.PROD.CON-WAY.COM = {
>         kdc = ciits003.conway.prod.con-way.com:88
> }
> 
> [domain_realm]
> con-way.com = CONWAY.PROD.CON-WAY.COM
> .con-way.com = CONWAY.PROD.CON-WAY.COM
> 
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> default = FILE:/var/krb5/log/krb5lib.log
> 
> Anyone see any blaring errors?  I am not sure I need to put the word FILE in front of all file locations, but it was in the Windows example....
> Jen
> 
> 
> 


-- 

[key:62590808]


question about krb5.conf file

Posted by "Mead, Jen L" <Me...@con-way.com>.
Hi,

I am trying to get my AIX box configured to use Windows Authentication from the tomcat server (web browser).   I have been relying on the example that is at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance.  Here is my question.  The example is using all windows and not unix, so I am not 100% sure on my syntax AND I have two domains I am working with.  One for the tomcat server and one for the windows domain controller.  The example shows them all on the same domain and I have tried a few different configurations and they haven't worked.  So I am hoping to get an answer here.

This is my info:

AIX 6100-04-11-1140
apache-tomcat-7.0.27
tomcat server domain: CON-WAY.COM
windows AD domain: CONWAY.PROD.CON-WAY.COM

Here is what I currently have in the krb5.conf file (it has changed many times LOL):
[libdefaults]
default_realm = CONWAY.PROD.CON-WAY.COM
default_keytab_name = FILE:/opt/apache-tomcat-7.0.27/conf/tomcat.keytab
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
forwardable=true

[realms]
CONWAY.PROD.CON-WAY.COM = {
        kdc = ciits003.conway.prod.con-way.com:88
}

[domain_realm]
con-way.com = CONWAY.PROD.CON-WAY.COM
.con-way.com = CONWAY.PROD.CON-WAY.COM

[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log

Anyone see any blaring errors?  I am not sure I need to put the word FILE in front of all file locations, but it was in the Windows example....
Jen
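
Added example, not part of the thread and not Tomcat project code: a small Python check that parses the krb5.conf posted above and flags what a reviewer would question first. Both enctype lists allow only single-DES, which RFC 6649 deprecates and which Windows Server 2008 R2 and later disable by default. The AES replacement is a constructed assumption (it presumes the AD service account and keytab carry AES keys), and the function names are hypothetical.

```python
import re

# The krb5.conf from the post above ([logging] omitted; it is not checked here).
POSTED_KRB5_CONF = """\
[libdefaults]
default_realm = CONWAY.PROD.CON-WAY.COM
default_keytab_name = FILE:/opt/apache-tomcat-7.0.27/conf/tomcat.keytab
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
forwardable=true

[realms]
CONWAY.PROD.CON-WAY.COM = {
        kdc = ciits003.conway.prod.con-way.com:88
}

[domain_realm]
con-way.com = CONWAY.PROD.CON-WAY.COM
.con-way.com = CONWAY.PROD.CON-WAY.COM
"""

# Single-DES encryption types, deprecated by RFC 6649.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'name = { ... }' block becomes a nested dict."""
    conf, section, block = {}, None, None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is None or "=" not in line:
            raise ValueError(f"line {number}: cannot parse {line!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = section if block is None else block
                target.setdefault(key, []).append(value)
    return conf


def audit_krb5_conf(conf):
    """Return a list of human-readable findings for a parsed krb5.conf."""
    findings = []
    lib = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    # default_realm must be defined in [realms], and every realm needs a KDC.
    default_realm = (lib.get("default_realm") or [None])[0]
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no entry in [realms]")
    for name, settings in realms.items():
        if not isinstance(settings, dict) or not settings.get("kdc"):
            findings.append(f"realm {name} lists no kdc")

    # Enctype lists may be separated by spaces or commas.
    for key in ENCTYPE_KEYS:
        for value in lib.get(key, []):
            enctypes = [e for e in re.split(r"[,\s]+", value) if e]
            weak = [e for e in enctypes if e.lower() in SINGLE_DES]
            if weak and len(weak) == len(enctypes):
                findings.append(f"{key} allows only single-DES ({' '.join(weak)})")
            elif weak:
                findings.append(f"{key} still includes single-DES ({' '.join(weak)})")

    # Every DNS suffix in [domain_realm] must map to a realm that is defined.
    for suffix, mapped in conf.get("domain_realm", {}).items():
        realm = mapped[0] if isinstance(mapped, list) else None
        if realm not in realms:
            findings.append(f"[domain_realm] {suffix} maps to undefined realm {realm!r}")
    return findings


def with_aes_enctypes(text):
    """Constructed 'after' variant: swap the DES lists for AES (assumption, see lead-in)."""
    return text.replace("des-cbc-md5 des-cbc-crc",
                        "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")


if __name__ == "__main__":
    for label, text in (("posted", POSTED_KRB5_CONF),
                        ("AES variant", with_aes_enctypes(POSTED_KRB5_CONF))):
        print(label, audit_krb5_conf(parse_krb5_conf(text)) or "no findings")
```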


RE: very basic question about apache and tomcat

Posted by "Mead, Jen L" <Me...@con-way.com>.
Hey I wanted to thank everyone for their suggestions and input.  I just got my keytab file from the windows administrators yesterday and am ready to fiddle with tomcat and Kerberos on the unix side to start testing.  I like what Mark wrote below about using VMs to set things up, learn the environment and then tweak for AIX.  However, I don't have that option, I have one AIX box and that is it to test with.  I got a lot of great suggestions and think I can wrap my mind around it, yesterday I compiled a full version of Kerberos on my AIX server so I could test out kinit and make sure communication is flowing before I start setting up the tomcat server.  I think that most people are going to be coming in on Windows Explorer so I will set that up as well as Firefox.  I feel 50/50 about getting it running but certainly more ready than I was before I got responses from this group.  Thanks again,
Jen

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Thursday, September 20, 2012 3:05 PM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat



"Mead, Jen L" <Me...@con-way.com> wrote:

>Thanks.  I am in the process of testing.  The earlier answer from Chris 
>suggested that I might need some additional modules / libraries.  I am 
>following it step by step and I do see the unix part.
>
>I have sent my windows domain people a request to create a Kerberos key 
>and an account I can test with.  However, they provided one on a box I 
>did not have root on and it was way too frustrating trying to get unix 
>admin in India to understand what to do.  I now have a sandbox 
>environment with root and am trying different things, it has not worked 
>so far.

Setting up this for the first time is rather like setting up SSL CLIENT-AUTH for the first time. There are lots of moving parts and if you get just one thing wrong the whole lot fails. The error messages may not be too helpful when this happens. Posting the full error message, associated stack trace and exactly what you did to get to that point will help us to help you. Without those specifics, there is little the folks here can do to help and so far you have not provided any details apart from "it has not worked".

You will find this a whole lot easier if you can start from a known working configuration and take little steps towards the configuration you want. There are so many things that can go wrong that going directly to the configuration you want is going to be very high risk.

I'd strongly recommend that you follow something like the following approach:
Part one
1. Create three local Windows VMs (domain controller, server, client) and do a clean install of the OS.
2. Snapshot the VMs.
3. Configure them as per the Tomcat docs so Windows auth works. The Tomcat docs should take you through this step by step (although they do not try and are not intended to teach Windows administration).
4. Make notes as you go so you can repeat this. If you spot any errors or omissions in the Tomcat docs, report them.
5. Snapshot the working configuration.
6. Revert to the clean VMs and make sure you can repeat the configuration.

Part two
Repeat part one but in your dev environment but use the domain controller from the dev environment rather than your VM (so you only have two VMs). You'll need co-operation from the domain admins but since you'll have your notes from part one you'll be able to tell them exactly what to do (which unfortunately it sounds like they need).

Part three
Repeat part one but with all machines in the dev environment rather than VMs.

Part 4
Repeat part one but with Tomcat on an AIX machine. By this point, you should be familiar enough with the process that any problems will be because of running on AIX. Again, report any issues here and we'll do what we can to help. My best guess at this point is that it will either just work or you'll need to install samba, add the machine to the domain and do some additional (currently unknown) configuration. I'm leaning towards the just work option since I can't see why the Tomcat server needs to be part of the domain if it has its own service account. On the other hand, I'm not that familiar with the details of the Kerberos protocol and it is a while since I looked at all of this so I could easily be wrong.

Part 5
Repeat part 4 on your live environment.

Thinking about this, you might want to move Tomcat to AIX as part 2 since at that point (assuming you have root access to an AIX dev machine) you'll still be in full control and a fair amount of tweaking may be required.

>Have you tried using this documentation? 

Actually no, I haven't tried using that documentation. On the other hand I implemented that feature. I figured out how to make built-in Windows authentication work (the JVM does the hard work) from the references linked in the documentation and then I implemented Tomcat's built-in support for Windows authentication and also wrote the documentation. And I have a working configuration in a series of VMs on the machine in front of me. The documentation very deliberately provides detailed step-by-step instructions that are known to work. If you find any errors or omissions let us know.

> If not then please don't
>comment on how easy it is and straight forward.  I am doing my best and 
>have been in computing, unix in particular, for over 30yrs.

Given that intended tone is not something that comes across well in e-mail communication, your final paragraph reads as arrogant rather than the tone you intended (I'm assuming you weren't aiming for arrogance). That is unlikely to encourage anyone here to help. That is particularly unfortunate when the person you are directing your comments at implemented the feature you are trying to use and could be the person best placed to help you.

Mark

>
>Regards,
>Jen
>
>-----Original Message-----
>From: Mark Thomas [mailto:markt@apache.org]
>Sent: Thursday, September 20, 2012 10:09 AM
>To: Tomcat Users List
>Subject: RE: very basic question about apache and tomcat
>
>
>
>"Mead, Jen L" <Me...@con-way.com> wrote:
>
>>Yes, I did not find that useful.  It is very vague to say the least.
>
>You are the one being vague. You are not being very forthcoming. That 
>page provides detailed, step-by-step configuration instructions. As I 
>said, the page assumes Tomcat is running on a Windows machine but that 
>may be necessary for Windows authentication to work. I haven't tested 
>it and performing that testing is at the end of a long to do list.
>There is nothing stopping you from testing this.
> 
>>If I am missing something please let me know.  I want to use Built-in 
>>Tomcat support.
>
>You appear to have missed the section entitled "built-in Tomcat 
>support" which is an exact match for what you are looking for.
>
>Mark
>
>
>>
>>Jen
>>
>>-----Original Message-----
>>From: Mark Thomas [mailto:markt@apache.org]
>>Sent: Thursday, September 20, 2012 9:20 AM
>>To: Tomcat Users List
>>Subject: RE: very basic question about apache and tomcat
>>
>>"Mead, Jen L" <Me...@con-way.com> wrote:
>>
>>>Hi Chris,
>>>
>>>I met you at a PERL conference years and years ago along with a bunch
>>>of other people you met.  Anyways.  Exactly what I am trying to do is
>>>allow folks to use their web browser (I would like to stick with tomcat
>>>7.0.27 on aix 6.1) from their windows workstation and authenticate
>>>against the windows domain.  I am hoping this can be accomplished
>>>without creating unix accounts.  The permissions for it, page access or
>>>run the tool would reside in the tomcat configuration side, but all
>>>authentification would be from the windows side.  If you can tell me
>>>how to do that I would be pretty happy.  I cannot find documentation on
>>>how to do it
>>
>>Did you find this?
>>
>>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>>
>>I haven't tested this when Tomcat is on a non-Windows platform. It is 
>>certainly possible for this to work although whether any other pieces 
>>(such as samba) are required and what their configuration might be I 
>>don't know. OTOH, it might just work.
>>
>>I'll add looking at this to my to do list but it is a long list...
>>
>>Mark
>>


RE: very basic question about apache and tomcat

Posted by Mark Thomas <ma...@apache.org>.

"Mead, Jen L" <Me...@con-way.com> wrote:

>Thanks.  I am in the process of testing.  The earlier answer from Chris
>suggested that I might need some additional modules / libraries.  I am
>following it step by step and I do see the unix part.
>
>I have sent my windows domain people a request to create a Kerberos key
>and an account I can test with.  However, they provided one on a box I
>did not have root on and it was way too frustrating trying to get unix
>admin in India to understand what to do.  I now have a sandbox
>environment with root and am trying different things, it has not worked
>so far.

Setting up this for the first time is rather like setting up SSL CLIENT-AUTH for the first time. There are lots of moving parts and if you get just one thing wrong the whole lot fails. The error messages may not be too helpful when this happens. Posting the full error message, associated stack trace and exactly what you did to get to that point will help us to help you. Without those specifics, there is little the folks here can do to help and so far you have not provided any details apart from "it has not worked".

You will find this a whole lot easier if you can start from a known working configuration and take little steps towards the configuration you want. There are so many things that can go wrong that going directly to the configuration you want is going to be very high risk.

I'd strongly recommend that you follow something like the following approach:
Part one
1. Create three local Windows VMs (domain controller, server, client) and do a clean install of the OS.
2. Snapshot the VMs.
3. Configure them as per the Tomcat docs so Windows auth works. The Tomcat docs should take you through this step by step (although they do not try and are not intended to teach Windows administration).
4. Make notes as you go so you can repeat this. If you spot any errors or omissions in the Tomcat docs, report them.
5. Snapshot the working configuration.
6. Revert to the clean VMs and make sure you can repeat the configuration.

Part two
Repeat part one but in your dev environment but use the domain controller from the dev environment rather than your VM (so you only have two VMs). You'll need co-operation from the domain admins but since you'll have your notes from part one you'll be able to tell them exactly what to do (which unfortunately it sounds like they need).

Part three
Repeat part one but with all machines in the dev environment rather than VMs.

Part 4
Repeat part one but with Tomcat on an AIX machine. By this point, you should be familiar enough with the process that any problems will be because of running on AIX. Again, report any issues here and we'll do what we can to help. My best guess at this point is that it will either just work or you'll need to install samba, add the machine to the domain and do some additional (currently unknown) configuration. I'm leaning towards the just work option since I can't see why the Tomcat server needs to be part of the domain if it has its own service account. On the other hand, I'm not that familiar with the details of the Kerberos protocol and it is a while since I looked at all of this so I could easily be wrong.

Part 5
Repeat part 4 on your live environment.

Thinking about this, you might want to move Tomcat to AIX as part 2 since at that point (assuming you have root access to an AIX dev machine) you'll still be in full control and a fair amount of tweaking may be required.

>Have you tried using this documentation? 

Actually no, I haven't tried using that documentation. On the other hand I implemented that feature. I figured out how to make built-in Windows authentication work (the JVM does the hard work) from the references linked in the documentation and then I implemented Tomcat's built-in support for Windows authentication and also wrote the documentation. And I have a working configuration in a series of VMs on the machine in front of me. The documentation very deliberately provides detailed step-by-step instructions that are known to work. If you find any errors or omissions let us know.

> If not then please don't
>comment on how easy it is and straight forward.  I am doing my best and
>have been in computing, unix in particular, for over 30yrs.

Given that intended tone is not something that comes across well in e-mail communication, your final paragraph reads as arrogant rather than the tone you intended (I'm assuming you weren't aiming for arrogance). That is unlikely to encourage anyone here to help. That is particularly unfortunate when the person you are directing your comments at implemented the feature you are trying to use and could be the person best placed to help you.

Mark

>
>Regards,
>Jen
>
>-----Original Message-----
>From: Mark Thomas [mailto:markt@apache.org] 
>Sent: Thursday, September 20, 2012 10:09 AM
>To: Tomcat Users List
>Subject: RE: very basic question about apache and tomcat
>
>
>
>"Mead, Jen L" <Me...@con-way.com> wrote:
>
>>Yes, I did not find that useful.  It is very vague to say the least.
>
>You are the one being vague. You are not being very forthcoming. That
>page provides detailed, step-by-step configuration instructions. As I
>said, the page assumes Tomcat is running on a Windows machine but that
>may be necessary for Windows authentication to work. I haven't tested
>it and performing that testing is at the end of a long to do list.
>There is nothing stopping you from testing this.
> 
>>If I am missing something please let me know.  I want to use Built-in 
>>Tomcat support.
>
>You appear to have missed the section entitled "built-in Tomcat
>support" which is an exact match for what you are looking for.
>
>Mark
>
>
>>
>>Jen
>>
>>-----Original Message-----
>>From: Mark Thomas [mailto:markt@apache.org]
>>Sent: Thursday, September 20, 2012 9:20 AM
>>To: Tomcat Users List
>>Subject: RE: very basic question about apache and tomcat
>>
>>"Mead, Jen L" <Me...@con-way.com> wrote:
>>
>>>Hi Chris,
>>>
>>>I met you at a PERL conference years and years ago along with a bunch
>>>of other people you met.  Anyways.  Exactly what I am trying to do is
>>>allow folks to use their web browser (I would like to stick with tomcat
>>>7.0.27 on aix 6.1) from their windows workstation and authenticate
>>>against the windows domain.  I am hoping this can be accomplished
>>>without creating unix accounts.  The permissions for it, page access or
>>>run the tool would reside in the tomcat configuration side, but all
>>>authentification would be from the windows side.  If you can tell me
>>>how to do that I would be pretty happy.  I cannot find documentation on
>>>how to do it
>>
>>Did you find this?
>>
>>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>>
>>I haven't tested this when Tomcat is on a non-Windows platform. It is 
>>certainly possible for this to work although whether any other pieces 
>>(such as samba) are required and what their configuration might be I 
>>don't know. OTOH, it might just work.
>>
>>I'll add looking at this to my to do list but it is a long list...
>>
>>Mark
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: very basic question about apache and tomcat

Posted by "Mead, Jen L" <Me...@con-way.com>.
Thanks.  I am in the process of testing.  The earlier answer from Chris suggested that I might need some additional modules / libraries.  I am following it step by step and I do see the unix part.

I have sent my windows domain people a request to create a Kerberos key and an account I can test with.  However, they provided one on a box I did not have root on and it was way too frustrating trying to get unix admin in India to understand what to do.  I now have a sandbox environment with root and am trying different things, it has not worked so far.

Have you tried using this documentation?  If not then please don't comment on how easy it is and straight forward.  I am doing my best and have been in computing, unix in particular, for over 30yrs.

Regards,
Jen

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Thursday, September 20, 2012 10:09 AM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat



"Mead, Jen L" <Me...@con-way.com> wrote:

>Yes, I did not find that useful.  It is very vague to say the least.

You are the one being vague. You are not being very forthcoming. That page provides detailed, step-by-step configuration instructions. As I said, the page assumes Tomcat is running on a Windows machine but that may be necessary for Windows authentication to work. I haven't tested it and performing that testing is at the end of a long to do list. There is nothing stopping you from testing this.
 
>If I am missing something please let me know.  I want to use Built-in 
>Tomcat support.

You appear to have missed the section entitled "built-in Tomcat support" which is an exact match for what you are looking for.

Mark


>
>Jen
>
>-----Original Message-----
>From: Mark Thomas [mailto:markt@apache.org]
>Sent: Thursday, September 20, 2012 9:20 AM
>To: Tomcat Users List
>Subject: RE: very basic question about apache and tomcat
>
>"Mead, Jen L" <Me...@con-way.com> wrote:
>
>>Hi Chris,
>>
>>I met you at a PERL conference years and years ago along with a bunch
>>of other people you met.  Anyways.  Exactly what I am trying to do is
>>allow folks to use their web browser (I would like to stick with tomcat
>>7.0.27 on aix 6.1) from their windows workstation and authenticate
>>against the windows domain.  I am hoping this can be accomplished
>>without creating unix accounts.  The permissions for it, page access or
>>run the tool would reside in the tomcat configuration side, but all
>>authentification would be from the windows side.  If you can tell me
>>how to do that I would be pretty happy.  I cannot find documentation on
>>how to do it
>
>Did you find this?
>
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
>I haven't tested this when Tomcat is on a non-Windows platform. It is 
>certainly possible for this to work although whether any other pieces 
>(such as samba) are required and what their configuration might be I 
>don't know. OTOH, it might just work.
>
>I'll add looking at this to my to do list but it is a long list...
>
>Mark
>


RE: very basic question about apache and tomcat

Posted by Mark Thomas <ma...@apache.org>.

"Mead, Jen L" <Me...@con-way.com> wrote:

>Yes, I did not find that useful.  It is very vague to say the least.

You are the one being vague. You are not being very forthcoming. That page provides detailed, step-by-step configuration instructions. As I said, the page assumes Tomcat is running on a Windows machine but that may be necessary for Windows authentication to work. I haven't tested it and performing that testing is at the end of a long to do list. There is nothing stopping you from testing this.
 
>If I am missing something please let me know.  I want to use Built-in
>Tomcat support.

You appear to have missed the section entitled "built-in Tomcat support" which is an exact match for what you are looking for.

Mark


>
>Jen
>
>-----Original Message-----
>From: Mark Thomas [mailto:markt@apache.org] 
>Sent: Thursday, September 20, 2012 9:20 AM
>To: Tomcat Users List
>Subject: RE: very basic question about apache and tomcat
>
>"Mead, Jen L" <Me...@con-way.com> wrote:
>
>>Hi Chris,
>>
>>I met you at a PERL conference years and years ago along with a bunch
>>of other people you met.  Anyways.  Exactly what I am trying to do is
>>allow folks to use their web browser (I would like to stick with tomcat
>>7.0.27 on aix 6.1) from their windows workstation and authenticate
>>against the windows domain.  I am hoping this can be accomplished
>>without creating unix accounts.  The permissions for it, page access or
>>run the tool would reside in the tomcat configuration side, but all
>>authentification would be from the windows side.  If you can tell me
>>how to do that I would be pretty happy.  I cannot find documentation on
>>how to do it
>
>Did you find this?
>
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
>I haven't tested this when Tomcat is on a non-Windows platform. It is
>certainly possible for this to work although whether any other pieces
>(such as samba) are required and what their configuration might be I
>don't know. OTOH, it might just work.
>
>I'll add looking at this to my to do list but it is a long list...
>
>Mark
>


RE: very basic question about apache and tomcat

Posted by "Mead, Jen L" <Me...@con-way.com>.
Yes, I did not find that useful.  It is very vague to say the least.  If I am missing something please let me know.  I want to use Built-in Tomcat support.

Jen

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Thursday, September 20, 2012 9:20 AM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat

"Mead, Jen L" <Me...@con-way.com> wrote:

>Hi Chris,
>
>I met you at a PERL conference years and years ago along with a bunch 
>of other people you met.  Anyways.  Exactly what I am trying to do is 
>allow folks to use their web browser (I would like to stick with tomcat
>7.0.27 on aix 6.1) from their windows workstation and authenticate 
>against the windows domain.  I am hoping this can be accomplished 
>without creating unix accounts.  The permissions for it, page access or 
>run the tool would reside in the tomcat configuration side, but all 
>authentification would be from the windows side.  If you can tell me 
>how to do that I would be pretty happy.  I cannot find documentation on 
>how to do it

Did you find this?

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work.

I'll add looking at this to my to do list but it is a long list...

Mark



Re: very basic question about apache and tomcat

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
I've never tried with Tomcat, but it's not hard to get other Unix
applications to authenticate against the Kerberos component of ADS.  I
logon to Linux every day with ADS credentials, using Kerberos.

o  Browsers will need to be set up to use GSSAPI authentication with
   the affected site.  There's a plugin for Firefox that helps to
   manage the way it does this, where it's called Integrated
   Authentication for some reason.  I don't know how to manage that in
   IE since there isn't an IE for Linux. :-/

o  The server will need to offer GSSAPI authentication and know how to
   validate tickets.  A lot of that is standard JRE equipment.
   http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
   looks like good information on gluing it into Tomcat.

If I were doing this, I'd first stop thinking of it as Windows or ADS
authentication and think in terms of GSSAPI/Kerberos.

Searching for "firefox kerberos authentication" showed me a lot of
hits that might help you on the client side.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
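
Added example, not part of the original thread: while working through the browser and server points above, it helps to see which mechanism the browser actually put in the `Authorization: Negotiate` header, since a server that only validates Kerberos tickets cannot use an NTLM token. The Python below classifies a header value by its GSS-API mechanism OID; the function names and sample tokens are constructed for illustration, and the SPNEGO check is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64
import binascii

# DER-encoded mechanism OIDs as they appear inside a GSS-API token.
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2 (legacy MS value)
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP = b"NTLMSSP\x00"                                # signature of a raw NTLM message


def der_length(buf, pos):
    """Read a DER definite length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate(header_value):
    """Classify the value of an HTTP Authorization header.

    Returns one of: not-negotiate, no-token, malformed, ntlm, kerberos,
    spnego-kerberos, spnego-ntlm, spnego-unknown, unknown-mechanism.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    b64 = b64.strip()
    if not b64:
        return "no-token"
    try:
        token = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP):         # raw NTLM, not wrapped in GSS-API framing
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:  # 0x60 = GSS-API initial token tag
        return "malformed"
    try:
        length, pos = der_length(token, 1)
    except (ValueError, IndexError):
        return "malformed"
    rest = token[pos:]
    if length > len(rest):                # header cut short somewhere on the path
        return "malformed"
    if rest.startswith(OID_KRB5) or rest.startswith(OID_MS_KRB5):
        return "kerberos"
    if rest.startswith(OID_SPNEGO):
        inner = rest[len(OID_SPNEGO):]
        # Heuristic: look for the mechanism OIDs offered inside the SPNEGO body.
        if OID_KRB5 in inner or OID_MS_KRB5 in inner:
            return "spnego-kerberos"
        if OID_NTLM in inner or NTLMSSP in inner:
            return "spnego-ntlm"
        return "spnego-unknown"
    return "unknown-mechanism"


def make_sample(mech_oid, body=b""):
    """Build a constructed (not captured) header value; inner part must be < 128 bytes."""
    inner = mech_oid + body
    token = b"\x60" + bytes([len(inner)]) + inner
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers; the bodies are filler, not real tickets.
SAMPLES = {
    "krb": make_sample(OID_KRB5, b"\x01\x00" + b"\x00" * 8),
    "spnego_krb": make_sample(OID_SPNEGO, b"\xa0\x30" + OID_MS_KRB5 + OID_KRB5 + OID_NTLM),
    "spnego_ntlm": make_sample(OID_SPNEGO, b"\xa0\x10" + OID_NTLM + NTLMSSP),
    "raw_ntlm": "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode("ascii"),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:12s} -> {classify_negotiate(value)}")
```

A result of `ntlm` or `spnego-ntlm` means the browser did not obtain a Kerberos service ticket for the site, so the client and realm setup is the place to look before the server configuration.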

Re: very basic question about apache and tomcat

Posted by Brett Delle Grazie <br...@gmail.com>.
On 20 September 2012 17:20, Mark Thomas <ma...@apache.org> wrote:
> "Mead, Jen L" <Me...@con-way.com> wrote:
>
>>Hi Chris,
>>
>>I met you at a PERL conference years and years ago along with a bunch
>>of other people you met.  Anyways.  Exactly what I am trying to do is
>>allow folks to use their web browser (I would like to stick with tomcat
>>7.0.27 on aix 6.1) from their windows workstation and authenticate
>>against the windows domain.  I am hoping this can be accomplished
>>without creating unix accounts.  The permissions for it, page access or
>>run the tool would reside in the tomcat configuration side, but all
>>authentification would be from the windows side.  If you can tell me
>>how to do that I would be pretty happy.  I cannot find documentation on
>>how to do it
>
> Did you find this?
>
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
> I haven't tested this when Tomcat is on a non-Windows platform. It is
> certainly possible for this to work although whether any other pieces
> (such as samba) are required and what their configuration might be I
> don't know. OTOH, it might just work.
>

Samba is one way; in that context the AIX box becomes a member of the
Windows AD.

If that isn't possible, another alternative is bi- or uni-directional
cross-realm trusts. That's where there is a Unix Kerberos realm and the
Windows AD realm and there is a trust either between each realm or in
one direction only. Cross-realm keys are quite easy to create in the
more recent versions of Windows Server (2008+).

In this situation, the authentication trust could be configured only
one way (i.e. Windows AD users are trusted for authentication purposes
to the AIX Tomcat service).

I'm a bit fuzzy on the details since I last looked at this several
years ago. From what I remember the following is needed:

(a) Cross-realm keys in one or both directions (i.e. resulting in one
    or two sets of keys). Getting this right on the Windows side was
    quite difficult due to different encryption standards in use,
    different 'versions' of keys etc. Modern versions of Windows Server
    do make this easier.
(b) A key on the AIX box representing the service (Tomcat), but in this
    case the service key is for the local Unix Kerberos realm, not the
    Windows AD realm.
(c) A browser that permits Kerberos based authentication (e.g. Firefox,
    or IE with the site added to the trusted sites area).
(d) Patience, luck and lots of log perusal.

I've used this in a managed service environment but it's complicated
and error prone to configure.

> I'll add looking at this to my to do list but it is a long list...
>
> Mark
>


RE: very basic question about apache and tomcat

Posted by Mark Thomas <ma...@apache.org>.
"Mead, Jen L" <Me...@con-way.com> wrote:

>Hi Chris,
>
>I met you at a PERL conference years and years ago along with a bunch
>of other people you met.  Anyways.  Exactly what I am trying to do is
>allow folks to use their web browser (I would like to stick with tomcat
>7.0.27 on aix 6.1) from their windows workstation and authenticate
>against the windows domain.  I am hoping this can be accomplished
>without creating unix accounts.  The permissions for it, page access or
>run the tool would reside in the tomcat configuration side, but all
>authentification would be from the windows side.  If you can tell me
>how to do that I would be pretty happy.  I cannot find documentation on
>how to do it

Did you find this?

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I haven't tested this when Tomcat is on a non-Windows platform. It is
certainly possible for this to work although whether any other pieces
(such as samba) are required and what their configuration might be I
don't know. OTOH, it might just work.

I'll add looking at this to my to do list but it is a long list...

Mark



RE: very basic question about apache and tomcat

Posted by "Mead, Jen L" <Me...@con-way.com>.
Hi Chris,

See responses below:

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Thursday, September 20, 2012 8:50 AM
To: Tomcat Users List
Subject: Re: very basic question about apache and tomcat


-Jen,

On 9/20/12 11:19 AM, Mead, Jen L wrote:
> I met you at a PERL conference years and years ago along with a bunch 
> of other people you met.

-Unlikely... I've never been to a Perl conference.

-[OT NB: I've found out that I'm not the only Christopher Schultz in the world -- even in my own local region. I got pulled-over for speeding one time and was told that my license had been suspended *and* revoked (I'm not sure how that's different than just being revoked, but what the hey). Anyhow, turns out that the state I was living in used soundex codes for driver's license numbers and another (apparently evil) Christopher Schultz and I had license numbers differing only by one digit, so the cop had it all wrong. Fun ride.]

LOL, bummer. Yes you do have a "famous" name.

> Anyways.  Exactly what I am trying to do is allow folks to use their 
> web browser (I would like to stick with tomcat 7.0.27 on aix
> 6.1) from their windows workstation and authenticate against the 
> windows domain.

-Ok.

> I am hoping this can be accomplished without creating unix accounts.

-Mirroring AD in UNIX would be foolish. It wouldn't get you anywhere, anyway, since Tomcat doesn't have a module to authenticate against the local UNIX environment, anyway.

> The permissions for it, page access or run the tool would reside in 
> the tomcat configuration side, but all authentication would be from 
> the windows side.

-So you want your clients to provide Kerberos tokens to Tomcat? Have you arranged for that kind of thing?

- -chris

Yes I have to a point.  We have HP support and mostly it is in India and we don't direct access with them.  I opened a ticket but they are requesting that I tell them exactly how to do it.  I am working with them on that.  They are waiting for me to test from my AIX environment to iron out all those pieces.  I know they need to configure my server into their environment and maybe it will require a special user account.  If you have info on that that would be good.

Could you tell me which modules / libraries I need to download and install for tomcat to authenticate against the windows environment and how to tweak them?  I am ready to dig into this.

Jen



Re: very basic question about apache and tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jen,

On 9/20/12 11:19 AM, Mead, Jen L wrote:
> I met you at a PERL conference years and years ago along with a
> bunch of other people you met.

Unlikely... I've never been to a Perl conference.

[OT NB: I've found out that I'm not the only Christopher Schultz in
the world -- even in my own local region. I got pulled-over for
speeding one time and was told that my license had been suspended
*and* revoked (I'm not sure how that's different than just being
revoked, but what the hey). Anyhow, turns out that the state I was
living in used soundex codes for driver's license numbers and another
(apparently evil) Christopher Schultz and I had license numbers
differing only by one digit, so the cop had it all wrong. Fun ride.]

> Anyways.  Exactly what I am trying to do is allow folks to use
> their web browser (I would like to stick with tomcat 7.0.27 on aix
> 6.1) from their windows workstation and authenticate against the
> windows domain.

Ok.

> I am hoping this can be accomplished without creating unix
> accounts.

Mirroring AD in UNIX would be foolish. It wouldn't get you anywhere,
anyway, since Tomcat doesn't have a module to authenticate against the
local UNIX environment, anyway.

> The permissions for it, page access or run the tool would reside in
> the tomcat configuration side, but all authentication would be from
> the windows side.

So you want your clients to provide Kerberos tokens to Tomcat? Have
you arranged for that kind of thing?

- -chris


RE: very basic question about apache and tomcat

Posted by "Mead, Jen L" <Me...@con-way.com>.
Hi Chris,

I met you at a PERL conference years and years ago along with a bunch of other people you met.  Anyways.  Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain.  I am hoping this can be accomplished without creating unix accounts.  The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentification would be from the windows side.  If you can tell me how to do that I would be pretty happy.  I cannot find documentation on how to do it and I am not a java person nor have I touched this stuff in a very long time.  I was doing strictly unix admin work until a few months ago.  That doesn't mean I won't hack and experiment, I have a sandbox here at work that I can do anything on to get this configuration figured out.  Thanks in advance and happy to be working with you!

Jen

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, September 19, 2012 4:07 PM
To: Tomcat Users List
Subject: Re: very basic question about apache and tomcat


Jen,

On 9/19/12 5:52 PM, Mead, Jen L wrote:
> That was very insightful.  All the documentation that I am looking 
> into specifies apache as the application.  Maybe, just maybe the 
> server.xml file will contain what I need to move forward.  The lack of 
> documentation for what I am trying to do is frustrating.  I am not 
> even sure I can do it without loading apache with or instead of 
> tomcat.  Thanks for the info.

Can you describe what you need to accomplish without specifically referring to Apache httpd or Apache Tomcat?

Something like:

"We have a Java web application that needs to authenticate against Microsoft AD server, and there are no other moving parts required unless we need them to support this configuration."

The reason that I ask is that Tomcat (with some special support libraries and configuration) can authenticate directly against Microsoft AD and Apache httpd isn't necessary at all. If you /require/ Apache httpd to perform the authentication, then we can tell you how to do that, too.

- -chris


Re: very basic question about apache and tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jen,

On 9/19/12 5:52 PM, Mead, Jen L wrote:
> That was very insightful.  All the documentation that I am looking
> into specifies apache as the application.  Maybe, just maybe the
> server.xml file will contain what I need to move forward.  The lack
> of documentation for what I am trying to do is frustrating.  I am
> not even sure I can do it without loading apache with or instead of
> tomcat.  Thanks for the info.

Can you describe what you need to accomplish without specifically
referring to Apache httpd or Apache Tomcat?

Something like:

"We have a Java web application that needs to authenticate against
Microsoft AD server, and there are no other moving parts required
unless we need them to support this configuration."

The reason that I ask is that Tomcat (with some special support
libraries and configuration) can authenticate directly against
Microsoft AD and Apache httpd isn't necessary at all. If you /require/
Apache httpd to perform the authentication, then we can tell you how
to do that, too.

- -chris


RE: very basic question about apache and tomcat

Posted by "Mead, Jen L" <Me...@con-way.com>.
That was very insightful.  All the documentation that I am looking into specifies apache as the application.  Maybe, just maybe the server.xml file will contain what I need to move forward.  The lack of documentation for what I am trying to do is frustrating.  I am not even sure I can do it without loading apache with or instead of tomcat.  Thanks for the info.
J

-----Original Message-----
From: David A. Rush [mailto:david@rushtone.com] 
Sent: Wednesday, September 19, 2012 2:45 PM
To: users@tomcat.apache.org
Subject: Re: very basic question about apache and tomcat


On 2012-09-19 17:31, Mead, Jen L wrote:
> My basic question is: do I need to install apache as well as tomcat to 
> have an httpd.conf file?  I have tomcat running on several AIX 
> servers, 6.1 and 5.3, with tomcat 7.0.27 installed.  I was doing a 
> simple search to find the httpd.conf file when I realized none of my 
> servers have it installed.  When I try to find out which app creates 
> it I get the answer apache (from google searches).  So I guess that 
> tomcat is a subset of apache?  A virtual java app I suppose?  See I 
> told you the questions were basic.  Yikes it is hard to understand as 
> a newbie, especially when I can load tomcat and get web pages working 
> in a few minutes.  LOL
>
Tomcat and HTTPD (Apache web server) are two different things, though often used together.  Both are projects of the Apache Software Foundation.

Tomcat is capable of running standalone.  It is not a subset of the Apache HTTPD.  For various reasons many folks run Tomcat "behind" Apache HTTPD, but that isn't necessary.

There's overlap between the functionality of Tomcat and HTTPD. Whether you need just Tomcat, just HTTPD, or both, depends on what you want to do.

httpd.conf is the typical name of the primary HTTPD configuration file (although that may be different depending on who built the distribution you're using and on what kind of OS).

Tomcat uses server.xml as its primary configuration file.

David



Re: very basic question about apache and tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

On 9/19/12 5:45 PM, David A. Rush wrote:
> 
> On 2012-09-19 17:31, Mead, Jen L wrote:
>> My basic question is: do I need to install apache as well as
>> tomcat to have an httpd.conf file?  I have tomcat running on
>> several AIX servers, 6.1 and 5.3, with tomcat 7.0.27 installed.
>> I was doing a simple search to find the httpd.conf file when I
>> realized none of my servers have it installed.  When I try to
>> find out which app creates it I get the answer apache (from
>> google searches).  So I guess that tomcat is a subset of apache?
>> A virtual java app I suppose?  See I told you the questions were
>> basic.  Yikes it is hard to understand as a newbie, especially
>> when I can load tomcat and get web pages working in a few
>> minutes.  LOL
>> 
> Tomcat and HTTPD (Apache web server) are two different things,
> though often used together.  Both are projects of the Apache
> Software Foundation.
> 
> Tomcat is capable of running standalone.  It is not a subset of
> the Apache HTTPD.  For various reasons many folks run Tomcat
> "behind" Apache HTTPD, but that isn't necessary.
> 
> There's overlap between the functionality of Tomcat and HTTPD.
> Whether you need just Tomcat, just HTTPD, or both, depends on what
> you want to do.
> 
> httpd.conf is the typical name of the primary HTTPD configuration
> file (although that may be different depending on who built the
> distribution you're using and on what kind of OS).
> 
> Tomcat uses server.xml as its primary configuration file.

+1

David, great reply.

- -chris


Re: very basic question about apache and tomcat

Posted by "David A. Rush" <da...@rushtone.com>.
On 2012-09-19 17:31, Mead, Jen L wrote:
> My basic question is: do I need to install apache as well as tomcat to have an httpd.conf file?  I have tomcat running on several AIX servers, 6.1 and 5.3, with tomcat 7.0.27 installed.  I was doing a simple search to find the httpd.conf file when I realized none of my servers have it installed.  When I try to find out which app creates it I get the answer apache (from google searches).  So I guess that tomcat is a subset of apache?  A virtual java app I suppose?  See I told you the questions were basic.  Yikes it is hard to understand as a newbie, especially when I can load tomcat and get web pages working in a few minutes.  LOL
>
Tomcat and HTTPD (Apache web server) are two different things, though 
often used together.  Both are projects of the Apache Software Foundation.

Tomcat is capable of running standalone.  It is not a subset of the
Apache HTTPD.  For various reasons many folks run Tomcat "behind" Apache 
HTTPD, but that isn't necessary.

There's overlap between the functionality of Tomcat and HTTPD. Whether 
you need just Tomcat, just HTTPD, or both, depends on what you want to do.

httpd.conf is the typical name of the primary HTTPD configuration file 
(although that may be different depending on who built the distribution 
you're using and on what kind of OS).

Tomcat uses server.xml as its primary configuration file.

David
