Posted to users@tomcat.apache.org by dfobox <df...@gmail.com> on 2009/05/29 20:20:46 UTC
Php, tomcat, mappings and authentication.
I'm new to this forum and already a fan of it :)
Here's the story:
I have a website hosted on a remote server with a private JVM. It consists of
two parts - client and admin (which is actually a CMS). There is NGASI
installed. I enabled wildcard mapping so all requests to the web server are
forwarded to Tomcat.
The client part of the website is located in
appserver/apache-tomcat-6x/webapps/ROOT. There is a web.xml file in the
ROOT/WEB-INF folder, in which I set <security-constraint> for the admin part.
The admin part itself is in the ROOT/admin directory.
I should say that I didn't write the application, but my work requires me to
change it sometimes. Now I need to add mailing and registration forms. I'm
thinking of using PHP for that.
Can I make php work under Tomcat? Can I make apache render php pages, while
Tomcat renders jsp?
Is it easier to implement mailing and registration on php instead of jsp, as
it seems to me?
Another question - authentication for admin part. I'm using basic
authentication provided by tomcat, with username and password stored in
tomcat-users.xml file in apache-tomcat-6x/conf directory. Does it have any
security issues?
Any comments and suggestions would be greatly appreciated.
--
View this message in context: http://www.nabble.com/Php%2C-tomcat%2C-mappings-and-authentication.-tp23784848p23784848.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Php, tomcat, mappings and authentication.
Posted by Rainer Jung <ra...@kippdata.de>.
On 29.05.2009 23:01, André Warnier wrote:
>> Or you can use a popular filter with more options:
>> http://securityfilter.sourceforge.net/
>>
> Or, if you decide to do the PHP part and do it under Apache httpd, then
> you could do all the authentication at the Apache httpd level, and pass
> the authenticated user-id to Tomcat (at least when using the mod_jk
> connector).
This works whenever AJP is used as the protocol between the web server
and Tomcat, so even with mod_proxy_ajp. You do need to set
tomcatAuthentication to false on the AJP connector, though, for Tomcat to blindly
trust any user information it gets on the AJP connector.
Regards,
Rainer
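
The setup described in the message above, as an added configuration example that is not part of the original thread: because tomcatAuthentication="false" makes Tomcat accept the user name sent over AJP without checking it, the connector should only be reachable by the web server. It assumes httpd and Tomcat run on the same host and the default AJP port 8009; the /admin path comes from the original post and the htpasswd path is a placeholder.

```xml
<!-- Added example: Tomcat 6 conf/server.xml, inside the <Service> element. -->

<!-- Weak: accepts AJP on every interface. With tomcatAuthentication="false",
     Tomcat treats the user name in each AJP request as already authenticated,
     so any host that can reach port 8009 can assert any user.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           tomcatAuthentication="false" />
-->

<!-- Corrected: same setting, but only the local httpd can reach the connector.
     Assumption: httpd and Tomcat share a host. If they do not, bind to a
     private address and firewall the port so only the web server connects. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           tomcatAuthentication="false" />

<!-- Matching httpd side (mod_proxy_ajp), kept in a comment because it belongs
     in the httpd configuration, not in server.xml. httpd authenticates the
     user for /admin and forwards the authenticated user name over AJP.
<Location /admin>
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</Location>
ProxyPass /admin ajp://127.0.0.1:8009/admin
-->
```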
Re: Php, tomcat, mappings and authentication.
Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: dfobox [mailto:dfobox@gmail.com]
>> Subject: Php, tomcat, mappings and authentication.
>>
>> Can I make php work under Tomcat?
>
> It can be done, but it's less painful to do with httpd.
>
>> Can I make apache render php pages, while Tomcat renders jsp?
>
> That's probably better.
>
>> Is it easier to implement mailing and registration on php
>> instead of jsp, as it seems to me?
>
> That may well be only because you're more familiar with PHP. Personally, I would keep everything on Tomcat, in Java (admittedly, I am less familiar with PHP, plus it can become a maze of twisty little passages rather quickly).
>
>> I'm using basic authentication provided by tomcat, with
>> username and password stored in tomcat-users.xml file in
>> apache-tomcat-6x/conf directory.
>
> Definitely wouldn't recommend such a mechanism for production use - not terribly robust, and subject to hacking if anyone has read access to the conf directory. Tomcat provides several alternative built-in realms:
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
>
> Or you can use a popular filter with more options:
> http://securityfilter.sourceforge.net/
>
Or, if you decide to do the PHP part and do it under Apache httpd, then
you could do all the authentication at the Apache httpd level, and pass
the authenticated user-id to Tomcat (at least when using the mod_jk
connector).
RE: Php, tomcat, mappings and authentication.
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: dfobox [mailto:dfobox@gmail.com]
> Subject: Php, tomcat, mappings and authentication.
>
> Can I make php work under Tomcat?
It can be done, but it's less painful to do with httpd.
> Can I make apache render php pages, while Tomcat renders jsp?
That's probably better.
> Is it easier to implement mailing and registration on php
> instead of jsp, as it seems to me?
That may well be only because you're more familiar with PHP. Personally, I would keep everything on Tomcat, in Java (admittedly, I am less familiar with PHP, plus it can become a maze of twisty little passages rather quickly).
> I'm using basic authentication provided by tomcat, with
> username and password stored in tomcat-users.xml file in
> apache-tomcat-6x/conf directory.
Definitely wouldn't recommend such a mechanism for production use - not terribly robust, and subject to hacking if anyone has read access to the conf directory. Tomcat provides several alternative built-in realms:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
Or you can use a popular filter with more options:
http://securityfilter.sourceforge.net/
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.