Posted to users@tomcat.apache.org by Matt Bockol <mb...@carleton.edu> on 2007/02/23 20:34:45 UTC

WEB-INF/context.xml ignored

Hi Folks,

I'm having trouble getting a context.xml file to be obeyed.

I'm using:

 Tomcat 5.5.20, the stock install from tomcat.apache.org.
 JDK 1.6, direct from Sun.
 RedHat Enterprise Linux AS3

The application I'm installing is the Shibboleth Identity Provider 
(IdP).  The installation process generates a shibboleth-idp.war file 
which deploys fine when I start tomcat.

Out of the box, the IdP relies on Apache to handle authentication, but 
form based auth is more desirable.  I edited the WEB-INF/web.xml file to 
add a security-constraint, login-config, and security-role, then added a 
realm block to the engine block in $CATALINA_HOME/conf/server.xml like this:

            <Realm className="org.apache.catalina.realm.JNDIRealm"
              connectionURL="ldaps://ldap.carleton.edu:636"
              userPattern="netid={0}, dc=carleton, dc=edu"
              userRoleName="objectclass"
            />

With this Shibboleth works fine, and there was much rejoicing.

This, though, breaks authentication to the Tomcat admin/manager apps 
which usually use the UserDatabase resource (specified in a realm block 
I had to comment out when adding the one above).  Placing the Realm in 
Engine makes it the default for the whole container, so I started 
looking at how to make it specific to the shibboleth-idp.

Everything I've read says you should place a Context block in either:

   $CATALINA_HOME/webapps/shibboleth-idp/META-INF/context.xml
   or in
   $CATALINA_HOME/conf/Catalina/localhost/shibboleth.xml

I've tried both (not at the same time, and having removed the JNDI realm 
from server.xml and restored the UserDatabase based realm), with the 
following config:

<Context>

    <Realm className="org.apache.catalina.realm.JNDIRealm"
      connectionURL="ldaps://ldap.carleton.edu:636"
      userPattern="netid={0}, dc=carleton, dc=edu"
      userRoleName="objectclass"
      />

    <Valve className="org.apache.catalina.valves.AccessLogValve"
        prefix="shibboleth_access_log." suffix=".txt"
        directory="/tmp/"
        pattern="common"/>
 
</Context>

In both cases the /tmp/shibboleth_access_log.DATE.txt file was not 
created and the login form only accepted credentials from 
tomcat-users.xml, not LDAP. I restarted tomcat with each change.  It 
seems like the context.xml file is being completely ignored.

When I place a context block in server.xml's host block like so:

<Host ... >
    <Context path="/shibboleth-idp" 
docBase="/usr/local/tomcat/webapps/shibboleth-idp" debug="0" 
reloadable="true" crossContext="true">

        <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionURL="ldaps://ldap.carleton.edu:636"
          userPattern="netid={0}, dc=carleton, dc=edu"
          userRoleName="objectclass"
        />

    </Context>
</Host>

and remove the other context.xml / shibboleth-idp.xml files then the 
tomcat-users.xml credentials work for the manager apps and the LDAP 
credentials work for Shibboleth. This is what I want, but upon typing 
that I expect the Tomcat gods to smite me for placing the Context in 
server.xml since it's explicitly frowned upon.

Is there a flag somewhere that I'm missing to enable 
META-INF/context.xml files? I tried using <Context override="true"> in 
context.xml but that didn't do what I hoped it would.

Any help would be much appreciated.

Thanks,
Matt Bockol
Web Technical Administrator
Carleton College / 507-646-4432


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
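The symptom in the post above (a descriptor that seems to be ignored, with logins silently falling back to tomcat-users.xml) usually comes down to which descriptor Tomcat 5.5 actually loads for a webapp and which Realm ends up governing it. The script below is an added example, not code from the post or from the Tomcat or Shibboleth projects: it builds a throwaway CATALINA_HOME, then resolves the effective Realm for an app using Tomcat 5.5's lookup order (conf/<engine>/<host>/NAME.xml first, then webapps/NAME/META-INF/context.xml when the Host has deployXML="true", with the context path taken from the descriptor's file name, and Realm precedence Context > Host > Engine). The server.xml, LDAP URL, user pattern and file layout are constructed for the example.

```python
"""Resolve which Realm Tomcat 5.5 actually applies to a webapp (added example).

Rules encoded:
  1. Realm precedence is Context > Host > Engine; an app without its own Realm
     silently falls back to the Engine Realm (tomcat-users.xml in a stock install).
  2. For an app deployed as webapps/NAME, Tomcat loads at most one descriptor:
       conf/<engine>/<host>/NAME.xml        (preferred; copied there on first deploy)
       webapps/NAME/META-INF/context.xml    (only when the Host has deployXML="true")
  3. The context path comes from the descriptor's file name, so shibboleth.xml
     configures /shibboleth, not /shibboleth-idp.
All hostnames, LDAP values and paths below are constructed for this example.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

SERVER_XML = """<Server><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    <Host name="localhost" appBase="webapps" deployXML="true"/>
  </Engine>
</Service></Server>"""

CONTEXT_XML = """<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.edu:636"
         userPattern="uid={0},dc=example,dc=edu"/>
</Context>"""


def _realm_class(element):
    """className of a Realm nested directly under `element`, or None."""
    realm = element.find("Realm") if element is not None else None
    return realm.get("className") if realm is not None else None


def descriptor_for(home, engine, host, app, deploy_xml):
    """Return (source, path) of the descriptor Tomcat would load for `app`."""
    conf = os.path.join(home, "conf", engine, host, app + ".xml")
    if os.path.isfile(conf):
        return "conf", conf
    meta = os.path.join(home, "webapps", app, "META-INF", "context.xml")
    if deploy_xml and os.path.isfile(meta):
        return "META-INF", meta
    return None, None


def effective_realm(home, app):
    """Report the Realm governing `app`, where it came from, and config smells."""
    server = ET.parse(os.path.join(home, "conf", "server.xml")).getroot()
    engine = server.find("Service/Engine")
    host = engine.find("Host")
    deploy_xml = host.get("deployXML", "true").lower() == "true"
    report = {"app": app, "realm": _realm_class(engine), "level": "Engine",
              "descriptor": None, "warnings": []}
    if _realm_class(host):
        report.update(realm=_realm_class(host), level="Host")
    # A <Context path="/app"> nested in server.xml is honoured but discouraged.
    for ctx in host.findall("Context"):
        if ctx.get("path") == "/" + app and _realm_class(ctx):
            report.update(realm=_realm_class(ctx), level="Context (server.xml)")
            return report
    source, path = descriptor_for(home, engine.get("name"), host.get("name"),
                                  app, deploy_xml)
    if path:
        report["descriptor"] = path
        cls = _realm_class(ET.parse(path).getroot())
        if cls:
            report.update(realm=cls, level="Context (%s)" % source)
    elif not deploy_xml:
        report["warnings"].append("deployXML=false: META-INF/context.xml is ignored")
    # Descriptors whose file name matches no app dir configure a different context.
    conf_dir = os.path.join(home, "conf", engine.get("name"), host.get("name"))
    for name in (sorted(os.listdir(conf_dir)) if os.path.isdir(conf_dir) else []):
        base = name[:-4]
        if name.endswith(".xml") and not os.path.isdir(os.path.join(home, "webapps", base)):
            report["warnings"].append("%s configures /%s, not /%s" % (name, base, app))
    return report


def build_layout(descriptor_name):
    """Create a throwaway CATALINA_HOME with webapps/shibboleth-idp and one descriptor."""
    home = tempfile.mkdtemp(prefix="catalina-")
    os.makedirs(os.path.join(home, "conf", "Catalina", "localhost"))
    os.makedirs(os.path.join(home, "webapps", "shibboleth-idp", "WEB-INF"))
    with open(os.path.join(home, "conf", "server.xml"), "w") as f:
        f.write(SERVER_XML)
    with open(os.path.join(home, "conf", "Catalina", "localhost", descriptor_name), "w") as f:
        f.write(CONTEXT_XML)
    return home


if __name__ == "__main__":
    # Mis-named descriptor: the app keeps the Engine realm and a warning explains why.
    for name in ("shibboleth.xml", "shibboleth-idp.xml"):
        print(name, "->", effective_realm(build_layout(name), "shibboleth-idp"))
```

Run against a real install by pointing `effective_realm` at $CATALINA_HOME: if it reports the Engine realm for an app that should have its own, the descriptor is either mis-named, shadowed by a stale copy in conf/Catalina/localhost/, or suppressed by deployXML="false" on the Host.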


Re: META-INF/context.xml ignored

Posted by Matt Bockol <mb...@carleton.edu>.
Obviously the subject should have been META-INF/context.xml

Sorry 'bout that.
