Posted to users@tomcat.apache.org by ophusky <op...@163.com> on 2017/06/01 07:02:29 UTC

a question about Realm config

Tomcat version:8.0.43.0
Nginx  version:openresty/1.11.2.2
OS:CentOS Linux release 7.3.1611 (Core)


I have already configured Tomcat to use the DIGEST certification.
When I access Tomcat directly, everything is normal:
http://192.168.122.130:8080/sample/test/test.html triggers the certification and it passes.
But when I access it through the nginx proxy,
http://192.168.122.130/tomcat/sample/test/test.html has a few problems: it triggers the certification but cannot pass, and the authentication dialog is repeated.
CATALINA_HOME/conf/server.xml:
<Context path="/sample" docBase="/home/coremail/tomcat/webapps_exp/sample">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="MD5"/>
    </Realm>
</Context>


CATALINA_HOME/conf/tomcat-users.xml :
<role rolename="testuser"/>
  <user username="testdigest" password="7dc963c3bdf9849f880b9562c5b08cf1" roles="testuser"/>


CATALINA_HOME/webapps_exp/sample/WEB-INF/web.xml :
<security-constraint>
       <web-resource-collection>
         <web-resource-name>
             my sample webapp
         </web-resource-name>
         <url-pattern>/test/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
           <role-name>testuser</role-name>
       </auth-constraint>
    </security-constraint>


    <login-config>
         <auth-method>DIGEST</auth-method>
         <realm-name>webapp</realm-name>
    </login-config>


    <security-role>
      <role-name>testuser</role-name>
    </security-role>


nginx.conf


location ~ /tomcat/ {
            rewrite ^/tomcat/(.*) /$1 break;
            proxy_pass http://192.168.122.130:8080;
}


Why can't it be accessed and certified through nginx? Please help me, thanks!


Re: a question about Realm config

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ophusky,

On 6/1/17 5:09 AM, ophusky wrote:
> Thank you very much! I according to what you said it and solved the
> problem. I have modified  CATALINA_HOME/conf/server.xml to :
> 
> <Context path="/sample"
> docBase="/home/coremail/tomcat/webapps_exp/sample"> <Realm
> className="org.apache.catalina.realm.LockOutRealm"> <Realm
> className="org.apache.catalina.realm.UserDatabaseRealm" 
> resourceName="UserDatabase" digest="MD5"/> </Realm> <Valve
> className="org.apache.catalina.authenticator.DigestAuthenticator"
> validateUri="false"/> </Context>
> 
> Everything is all right,thanks again!

I'd highly recommend removing the URL rewriting if possible. Either
remove the leading /tomcat from your URI space on the proxy or re-name
your application's WAR (or exploded WAR directory) to
tomcat#sample.war (or tomcat#sample directory).

-chris

> From: Mark Thomas <ma...@apache.org>
> Sent: 2017-06-01 15:50
> Subject: Re: a question about Realm config
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Cc:
> 
> This time to the list...
> 
> On 01/06/17 08:02, ophusky wrote:
>> Tomcat version:8.0.43.0 Nginx  version:openresty/1.11.2.2 
>> OS:CentOS Linux release 7.3.1611 (Core)
>> 
>> I have already configure tomcat to use the DIGEST certification,
>>  When I have direct access to Tomcat  all normal, 
>> http://192.168.122.130:8080/sample/test/test.html  can trigger
>> the certification and passed. But when I through the nginx proxy
>> access, http://192.168.122.130/tomcat/sample/test/test.html
>> have a few problems,can trigger the certification but can't
>> passed ,repeated authentication dialog.
> 
> <snip/>
> 
>> nginx.conf
>> 
>> location ~ /tomcat/ { rewrite ^/tomcat/(.*) /$1 break; proxy_pass
>> http://192.168.122.130:8080; }
>> 
>> Why cannot be accessed through the nginx and certified ? please
>> help me ,thanks!
> 
> The request URL forms part of the DIGEST authentication process. By
>  changing it in the reverse proxy, you are breaking the
> authentication process.
> 
> You can disable the URI validation. See the validateUri attribute
> in
> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Digest_Authenticator_Valve/Attributes
> 
> 
> Mark
> 
> ---------------------------------------------------------------------
>  To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For
> additional commands, e-mail: users-help@tomcat.apache.org
> 



Re: Re: a question about Realm config

Posted by ophusky <op...@163.com>.
Thank you very much! I did according to what you said and solved the problem.
I have modified CATALINA_HOME/conf/server.xml to:

<Context path="/sample" docBase="/home/coremail/tomcat/webapps_exp/sample">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="MD5"/>
    </Realm>
    <Valve className="org.apache.catalina.authenticator.DigestAuthenticator" validateUri="false"/>
</Context>

Everything is all right, thanks again!

2017-06-01 

ophusky 



From: Mark Thomas <ma...@apache.org>
Sent: 2017-06-01 15:50
Subject: Re: a question about Realm config
To: "Tomcat Users List" <us...@tomcat.apache.org>
Cc:

This time to the list... 

On 01/06/17 08:02, ophusky wrote: 
> Tomcat version:8.0.43.0 
> Nginx  version:openresty/1.11.2.2 
> OS:CentOS Linux release 7.3.1611 (Core) 
>  
> I have already configure tomcat to use the DIGEST certification, 
> When I have direct access to Tomcat  all normal, 
> http://192.168.122.130:8080/sample/test/test.html  can trigger the 
> certification and passed. 
> But when I through the nginx proxy access, 
> http://192.168.122.130/tomcat/sample/test/test.html   have a few 
> problems,can trigger the certification but can't passed ,repeated 
> authentication dialog. 

<snip/> 

> nginx.conf 
>  
> location ~ /tomcat/ { 
>             rewrite ^/tomcat/(.*) /$1 break; 
>             proxy_pass http://192.168.122.130:8080; 
> } 
>  
> Why cannot be accessed through the nginx and certified ? please help me 
> ,thanks! 

The request URL forms part of the DIGEST authentication process. By 
changing it in the reverse proxy, you are breaking the authentication 
process. 

You can disable the URI validation. See the validateUri attribute in 
http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Digest_Authenticator_Valve/Attributes 

Mark 


Re: a question about Realm config

Posted by Mark Thomas <ma...@apache.org>.
This time to the list...

On 01/06/17 08:02, ophusky wrote:
> Tomcat version:8.0.43.0
> Nginx  version:openresty/1.11.2.2
> OS:CentOS Linux release 7.3.1611 (Core)
> 
> I have already configure tomcat to use the DIGEST certification,
> When I have direct access to Tomcat  all normal,
> http://192.168.122.130:8080/sample/test/test.html  can trigger the
> certification and passed.
> But when I through the nginx proxy access,
> http://192.168.122.130/tomcat/sample/test/test.html   have a few
> problems,can trigger the certification but can't passed ,repeated
> authentication dialog.

<snip/>

> nginx.conf
> 
> location ~ /tomcat/ {
>             rewrite ^/tomcat/(.*) /$1 break;
>             proxy_pass http://192.168.122.130:8080;
> }
> 
> Why cannot be accessed through the nginx and certified ? please help me
> ,thanks!

The request URL forms part of the DIGEST authentication process. By
changing it in the reverse proxy, you are breaking the authentication
process.

You can disable the URI validation. See the validateUri attribute in
http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Digest_Authenticator_Valve/Attributes

Mark
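
Added example (not part of the original thread, and not Tomcat's source): a simplified model of the RFC 2617 digest check, showing why the nginx rewrite makes the URI the browser hashed differ from the URI the backend receives, and what each fix from this thread changes. The password, nonce and cnonce are constructed values; server_accepts() and its validate_uri parameter are hypothetical stand-ins for the DigestAuthenticator's validateUri behaviour.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def nginx_rewrite(path):
    # Same regex as the thread's nginx.conf: rewrite ^/tomcat/(.*) /$1 break;
    return re.sub(r"^/tomcat/(.*)", r"/\1", path)

def client_authorization(user, realm, password, method, uri, nonce):
    # RFC 2617 qop=auth: the URI the browser requested goes into HA2.
    nc, cnonce, qop = "00000001", "constructed-cnonce", "auth"
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "qop": qop, "response": response}

def server_accepts(auth, method, request_uri, stored_ha1, validate_uri=True):
    # Simplified model of the backend check (assumption, not Tomcat's code).
    if validate_uri and auth["uri"] != request_uri:
        return False  # header URI differs from the URI the backend received
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    expected = md5_hex(":".join([stored_ha1, auth["nonce"], auth["nc"],
                                 auth["cnonce"], auth["qop"], ha2]))
    return hmac.compare_digest(expected, auth["response"])

def run_scenarios():
    # User and realm names are from the thread; the password is constructed.
    user, realm, password = "testdigest", "webapp", "constructed-password"
    nonce = "constructed-nonce"
    stored_ha1 = md5_hex(f"{user}:{realm}:{password}")  # MD5(user:realm:password)
    direct = "/sample/test/test.html"
    proxied = "/tomcat/sample/test/test.html"
    via_direct = client_authorization(user, realm, password, "GET", direct, nonce)
    via_proxy = client_authorization(user, realm, password, "GET", proxied, nonce)
    backend_uri = nginx_rewrite(proxied)  # what Tomcat sees behind the rewrite
    return {
        "direct": server_accepts(via_direct, "GET", direct, stored_ha1),
        "proxy_rewrite": server_accepts(via_proxy, "GET", backend_uri, stored_ha1),
        # Fix 1: validateUri="false" skips the URI comparison entirely.
        "proxy_rewrite_validate_off": server_accepts(
            via_proxy, "GET", backend_uri, stored_ha1, validate_uri=False),
        # Fix 2: no rewrite (app deployed under /tomcat/sample), validation stays on.
        "proxy_no_rewrite": server_accepts(via_proxy, "GET", proxied, stored_ha1),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

With validation off, the server no longer checks that the URI the client hashed is the resource being requested; removing the rewrite keeps that check in place.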
