Posted to users@tomcat.apache.org by Mickael Goujon <mi...@uk.lionbioscience.com> on 2006/02/09 12:40:05 UTC

Realm and Authentication with Tomcat 5.0, Apache 2 and mod_jk 1.2

Hi,

We have a web application deployed under Tomcat 5.0 which uses a custom 
Realm for authentication. This custom Realm basically does a web service 
call using the user's credentials to authenticate with the web service 
server (basic WS-I username/password authentication).

If the web service call fails (user not allowed to call the web service 
with his credentials), then Tomcat authentication fails.

If the web service call succeeds (user has access to the web service), 
then Tomcat authentication succeeds and the Realm will store the Session 
object returned by the web service in a ThreadLocalContext to be reused 
later in the web application.

This works fine with Tomcat only, but as soon as I add mod_jk and try to 
use Apache to do the authentication and then pass the credentials to 
Tomcat (using tomcatAuthentication=false), I get the "403 - access 
denied" page.

I'd like to know if, in my configuration (Apache authentication + Tomcat 
Realm + tomcatAuthentication=false), Apache is supposed to pass the user 
login/password to the Tomcat Realm or if the realm is not called at 
all (This would be the bad news I fear)?

My combination Apache/Tomcat/mod_jk works when I specify 
tomcatAuthentication=true. But, I'd like to have Apache authentication 
and the Tomcat Realm called automatically after that with the 
username/password... Is this possible or do I have to move my Session 
creation process somewhere else?

Hope you understood my problem,

Cheers,

Mickael

--
Mickael Goujon
Software Engineer
Lion Bioscience Ltd

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Realm and Authentication with Tomcat 5.0, Apache 2 and mod_jk 1.2

Posted by Mickael Goujon <mi...@uk.lionbioscience.com>.
Hi Bill,

Thanks for your answer.

The original design of this authentication/session creation mechanism 
was made by another developer who knows Tomcat better than I do (but 
not enough apparently ;) ).

If I understand correctly, your suggestion is to write a custom valve 
which will be used as our missing link between the Apache authentication 
and the Tomcat Realm call. Is this correct?
The Valve will access the username/password in the header and explicitly 
call the Realm (Kind of similar to the SSO Valve)?

Cheers,

Mickael

Bill Barker wrote:
> "Mickael Goujon" <mi...@uk.lionbioscience.com> wrote in message 
> news:43EB2A15.1040304@uk.lionbioscience.com...
> 
>>Hi,
>>
>>We have a web application deployed under Tomcat 5.0 which uses a custom 
>>Realm for authentication. This custom Realm basically does a web service 
>>call using the user's credentials to authenticate with the web service 
>>server (basic WS-I username/password authentication).
>>
>>If the web service call fails (user not allowed to call the web service 
>>with his credentials), then Tomcat authentication fails.
>>
>>If the web service call succeeds (user has access to the web service), then 
>>Tomcat authentication succeeds and the Realm will store the Session object 
>>returned by the web service in a ThreadLocalContext to be reused later in 
>>the web application.
>>
>>This works fine with Tomcat only, but as soon as I add mod_jk and try to 
>>use Apache to do the authentication and then pass the credentials to 
>>Tomcat (using tomcatAuthentication=false), I get the "403 - access denied" 
>>page.
>>
>>I'd like to know if, in my configuration (Apache authentication + Tomcat 
>>Realm + tomcatAuthentication=false), Apache is supposed to pass the user 
>>login/password to the Tomcat Realm or if the realm is not called at all 
>>(This would be the bad news I fear)?
>>
> 
> 
> Sorry for the bad news, but the Tomcat Realm is not called at all in this 
> situation.  Also, Apache doesn't forward the password directly (although it 
> is still encoded in the Header).
> 
> 
>>My combination Apache/Tomcat/mod_jk works when I specify 
>>tomcatAuthentication=true. But, I'd like to have Apache authentication and 
>>the Tomcat Realm called automatically after that with the 
>>username/password... Is this possible or do I have to move my Session 
>>creation process somewhere else?
>>
> 
> 
> A custom Authenticator is probably over-kill here.  I would probably just 
> use a custom Valve.  But as-is, you do at least have to add something (or, 
> modify your copy of the Tomcat code :) to invoke the Realm.
> 
> 
>>Hope you understood my problem,
>>
>>Cheers,
>>
>>Mickael
>>
>>--
>>Mickael Goujon
>>Software Engineer
>>Lion Bioscience Ltd 


Re: Realm and Authentication with Tomcat 5.0, Apache 2 and mod_jk 1.2

Posted by Bill Barker <wb...@wilshire.com>.
"Mickael Goujon" <mi...@uk.lionbioscience.com> wrote in message 
news:43EB2A15.1040304@uk.lionbioscience.com...
> Hi,
>
> We have a web application deployed under Tomcat 5.0 which uses a custom 
> Realm for authentication. This custom Realm basically does a web service 
> call using the user's credentials to authenticate with the web service 
> server (basic WS-I username/password authentication).
>
> If the web service call fails (user not allowed to call the web service 
> with his credentials), then Tomcat authentication fails.
>
> If the web service call succeeds (user has access to the web service), then 
> Tomcat authentication succeeds and the Realm will store the Session object 
> returned by the web service in a ThreadLocalContext to be reused later in 
> the web application.
>
> This works fine with Tomcat only, but as soon as I add mod_jk and try to 
> use Apache to do the authentication and then pass the credentials to 
> Tomcat (using tomcatAuthentication=false), I get the "403 - access denied" 
> page.
>
> I'd like to know if, in my configuration (Apache authentication + Tomcat 
> Realm + tomcatAuthentication=false), Apache is supposed to pass the user 
> login/password to the Tomcat Realm or if the realm is not called at all 
> (This would be the bad news I fear)?
>

Sorry for the bad news, but the Tomcat Realm is not called at all in this 
situation.  Also, Apache doesn't forward the password directly (although it 
is still encoded in the Header).

> My combination Apache/Tomcat/mod_jk works when I specify 
> tomcatAuthentication=true. But, I'd like to have Apache authentication and 
> the Tomcat Realm called automatically after that with the 
> username/password... Is this possible or do I have to move my Session 
> creation process somewhere else?
>

A custom Authenticator is probably over-kill here.  I would probably just 
use a custom Valve.  But as-is, you do at least have to add something (or, 
modify your copy of the Tomcat code :) to invoke the Realm.

> Hope you understood my problem,
>
> Cheers,
>
> Mickael
>
> --
> Mickael Goujon
> Software Engineer
> Lion Bioscience Ltd 
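
The custom Valve discussed in this thread, sketched as an added example that is not code from either poster or from the Tomcat project: it decodes the Basic credentials still present in the forwarded Authorization header and explicitly calls the container's Realm. Assumptions: the class name ForwardedBasicAuthValve is hypothetical, and the code is written against the later Valve API (invoke(Request, Response), javax.servlet, Java 8 or newer) rather than Tomcat 5.0, whose Valve signature differs.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical valve: re-validates forwarded Basic credentials against the Realm. */
public class ForwardedBasicAuthValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String[] creds = parseBasic(request.getHeader("Authorization"));
        Realm realm = getContainer().getRealm();
        // Realm.authenticate returns null when the credentials are rejected.
        Principal principal = (creds == null || realm == null)
                ? null : realm.authenticate(creds[0], creds[1]);
        if (principal == null) {
            // Fail closed: no usable header or Realm refusal ends the request here.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        request.setAuthType("BASIC");
        request.setUserPrincipal(principal);
        getNext().invoke(request, response);
    }

    /** Returns {user, password}, or null if the header is missing or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            // Charset is an assumption; Basic auth does not fix one by default.
            String decoded = new String(raw, StandardCharsets.ISO_8859_1);
            int colon = decoded.indexOf(':'); // password may itself contain ':'
            if (colon < 1) {
                return null;
            }
            return new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
        } catch (IllegalArgumentException e) { // invalid Base64
            return null;
        }
    }
}
```

As written, the Realm is called on every request, so a Realm backed by a web service call, as in the original post, makes that call per request unless the result is cached.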



