Posted to users@tomcat.apache.org by oh...@cox.net on 2012/06/04 04:30:17 UTC

Followup old thread(s) about Apache, AJP, and tomcatAuthentication, and roles

Hi,

A while ago, I had this thread, where I was originally trying to see if I could get Tomcat, using the AJP connector and "tomcatAuthentication", to work when I had an OAM webgate installed on the Apache proxy fronting Tomcat:

http://tomcat.10.n6.nabble.com/Do-any-of-the-Tomcat-LDAP-type-realms-support-quot-no-password-quot-authentication-td2055999.html

The bottom line at the time was that it didn't seem to work, probably because the user name wasn't being populated in the AJP packet.

I'm picking this subject up again, from scratch, because I happened to find out that mod_ssl has a directive, SSLUserName, that is supposed to populate the user name after 2-way SSL authentication.

So, I set up a new Apache and Tomcat, and I added that SSLUserName directive to the Apache httpd-ssl.conf (but not with the OAM agent yet), and did some tests, and it looks like it ALMOST worked, i.e., it looks like *A* user name is being passed to Tomcat (in the Tomcat logs, I see "already authenticated" and the username from the SSL client cert).

However, I get a 403/access denied on my test web app.  

This is even though I have a role in the realm (the original/default flat-file realm), so it looks like even though tomcatAuthentication="false" is kind of working, the user is not picking up the Tomcat roles.

So, I've been googling, and found this:

http://tomcat.10.n6.nabble.com/Container-managed-security-and-Proxy-support-td2168081.html

which seems to describe the problem I'm encountering, but that thread didn't seem to conclude.

So, does anyone know: when a user is asserted into Tomcat via tomcatAuthentication='false', does that authenticated user pick up the Tomcat roles from the realm?

There's one message in the thread from "Pid" saying that a custom realm is needed, and then Andre Warnier seemed to think that wasn't the case, but then nothing after that.

Thanks,
Jim
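Editor's note with an added configuration example (not part of the original message or of any reply in the thread). The Tomcat AJP connector reference documents the behaviour Jim is seeing: with tomcatAuthentication="false" the principal propagated from the web server is accepted as already authenticated, but it carries no roles, so any auth-constraint in web.xml fails with a 403 regardless of what the realm contains. Later Tomcat releases added a separate connector attribute, tomcatAuthorization="true", under which the proxy-supplied user name is looked up in the configured Realm and its roles are assigned. The sample below assumes that attribute is available in the Tomcat in use (on a 2012-era release it would be ignored with a warning and the 403 would persist); the host, port, secret, user name and role name are invented for the example.

```xml
<!-- conf/server.xml: AJP connector that accepts the user asserted by httpd.
     Attribute names are from the Tomcat AJP connector reference; the
     address, port and secret values are assumptions for this example.
     Once Tomcat trusts the proxy-asserted user, the AJP port is an
     authentication bypass for anyone who can reach it, so bind it to
     loopback and require the shared secret (the attribute is called
     "secret" in current releases and "requiredSecret" in older ones). -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secret="change-me-shared-with-mod_proxy_ajp"
           tomcatAuthentication="false"
           tomcatAuthorization="true" />

<!-- conf/tomcat-users.xml: the username must equal the value httpd puts in
     REMOTE_USER, i.e. the client certificate CN when httpd is configured
     with "SSLUserName SSL_CLIENT_S_DN_CN". No password is given because
     Tomcat never authenticates this user itself; only the roles matter. -->
<tomcat-users>
  <role rolename="appuser"/>
  <user username="jim" roles="appuser"/>
</tomcat-users>

<!-- WEB-INF/web.xml of the test web app: the constraint that produces the
     403 when the asserted principal has no roles attached to it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>appuser</role-name>
</security-role>
```

On the httpd side the matching pieces are SSLVerifyClient require (so the CN comes from a certificate validated against the configured CA), SSLUserName SSL_CLIENT_S_DN_CN (which fills the request's user field that mod_proxy_ajp forwards in the AJP packet) and a ProxyPass to ajp://127.0.0.1:8009/ carrying the same secret. A quick check that the right side is at fault: a request through httpd with a valid client certificate whose CN has no entry in tomcat-users.xml should also get a 403, while one whose CN is listed with the role should get a 200 only when tomcatAuthorization is honoured by the running Tomcat version.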

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org