Posted to users@tomcat.apache.org by David Molloy <mo...@eeng.dcu.ie> on 2001/08/22 10:52:18 UTC

Sharing Authorization Between TC4 + Apache

I am currently working on a project where users log into a
Tomcat servlet-based system, which does numerous wonderful 
things :)  However, one additional thing I would like to 
implement is to allow users authorized through the servlets
(using sessions etc.) to be also authorized for various apache
secure pages.  There are numerous reasons why those pages 
must remain on Apache and I haven't got TC4 and Apache linked
as yet (not sure if it's widely done as yet). 

Is there any way of passing htpasswd authorization from a 
servlet to Apache or any clever way of doing it?  Essentially,
I would like the htpasswd dialogs to be transparent if the
correct person is logged into the servlet system.  Any ideas
please?

Dave



Re: Sharing Authorization Between TC4 + Apache

Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Wed, 22 Aug 2001, David Molloy wrote:

> I am currently working on a project where users log into a
> Tomcat servlet-based system, which does numerous wonderful
> things :)  However, one additional thing I would like to
> implement is to allow users authorized through the servlets
> (using sessions etc.) to be also authorized for various apache
> secure pages.  There are numerous reasons why those pages
> must remain on Apache and I haven't got TC4 and Apache linked
> as yet (not sure if it's widely done as yet).
>
> Is there any way of passing htpasswd authorization from a
> servlet to Apache or any clever way of doing it?  Essentially,
> I would like the htpasswd dialogs to be transparent if the
> correct person is logged into the servlet system.  Any ideas
> please?
>

To physically share the databases of username information, you would have
to write a TC4 "Realm" implementation that read the corresponding password
files (.htpasswd or whatever) that Apache is reading.  However, you would
still need to set up your security constraints with URL patterns that map
how Apache applies protections hierarchically.

I will let Pier talk about the technology issues of sharing authentication
information at runtime between Tomcat and Apache, but here's one
completely stand alone approach that should work:

* Use BASIC authentication in both Apache and Tomcat
* Use the same "Realm Name" strings in both Apache
  and Tomcat
* Make sure that the username, password, and group
  (for servlets, this is the same as role) information
  is identical in both user databases.

The reason this works is that the username and password are sent (by the
browser) along with every request that has a matching realm name on the
same host.  Thus, the user will authenticate themselves the first time
that they run into a protected resource on either side, and the other side
will automatically recognize it.

> Dave

Craig
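
The mechanism Craig describes, modelled as an added Python example (not code from the thread or from Apache or Tomcat): two independent servers each check BASIC credentials against their own copy of the user database, and a browser replays cached credentials when the host and realm name match. The class names, the host `www.example.test`, the `dave` account and the use of htpasswd `{SHA}` entries are assumptions made for illustration.

```python
import base64, hashlib, hmac

def htpasswd_sha(password):
    # Apache htpasswd "{SHA}" entry: base64 of an unsalted SHA-1 digest.
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

class Server:
    """One side (Apache or Tomcat): a realm name plus its own user database."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users   # users: name -> htpasswd hash

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:  # BASIC credentials are only base64("user:password")
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            except ValueError:
                user, pw = "", ""
            stored = self.users.get(user)
            if stored and hmac.compare_digest(stored, htpasswd_sha(pw)):
                return 200, {}
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % self.realm}

class Browser:
    """Caches credentials per (host, realm) and replays them on a challenge."""
    def __init__(self):
        self.cache, self.prompts = {}, 0

    def get(self, host, server, username, password):
        status, hdrs = server.handle({})
        if status != 401:
            return status
        realm = hdrs["WWW-Authenticate"].split('realm="')[1].rstrip('"')
        key = (host, realm)
        if key not in self.cache:
            self.prompts += 1                   # the login dialog appears here
            token = base64.b64encode(f"{username}:{password}".encode()).decode()
            self.cache[key] = "Basic " + token
        status, _ = server.handle({"Authorization": self.cache[key]})
        if status != 200:
            self.cache.pop(key)                 # rejected: forget and re-prompt later
        return status

def prompts_needed(apache_realm, tomcat_realm, host="www.example.test"):
    users = {"dave": htpasswd_sha("s3cret")}    # constructed sample account
    tomcat, apache = Server(tomcat_realm, dict(users)), Server(apache_realm, dict(users))
    browser = Browser()
    results = [browser.get(host, s, "dave", "s3cret") for s in (tomcat, apache)]
    return browser.prompts, results
```

`prompts_needed("Members", "Members")` shows a single login dialog covering both servers, while differing realm names produce a second dialog even though the user databases are identical.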