Posted to users@tomcat.apache.org by Jack Yu <ja...@jackyu.org> on 2006/11/21 01:50:31 UTC

How to pass Apache LDAP ACL to Tomcat ??

Tried to pass the Apache ACL-authenticated user credential to Tomcat, but it failed.

System: FreeBSD 6.1, Apache 2.2.3, SUN jdk 1.4.2, Tomcat 5.5

Apache is set up to authenticate against an LDAP server:

<Directory />
    AuthLDAPURL ldap://ldap.jackyu.org/dc=jackyu,dc=org?uid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPBindDN cn=bind,ou=SystemAccounts,dc=jackyu,dc=org
    AuthLDAPBindPassword ******
    AuthType basic
    AuthName "AAA"
    AuthBasicProvider ldap
    require ldap-group cn=test,ou=Groups,dc=jackyu,dc=org
    AllowOverride None
    Order deny,allow
    Deny from all
    AuthzLDAPAuthoritative on
</Directory>

Users with LDAP group membership of test can authenticate themselves while
accessing the home page in Apache, http://jackyu.org/index.html.

When Apache ACL-authenticated users go to http://jackyu.org/xyz/index.jsp,
the page goes through mod_jk and is passed to the Tomcat server (on the same
host).

Here is the mod_jk section in httpd.conf:
# mod_jk.so settings
JkWorkersFile "/usr/local/etc/apache22/workers.properties"
JkLogFile "/var/log/mod_jk.log"
JkLogLevel debug
JkMount /xyz abc
JkMount /zyx/* abc
# end of mod_jk.so settings

Here is the workers.properties file:

worker.list=abc
worker.abc.port=8009
worker.abc.host=localhost
worker.abc.type=ajp13
worker.abc.lbfactor=1
worker.abc.cachesize=10
worker.abc.cache_timeout=600
worker.abc.socket_keepalive=1
worker.abc.recycle_timeout=300

I have also added tomcatAuthentication="false" to the server.xml in Tomcat.

    <Connector port="8009"
               enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" tomcatAuthentication="false" />

In the Tomcat webapp /xyz, I added the following to the web.xml:

  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AAA</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>HTTP</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>test</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>AAA</realm-name>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>
      The role that is required to log in to the AAA
    </description>
    <role-name>test</role-name>
  </security-role>

The Apache-authenticated user credential (with LDAP group test) wasn't passed
to Tomcat properly. The log file showed null for the user.

Also, if users copy and paste the URL, http://jackyu.org/xyz/index.jsp, into a new
browser, there is no Apache ACL login popup.

Does anyone know how to make this work?

Thanks

Jack Yu
jack@jackyu.org
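As an added illustration (not from Jack's post, mod_jk or Tomcat), the Python below builds the AJP13 ForwardRequest that mod_jk sends to the port 8009 connector and reads the identity back out of it: Apache's REMOTE_USER and AUTH_TYPE travel only as the optional remote_user (0x03) and auth_type (0x04) attributes, which Tomcat honours as-is when tomcatAuthentication="false", so a request that Apache did not authenticate arrives with no user at all (the null in the log), and anything that can reach 8009 directly can assert any user, which is why the AJP port should be reachable only by the trusted Apache. The packet is constructed with no request headers for brevity, and the parser handles the string-valued attributes only.

```python
import struct

AJP_FORWARD_REQUEST, ATTR_REMOTE_USER, ATTR_AUTH_TYPE, ATTR_TERMINATOR = 0x02, 0x03, 0x04, 0xFF

def _s(value):
    """AJP string: 2-byte length, bytes, NUL terminator; a null string is just 0xFFFF."""
    data = value.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"

def build_forward_request(uri, remote_user=None, auth_type=None):
    """GET ForwardRequest packet as mod_jk sends it to port 8009 (headers omitted for brevity)."""
    body = bytes([AJP_FORWARD_REQUEST, 0x02]) + _s("HTTP/1.1") + _s(uri)   # 0x02 = GET
    body += _s("127.0.0.1") + b"\xff\xff" + _s("localhost")   # remote_addr, null remote_host, server_name
    body += struct.pack(">H", 80) + b"\x00" + struct.pack(">H", 0)  # server_port, is_ssl, num_headers
    # mod_jk adds these attributes only when Apache itself set REMOTE_USER / AUTH_TYPE;
    # with tomcatAuthentication="false" Tomcat takes the principal name from them unchecked.
    if remote_user is not None:
        body += bytes([ATTR_REMOTE_USER]) + _s(remote_user)
    if auth_type is not None:
        body += bytes([ATTR_AUTH_TYPE]) + _s(auth_type)
    body += bytes([ATTR_TERMINATOR])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def _read_s(buf, pos):
    n = struct.unpack_from(">H", buf, pos)[0]
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 3 + n

def parse_forwarded_identity(packet):
    """Return (req_uri, remote_user, auth_type) as Tomcat receives them; None means no user."""
    if packet[:2] != b"\x12\x34" or packet[4] != AJP_FORWARD_REQUEST:
        raise ValueError("not a container-bound AJP13 ForwardRequest")
    buf = packet[4:4 + struct.unpack_from(">H", packet, 2)[0]]
    _, pos = _read_s(buf, 2)                  # skip prefix + method byte, read protocol
    uri, pos = _read_s(buf, pos)
    for _ in range(3):                        # remote_addr, remote_host, server_name
        _, pos = _read_s(buf, pos)
    num_headers = struct.unpack_from(">H", buf, pos + 3)[0]   # follows server_port + is_ssl
    pos += 5
    for _ in range(num_headers):              # name is a 0xA0xx code or a string; value a string
        pos = pos + 2 if buf[pos] == 0xA0 else _read_s(buf, pos)[1]
        _, pos = _read_s(buf, pos)
    found = {}
    while buf[pos] != ATTR_TERMINATOR:        # string-valued attributes: 1-byte code then value
        code, pos = buf[pos], pos + 1
        val, pos = _read_s(buf, pos)
        if code in (ATTR_REMOTE_USER, ATTR_AUTH_TYPE):
            found[code] = val
    return uri, found.get(ATTR_REMOTE_USER), found.get(ATTR_AUTH_TYPE)
```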