Posted to users@tomcat.apache.org by Kishore Kumar Manthangod <mk...@gmail.com> on 2010/06/20 09:34:54 UTC

Pointing Multiple contexts to single webapp

I have a single webapp. But this has to be accessed from multiple contexts

for example : http://localhost:8080/abc
                    http://localhost:8080/cde
                    http://localhost:8080/xyz

I did this by having multiple Context tags in the <Host> tag, similar to
the following

<Context path="/abc" docBase="MY_WEBAPP_FOLDER" />
<Context path="/cde" docBase="MY_WEBAPP_FOLDER" />
<Context path="/xyz" docBase="MY_WEBAPP_FOLDER" />

The problem with this is, it is duplicating all the resources in the webapp
and starting up all the path by loading all resources. As a reason, I am
getting MemoryOutOfErrors. I want this to be done with single resource.

Any help??



- Kishore

RE: Cleartrust RSA integration

Posted by "dB." <db...@dblock.org>.
This all sounds very unnecessarily complicated. 

Maybe you want to look at authentication at the Tomcat level alone? Writing an authenticator is rather simple (and there're plenty of examples) provided that ClearTrust has an API, which I am sure it does.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York


-----Original Message-----
From: Ron McNulty [mailto:rmcnulty@clear.net.nz] 
Sent: Tuesday, June 22, 2010 2:45 AM
To: Tomcat Users List
Subject: Re: Cleartrust RSA integration

Hi Martin

>> could you briefly explain the need for 2 apache webservers?

I wish I could :)  We currently have our secure web apps fronted by an IBM 
product, which seems to be a munged version of Apache. This has the 
Cleartrust plugin in place and working fine. In the DMZ we have various web 
servers, and the system architects are insisting that these servers do an 
independent Cleartrust authentication. As we want to put a Tomcat machine or 
three in this zone, it would need to be fronted by Apache to achieve 
independent Cleartrust authentication. This sounds like overkill to me...

Regards

Ron


----- Original Message ----- 
From: "Martin Gainty" <mg...@hotmail.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, June 21, 2010 11:45 PM
Subject: RE: Cleartrust RSA integration



could you briefly explain the need for 2 apache webservers?


thanks,
Martin

> Date: Mon, 21 Jun 2010 20:22:44 +1200
> From: rmcnulty@clear.net.nz
> Subject: Re: Cleartrust RSA integration
> To: users@tomcat.apache.org
>
> Hi Andre
>
> Thanks for the reply.
>
> I had a long discussion with our architecture group today. Basically they
> want Cleartrust authentication at the web gateway (in place now) and again
> at the web server. The gateway (an Apache instance) and the Tomcat server
> would not be on the same physical box - they would be in separate security
> zones.
>
> An option is to use yet another Apache instance fronting Tomcat. I'm not
> sure what sort of performance hit this would be (i.e. Apache -> Apache ->
> Tomcat) - do you have any insight?
>
> Regards
>
> Ron
>
> ----- Original Message ----- 
> From: "André Warnier" <aw...@ice-sa.com>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Sunday, June 20, 2010 9:37 PM
> Subject: Re: Cleartrust RSA integration
>
>
> > Ron McNulty wrote:
> >> Hi All
> >>
> >> We are thinking of bringing some of our apps off proprietary J2EE servers
> >> to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux
> >> on a VM (not sure of versions). One of the requirements is to
> >> authenticate using RSA Cleartrust.
> >>
> >> From my reading, Tomcat does not support this. The recommended solution is
> >> to front Tomcat with Apache, and let Apache do the Cleartrust
> >> integration.
> >>
> >> The links I have found are a bit ancient - are my assumptions still
> >> correct? Also, our system architects seem to think this setup is
> >> insufficiently secure - comments?
> >>
> > Assuming the Apache Cleartrust authentication is secure..
> > If Apache authenticates a request, and if the Apache/Tomcat connector is
> > mod_jk, then the authenticated user-id is propagated from Apache to Tomcat
> > (*).
> > (Additional info could be propagated via additional HTTP headers, or
> > "request attributes").
> > If the link between Apache and Tomcat is secure (like for example both run
> > on the same machine and the connection is purely internal), then there is
> > no reason why this would be less secure.
> >
> >
> > (*) whether Tomcat actually uses it, is determined by the
> > "tomcatAuthentication" attribute of the AJP <Connector>.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >

Re: Cleartrust RSA integration

Posted by Ron McNulty <rm...@clear.net.nz>.
Hi Martin

>> could you briefly explain the need for 2 apache webservers?

I wish I could :)  We currently have our secure web apps fronted by an IBM 
product, which seems to be a munged version of Apache. This has the 
Cleartrust plugin in place and working fine. In the DMZ we have various web 
servers, and the system architects are insisting that these servers do an 
independent Cleartrust authentication. As we want to put a Tomcat machine or 
three in this zone, it would need to be fronted by Apache to achieve 
independent Cleartrust authentication. This sounds like overkill to me...

Regards

Ron


----- Original Message ----- 
From: "Martin Gainty" <mg...@hotmail.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, June 21, 2010 11:45 PM
Subject: RE: Cleartrust RSA integration



could you briefly explain the need for 2 apache webservers?


thanks,
Martin

> Date: Mon, 21 Jun 2010 20:22:44 +1200
> From: rmcnulty@clear.net.nz
> Subject: Re: Cleartrust RSA integration
> To: users@tomcat.apache.org
>
> Hi Andre
>
> Thanks for the reply.
>
> I had a long discussion with our architecture group today. Basically they
> want Cleartrust authentication at the web gateway (in place now) and again
> at the web server. The gateway (an Apache instance) and the Tomcat server
> would not be on the same physical box - they would be in separate security
> zones.
>
> An option is to use yet another Apache instance fronting Tomcat. I'm not
> sure what sort of performance hit this would be (i.e. Apache -> Apache ->
> Tomcat) - do you have any insight?
>
> Regards
>
> Ron
>
> ----- Original Message ----- 
> From: "André Warnier" <aw...@ice-sa.com>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Sunday, June 20, 2010 9:37 PM
> Subject: Re: Cleartrust RSA integration
>
>
> > Ron McNulty wrote:
> >> Hi All
> >>
> >> We are thinking of bringing some of our apps off proprietary J2EE servers
> >> to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux
> >> on a VM (not sure of versions). One of the requirements is to
> >> authenticate using RSA Cleartrust.
> >>
> >> From my reading, Tomcat does not support this. The recommended solution is
> >> to front Tomcat with Apache, and let Apache do the Cleartrust
> >> integration.
> >>
> >> The links I have found are a bit ancient - are my assumptions still
> >> correct? Also, our system architects seem to think this setup is
> >> insufficiently secure - comments?
> >>
> > Assuming the Apache Cleartrust authentication is secure..
> > If Apache authenticates a request, and if the Apache/Tomcat connector is
> > mod_jk, then the authenticated user-id is propagated from Apache to Tomcat
> > (*).
> > (Additional info could be propagated via additional HTTP headers, or
> > "request attributes").
> > If the link between Apache and Tomcat is secure (like for example both run
> > on the same machine and the connection is purely internal), then there is
> > no reason why this would be less secure.
> >
> >
> > (*) whether Tomcat actually uses it, is determined by the
> > "tomcatAuthentication" attribute of the AJP <Connector>.
> >

RE: Cleartrust RSA integration

Posted by Martin Gainty <mg...@hotmail.com>.
could you briefly explain the need for 2 apache webservers?


thanks,
Martin

> Date: Mon, 21 Jun 2010 20:22:44 +1200
> From: rmcnulty@clear.net.nz
> Subject: Re: Cleartrust RSA integration
> To: users@tomcat.apache.org
> 
> Hi Andre
> 
> Thanks for the reply.
> 
> I had a long discussion with our architecture group today. Basically they 
> want Cleartrust authentication at the web gateway (in place now) and again 
> at the web server. The gateway (an Apache instance) and the Tomcat server 
> would not be on the same physical box - they would be in separate security 
> zones.
> 
> An option is to use yet another Apache instance fronting Tomcat. I'm not 
> sure what sort of performance hit this would be (i.e. Apache -> Apache -> 
> Tomcat) - do you have any insight?
> 
> Regards
> 
> Ron
> 
> ----- Original Message ----- 
> From: "André Warnier" <aw...@ice-sa.com>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Sunday, June 20, 2010 9:37 PM
> Subject: Re: Cleartrust RSA integration
> 
> 
> > Ron McNulty wrote:
> >> Hi All
> >>
> >> We are thinking of bringing some of our apps off proprietary J2EE servers 
> >> to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux 
> >> on a VM (not sure of versions). One of the requirements is to 
> >> authenticate using RSA Cleartrust.
> >>
> >> From my reading, Tomcat does not support this. The recommended solution 
> >> is
> >> to front Tomcat with Apache, and let Apache do the Cleartrust 
> >> integration.
> >>
> >> The links I have found are a bit ancient - are my assumptions still 
> >> correct? Also, our system architects seem to think this setup is 
> >> insufficiently secure - comments?
> >>
> > Assuming the Apache Cleartrust authentication is secure..
> > If Apache authenticates a request, and if the Apache/Tomcat connector is 
> > mod_jk, then the authenticated user-id is propagated from Apache to Tomcat 
> > (*).
> > (Additional info could be propagated via additional HTTP headers, or 
> > "request attributes").
> > If the link between Apache and Tomcat is secure (like for example both run 
> > on the same machine and the connection is purely internal), then there is 
> > no reason why this would be less secure.
> >
> >
> > (*) whether Tomcat actually uses it, is determined by the 
> > "tomcatAuthentication" attribute of the AJP <Connector>.
> >

Re: Cleartrust RSA integration

Posted by Ron McNulty <rm...@clear.net.nz>.
Hi Andre

Thanks for the reply.

I had a long discussion with our architecture group today. Basically they 
want Cleartrust authentication at the web gateway (in place now) and again 
at the web server. The gateway (an Apache instance) and the Tomcat server 
would not be on the same physical box - they would be in separate security 
zones.

An option is to use yet another Apache instance fronting Tomcat. I'm not 
sure what sort of performance hit this would be (i.e. Apache -> Apache -> 
Tomcat) - do you have any insight?

Regards

Ron

----- Original Message ----- 
From: "André Warnier" <aw...@ice-sa.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Sunday, June 20, 2010 9:37 PM
Subject: Re: Cleartrust RSA integration


> Ron McNulty wrote:
>> Hi All
>>
>> We are thinking of bringing some of our apps off proprietary J2EE servers 
>> to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux 
>> on a VM (not sure of versions). One of the requirements is to 
>> authenticate using RSA Cleartrust.
>>
>> From my reading, Tomcat does not support this. The recommended solution 
>> is
>> to front Tomcat with Apache, and let Apache do the Cleartrust 
>> integration.
>>
>> The links I have found are a bit ancient - are my assumptions still 
>> correct? Also, our system architects seem to think this setup is 
>> insufficiently secure - comments?
>>
> Assuming the Apache Cleartrust authentication is secure..
> If Apache authenticates a request, and if the Apache/Tomcat connector is 
> mod_jk, then the authenticated user-id is propagated from Apache to Tomcat 
> (*).
> (Additional info could be propagated via additional HTTP headers, or 
> "request attributes").
> If the link between Apache and Tomcat is secure (like for example both run 
> on the same machine and the connection is purely internal), then there is 
> no reason why this would be less secure.
>
>
> (*) whether Tomcat actually uses it, is determined by the 
> "tomcatAuthentication" attribute of the AJP <Connector>.
>

Re: Cleartrust RSA integration

Posted by André Warnier <aw...@ice-sa.com>.
Ron McNulty wrote:
> Hi All
> 
> We are thinking of bringing some of our apps off proprietary J2EE 
> servers to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 
> and Linux on a VM (not sure of versions). One of the requirements is to 
> authenticate using RSA Cleartrust.
> 
> From my reading, Tomcat does not support this. The recommended 
> solution is 
> to front Tomcat with Apache, and let Apache do the Cleartrust integration.
> 
> The links I have found are a bit ancient - are my assumptions still 
> correct? Also, our system architects seem to think this setup is 
> insufficiently secure - comments?
> 
Assuming the Apache Cleartrust authentication is secure..
If Apache authenticates a request, and if the Apache/Tomcat connector is mod_jk, then the 
authenticated user-id is propagated from Apache to Tomcat (*).
(Additional info could be propagated via additional HTTP headers, or "request attributes").
If the link between Apache and Tomcat is secure (like for example both run on the same 
machine and the connection is purely internal), then there is no reason why this would be 
less secure.


(*) whether Tomcat actually uses it, is determined by the "tomcatAuthentication" attribute 
of the AJP <Connector>.
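
An added example (not part of the original message and not Tomcat project code): a small Python check of a server.xml for the two conditions discussed above, reporting for each AJP connector whether Tomcat accepts the user authenticated by the front end (tomcatAuthentication="false") and whether the connector is bound to loopback only. The sample server.xml, its ports and addresses, and the verdict labels are constructed for illustration; a connector without an address attribute is assumed to listen on all interfaces.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the thread).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- accepts the front end's user, no address restriction -->
    <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
    <!-- accepts the front end's user, same-host link only -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" />
    <!-- Tomcat authenticates itself; the forwarded user is not used -->
    <Connector port="8011" protocol="AJP/1.3" address="10.0.0.5" />
  </Service>
</Server>
"""


def is_ajp(connector):
    # protocol is either "AJP/1.3" or an AJP protocol handler class name.
    return "ajp" in connector.get("protocol", "HTTP/1.1").lower()


def trusts_frontend_user(connector):
    # tomcatAuthentication defaults to true (Tomcat does the authentication);
    # "false" means the user authenticated by Apache is accepted as-is.
    value = connector.get("tomcatAuthentication", "true")
    return value.strip().lower() == "false"


def is_loopback(address):
    if address is None:
        return False  # assumption: no address attribute means all interfaces
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.strip().lower() == "localhost"


def audit_ajp(server_xml):
    """Return (port, address, verdict) for every AJP connector, in file order."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        address = conn.get("address")
        if not trusts_frontend_user(conn):
            verdict = "TOMCAT-AUTH"   # forwarded identity is ignored
        elif is_loopback(address):
            verdict = "OK-LOCAL"      # identity accepted over a same-host link
        else:
            verdict = "REVIEW"        # identity accepted over a network link
        findings.append((conn.get("port"), address or "*", verdict))
    return findings


if __name__ == "__main__":
    for port, address, verdict in audit_ajp(SAMPLE_SERVER_XML):
        print(f"AJP {address}:{port} -> {verdict}")
```

A REVIEW result corresponds to the separate-zones layout raised in the thread: the forwarded user-id is only as trustworthy as the controls on who can reach that AJP port.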


Cleartrust RSA integration

Posted by Ron McNulty <rm...@clear.net.nz>.
Hi All

We are thinking of bringing some of our apps off proprietary J2EE servers to 
Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux on a 
VM (not sure of versions). One of the requirements is to authenticate using 
RSA Cleartrust.

From my reading, Tomcat does not support this. The recommended solution is 
to front Tomcat with Apache, and let Apache do the Cleartrust integration.

The links I have found are a bit ancient - are my assumptions still correct? 
Also, our system architects seem to think this setup is insufficiently 
secure - comments?

Regards

Ron



Re: Pointing Multiple contexts to single webapp

Posted by André Warnier <aw...@ice-sa.com>.
Kishore Kumar Manthangod wrote:
> I have a single webapp. But this has to be accessed from multiple contexts
> 
> for example : http://localhost:8080/abc
>                     http://localhost:8080/cde
>                     http://localhost:8080/xyz
> 

Have a look at UrlRewriteFilter : http://www.tuckey.org

...

> As a reason, I am
> getting MemoryOutOfErrors.

Have you thought of patenting that code ?  A lot of vendors would be interested in 
something like that.
