Posted to users@tomcat.apache.org by ToFu <su...@spankhouse.com> on 2003/08/29 18:44:29 UTC

application working only partially with mod_jk2

Hi All,

I've got an app that is configured and working with mod_jk2 -- using apache 2.0x and tomcat 4.1.24.  It's running fast, and stable.  However, I'm having some problems with securing the app.  Here's the deal.

Security is configured at the application level (i.e. tomcat application) using the <security-constraint> configurations in the application specific web.xml file.  Works fine going straight to tomcat ( via port 8080).  All files are locked down.

However, I find that going through Apache, via mod_jk2, only the files that are specified in the workers2.properties are actually being triggered for authentication by the app server.  This is fine for the .jsp files or .do (struts) directives that I've got in workers2.properties, but not fine for all the images and videos that I've got behind the security constraint (or want to, at least).

I've changed the workers2.properties file to include the other image and video file types, and this works.  This seems klugey though, as I would prefer if apache serves up these files.

Does anyone have a better solution to locking down ALL files in a webapp using mod_jk2?  Apache authentication won't work for me, as I'm using authentication information within my application.

Any ideas would help.


Todd

##################### FROM WORKERS2.PROPERTIES ##################### 

# MEMBERS.MYAPP.COM WORKER
[ajp13:chihuahua:8009]
channel=channel.socket:chihuahua:8009

[uri:members.myapp.com/*.jsp]
worker=ajp13:chihuahua:8009

[uri:members.myapp.com/*.do]
worker=ajp13:chihuahua:8009

#[uri:members.myapp.com/*.wmv]    # UNCOMMENTED, AND THE APP SECURITY WORKS FOR THESE FILES, OTHERWISE, NOT
#worker=ajp13:chihuahua:8009

#[uri:members.myapp.com/*.mpg]    # UNCOMMENTED, AND THE APP SECURITY WORKS FOR THESE FILES, OTHERWISE, NOT
#worker=ajp13:chihuahua:8009

#[uri:members.myapp.com/*.jpg]    # UNCOMMENTED, AND THE APP SECURITY WORKS FOR THESE FILES, OTHERWISE, NOT
#worker=ajp13:chihuahua:8009

#####################  FROM WEB.XML FILE ##################### 

 <!-- Define a Security Constraint on this Application -->
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Entire Application</web-resource-name>
   <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>member</role-name>
  </auth-constraint>
 </security-constraint>
 
<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>BASIC</auth-method>
     <realm-name>Application Realm</realm-name>
</login-config>
<security-role>
    <role-name>member</role-name>
</security-role>


Re: application working only partially with mod_jk2

Posted by Bill Barker <wb...@wilshire.com>.
Basically:  no.  The AJP13 protocol (used by mod_jk(2)) currently does not
have an 'authorize' state.  The request currently must be handled entirely
either by Apache or Tomcat.

"ToFu" <su...@spankhouse.com> wrote in message
news:000d01c36e4c$d0784a60$326aa8c0@juarez...
Hi All,

I've got an app that is configured and working with mod_jk2 -- using apache
2.0x and tomcat 4.1.24.  It's running fast, and stable.  However, I'm having
some problems with securing the app.  Here's the deal.

Security is configured at the application level (i.e. tomcat application)
using the <security-constraint> configurations in the application specific
web.xml file.  Works fine going straight to tomcat ( via port 8080).  All
files are locked down.

However, I find that going through Apache, via mod_jk2, only the files that
are specified in the workers2.properties are actually being triggered for
authentication by the app server.  This is fine for the .jsp files or .do
(struts) directives that I've got in workers2.properties, but not fine for
all the images and videos that I've got behind the security constraint (or
want to, at least).

I've changed the workers2.properties file to include the other image and
video file types, and this works.  This seems klugey though, as I would
prefer if apache serves up these files.

Does anyone have a better solution to locking down ALL files in a webapp
using mod_jk2?  Apache authentication won't work for me, as I'm using
authentication information within my application.

Any ideas would help.


Todd

##################### FROM WORKERS2.PROPERTIES #####################

# MEMBERS.MYAPP.COM WORKER
[ajp13:chihuahua:8009]
channel=channel.socket:chihuahua:8009

[uri:members.myapp.com/*.jsp]
worker=ajp13:chihuahua:8009

[uri:members.myapp.com/*.do]
worker=ajp13:chihuahua:8009

#[uri:members.myapp.com/*.wmv]    # UNCOMMENTED, AND THE APP SECURITY WORKS FOR THESE FILES, OTHERWISE, NOT
#worker=ajp13:chihuahua:8009

#[uri:members.myapp.com/*.mpg]    # UNCOMMENTED, AND THE APP SECURITY WORKS FOR THESE FILES, OTHERWISE, NOT
#worker=ajp13:chihuahua:8009

#[uri:members.myapp.com/*.jpg]    # UNCOMMENTED, AND THE APP SECURITY WORKS FOR THESE FILES, OTHERWISE, NOT
#worker=ajp13:chihuahua:8009

#####################  FROM WEB.XML FILE #####################

 <!-- Define a Security Constraint on this Application -->
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Entire Application</web-resource-name>
   <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>member</role-name>
  </auth-constraint>
 </security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>BASIC</auth-method>
     <realm-name>Application Realm</realm-name>
</login-config>
<security-role>
    <role-name>member</role-name>
</security-role>
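
The gap discussed in this thread can be audited mechanically. The following is an added example, not code from either poster or from the Tomcat project: it reads the active `[uri:...]` sections of a workers2.properties file and lists the request paths that Apache would serve itself, which therefore never reach Tomcat's `<security-constraint>`. The sample config and paths are constructed, and shell-style glob matching is an assumption standing in for mod_jk2's own URI matcher.

```python
import fnmatch
import re

# Constructed sample mirroring the workers2.properties excerpt in the post.
WORKERS2 = """\
[ajp13:chihuahua:8009]
channel=channel.socket:chihuahua:8009

[uri:members.myapp.com/*.jsp]
worker=ajp13:chihuahua:8009

[uri:members.myapp.com/*.do]
worker=ajp13:chihuahua:8009

#[uri:members.myapp.com/*.wmv]
#worker=ajp13:chihuahua:8009
"""

# Matches an active section header: optional host, then the URI pattern.
SECTION = re.compile(r"^\[uri:([^/\]]*)(/[^\]]*)\]")


def forwarded_patterns(config_text, host):
    """Return URI patterns from uncommented [uri:...] sections for this host."""
    patterns = []
    for line in config_text.splitlines():
        m = SECTION.match(line.strip())
        if m and m.group(1) in ("", host):
            patterns.append(m.group(2))
    return patterns


def unprotected(config_text, host, paths):
    """Paths not forwarded to Tomcat, so container authentication never runs.

    Assumption: glob matching approximates mod_jk2's URI matching.
    """
    patterns = forwarded_patterns(config_text, host)
    return [p for p in paths
            if not any(fnmatch.fnmatchcase(p, pat) for pat in patterns)]


# Constructed request paths for files that live inside the webapp.
SAMPLE_PATHS = ["/index.jsp", "/login.do", "/video/tour.wmv", "/img/logo.jpg"]

if __name__ == "__main__":
    for path in unprotected(WORKERS2, "members.myapp.com", SAMPLE_PATHS):
        print("served by Apache, no container auth:", path)
```

Run against the real file list of the webapp, any path it reports is one that the `/*` constraint in web.xml does not cover when requests arrive through Apache.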