Posted to users@tomcat.apache.org by Ron Gomes <ro...@morganstanley.com> on 2004/06/22 16:49:09 UTC

Use of roles when tomcatAuthentication=false

We use Tomcat with a fronting Web server (Apache) which provides Basic
authentication, so we need to run with 'tomcatAuthentication="false"'
in the Ajp13Connector.  But we also want to make use of the servlet
"roles" concept to protect applications (including the Manager app)
from arbitrary access.

Is there any simple way to do this?  We've tried mapping user names to
roles in the usual way in tomcat-users.xml, in the hope that Tomcat
(with tomcatAuthentication set to false) would take the user name from
the Apache-supplied basic-auth credentials, but use the roles from
tomcat-users.xml.  But the behavior suggests that tomcat-users.xml is
not consulted at all in this situation.

This is with Tomcat 4.1.30.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Use of roles when tomcatAuthentication=false

Posted by Tim Funk <fu...@joedog.org>.
None of the Realms will be useful when tomcatAuthentication="false". You'd
need to roll your own.

-Tim

Ron Gomes wrote:
> We use Tomcat with a fronting Web server (Apache) which provides Basic
> authentication, so we need to run with 'tomcatAuthentication="false"'
> in the Ajp13Connector.  But we also want to make use of the servlet
> "roles" concept to protect applications (including the Manager app)
> from arbitrary access.
> 
> Is there any simple way to do this?  We've tried mapping user names to
> roles in the usual way in tomcat-users.xml, in the hope that Tomcat
> (with tomcatAuthentication set to false) would take the user name from
> the Apache-supplied basic-auth credentials, but use the roles from
> tomcat-users.xml.  But the behavior suggests that tomcat-users.xml is
> not consulted at all in this situation.
> 
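
One shape "roll your own" could take, as an added example that is not part of the original thread and is not Tomcat code: a Servlet 2.3 filter that takes the user name Apache supplied over AJP and does its own role check, failing closed. The class name `FrontendRoleFilter` and the `requiredRole` and `users` init-params (with their `user=role,role;user=role` format) are assumptions made for this sketch.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: enforces one required role for the user name that the
// fronting Apache authenticated. Raw collections keep it JDK 1.4 compatible.
public class FrontendRoleFilter implements Filter {
    private final Map rolesByUser = new HashMap(); // user name -> Set of role names
    private String requiredRole;

    public void init(FilterConfig cfg) throws ServletException {
        requiredRole = cfg.getInitParameter("requiredRole"); // assumed init-param
        String users = cfg.getInitParameter("users");        // assumed, e.g. "alice=manager,admin;bob=admin"
        if (requiredRole == null || users == null) {
            throw new ServletException("requiredRole and users init-params are mandatory");
        }
        StringTokenizer entries = new StringTokenizer(users, ";");
        while (entries.hasMoreTokens()) {
            String entry = entries.nextToken().trim();
            int eq = entry.indexOf('=');
            if (eq <= 0) throw new ServletException("bad users entry: " + entry);
            Set roles = new HashSet();
            StringTokenizer names = new StringTokenizer(entry.substring(eq + 1), ",");
            while (names.hasMoreTokens()) roles.add(names.nextToken().trim());
            rolesByUser.put(entry.substring(0, eq).trim(), roles);
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String user = req.getRemoteUser(); // user name passed in by the web server
        final Set roles = (user == null) ? null : (Set) rolesByUser.get(user);
        if (roles == null || !roles.contains(requiredRole)) {
            // Fail closed: no user, unknown user, or user lacks the role.
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Application calls to isUserInRole() now answer from the same mapping.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public boolean isUserInRole(String role) { return roles.contains(role); }
        }, rs);
    }

    public void destroy() { }
}
```

The filter trusts whatever user name arrives over AJP, so the AJP port should accept connections only from the fronting Apache. It performs its own check and does not make `<security-constraint>` entries in web.xml work.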
