You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Jorge Medina <jm...@e-dialog.com> on 2008/06/17 22:08:54 UTC

[users@httpd] Using Apache to secure Tomcat Manager App

Hi, 

   I have Apache 2.2 in front of Tomcat 6 using the mod_jk module. 

 

   I disabled the HTTP connector in Tomcat, therefore, all my requests
go through Apache.

   My Apache web server is configured to authenticate users using an
LDAP server.

 

   I would like to keep access to the Tomcat Manager application, but
right now I am getting asked for two set of credentials when accessing
the manager application: the first set is asked by Apache (the LDAP
credentials) and the second time is Tomcat  (using the credentials in
tomcat-users.xml). 

 

   I would like to only be asked once for credentials, the LDAP
credentials.

   

a)       Is there a way to disable in Tomcat 6 the security built-in
around the manager application and let Apache manage the access to  it?

b)       Or, should I configure the JNDIRealm of Tomcat to use the same
LDAP server? Would I still be asked twice for credentials?

 

I was trying option (b) but I haven't been able to authenticate to LDAP
on Tomcat, but then I thought option (a) would be better,

 

   Does anybody have secured the Tomcat manager web application using
Apache?

 

Thanks

 

-Jorge

RE: [users@httpd] Using Apache to secure Tomcat Manager App

Posted by Jorge Medina <jm...@e-dialog.com>.
Never mind, I was able to configure Tomcat to use LDAP. The browser does
not ask twice for credentials. Life is good.

 

________________________________

From: Jorge Medina [mailto:jmedina@e-dialog.com] 
Sent: Tuesday, June 17, 2008 4:09 PM
To: users@httpd.apache.org
Subject: [users@httpd] Using Apache to secure Tomcat Manager App

 

Hi, 

   I have Apache 2.2 in front of Tomcat 6 using the mod_jk module. 

 

   I disabled the HTTP connector in Tomcat, therefore, all my requests
go through Apache.

   My Apache web server is configured to authenticate users using an
LDAP server.

 

   I would like to keep access to the Tomcat Manager application, but
right now I am getting asked for two set of credentials when accessing
the manager application: the first set is asked by Apache (the LDAP
credentials) and the second time is Tomcat  (using the credentials in
tomcat-users.xml). 

 

   I would like to only be asked once for credentials, the LDAP
credentials.

   

a)       Is there a way to disable in Tomcat 6 the security built-in
around the manager application and let Apache manage the access to  it?

b)       Or, should I configure the JNDIRealm of Tomcat to use the same
LDAP server? Would I still be asked twice for credentials?

 

I was trying option (b) but I haven't been able to authenticate to LDAP
on Tomcat, but then I thought option (a) would be better,

 

   Does anybody have secured the Tomcat manager web application using
Apache?

 

Thanks

 

-Jorge

Re: [users@httpd] Using Apache to secure Tomcat Manager App

Posted by André Warnier <aw...@ice-sa.com>.
Jorge Medina wrote:
> Hi, 
> 
>    I have Apache 2.2 in front of Tomcat 6 using the mod_jk module. 
>    I disabled the HTTP connector in Tomcat, therefore, all my requests
> go through Apache.
>    My Apache web server is configured to authenticate users using an
> LDAP server.
>    I would like to keep access to the Tomcat Manager application, but
> right now I am getting asked for two set of credentials when accessing
> the manager application: the first set is asked by Apache (the LDAP
> credentials) and the second time is Tomcat  (using the credentials in
> tomcat-users.xml). 
>    I would like to only be asked once for credentials, the LDAP
> credentials.
  > a)       Is there a way to disable in Tomcat 6 the security built-in
> around the manager application and let Apache manage the access to  it?
[...]

You may be able to use this :
http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
and look at the end of the page for the "tomcatAuthentication" attribute 
of the <Connector> element (which is in Tomcat's server.xml).  If I 
understand this correctly, by explicitly setting the attribute
tomcatAuthentication="false"
, it should be so that the user-id, as already authenticated by Apache, 
should be carried over to Tomcat via the mod_jk connector.
Thus Tomcat should no longer ask for user authentication, but "believe" 
what the front-end Apache tells it.

Now, Tomcat will receive the user-id from Apache (the "authentication" 
part).  But you should still handle the "role" part in Tomcat (the 
"authorisation" part).

This is what I infer from the documentation, but I have not tried it 
yet, so could maybe a Tomcat/mod_jk/AJP expert confirm this ?


André

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org