httpd-users mailing list archives

From "Jorge Medina" <jmed...@e-dialog.com>
Subject [users@httpd] Protecting mod_jk status pages with LDAP: Is there anything special about protecting content provided by an Apache module?
Date Mon, 11 Aug 2008 19:04:41 GMT
Hello, 

I have a server with Apache (v2.2.8) configured to use mod_jk (1.2.26)
to communicate with Tomcat (6.0.16).
I am using LDAP to provide basic authentication. I configured mod_jk to
provide status information in the URLs /private/admin/watch/jk and
/private/admin/manage/jk as shown in the uriworkermap.properties file at
the end of this message. I also included my workers.properties file.

In my tests, I am able to protect the URLs of the Tomcat Example
application using the segment below. I do get asked to provide the LDAP
credentials by the browser when requesting pages from the example
application.

<Location /examples/* >
  AuthType basic
  AuthName "LDAP credentials"
  AuthBasicProvider ldap
  AuthLDAPUrl ldaps://ldap.example.com:636/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)
  AuthzLDAPAuthoritative on
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group cn=regular-users,ou=groups,dc=example,dc=com
</Location>

But I have not been able to protect the URIs of the mod_jk status.
Anybody knowing the URL can access the pages. Below is the segment I am
using to protect the mod_jk pages; nevertheless, I don't get asked for a
user name and password at all.

<Location /private/* >
  AuthType basic
  AuthName "LDAP credentials"
  AuthBasicProvider ldap
  AuthLDAPUrl ldaps://ldap.example.com:636/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)
  AuthzLDAPAuthoritative on
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group cn=super-users,ou=groups,dc=example,dc=com 
</Location>

Is there anything special about protecting content provided by an Apache
module?
Any help or pointers are appreciated.

-Jorge


######## uriworkermap.properties ##############################

# This file provides mapping for the wlb worker
# defined in workers.properties.
# The general syntax for this file is:
# [URL]=[Worker name]

# Let's allow access to the examples web app bundled with Tomcat
/examples=wlb
/examples/*=wlb

/manager=wlb
/manager/*=wlb

/host-manager=wlb
/host-manager/*=wlb

# Let's also define a URI to access the status workers
/private/admin/watch/jk=jkwatch
/private/admin/manage/jk=jkmanage


######### workers.properties ###################################

# Let's define some environment properties (Not sure this is needed for
# ajp workers)
workers.tomcat_home=/opt/myapp-1.0/tomcat
workers.java_home=/usr/java/jdk1.6.0_07
ps=/


# The list of workers
# Worker names may only contain characters from the set [a-zA-Z0-9\-_]
worker.list= wlb, jkwatch, jkmanage


# Now define some properties for the workers.
# A worker type must be one of: [ajp12 | ajp13 | jni | lb | status]

# Properties for worker: localworker
worker.localworker.type=ajp13 
worker.localworker.host=localhost
worker.localworker.port=8009
worker.localworker.lbfactor=1
worker.localworker.connection_pool_timeout=600
worker.localworker.socket_keepalive=1
worker.localworker.socket_timeout=60

# Defining a load balancer (with a single worker, the local worker)
worker.wlb.type=lb
worker.wlb.balance_workers=localworker

# Defining the status workers, one is read-only
worker.jkwatch.type=status
worker.jkwatch.read_only=True
worker.jkwatch.mount=/private/admin/watch/jk

worker.jkmanage.type=status
worker.jkmanage.mount=/private/admin/manage/jk



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
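
Added example, not part of the original message: a small Python model of the documented matching rules for non-regex <Location> paths (in the wildcard form neither * nor ? matches a "/", while a plain path is matched as a prefix ending on a segment boundary), run over the two status mounts from the post. The /examples URIs, the function names and the prefix-form paths are assumptions made for illustration.

```python
import re

def location_matches(loc: str, uri: str) -> bool:
    """Simplified model of how httpd matches a non-regex <Location> path."""
    if "*" in loc or "?" in loc:
        # Wildcard form: whole-path match where neither * nor ? matches "/".
        pattern = "".join(
            "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
            for c in loc
        )
        return re.fullmatch(pattern, uri) is not None
    # Plain form: prefix match that must end on a path-segment boundary.
    if not uri.startswith(loc):
        return False
    return loc.endswith("/") or len(uri) == len(loc) or uri[len(loc)] == "/"

def unprotected(uris, protected_locations):
    """Return the URIs that no auth-bearing <Location> covers."""
    return [u for u in uris
            if not any(location_matches(l, u) for l in protected_locations)]

# Status mounts are from the post; the /examples URIs are constructed samples.
URIS = [
    "/private/admin/watch/jk",
    "/private/admin/manage/jk",
    "/examples/index.html",
    "/examples/jsp/index.html",
]
AS_POSTED = ["/examples/*", "/private/*"]    # <Location> paths from the post
PREFIX_FORM = ["/examples", "/private"]      # assumed alternative, not from the post

if __name__ == "__main__":
    print("as posted  :", unprotected(URIS, AS_POSTED))
    print("prefix form:", unprotected(URIS, PREFIX_FORM))
```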

