tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: WWW-Authentication using Tomcat-form-based-login and Apache
Date Thu, 16 Nov 2000 18:12:15 GMT
Marco van Meegen wrote:

> sounds like I've got exactly the same problem. I didn't follow the thread in
> the dev-mailinglist,
> so I'm sorry if I repeat problems already solved there...
> I'd like to set up exactly the same thing and found the same source in the
> Professional JSP-book.
> The questions for me are:
> 1) Tomcat 3.1 declares security-related features as alpha; anyone got an idea,
> if security in 3.2b7
>     might be suitable for production use already ?

Yes -- BASIC and FORM-BASED authentication should work well in 3.2b7.  For DIGEST
or CLIENT-CERT you will need Tomcat 4.0.

> 2) If I define a security-constraint in Tomcat, using Apache and Tomcat; will
> Apache know about this constraint ?

No.  The easiest way to understand what Apache knows about and what it doesn't is
that the part of Tomcat that creates "tomcat-apache.conf" does *not* read web.xml
-- it only reads server.xml.  Therefore, it does not know anything about security
constraints you've defined there.  You will need to configure them separately in

This is something that is going to change in the Tomcat 4.0 web connectors -- they
are webapp-aware, so you won't need to worry about double configuring anything.

>    Or do I have to serve all files under security constraints using tomcat,
> even the static ones ?
>    If so, would there be any reason for using Apache at all ?

For Tomcat 3.x, if you are running behind Apache, the web server gets first crack
at security and imposes its own rules.  Because Apache is handling the static
resources, Tomcat never even finds out about those requests -- so you *must* use
Apache security if you want to protect the static resources.  Servlet security
only applies to the requests that are actually forwarded to Tomcat (i.e. JSP pages
and /servlet/* patterns).

For Tomcat 4.0, the servlet 2.3 spec requires that the "server" (in our case, that
means the Apache+Tomcat combination) must impose the security constraints in
web.xml for both dynamic and static resources.  This is one of the major reasons a
new connector is being written.

> Thanks for any clue in the darkness of authentication...
> Marco

Craig McClanahan
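The following is an added example, not part of Craig's message and not code from Tomcat or Apache. It models the Tomcat 3.x situation he describes: a `<security-constraint>` in web.xml is only enforced on requests Apache actually forwards to Tomcat (JSP pages and `/servlet/*` paths), while static files are served by Apache under Apache's own `<Location>` rules, so any protected url-pattern that Apache does not also protect is an unguarded static path. The web.xml and httpd.conf fragments are constructed sample input; the url-pattern matcher, the `<Location>` parser (a simplified prefix match, not Apache's full segment-aware logic) and the `mode` switch contrasting the 3.x connector with a webapp-aware 4.0-style connector are assumptions made for the illustration.

```python
"""Audit the web.xml / Apache mismatch from the message: which protected
url-patterns are enforced, by whom, and where a static path slips through."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (hypothetical sample, not from the original post).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed Apache 1.3-style fragment: only the servlet sub-path is protected,
# which is exactly the kind of gap the message warns about.
HTTPD_CONF = """<Location /admin/servlet>
  AuthType Basic
  AuthName "Admin area"
  AuthUserFile /etc/httpd/users
  require valid-user
</Location>"""


def servlet_url_match(pattern, path):
    """Servlet-spec url-pattern matching: '/x/*' prefix, '*.ext' extension, or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def tomcat_constraints(web_xml):
    """Collect url-patterns of constraints that actually require authentication."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint means no login requirement
        patterns.extend(up.text.strip() for up in sc.iter("url-pattern"))
    return patterns


def apache_protected_locations(httpd_conf):
    """Return <Location> paths whose block carries a 'require' directive."""
    found = []
    for m in re.finditer(r"<Location\s+(\S+)\s*>(.*?)</Location>", httpd_conf, re.S):
        if re.search(r"^\s*require\b", m.group(2), re.M | re.I):
            found.append(m.group(1))
    return found


def forwarded_to_tomcat(path):
    """Per the message, Apache forwards JSP pages and /servlet/* paths; the rest is static."""
    return path.endswith(".jsp") or "/servlet/" in path


def evaluate(path, mode="tomcat3", web_xml=WEB_XML, httpd_conf=HTTPD_CONF):
    """Decide who serves `path` and whether its web.xml constraint is enforced.
    mode='tomcat3': Apache serves static files without consulting web.xml.
    mode='tomcat4': a webapp-aware connector applies web.xml to static files too."""
    tomcat_rule = any(servlet_url_match(p, path) for p in tomcat_constraints(web_xml))
    apache_rule = any(path == loc or path.startswith(loc.rstrip("/") + "/")
                      for loc in apache_protected_locations(httpd_conf))
    served_by = "tomcat" if forwarded_to_tomcat(path) else "apache"
    if served_by == "tomcat" or mode == "tomcat4":
        enforced = tomcat_rule or apache_rule
    else:
        enforced = apache_rule  # static file: only Apache's own rules apply
    return {"path": path, "served_by": served_by, "tomcat_rule": tomcat_rule,
            "apache_rule": apache_rule, "enforced": enforced,
            "gap": tomcat_rule and not enforced}


def unprotected_paths(paths, mode="tomcat3"):
    """Paths the web.xml constraint claims to protect but nothing enforces."""
    return [r["path"] for r in (evaluate(p, mode) for p in paths) if r["gap"]]


if __name__ == "__main__":
    sample = ["/admin/servlet/Report", "/admin/report.jsp", "/admin/secret.html", "/index.html"]
    for p in sample:
        print(evaluate(p))
    print("Tomcat 3.x gaps:", unprotected_paths(sample, "tomcat3"))
    print("Tomcat 4.0 gaps:", unprotected_paths(sample, "tomcat4"))
```

Running it shows `/admin/secret.html` as the only gap under the 3.x model: the constraint covers it, but Apache serves it and the sample httpd.conf only guards `/admin/servlet`. Widening the Apache `<Location>` to `/admin` closes the gap, which is the "configure them separately in Apache" step the message calls for.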
