tomcat-users mailing list archives

From Gary Lawrence Murphy <ga...@canada.com>
Subject Re: (urgent!!!)authorization required in tomcat working with apache
Date Sat, 12 May 2001 18:58:43 GMT
>>>>> "m" == mohamed imdadullah <imdad_md@hotmail.com> writes:

    m> i have .htaccess file which checks for the users against a
    m> database to restrict access to particular directories served by
    m> apache; after installing tomcat and running it under apache, i
    m> tried to copy the .htaccess file in the apache-tomcat config
    m> file to have the same restriction as in apache. It doesn't seem
    m> to work, apache doesn't seem to recognise the .htaccess file in
    m> the /webapps directory.

A basic (but common) misunderstanding about how Tomcat works:

- Tomcat is not part of Apache, it is a separate server that receives
  requests redirected from Apache.  This is why you must include the
  Alias lines in your mod_jk.conf before you will see any non-Tomcat
  content such as images: Images are served by Apache, but anything
  which matches the JkMount patterns is redirected.

- When you have authentication issues, this means you have two
  _parallel_ systems of authentication: Apache uses .htaccess to protect
  the Apache content, and Tomcat uses WEB-INF/web.xml's
  security-constraint section to protect the Tomcat content.

This gives you a bit of a headache if security is really important:
If you need to protect unauthorized viewing of _both_ Apache and Tomcat
content within the same directories, your users will be asked to
log in twice _unless_ you use the BASIC Auth-method and the _same_
realm name for both Apache and Tomcat.

  NOTE: If you only use the Tomcat login-conf, only *.jsp and servlets
  will be password protected, gifs and HTML files will be publicly
  accessible.  If you only use the Apache .htaccess, only *.html,
  images and other apache-specific content will be protected.

   REMEMBER: You are not running _one_ Apache/Tomcat server, you are
   really running _two_ *independent* web-server systems!  The Apache
   redirection through the JkMount ajp13 port only makes it _seem_
   like one unified server.  You have the same problem if you use
   mod_rewrite to split Apache content from mod_perl or fastcgi
   content.

Now, configuring Tomcat web.xml files for password protection is not
entirely obvious from the admin example and different versions of
Tomcat do this in different ways; the primary difference is the
way you add new users (what are the conf/user/*-users.xml files??)
but once you have your user in the database, the _role_ assigned to
them gives their login access to all webapps assigned to that same
role.

Many people are frightened by the following advice because they think
the document will be highly technical; it is not.  The _reason_ the
Tomcat docs are so slim is because Sun Microsystems has already
documented all of the interesting parts, and their paper is very
readable and current with the Tomcat release.

We say this a lot on this list because it is _so_ important:

  _Please_ read JSR-000053, the Servlet 2.3 and JSP 1.2 Specifications
  http://java.sun.com/aboutJava/communityprocess/first/jsr053/index.html

-- 
Gary Lawrence Murphy <garym@teledyn.com> TeleDynamics Communications Inc
Business Innovations Through Open Source Systems: http://www.teledyn.com
"Computers are useless.  They can only give you answers."(Pablo Picasso)
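The Tomcat half of the "same BASIC realm on both sides" setup described in the reply above, as an added example (not from the message, and not a file from either project). The context path `/members/*`, the role `member` and the realm name `Members` are constructed values; the Servlet 2.3 DTD reference matches the specification the reply points to.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Which Tomcat-served URLs are protected, and which role may see them.
       Only requests that reach Tomcat (JkMount'ed patterns) are covered;
       static files served directly by Apache are NOT, as the reply explains. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area (constructed example)</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Users are granted this role in Tomcat's user file
           (e.g. conf/tomcat-users.xml in Tomcat 4; assumed here). -->
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC auth with an explicit realm name. The browser caches BASIC
       credentials per host + realm, so Apache's .htaccess must use the
       identical AuthName for the user to be prompted only once. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Members</realm-name>
  </login-config>

  <!-- Declare the role so the container knows it is referenced. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

The matching Apache side is a `.htaccess` in the directory that holds the images and HTML for the same area with `AuthType Basic`, `AuthName "Members"` (byte-for-byte the same string as `<realm-name>`) and `Require valid-user`, backed by the same user database. Two checks worth making after wiring this up: request a `.gif` and a `.jsp` from the protected area with no credentials and confirm both return 401, and remember that BASIC credentials are only base64-encoded on the wire, so the protected area should be reachable over HTTPS only.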