tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Funk <>
Subject Re: Use of roles when tomcatAuthentication=false
Date Wed, 23 Jun 2004 00:53:06 GMT
None of the Realms will be usefull when tomcatAuthentication="false". You'd 
need to roll your own.


Ron Gomes wrote:
> We use Tomcat with a fronting Web server (Apache) which provides Basic
> authentication, so we need to run with 'tomcatAuthentication="false"'
> in the Ajp13Connector.  But we also want to make use of the servlet
> "roles" concept to protect applications (including the Manager app)
> from arbitrary access.
> Is there any simple way to do this?  We've tried mapping user names to
> roles in the usual way in tomcat-users.xml, in the hope that Tomcat
> (with tomcatAuthentication set to false) would take the user name from
> the Apache-supplied basic-auth credentials, but use the roles from
> tomcat-users.xml.  But the behavior suggests that tomcat-users.xml is
> not consulted at all in this situation.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message