tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ron Gomes <>
Subject Use of roles when tomcatAuthentication=false
Date Tue, 22 Jun 2004 14:49:09 GMT
We use Tomcat with a fronting Web server (Apache) which provides Basic
authentication, so we need to run with 'tomcatAuthentication="false"'
in the Ajp13Connector.  But we also want to make use of the servlet
"roles" concept to protect applications (including the Manager app)
from arbitrary access.

Is there any simple way to do this?  We've tried mapping user names to
roles in the usual way in tomcat-users.xml, in the hope that Tomcat
(with tomcatAuthentication set to false) would take the user name from
the Apache-supplied basic-auth credentials, but use the roles from
tomcat-users.xml.  But the behavior suggests that tomcat-users.xml is
not consulted at all in this situation.

This is with Tomcat 4.1.30.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message