tomcat-users mailing list archives

From Mickael Goujon
Subject Re: Realm and Authentication with Tomcat 5.0, Apache 2 and mod_jk 1.2
Date Fri, 10 Feb 2006 08:29:45 GMT
Hi Bill,

Thanks for your answer.

The original design of this authentication/session creation mechanism 
was made by another developer who knows Tomcat better than I do (but 
not enough apparently ;) ).

If I understand correctly, your suggestion is to write a custom valve 
which will be used as our missing link between the Apache authentication 
and the Tomcat Realm call. Is this correct?
The Valve will access the username/password in the header and explicitly 
call the Realm (Kind of similar to the SSO Valve)?



Bill Barker wrote:
> "Mickael Goujon" <> wrote in message 
>>We have a web application deployed under Tomcat 5.0 which uses a custom 
>>Realm for authentication. This custom Realm basically does a web service 
>>call using the user's credentials to authenticate with the web service 
>>server (basic WS-I username/password authentication).
>>If the web service call fails (user not allowed to call the web service 
>>with his credentials), then Tomcat authentication fails.
>>If the web service call succeeds (user has access to the web service), then 
>>Tomcat authentication succeeds and the Realm will store the Session object 
>>returned by the web service in a ThreadLocalContext to be reused later in 
>>the web application.
>>This works fine with Tomcat only, but as soon as I add mod_jk and try to 
>>use Apache to do the authentication and then pass the credentials to 
>>Tomcat (using tomcatAuthentication=false), I get the "403 - access denied".
>>I'd like to know if, in my configuration (Apache authentication + Tomcat 
>>Realm + tomcatAuthentication=false), Apache is supposed to pass the user 
>>login/password to the Tomcat Realm or if the realm is not called at all 
>>(This would be the bad news I fear)?
> Sorry for the bad news, but the Tomcat Realm is not called at all in this 
> situation.  Also, Apache doesn't forward the password directly (although it 
> is still encoded in the Header).
>>My combination Apache/Tomcat/mod_jk works when I specify 
>>tomcatAuthentication=true. But, I'd like to have Apache authentication and 
>>the Tomcat Realm called automatically after that with the 
>>username/password... Is this possible or do I have to move my Session 
>>creation process somewhere else?
> A custom Authenticator is probably over-kill here.  I would probably just 
> use a custom Valve.  But as-is, you do at least have to add something (or, 
> modify your copy of the Tomcat code :) to invoke the Realm.
>>Hope you understood my problem,
>>Mickael Goujon
>>Software Engineer
>>Lion Bioscience Ltd 
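
Added example, not part of the original thread or of Tomcat's code: the check a custom Valve like the one discussed above would perform, decoding the forwarded `Authorization: Basic` header and calling the Realm explicitly, denying on anything malformed. `RealmLike` is a hypothetical stand-in mirroring `Realm.authenticate(String, String)`; the class name, the sample credentials, UTF-8 decoding and a Java 8+ runtime are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;

public class ForwardedBasicAuth {

    /** Hypothetical stand-in for Tomcat's Realm.authenticate(String, String). */
    interface RealmLike {
        Principal authenticate(String username, String credentials);
    }

    /**
     * Decodes an "Authorization: Basic ..." header value and asks the realm to
     * verify it. Returns null (deny) on anything malformed: the header is
     * input to be checked, not proof that the front end authenticated the user.
     */
    static Principal authenticate(String header, RealmLike realm) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;                        // absent, or a different scheme
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8); // assumed charset
        } catch (IllegalArgumentException e) {
            return null;                        // not valid Base64
        }
        int colon = decoded.indexOf(':');       // first colon: passwords may contain ':'
        if (colon <= 0) {
            return null;                        // no separator, or empty username
        }
        return realm.authenticate(decoded.substring(0, colon),
                                  decoded.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed sample realm: accepts exactly one user/password pair.
        RealmLike realm = (u, p) -> ("alice".equals(u) && "s3:cret".equals(p))
                ? (Principal) () -> u : null;
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(authenticate(good, realm).getName());   // valid credentials
        System.out.println(authenticate("Basic !!!", realm));      // invalid Base64
        System.out.println(authenticate("Basic YWxpY2U=", realm)); // "alice", no colon
        System.out.println(authenticate(null, realm));             // header missing
    }
}
```

In a Valve, a null result means the request is rejected rather than passed down the pipeline with whatever remote user the connector supplied.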