tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Realm and Authentication with Tomcat 5.0, Apache 2 and mod_jk 1.2
Date Fri, 10 Feb 2006 03:45:21 GMT

"Mickael Goujon" <mickael.goujon@uk.lionbioscience.com> wrote in message 
news:43EB2A15.1040304@uk.lionbioscience.com...
> Hi,
>
> We have a web application deployed under Tomcat 5.0 which uses a custom 
> Realm for authentication. This custom Realm basically does a web service 
> call using the user's credentials to authenticate with the web service 
> server (basic WS-I username/password authentication).
>
> If the web service call fails (user not allowed to call the web service 
> with his credentials), then Tomcat authentication fails.
>
> If the web service call succeed (user has access to the web service), then 
> Tomcat authentication succeed and the Realm will store the Session object 
> returned by the web service in a ThreadLocalContext to be reused later in 
> the web application.
>
> This works fine with Tomcat only, but as soon as I add mod_jk and try to 
> use Apache to do the authentication and then pass the credentials to 
> Tomcat (using tomcatAuthentication=false), I get the "403 - access denied" 
> page.
>
> I'd like to know if, in my configuration (Apache authentication + Tomcat 
> Realm + tomcatAuthentication=false), Apache is supposed to pass the user 
> login/password to the Tomcat Realm or if the realm is not called at all 
> (This would be the bad news I fear)?
>

Sorry for the bad news, but the Tomcat Realm is not called at all in this 
situation.  Also, Apache doesn't forward the password directly (although it 
is still in encoded in the Header).

> My combination Apache/Tomcat/mod_jk works when I specify 
> tomcatAuthentication=true. But, I'd like to have Apache authentication and 
> the Tomcat Realm called automatically after that with the 
> username/password... Is this possible or do I have to move my Session 
> creation process somewhere else?
>

A custom Authenticator is probably over-kill here.  I would probably just 
use a custom Valve.  But as-is, you do at least have to add something (or, 
modify your copy of the Tomcat code :) to invoke the Realm.

> Hope you understood my problem,
>
> Cheers,
>
> Mickael
>
> --
> Mickael Goujon
> Software Engineer
> Lion Bioscience Ltd 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message