tomcat-users mailing list archives

From "Peter Kahn" <citizenk...@gmail.com>
Subject Re: Adding NTLM Auth to the Entire tomcat instance
Date Fri, 26 Oct 2007 14:03:06 GMT
Thanks P.  I followed your advice and it worked.

Here is what I did, in case someone else is wrestling with this problem.

Overview

1. disabled my Perl::AuthNTLM
2. got mod_jk communication path working between apache and tomcat
3. added auth back in
4. tested

End Point - File contents

in my apache conf   (available-sites/opengrok)
---------------------------------
# Configure communications between apache and tomcat
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so

JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/opengrok_jk.log
JkLogLevel debug
JkMount /* my_tomcat_instance

<Location />
    # Define your security here
    PerlAuthenHandler Apache2::AuthenNTLM

    # use NTLM auth
    AuthType ntlm

    require valid-user
    PerlAddVar requiregroup my_access_group

    PerlAddVar ntdomain "MYDOMAIN pdc_ipaddr"
    PerlAddVar defaultdomain MYDOMAIN
    PerlSetVar splitdomainprefix 1
    PerlSetVar ntlmdebug 1
    PerlSetVar ntlmauthoritative off
</Location>

in my workers.properties file
---------------------------------
worker.list=my_tomcat_instance
worker.my_tomcat_instance.host=127.0.0.1
worker.my_tomcat_instance.port=8180
worker.my_tomcat_instance.type=ajp13

in my tomcat server.xml
---------------------------------
<Connector port="8180" protocol="AJP/1.3" tomcatAuthentication="false"/>



So, as P said, tomcat doesn't authenticate and Apache uses AJP to
communicate with tomcat.  Thus, there is no HTTP proxying going on and the
Perl NTLM auth module continues to work (seeing as it doesn't support
proxy).

Thanks again.
On 10/25/07, Pid <p@pidster.com> wrote:
>
> Peter Kahn wrote:
> > Can someone let me know how to set up NTLM authentication such that all
> > access to tomcat is restricted to users in a specific group?
> >
> > I have an instance of tomcat and it is serving several opengrok web apps.
> > Each opengrok app is pointing at a different source tree.  I want to
> > restrict access to all of these webapps to a specific group of users.
> >
> > When I offer php based webapps and restrict them to a group of users, I
> > use apache2 authentication with a perl based NTLM extension.  Since tomcat
> > is running on a different port, I tried binding tomcat to localhost or
> > loopback only and then used the proxy directive from apache2 to offer
> > the applications to users on my lan.  This worked, but the NTLM auth
> > failed when I added it in.  I see my options as:
> >   a) get apache auth to work via the proxy
> >   b) forget apache auth and have tomcat handle the authentication.
>
> If you use the AJP connector with mod_jk (or in Apache 2.2,
> mod_proxy_ajp) you can continue to front your application with HTTPD
> NTLM authentication.
>
> Set the tomcatAuthentication connector attribute to false, as per:
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
>
> p
>
>
> > I looked around the docs, googling here and there, but most
> > authentication appeared to be at the individual web application level
> > and not for the entire instance.
> >   - Is authentication at the entire tomcat instance level a practice
> > that people do?
> >   - Is there a standard way to tie it into NTLM?
> >
> > So, can you send me links or advice if you happen to know of a good
> > resource for this issue, or see that I'm approaching it in a needlessly
> > difficult way?  Thanks
> >
-- 
Peter Kahn
citizenkahn@gmail.com
citizenkahn@jabber80.com, pkahnpie1@AIM
http://kahnstipation.blogspot.com | http://analogoustendencies.blogspot.com/
Awareness - Intention - Action
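The setup above makes Tomcat trust whatever user name httpd forwards over AJP (that is what tomcatAuthentication="false" means), so the AJP connector must only be reachable by httpd. The server.xml line in the post has no address attribute, which on the Tomcat version discussed here binds the connector on every interface (later Tomcat releases changed that default). The following Python script is an added example, not code from this thread or from the Tomcat or mod_jk projects; it audits a server.xml for AJP connectors that trust the proxy without being bound to loopback, and checks which mod_jk workers point at a loopback host. The two server.xml samples and the workers.properties sample are constructed from the configuration in the post.

```python
"""Audit the AJP trust boundary used in this thread's setup.

With tomcatAuthentication="false", Tomcat accepts the authenticated user
forwarded by the fronting httpd over AJP without checking it.  That is
only safe if nothing but httpd can reach the connector, so this flags AJP
connectors that trust the proxy but lack a loopback "address" binding.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample 1: the connector from the post as written (no address
# attribute) plus a plain HTTP connector that the audit should ignore.
SERVER_XML_AS_POSTED = """<Server>
  <Service name="Catalina">
    <Connector port="8180" protocol="AJP/1.3" tomcatAuthentication="false"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Constructed sample 2: the same connector, bound to loopback only.
SERVER_XML_LOOPBACK = """<Server>
  <Service name="Catalina">
    <Connector port="8180" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false"/>
  </Service>
</Server>"""

# Constructed sample 3: the workers.properties from the post.
WORKERS_PROPERTIES = """worker.list=my_tomcat_instance
worker.my_tomcat_instance.host=127.0.0.1
worker.my_tomcat_instance.port=8180
worker.my_tomcat_instance.type=ajp13
"""


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one finding per AJP connector found in server_xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP connectors carry no forwarded identity
        trusts_proxy = conn.get("tomcatAuthentication", "true").lower() == "false"
        address = conn.get("address")  # absent means "all interfaces" here
        ok = (address in LOOPBACK) or not trusts_proxy
        message = "ok" if ok else (
            "AJP connector trusts the proxy's user but is reachable on all "
            "interfaces; add address=\"127.0.0.1\" or firewall the port")
        findings.append({
            "port": conn.get("port"),
            "trusts_proxy": trusts_proxy,
            "address": address,
            "ok": ok,
            "message": message,
        })
    return findings


def worker_hosts(workers_properties: str) -> Dict[str, str]:
    """Map each mod_jk worker name to the host it connects to."""
    hosts = {}
    for raw in workers_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")  # worker.<name>.host
        if len(parts) == 3 and parts[0] == "worker" and parts[2] == "host":
            hosts[parts[1]] = value
    return hosts


def workers_target_loopback(workers_properties: str) -> Dict[str, bool]:
    """True for each worker whose target host is a loopback address."""
    return {name: host in LOOPBACK
            for name, host in worker_hosts(workers_properties).items()}


if __name__ == "__main__":
    for label, xml in (("as posted", SERVER_XML_AS_POSTED),
                       ("loopback", SERVER_XML_LOOPBACK)):
        for finding in audit_ajp_connectors(xml):
            print(f"{label}: port {finding['port']} -> {finding['message']}")
    print("workers on loopback:", workers_target_loopback(WORKERS_PROPERTIES))
```

Run it against the real files by reading them into the two strings; the workers check confirms httpd talks to Tomcat over loopback as in the post, while the connector check catches the case where Tomcat itself is still listening for AJP on every interface.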
