From André Warnier>
Subject Re: Disable password checking for Manager app
Date Fri, 18 Jul 2008 23:31:02 GMT
dracus wrote:
> Greetings, all....
> I have a web app server that has Apache in front of Tomcat.  Apache is
> handling user authentication and security checking (through an experimental
> X.509 <-> Kerberos gateway service being developed by others in my group,
> but that is neither here nor there), and passes the username (as either
> REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat.  To get that to work, we
> had to include the 'request.tomcatAuthentication="false"' directive in the
> AJP block of server.xml.  Unfortunately, this kills the Tomcat manager, as
> it will no longer allow us to log into it.  We use it extensively to deploy
> new versions of our web apps, etc.  I have tried putting my authenticated
> username into tomcat-users.xml as a user with the manager role, and it still
> does not allow me to use the manager, with error "403: Access to the
> requested resource has been denied".  I check the tomcat-users.xml file, and
> it has added a password entry (password="null") to my user define.  So what
> I want to know is, can I get tomcat to accept the username passed in from
> Apache without a password (the only connection allowed into Tomcat is AJP)
> so that I can put the users allowed to access the manager app into
> tomcat-users.xml, and let Apache do all of the authentication?  Any pointers
> would be greatly appreciated, thanks in advance.  
> JDK 1.6.0  
> Tomcat 5.5.23  
> mod-jk 1.2.21  
> http 2.2.4 RHEL 5  
> shibboleth sp 1.3.1

Just to add that I am also interested in the question above, or more 
generally to learn if there exists a way to pass, from Apache through 
mod_jk to Tomcat, some form of "Tomcat role" for a user already 
authenticated by Apache.

On the other hand, might it not be possible to modify the 
<auth-constraint> section of the web.xml of the manager application, so 
that instead of requiring a "role = manager", it would instead require a 
specific authenticated user (which could then be the one passed from 
Apache)?
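The pieces of configuration the question and the reply refer to, written out as an added example (not taken from the thread or from the Tomcat distribution); the connector `address` value, the user name and the simplified URL pattern are assumptions.

```xml
<!-- server.xml excerpt (constructed). The AJP connector that Apache/mod_jk talks to.
     With request.tomcatAuthentication="false" Tomcat takes the user name Apache sends
     as REMOTE_USER on trust, so nothing except Apache may reach this port.
     address="127.0.0.1" is an assumption added here; the page does not show the connector. -->
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
           request.tomcatAuthentication="false" />

<!-- tomcat-users.xml (constructed). Maps the externally authenticated name to the
     manager role; no password attribute is needed because Apache, not Tomcat,
     checks credentials. Whether the realm applies these roles to a principal
     supplied by Apache depends on the Tomcat version in use. -->
<tomcat-users>
  <role rolename="manager"/>
  <user username="jdoe@example.org" roles="manager"/>
</tomcat-users>

<!-- manager/WEB-INF/web.xml excerpt (constructed, simplified). The role-based
     constraint the reply proposes changing: access is granted by role, and the
     role comes from the realm, not from Apache. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
```

The servlet `<auth-constraint>` element only accepts `<role-name>` children, so limiting the manager to one particular user still has to go through a user-to-role mapping such as the tomcat-users.xml entry above.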

