tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Disable password checking for Manager app
Date Sat, 19 Jul 2008 09:36:36 GMT
Rainer Jung wrote:
> dracus wrote:
>> Greetings, all....
>>
>> I have a web app server that has Apache in front of Tomcat.  Apache is
>> handling user authentication and security checking (through an experimental
>> X.509 <-> Kerberos gateway service being developed by others in my group,
>> but that is neither here nor there), and passes the username (as either
>> REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat.  To get that to work, we
>> had to include the 'request.tomcatAuthentication="false"' directive in the
>> AJP block of server.xml.  Unfortunately, this kills the Tomcat manager, as
>> it will no longer allow us to log into it.  We use it extensively to deploy
>> new versions of our web apps, etc.  I have tried putting my authenticated
>> username into tomcat-users.xml as a user with the manager role, and it still
>> does not allow me to use the manager, with error "403: Access to the
>> requested resource has been denied".  I check the tomcat-users.xml file, and
>> it has added a password entry (password="null") to my user definition.  So what
>> I want to know is, can I get Tomcat to accept the username passed in from
>> Apache without a password (the only connection allowed into Tomcat is AJP)
>> so that I can put the users allowed to access the manager app into
>> tomcat-users.xml, and let Apache do all of the authentication?  Any pointers
>> would be greatly appreciated, thanks in advance.
>> JDK 1.6.0  Tomcat 5.5.23  mod-jk 1.2.21  http 2.2.4 RHEL 5  shibboleth sp 1.3.1
>
> What about using a different connector to use the manager webapp? It
> wouldn't be too uncommon to let customer traffic in via the AJP
> connector, and local admin traffic via the/an HTTP connector. Since that
> one wouldn't have the tomcatAuthentication="false", it should rely on
> the defined Realm.
>
> Doesn't that work?
>
I suppose you could also have a second AJP connector using a different
port (e.g. 8010 instead of 8009), with
request.tomcatAuthentication="true" and with "JkMount /manager
ajp13manager" in Apache (and the corresponding worker etc.).

But still, what about changing the manager application's security
constraints, to make it depend on a user-id rather than a role?
Is that possible?

André
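
As an added example (not from the thread, and not the Tomcat project's own configuration), here is what the two-connector layout Rainer and André describe could look like in Tomcat's server.xml. The attribute name tomcatAuthentication is the one documented for the AJP/1.3 connector; the port numbers, the 127.0.0.1 binding, the worker name ajp13manager and the user entry are assumptions for illustration.

```xml
<!-- Added example, not the original poster's server.xml.
     Assumes Apache (mod_jk) runs on the same host as Tomcat. -->
<Service name="Catalina">

  <!-- Connector 1: ordinary user traffic.
       tomcatAuthentication="false" means Tomcat trusts whatever user name
       Apache (Shibboleth / X.509 gateway) forwards in the AJP request and
       does NOT check a password itself.  Because anything that can speak
       AJP to this port could present an arbitrary user name, bind it to
       loopback so only the local Apache can reach it. -->
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1"
             enableLookups="false"
             tomcatAuthentication="false" />

  <!-- Connector 2: admin traffic for /manager only.
       tomcatAuthentication="true" (the default) makes Tomcat authenticate
       the request against its own Realm, so the manager's BASIC login and
       the "manager" role in tomcat-users.xml work again.  Also loopback-only. -->
  <Connector port="8010" protocol="AJP/1.3"
             address="127.0.0.1"
             enableLookups="false"
             tomcatAuthentication="true" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- The Realm backing connector 2; tomcat-users.xml is the UserDatabase.
         A matching entry there would be, for example (constructed):
         <user username="admin" password="CHANGE-ME" roles="manager"/> -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>

</Service>
```

On the Apache side the second connector needs its own mod_jk worker, e.g. `worker.list=ajp13,ajp13manager`, `worker.ajp13manager.type=ajp13`, `worker.ajp13manager.host=localhost`, `worker.ajp13manager.port=8010` in workers.properties, and `JkMount /manager/* ajp13manager` placed before the general mount so that manager requests are routed to port 8010 while everything else still goes to the `tomcatAuthentication="false"` connector. Since the manager then relies on Tomcat's own password check rather than on the Shibboleth front end, it is also worth restricting the `/manager` location in Apache to the administrators' source addresses, so that the credential prompt is not exposed to every client the site accepts.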

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

