From: André Warnier
Date: Sat, 19 Jul 2008 01:31:02 +0200
To: Tomcat Users List
Subject: Re: Disable password checking for Manager app
Message-ID: <488127B6.1060500@ice-sa.com>
In-Reply-To: <18537331.post@talk.nabble.com>

dracus wrote:
> Greetings, all....
>
>
> I have a web app server that has Apache in front of Tomcat. Apache is
> handling user authentication and security checking (through an experimental
> X.509 <-> Kerberos gateway service being developed by others in my group,
> but that is neither here nor there), and passes the username (as either
> REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat. To get that to work, we
> had to include the 'request.tomcatAuthentication="false"' directive in the
> AJP block of server.xml. Unfortunately, this kills the Tomcat manager, as
> it will no longer allow us to log into it. We use it extensively to deploy
> new versions of our web apps, etc. I have tried putting my authenticated
> username into tomcat-users.xml as a user with the manager role, and it still
> does not allow me to use the manager, with error "403: Access to the
> requested resource has been denied". I check the tomcat-users.xml file, and
> it has added a password entry (password="null") to my user define. So what
> I want to know is, can I get tomcat to accept the username passed in from
> Apache without a password (the only connection allowed into Tomcat is AJP)
> so that I can put the users allowed to access the manager app into
> tomcat-users.xml, and let Apache do all of the authentication? Any pointers
> would be greatly appreciated, thanks in advance.
>
> JDK 1.6.0
> Tomcat 5.5.23
> mod-jk 1.2.21
> http 2.2.4 RHEL 5
> shibboleth sp 1.3.1

Just to add that I am also interested in the question above, or more generally to learn if there exists a way to pass, from Apache through mod_jk to Tomcat, some form of "Tomcat role" for a user already authenticated by Apache.

On the other hand, might it not be possible to modify the section of the web.xml of the manager application, so that instead of requiring a "role = manager", it would instead require a specific authenticated user (which could then be the one passed from Apache)?

André
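
Added example, not part of the original message and not Tomcat's own code: the setup in the quoted post makes Tomcat accept whatever user name arrives over AJP, so it is worth checking which AJP connectors have Tomcat authentication switched off and where they listen. The server.xml below is constructed for illustration; the ports, the loopback list and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the post): three AJP connectors,
# two of which accept the front-end's user name instead of authenticating.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3"
               request.tomcatAuthentication="false"/>
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false"/>
    <Connector port="8029" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

# Assumption: Apache and Tomcat share a host, so loopback is the expected bind.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector that trusts the front-end's user."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        # Check both spellings; the post quotes the "request." form.
        flag = conn.get("tomcatAuthentication",
                        conn.get("request.tomcatAuthentication", "true"))
        if flag.strip().lower() != "false":
            continue  # Tomcat authenticates users itself on this connector
        address = conn.get("address")  # absent means all interfaces
        findings.append({
            "port": conn.get("port"),
            "address": address or "(all interfaces)",
            "loopback_only": address in LOOPBACK,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        note = "ok" if f["loopback_only"] else "REVIEW: confirm only Apache can reach it"
        print(f"AJP port {f['port']} on {f['address']}: trusts front-end user, {note}")
```

A connector flagged for review is not necessarily wrong (Apache may run on another host behind a firewall), but its reachability should be confirmed before relying on Apache as the only authenticator.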