tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Some advice on apache tomcat
Date Mon, 16 Nov 2009 22:07:05 GMT
Anthony Jay wrote:
> My main issue now is about how the authentication works between Tomcat
> and Apache.
That's the only one I can readily answer.
It is extremely simple with mod_jk.
If the user is authenticated at the Apache level, mod_jk will pass this 
on to the Tomcat server via AJP.
The only thing to do, is set the 'tomcatAuthentication="false"' 
attribute in Tomcat's AJP Connector, and Tomcat will just "believe" the 
user-id sent by Apache and mod_jk.
I don't know if, or how, mod_proxy_ajp handles the same thing.

> In terms of authentication, which should I use, mod_auth_mysql and
> mod_auth_dbm (or mod_auth_form in future or something else?) and why?
There are many many possibilities for this under Apache httpd.  Just 
pick the one that you like best, on its own merits.
They all basically in the end result in the HTTP request being 
"authenticated" at the Apache httpd level (iow to have a user-id), and 
that's what you want.

What you then do with it under Tomcat is another story, but that is also 
your choice.

> In terms of single sign on how can I make the user experience seamless
> between static content-managed pages and jsp/servlets? Will mod_jk
> handle sso? This does not seem clear to me in all the pages I read. If I
> configure form based auth in a login.jsp page will this be relayed to
> apache after a redirect?

No, but why would it be ?
Ah, if you want to do the authentication in Tomcat rather than in 
Apache, but still use it in Apache ?
There are ways, but you'll need to write your own Apache (httpd) 
authentication module. You could then define a dummy servlet in Tomcat, 
which just echoes the authenticated user-id (as gotten via 
getRemoteUser() e.g.). Then in Apache httpd, you would make a 
"side-request" (oherwise known as a sub-request) to this Tomcat webapp 
to get the user-id, and use it to authenticate the current request in 
But that is a complicated scheme, probably only worth it if you find 
some Tomcat authentication method that does not exist in Apache httpd, 
which is unlikely.

> What is best practise and what should I be doing? If there is some hard
> to find documentation out there with pointers and tips I would
> appreciate a few links. 

To read in the Apache httpd docs :

Also, personally I would recommend having a look around here :
This is the Perl library.  Even if you do not intend to do anything with 
Perl, the documentation of many of these modules is a goldmine of 
information about how things work.

Expert advice is appreciated.
You just got it.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message