tomcat-users mailing list archives

From "Anthony Jay" <>
Subject Re: Contexts and Path and Authentication
Date Thu, 10 Dec 2009 20:12:40 GMT
Also the issue with Multiple Authentication Mechanisms
My head is sore from banging it against a wall but I THINK that I have
come up with a rather elegant solution.
Well, it's a bit obvious in one way but I suppose I had to go through all
the pain first. There was a lot of pain.
Just to reiterate my issue: how to get Tomcat to use HTTP basic and
HTTP form authentication in the same application.

I have 
/secure/xml/** servlets that need basic auth
/xml/** servlets that need NO auth
/secure/xxxx.jsp that need FORM auth
/ssl/xxx.jsp that needs NO AUTH
/xxxx standard web content that is public etc.
All working together as ONE application

This stemmed from an app that was using http basic and the user/jsp
stuff had to be converted to Form based auth for security reasons and
obviously the b2b xml stuff could not change URLS or auth mechanisms
being hard coded on the client side in our customers apps.

SSL termination
mod_auth_mysql http basic ONLY on servlet urls using LocationMatch
mod_jk forwarding jsp and servlets to tomcat

configured for FORM based auth
ignored unprotected content.
Application deployed as ROOT.war (no messing around with contexts or

So the apache acts as an HTTP filter on servlets that require HTTP basic
and ignores everything else.
Tomcat uses form based authn to protect all jsp pages that require it
and ignores those that don't.

Rather happy with this solution as I can offload images/etc to apache, I
get loadbalancing from mod_jk and high availability.

I'm sure there are a few speedbumps along the way but 90% sure this will
work. (Note the 10% reserved for experience)
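
Added illustration, not part of the original message and not the poster's actual configuration: one way the Tomcat side of the split described above could be written in `WEB-INF/web.xml`, with FORM auth on `/secure/*` and the `/secure/xml/*` servlets left to Apache's Basic auth. The role name `user` and the login page paths are assumptions.

```xml
<!-- WEB-INF/web.xml fragment (added example; role name and page paths are assumed) -->

<!-- FORM authentication applies to everything under /secure/ ... -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure JSP pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- ... except the B2B servlets. The longer path prefix is the better match
     for /secure/xml/ requests, and a constraint with no auth-constraint means
     the container does not ask for a login. Apache's Basic auth on the
     matching LocationMatch is then the only check on these URLs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>B2B XML servlets (authenticated by Apache)</web-resource-name>
    <url-pattern>/secure/xml/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- /xml/*, /ssl/* and the public content match no constraint and stay open. -->

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Because Tomcat itself does not authenticate `/secure/xml/*` in this layout, those URLs are protected only while every request passes through Apache, so the Tomcat HTTP and AJP connectors should accept connections from the Apache host alone.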

