tomcat-users mailing list archives

From André Warnier
Subject Re: exclude specific IP address from HTTP auth
Date Tue, 16 Feb 2010 21:21:59 GMT
Marcus Better wrote:
> Caldarale, Charles R wrote:
>>> I'm looking for the Tomcat 6 security configuration that would
>>> correspond to Apache httpd's "Satisfy Any".
>> Take a look at SecurityFilter to see if it will do what you want.
> Thanks, but it says it only supports form authentication, not HTTP Basic or 
> Digest...
You still may want to dig a bit deeper, because in this case I believe 
it is the doc which is outdated. I think I remember someone saying that 
it does support Basic authentication (though not Digest).

Another idea: you could also have a look here:

It may be possible, depending on the caller IP, to redirect the request 
to another copy of your webapp which would/would not force 
authentication in the way you want.
Click on "manual", and search in that page for "remote-addr".

And still otherwise, this may be one of these cases where using an 
Apache httpd front-end to Tomcat is justified.
I am doing just that on several websites I run: Apache httpd does the 
user authentication (using a variety of schemes, including the one you 
are mentioning(*)), and passes the authenticated user-id to Tomcat via 
the Apache-Tomcat connector.
See the "tomcatAuthentication" attribute of the <Connector> element in 

(*) Typically, an application is available on a server on the Internet. 
You want to allow in, without authentication, a group of users 
whenever they connect from within their corporate network, which has one 
or several well-defined IP addresses. But when these people connect from 
outside their corporate network, you want them to log in.
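
Added example, not part of the original message: a sketch of the httpd front-end setup described above, with "Satisfy Any" in front of Tomcat over AJP. It assumes Apache httpd 2.2 with mod_proxy_ajp; the /myapp path, the 192.0.2.0/24 range, the realm name and the file path are constructed placeholders, and the matching Tomcat connector is shown as a comment.

```apache
# Constructed example: httpd 2.2 syntax, placeholder paths and addresses.
<Location /myapp>
    # Basic authentication, required for clients outside the trusted range
    AuthType Basic
    AuthName "myapp"
    AuthUserFile /etc/httpd/conf/myapp.htpasswd
    Require valid-user

    # Host-based rule: only the corporate range passes it.
    # This is matched against the TCP peer address, not a client-supplied
    # header such as X-Forwarded-For.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # Grant access when EITHER the host rule OR the login succeeds.
    # With "Satisfy All" (the default) both would be required.
    Satisfy Any

    # Forward to Tomcat over AJP; mod_proxy_ajp carries the authenticated
    # user id along with the request.
    ProxyPass ajp://127.0.0.1:8009/myapp
</Location>

# Matching connector in Tomcat's conf/server.xml (shown as a comment):
#
#   <Connector port="8009" protocol="AJP/1.3"
#              address="127.0.0.1"
#              tomcatAuthentication="false" />
#
# tomcatAuthentication="false" makes Tomcat accept the user id that httpd
# authenticated instead of authenticating the request itself. Tomcat then
# trusts whatever arrives on this port, so bind it to loopback (or firewall
# it) so that only the httpd front-end can reach it.
#
# Requests admitted by the "Allow from" rule alone carry no user id, so the
# webapp sees them as anonymous and must not depend on a remote user there.
#
# In httpd 2.4, Satisfy/Order/Allow are deprecated (mod_access_compat);
# the same policy is written with <RequireAny>, "Require ip" and
# "Require valid-user".
```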
