tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Setting JK_REMOTE_USER help
Date Wed, 16 Jun 2010 14:36:15 GMT
Marc Boorshtein wrote:
>> You should not need to do that, it should be automatic.
>> Just make sure that in the Tomcat <Connector> for AJP (in server.xml), you
>> set the attribute
>> tomcatAuthentication="false"
>> If the request is authenticated by Apache, mod_jk will (always) pass it
>> internally to Tomcat, along with the request.  If the above attribute is
>> set, then Tomcat will also "believe" this user-id, and not try itself to
>> authenticate the user.
> OK, so the good news is that setting tomcatAuthentication="false" did
> get tomcat to not prompt me for authentication.  The bad news is that
> it looks like that this doesn't actually set the user's context

it does, but maybe not with everything you were expecting

> because I am receiving unauthorized messages from the application
> which relies on container security.

When Apache authenticates a user, it gets a user-id, like "marcb".
That is what mod_jk passes to Tomcat, nothing else.  That is one "A" of "AAA", which 
stands for Authentication, Authorization and Access-control.
Authorization is another step, which can only be done by Tomcat in this case, because the

concepts do not really match between Apache httpd and Tomcat (Apache has users and groups,

Tomcat uses "roles").

   I have an LDAP realm setup, is
> there a configuration to bridge this gap?  If not I THINK I can write
> a "wrapper" realm that will take the user id attribute and "fake" it.
> Any thoughts?

Since you have Apache in front already, you could do the whole AAA under Apache, and 
remove anything you do not really need from Tomcat.
What do you really need to know about a user at the Tomcat application level, apart from 
his user-id ?
(Or you could do the total opposite : do the whole AAA in Tomcat)
The whole thing is rather flexible, and what you choose to do where is very much depending

on your circumstances.
(Like : do all accesses to Tomcat go through Apache first ? is the link between Apache and

Tomcat secure ? are there resources served by Apache directly, and do some of them need 
AAA ? etc..)

> As for the versions, thanks for the reminder:
> Tomcat 6.0.26
> Apache 2.2.15
> mod_jk 1.2   <== you are missing a number here, and for some things it really matters
> CentOS 5.5

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message