tomcat-users mailing list archives

From André Warnier
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Fri, 02 Dec 2011 09:53:21 GMT

>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"
That is correct. The "false" means that Tomcat will not do its own authentication, and
will instead rely on the authenticated user-id passed by the front-end server.

Now could you also show us the section of your Apache front-end configuration, containing
the directives which forward the requests to Tomcat?
(proxy or rewrite stanzas)

Note: the fact that the Apache/Tomcat connector (the one at the Apache level) passes the
authenticated user-id to Tomcat along with the proxied request, depends on the fact that
within Apache (more precisely within the internal Apache "request record"), the request is
really authenticated (*).
I am saying this because in an earlier post, you mentioned that you were using a 
third-party authentication package at the Apache httpd level.
It is unlikely, but possible, that this authentication package would use its own logic, 
and never "populate" the internal Apache request record with this user-id (**).
In such a case, the automatic forwarding of the user-id by the Apache-level connector
module (mod_proxy_ajp or mod_jk) would of course not work, because they check the internal
Apache request record, and have no knowledge of another user-id source.

(*) in Tomcat terms, the equivalent of populating the userPrincipal object
(**) for example, it may act as a filter, and rely on each request always containing a 
cookie which "authenticates" the request, and do its own access control independently of 
Apache httpd itself
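
Added example, not part of the original message or the poster's configuration: a minimal httpd front-end stanza of the kind asked for above, with an access-log field that shows whether the request record actually carries a user-id. The URL prefix, file paths, realm name and backend address are assumptions.

```apache
# Added example (constructed): paths, realm name, URL prefix and backend
# address are assumptions, not taken from the thread.

# %u logs the user-id held in the httpd request record. A "-" in that field
# means the request record was never populated, so there is no user-id for
# the connector module to forward over AJP.
LogFormat "%h %u %t \"%r\" %>s" authcheck
CustomLog "logs/authcheck_log" authcheck

<Location "/app">
    # Any httpd authentication provider that sets the request record's user
    AuthType Basic
    AuthName "Example realm"
    AuthBasicProvider file
    AuthUserFile "conf/example.htpasswd"
    Require valid-user

    # mod_proxy_ajp sends the request record's user-id with the proxied
    # request; the Tomcat AJP connector on port 8009 with
    # tomcatAuthentication="false" then exposes it via request.getRemoteUser()
    ProxyPass "ajp://127.0.0.1:8009/app"
</Location>
```

Because Tomcat accepts whatever user-id arrives over AJP in this mode, the AJP port should be reachable only from the front-end server.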
