tomcat-users mailing list archives

From <>
Subject Followup old thread(s) about Apache, AJP, and tomcatAuthentication, and roles
Date Mon, 04 Jun 2012 02:30:17 GMT

A while ago, I had this thread, where I was originally trying to see if I could get Tomcat, using
the AJP connector and "tomcatAuthentication" to work, when I had an OAM webgate installed
on the Apache proxy fronting the Tomcat:

The bottom line at the time was that it didn't seem to work, probably because the user name
wasn't being populated in the AJP packet.

I'm picking this subject up again, from scratch, because I happened to find out that mod_ssl
has a directive, SSLUserName, that is supposed to populate the user name after 2-way SSL authentication.

So, I set up a new Apache and Tomcat, and I added that SSLUserName directive to the Apache
httpd-ssl.conf, but not with the OAM agent yet, and did some tests, and it looks like it ALMOST
worked, i.e., it looks like *A* user name is being passed to Tomcat (in Tomcat logs, I see
"already authenticated" and the username from the SSL client cert).

However, I get a 403/access denied on my test web app.  

This is even though I have a role in the realm (the original/default flatfile realm), so it
looks like even though the tomcatAuthentication="false" is kind of working, the user is not
picking up the Tomcat roles.

So, I've been googling, and found this:

which seems to describe the problem I'm encountering, but that thread didn't seem to conclude.

So, does anyone know, when a user is asserted into Tomcat via tomcatAuthentication='false',
does that authenticated user pick up the Tomcat roles from the realm?

There's one msg in the thread from "Pid" saying that a custom realm is needed, and then Andre
Warnier seemed to think that wasn't the case, but then nothing after that.

