Jorge Medina wrote:
Hi, I have Apache 2.2 in front of Tomcat 6 using the mod_jk module. I disabled the HTTP connector in Tomcat, therefore, all my requestsgo through Apache. My Apache web server is configured to authenticate users using an LDAP server. I would like to keep access to the Tomcat Manager application, but right now I am getting asked for two set of credentials when accessing the manager application: the first set is asked by Apache (the LDAP credentials) and the second time is Tomcat (using the credentials intomcat-users.xml). I would like to only be asked once for credentials, the LDAPcredentials.
> a) Is there a way to disable in Tomcat 6 the security built-in
around the manager application and let Apache manage the access to it?
[...] You may be able to use this : http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.htmland look at the end of the page for the "tomcatAuthentication" attribute of the <Connector> element (which is in Tomcat's server.xml). If I understand this correctly, by explicitly setting the attribute
tomcatAuthentication="false", it should be so that the user-id, as already authenticated by Apache, should be carried over to Tomcat via the mod_jk connector. Thus Tomcat should no longer ask for user authentication, but "believe" what the front-end Apache tells it.
Now, Tomcat will receive the user-id from Apache (the "authentication" part). But you should still handle the "role" part in Tomcat (the "authorisation" part).
This is what I infer from the documentation, but I have not tried it yet, so could maybe a Tomcat/mod_jk/AJP expert confirm this ?
André --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|