Re: proxy_ajp webdav http 1.1 authentication


 



As you suggested, the file (I have omitted it before) is ok (tomcat based basic auth)

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="status"/>
  <role rolename="admin"/>
  <user username="tomcat" password="blablabla" roles="admin,manager,status"/>
</tomcat-users>

The question/matter/problem was:
The app1 and the webdav app work only if:
httpd.conf 
...
ok  
ProxyPass /app1/ ajp://www.example.com:8009/app1/
ProxyPass / http://www.example.com:8080/
ProxyPassReverse / http://www.example.com:8080/
...
or
ok (tested only a few minutes ago)
ProxyPass / ajp://www.example.com:8009/

None of the following works (why??)
ko
ProxyPass /app1/ ajp://www.example.com:8009/app1/
ProxyPass /webdav/ ajp://www.example.com:8009/webdav/

ko
ProxyPass /app1/ http://www.example.com:8080/app1/
ProxyPassReverse /app1/ http://www.example.com:8080/app1/
ProxyPass /webdav/ http://www.example.com:8080/webdav/
ProxyPassReverse /webdav/ http://www.example.com:8080/webdav/

ko
ProxyPass / http://www.example.com:8080/
ProxyPassReverse / http://www.example.com:8080/

My solution was: "using the simplest case"
ProxyPass / ajp://www.example.com:8009/

And both /app1 and /webdav work!

Michele

On Mon, Oct 27, 2008 at 1:47 PM, André Warnier <aw@xxxxxxxxxx> wrote:
Hi.

Ah ! your Dav is at the Tomcat level, not the Apache level.
And that's also where the Dav authentication is being done.

In other words, no authentication and no Dav is being handled at the Apache level, so it has nothing to do with the Apache proxying, which probably works fine.

I believe this question should be reposted to the Tomcat mailing list, at "users@xxxxxxxxxxxxxxxxx".

In the meantime, my guess is that you have not created the appropriate user and role for the authentication under Tomcat.
Just as a tip :
In your Tomcat/conf directory, there should be a file "tomcat-users.xml".  That's where users and roles are defined.
According to your <security-constraint> in the Dav webapp setup below,
you should have something like this in tomcat-users.xml :

<role rolename="admin"/>
<user username="davuser" password="xxxxx" roles="admin"/>
(add it if it's not there)

and then use the user "davuser" and the password you chose for logging in when your DAV pops up its authentication dialog.

If that does not work, then ask further on the Tomcat list.





Michele Mase' wrote:
here is the conf:

Frontend server:
<VirtualHost *:80>
       ServerName www.example.com
       ProxyPass /favicon.ico !
       ProxyPass /robots.txt !
       ProxyPass /images/ !
       ProxyPass /balancer !
       ProxyPass /status !
       ProxyPass /manager !
       ProxyPass /host-manager !
       ProxyPass /docs !
       ProxyPass /examples !
       ProxyPass /app1/ ajp://www.example.com:8009/app1/
       ProxyPass / http://www.example.com:8080/
       ProxyPassReverse / http://www.example.com:8080/
</VirtualHost>

Tomcat:
server.xml (default config):
...
 <Connector port="8080" protocol="HTTP/1.1"
              connectionTimeout="20000"
              redirectPort="8443"/>
...
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

$CATALINA_HOME/conf/Catalina/localhost/app1.xml
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/app1" docBase="/app1">
       <Resources className="org.apache.naming.resources.FileDirContext"
                  allowLinking="true" caseSensitive="false" />
</Context>

WEB-INF/web.xml of app1 (where the webdav authentication is)

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                       http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
   version="2.4">
 <display-name>Webdav Content Management</display-name>
 <description>
    Webdav Content Management
 </description>
 <servlet>
   <servlet-name>webdav</servlet-name>
   <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
   <init-param>
     <param-name>debug</param-name>
     <param-value>0</param-value>
   </init-param>
   <init-param>
     <param-name>listings</param-name>
     <param-value>true</param-value>
   </init-param>
   <init-param>
     <param-name>readonly</param-name>
     <param-value>false</param-value>
   </init-param>
 </servlet>
 <servlet-mapping>
   <servlet-name>webdav</servlet-name>
   <url-pattern>/*</url-pattern>
 </servlet-mapping>
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>The Entire Web Application</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>admin</role-name>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>Tomcat Supported Realm</realm-name>
 </login-config>
 <security-role>
   <description>
     An example role defined in "conf/tomcat-users.xml"
   </description>
   <role-name>admin</role-name>
 </security-role>
 <welcome-file-list>
   <welcome-file/>
 </welcome-file-list>
</web-app>


On Mon, Oct 27, 2008 at 12:16 PM, André Warnier <aw@xxxxxxxxxx> wrote:

Michele Mase' wrote:

I've the following problem:

A frontend server with apache2.2.x (http1.1)
mod_proxy
mod_proxy_ajp

A backend server:
tomcat 6.x with 2 webapps:
/app1
/app2 (webdav, basic authentication via http)

Problem:

/app1 works well under proxy_ajp:
ProxyPass /some_path ajp://server:8009/app1

webdav authentication cannot work under proxy_ajp
It works only under proxy_http:
ProxyPass /path http://server/app2
ProxyPassReverse /path http://server/app2

Are there some limitations in proxy_ajp module?
Could webdav authentication work with proxy_ajp?
Michele

 What do you call "webdav authentication" ?
DAV itself does not handle authentication.
It is whatever you put "around it" in your configuration that will do the
authentication.
Can you post the configuration of the section which you configure with "Dav
on" ?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
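
The check suggested in the thread (every role named in the webapp's `<auth-constraint>` must be held by some user in `tomcat-users.xml`), as an added Python example that is not part of the original messages. The sample XML is constructed from the files quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the web.xml and tomcat-users.xml quoted in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
USERS_OK = """<tomcat-users>
  <role rolename="admin"/>
  <user username="davuser" password="constructed-placeholder" roles="admin, status"/>
</tomcat-users>"""
USERS_MISSING = """<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="constructed-placeholder" roles="manager,status"/>
</tomcat-users>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to namespaced tags."""
    return tag.rsplit("}", 1)[-1]

def required_roles(web_xml):
    """Role names listed in any <auth-constraint> of a web.xml document."""
    roles = set()
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "auth-constraint":
            roles |= {r.text.strip() for r in el if local(r.tag) == "role-name" and r.text}
    return roles

def users_by_role(users_xml):
    """Map each role to the usernames holding it in tomcat-users.xml."""
    holders = {}
    for el in ET.fromstring(users_xml).iter():
        if local(el.tag) == "user":
            for role in el.get("roles", "").split(","):
                if role.strip():
                    holders.setdefault(role.strip(), []).append(el.get("username"))
    return holders

def unsatisfied_roles(web_xml, users_xml):
    """Roles the webapp demands that no configured user holds (access is always denied)."""
    holders = users_by_role(users_xml)
    # "*" in an auth-constraint means "any role of the webapp", so it names no specific role.
    return sorted(r for r in required_roles(web_xml) if r != "*" and r not in holders)

if __name__ == "__main__":
    print("missing:", unsatisfied_roles(WEB_XML, USERS_MISSING))  # ['admin']
    print("ok:", unsatisfied_roles(WEB_XML, USERS_OK))            # []
```
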







