>
> You're talking about having to change your app, but you've only
> described having to make modifications to a Tomcat internal support class.
>
> You seem to be saying that Tomcat has a compliancy issue - IMO the
> problem with leaving that unchallenged is that it breeds
> misunderstanding that
On 17/06/2010 15:08, Marc Boorshtein wrote:
>>> Hi.
>>> I must say that, with my limited knowledge of the Tomcat internals taken
>>> into consideration, I tend to agree with Marc in this case, if he is
>>> right in claiming that the Tomcat Realm mixes authentication with
>>> authorization and does
>> Hi.
>> I must say that, with my limited knowledge of the Tomcat internals taken
>> into consideration, I tend to agree with Marc in this case, if he is
>> right in claiming that the Tomcat Realm mixes authentication with
>> authorization and does not allow to separate the two.
>
> Well, he said
On Thu, Jun 17, 2010 at 9:11 AM, Mark Thomas wrote:
> On 17/06/2010 13:26, André Warnier wrote:
>> I must say that, with my limited knowledge of the Tomcat internals taken
>> into consideration, I tend to agree with Marc in this case, if he is
>> right in claiming that the Tomcat Realm mixes authe
On 17/06/2010 13:26, André Warnier wrote:
> Pid wrote:
>> On 17/06/2010 12:34, Marc Boorshtein wrote:
> I'm not looking to start a holy war here, but is there anything
> incorrect in what I said? Tomcat is a servlet container, the servlet
Yes.
You made a sweeping statement a
On 17/06/2010 13:26, André Warnier wrote:
> I must say that, with my limited knowledge of the Tomcat internals taken
> into consideration, I tend to agree with Marc in this case, if he is
> right in claiming that the Tomcat Realm mixes authentication with
> authorization and does not allow to separ
Pid wrote:
On 17/06/2010 12:34, Marc Boorshtein wrote:
I'm not looking to start a holy war here, but is there anything
incorrect in what I said? Tomcat is a servlet container, the servlet
Yes.
You made a sweeping statement about container managed security which
implied that things should just
On 17/06/2010 12:34, Marc Boorshtein wrote:
>>>
>>> I'm not looking to start a holy war here, but is there anything
>>> incorrect in what I said? Tomcat is a servlet container, the servlet
>>
>> Yes.
>>
>> You made a sweeping statement about container managed security which
>> implied that things
>>
>> I'm not looking to start a holy war here, but is there anything
>> incorrect in what I said? Tomcat is a servlet container, the servlet
>
> Yes.
>
> You made a sweeping statement about container managed security which
> implied that things should just work. Someone has to make them work.
>
On 17/06/2010 02:41, Marc Boorshtein wrote:
>>>
>>> The problem with the Realm system is it's designed with the assumption
>>> that tomcat is doing the authentication which is not a valid
>>> assumption in an environment where the authentication is separated
>>> from authorization. The entire point
>>
>> The problem with the Realm system is it's designed with the assumption
>> that tomcat is doing the authentication which is not a valid
>> assumption in an environment where the authentication is separated
>> from authorization. The entire point of container security is that as
>> a coder I do
On 16/06/2010 18:27, Marc Boorshtein wrote:
>>
>> To look at this from a very strict point of view, the whole area is already
>> a bit stretched. Tomcat has this notion of "roles" (because the Servlet
>> Spec has this same notion). But if you look at common authentication
>> schemes, like NTLM or
>
> To look at this from a very strict point of view, the whole area is already
> a bit stretched. Tomcat has this notion of "roles" (because the Servlet
> Spec has this same notion). But if you look at common authentication
> schemes, like NTLM or LDAP, they do not have this notion. It is possi
Marc Boorshtein wrote:
OK, some context first:
What I'm trying to do is integrate a Commercial Off The Shelf (COTS)
application that relies on container security into a Web Access
Manager (WAM). In a typical WAM deployment AAA is broken up
into multiple layers:
Web Server - Authentic
Sent from my iPhone
On Jun 16, 2010, at 11:12 AM, David kerber wrote:
On 6/16/2010 10:58 AM, Marc Boorshtein wrote:
...
That being said, the sequence of events should be:
1. Web server authenticates the user (works)
2. Pass the context to Tomcat (works)
3. Tomcat calls the realm to ret
On 6/16/2010 10:58 AM, Marc Boorshtein wrote:
...
That being said, the sequence of events should be:
1. Web server authenticates the user (works)
2. Pass the context to Tomcat (works)
3. Tomcat calls the realm to retrieve the user information and set
the context (doesn't presently occur)
#3
OK, some context first:
What I'm trying to do is integrate a Commercial Off The Shelf (COTS)
application that relies on container security into a Web Access
Manager (WAM). In a typical WAM deployment AAA is broken up
into multiple layers:
Web Server - Authentication (via the WAM) and c
Marc Boorshtein wrote:
You should not need to do that, it should be automatic.
Just make sure that in the Tomcat for AJP (in server.xml), you
set the attribute
tomcatAuthentication="false"
If the request is authenticated by Apache, mod_jk will (always) pass it
internally to Tomcat, along with t
>
> You should not need to do that, it should be automatic.
> Just make sure that in the Tomcat for AJP (in server.xml), you
> set the attribute
> tomcatAuthentication="false"
>
> If the request is authenticated by Apache, mod_jk will (always) pass it
> internally to Tomcat, along with the request
Also, it is *really really really* helpful, when you post a question, that you would
specify the precise versions of software you are talking about.
Like :
Apache httpd version : 2.2.3
Tomcat version : 5.5.21
mod_jk version : 1.2.18
.. the documentation .. : the documentation page at :
http://to
Marc Boorshtein wrote:
All,
I'm trying to set up apache in front of tomcat and have apache do the
authentication for access and pass the user's context back to tomcat.
I've seen documentation that says that I should set the JK_REMOTE_USER
environment variable but it doesn't seem to be working.
All,
I'm trying to set up apache in front of tomcat and have apache do the
authentication for access and pass the user's context back to tomcat.
I've seen documentation that says that I should set the JK_REMOTE_USER
environment variable but it doesn't seem to be working. Here is my
httpd configura