Okay, searching around for 'tomcatAuthentication="false"' is bearing some fruit. It appears that my situation is similar to this one: http://tomcat.10.x6.nabble.com/tomcat-apache-with-mod-jk-and-mod-auth-kerb-tt2097887.html#a2097891
Just like that person, I enabled debug logging for mod_jk and I see a null user being passed over AJP:

[Fri Jun 07 00:07:45 2013] [21431:1579538176] [debug] init_ws_service::mod_jk.c (977): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=x.y.z.28 name=HOSTNAME port=443 auth=(null) user=(null) laddr=x.y.z.210 raddr=x.y.z.28 uri=/nftest/

Double-checking the logs (thanks for the tip, Rainer-of-2008) I see that the requests being forwarded to Tomcat are bypassing authentication:

x.y.z.28 - - [07/Jun/2013:00:07:45 +0000] "GET /nftest/?user=nobody HTTP/1.1" 200 25424 "-" "Mozilla/5.0 ..."

versus one served directly by Apache:

x.y.z.28 - xsdg [07/Jun/2013:00:18:18 +0000] "GET /?user=nobody HTTP/1.1" 200 14288 "-" "Mozilla/5.0 ..."

By comparison, when I hit both addresses from a browser instance with no credentials:

x.y.z.28 - - [07/Jun/2013:00:24:41 +0000] "GET /?user=nobody HTTP/1.1" 302 3811 "-" "Mozilla/5.0 ..."
x.y.z.28 - - [07/Jun/2013:00:26:24 +0000] "GET /nftest/?user=nobody HTTP/1.1" 200 22888 "-" "Mozilla/5.0 ..."

The 302 is when the unauthenticated browser instance gets redirected to a login page, so this confirms that the Jk stuff is bypassing authentication right now, even though I'm hitting it over port 443.

So that's what I'm working on figuring out right now.  If anyone has any suggestions, let me know.  I feel like I'm close, though.

--xsdg

On Thu, Jun 6, 2013 at 4:13 PM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> From: Omari Stephens [mailto:x...@google.com]
>> Subject: Re: How to get SSL connection information from Apache HTTPD over
>> AJP?
>
>> [re-adding mailing list]
>
>> Martin:
>
> There's a reason everyone ignores Martin Gainty's postings: they are nearly
> always irrelevant, or worse.  Consequently, he's taken to responding to
> postings off-list, which is counterproductive and against the rules of the
> mailing list.
>
>  - Chuck

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
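
The access-log comparison described in the message above, as an added example that is not part of the original thread: it scans Apache access-log lines for successful responses under paths that are supposed to require a login but were logged with no authenticated user. The function names and the protected-prefix list are assumptions; the sample lines are the four access-log lines quoted in the message.

```python
import re

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The four access-log lines quoted in the message (addresses already redacted there).
SAMPLE_LINES = [
    'x.y.z.28 - - [07/Jun/2013:00:07:45 +0000] "GET /nftest/?user=nobody HTTP/1.1" 200 25424 "-" "Mozilla/5.0 ..."',
    'x.y.z.28 - xsdg [07/Jun/2013:00:18:18 +0000] "GET /?user=nobody HTTP/1.1" 200 14288 "-" "Mozilla/5.0 ..."',
    'x.y.z.28 - - [07/Jun/2013:00:24:41 +0000] "GET /?user=nobody HTTP/1.1" 302 3811 "-" "Mozilla/5.0 ..."',
    'x.y.z.28 - - [07/Jun/2013:00:26:24 +0000] "GET /nftest/?user=nobody HTTP/1.1" 200 22888 "-" "Mozilla/5.0 ..."',
]

def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["uri"].split("?", 1)[0]  # drop the query string
    return rec

def unauthenticated_successes(lines, protected_prefixes):
    """Return records for 2xx responses under a protected prefix where the
    authenticated-user field is '-' (no user was established for the request)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 200 <= rec["status"] < 300:
            continue  # unparsable, or a redirect/denial such as the 302 to the login page
        if rec["user"] != "-":
            continue  # a user was logged, so authentication ran
        if any(rec["path"].startswith(p) for p in protected_prefixes):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    # Assumption: the whole vhost is meant to sit behind authentication.
    for rec in unauthenticated_successes(SAMPLE_LINES, ["/"]):
        print(rec["time"], rec["status"], rec["uri"])
```

Run against the quoted lines, this reports only the two `/nftest/` requests: the 302 and the request logged with user `xsdg` are the expected behaviour and are skipped.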