*phew* Got it figured out, and now everything is working (including the JkEnvVar thing that I had set up).
For anyone who runs across this thread in the future, the problem was that I was using a <Directory /> stanza to require authentication. Because Jakarta queries don't actually hit the filesystem, though, they don't match that stanza. I ended up using the advice here:
http://web.archiveorange.com/archive/v/JBjmW7BaH8HOOefUz8eK

When I created a <Location "/nftest" > stanza that required authentication, the Jakarta queries started requiring authentication, and then all of the authentication stuff in Tomcat started working (with tomcatAuthentication="false", as described in my previous email).

Now all is well. Thanks again, Rainer,
--xsdg

On Thu, Jun 6, 2013 at 5:31 PM, Omari Stephens <x...@google.com> wrote:
> Okay, searching around for 'tomcatAuthentication="false"' is bearing
> some fruit. It appears that my situation is similar to this one:
> http://tomcat.10.x6.nabble.com/tomcat-apache-with-mod-jk-and-mod-auth-kerb-tt2097887.html#a2097891
>
> Just like that person, I enabled debug logging for mod_jk and I see a
> null user being passed over AJP:
> [Fri Jun 07 00:07:45 2013] [21431:1579538176] [debug] init_ws_service::mod_jk.c (977): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=x.y.z.28 name=HOSTNAME port=443 auth=(null) user=(null) laddr=x.y.z.210 raddr=x.y.z.28 uri=/nftest/
>
> Double-checking the logs (thanks for the tip, Rainer-of-2008) I see
> that the requests being forwarded to Tomcat are bypassing
> authentication
> x.y.z.28 - - [07/Jun/2013:00:07:45 +0000] "GET /nftest/?user=nobody HTTP/1.1" 200 25424 "-" "Mozilla/5.0 ..."
> versus one served directly by Apache:
> x.y.z.28 - xsdg [07/Jun/2013:00:18:18 +0000] "GET /?user=nobody HTTP/1.1" 200 14288 "-" "Mozilla/5.0 ..."
>
> By comparison, when I hit both addresses from a browser instance with
> no credentials:
> x.y.z.28 - - [07/Jun/2013:00:24:41 +0000] "GET /?user=nobody HTTP/1.1" 302 3811 "-" "Mozilla/5.0 ..."
> x.y.z.28 - - [07/Jun/2013:00:26:24 +0000] "GET /nftest/?user=nobody HTTP/1.1" 200 22888 "-" "Mozilla/5.0 ..."
>
> The 302 is when the unauthenticated browser instance gets redirected
> to a login page, so this confirms that the Jk stuff is bypassing
> authentication right now, even though I'm hitting it over port 443.
>
> So that's what I'm working on figuring out right now. If anyone has
> any suggestions, let me know. I feel like I'm close, though.
>
> --xsdg
>
> On Thu, Jun 6, 2013 at 4:13 PM, Caldarale, Charles R
> <chuck.caldar...@unisys.com> wrote:
>>> From: Omari Stephens [mailto:x...@google.com]
>>> Subject: Re: How to get SSL connection information from Apache HTTPD over AJP?
>>
>>> [re-adding mailing list]
>>
>>> Martin:
>>
>> There's a reason everyone ignores Martin Gainty's postings: they are nearly
>> always irrelevant, or worse. Consequently, he's taken to responding to
>> postings off-list, which is counterproductive and against the rules of the
>> mailing list.
>>
>> - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you received
>> this in error, please contact the sender and delete the e-mail and its
>> attachments from all computers.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
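
The access-log comparison used in this thread to confirm the bypass (a 200 response with no logged user on a URL that should require a login), written out as an added example; it is not code from the thread or from the httpd or Tomcat projects. It assumes the default common/combined LogFormat, where the third field is the authenticated user, and that the whole virtual host is meant to require authentication; the function names are hypothetical, and the sample lines are the ones quoted above.

```python
import re
from collections import Counter

# Common/combined LogFormat prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

def unauthenticated_hits(lines, protected_prefixes=("/",)):
    """Return (time, path, status) for requests under a protected prefix that
    were answered with 2xx while the logged remote user was "-"."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line, or a different LogFormat
        path = m["target"].split("?", 1)[0]
        if not any(path.startswith(p) for p in protected_prefixes):
            continue
        # A 302 to the login page is the expected answer for an anonymous client;
        # a 2xx with no user means content was served without authentication.
        if m["user"] == "-" and m["status"].startswith("2"):
            findings.append((m["time"], path, int(m["status"])))
    return findings

def by_top_segment(hits):
    """Count findings per first path segment, which points at the proxied mount."""
    return dict(Counter("/" + path.split("/")[1] for _, path, _ in hits))

# Access-log lines quoted in the thread (addresses were already redacted there).
SAMPLE = [
    'x.y.z.28 - - [07/Jun/2013:00:07:45 +0000] "GET /nftest/?user=nobody HTTP/1.1" 200 25424 "-" "Mozilla/5.0 ..."',
    'x.y.z.28 - xsdg [07/Jun/2013:00:18:18 +0000] "GET /?user=nobody HTTP/1.1" 200 14288 "-" "Mozilla/5.0 ..."',
    'x.y.z.28 - - [07/Jun/2013:00:24:41 +0000] "GET /?user=nobody HTTP/1.1" 302 3811 "-" "Mozilla/5.0 ..."',
    'x.y.z.28 - - [07/Jun/2013:00:26:24 +0000] "GET /nftest/?user=nobody HTTP/1.1" 200 22888 "-" "Mozilla/5.0 ..."',
]

if __name__ == "__main__":
    hits = unauthenticated_hits(SAMPLE)
    for when, path, status in hits:
        print(f"{when}  {status}  {path}  served without an authenticated user")
    print(by_top_segment(hits))
```

Run against a real access log, any path segment that shows up in the summary is a URL space that a filesystem-scoped <Directory> rule is not covering and that needs its own <Location> rule.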