Since switching from Apache 2.2, authorization gets bypassed for many JkMounts
(except jk-status). If I cancel the browser password popup, I get a 401-page.
It is not, as I expect, the one from Apache, but instead from JBoss, which it
shouldn't have been allowed to talk to. (I found this because unauthorized
users are talking to JBoss.)
On the receiving end we have both JBoss 4 and Wildfly 7. This is both with
"Apache/2.4.3 (Unix) mod_jk/1.2.37" and "Apache/2.4.10 (Unix) mod_jk/1.2.40".
Configuration is always like:

<Location /XYZ/*>
    JkMount XYZ
    AuthType basic
    AuthUserFile conf/passwd/XYZ
    AuthName "XYZ security"
    Require valid-user
</Location>

I even have a case where the identical setup (worker definition, <Location>,
file permission and content) works on 2.4.3 but not on 2.4.10. For other
JkMounts both versions behave wrongly. If I raise the debug level, I don't see
anything about how it parses this. When I call the URL, it says there is no
directive protecting it.
It doesn't make a difference whether AuthName is the same as the Realm in
JBoss or not.
안녕히 계세요 / coralament / best Grötens / liebe Grüße / best regards /
elkorajn salutojn
Daniel Pfeiffer
--
배운다 / lerne / learn / apprends Esperanto:
http://lernu.net / http://ikurso.net
Reliability, Perl programming and much more in Makefiles:
http://makepp.sourceforge.net
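
The check described in the message (send a request without credentials and see whose 401 comes back) can be automated. The following is an added example, not part of the original post and not code from Apache or mod_jk; the backend header markers, the use of httpd's stock 401 wording, and the sample responses are assumptions constructed for illustration.

```python
import re

# Text from httpd's stock 401 page; assumes no custom ErrorDocument 401 is configured.
HTTPD_401_TEXT = "This server could not verify that you are authorized"

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw, expected_realm, backend_markers=("jboss", "undertow", "wildfly")):
    """Judge the reply to a request sent WITHOUT credentials to a protected path.

    backend_markers are assumed header substrings; adjust them to your backend.
    """
    status, headers, body = parse_response(raw)
    if status != 401:
        return "no-challenge"  # nobody asked for credentials at all
    m = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""), re.I)
    realm = m.group(1) if m else None
    leaked = any(mk in v.lower() for v in headers.values() for mk in backend_markers)
    # The body check still separates the two when AuthName equals the backend realm.
    if leaked or realm != expected_realm or HTTPD_401_TEXT not in body:
        return "backend-reached"
    return "httpd-enforced"

# Constructed sample responses (not captured from the poster's servers).
HTTPD_401 = ("HTTP/1.1 401 Unauthorized\r\n"
             "Server: Apache/2.4.10 (Unix) mod_jk/1.2.40\r\n"
             'WWW-Authenticate: Basic realm="XYZ security"\r\n\r\n'
             "<p>This server could not verify that you are authorized "
             "to access the document requested.</p>")
BACKEND_401 = ("HTTP/1.1 401 Unauthorized\r\n"
               "Server: Apache/2.4.10 (Unix) mod_jk/1.2.40\r\n"
               'WWW-Authenticate: Basic realm="XYZ security"\r\n\r\n'
               "<h1>HTTP Status 401</h1>")
BACKEND_200 = "HTTP/1.1 200 OK\r\nX-Powered-By: JBoss (constructed)\r\n\r\nhello"

if __name__ == "__main__":
    for name in ("HTTPD_401", "BACKEND_401", "BACKEND_200"):
        print(name, "->", classify(globals()[name], "XYZ security"))
```

Run against every JkMount path after an httpd or mod_jk upgrade, any result other than "httpd-enforced" means the request got past the <Location> authorization.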