Hello Konstantin, On Sat, Dec 5, 2015 at 2:31 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2015-12-05 12:18 GMT+03:00 Marco Pizzoli <marco.pizz...@gmail.com>: > > Hi list, > > I am fighting against a 3rd party application composed by 2 webapps. > > > > The first is supposed to present a login form and once authenticated you > > are presented with the application frontend. > > Behind the lines it is connecting (through localhost) to a second one > that > > is presenting the same security configuration. > > In short, the same username/role are authorized for the second aplication > > as well. > > What do you mean by "connecting"? > It is connecting to https://<same_hostname>/context2/<balbla> In /etc/hosts I put "same_hostname" to point to 127.0.0.1 > A cross-context Servlet API call (getContext(String name)), and the > first application has crossContext="true" on its Context element [1]? > No, it wasn't. I tried setting it up, but without success... > > A network connection to 127.0.0.1 ? > > [1] http://tomcat.apache.org/tomcat-8.0-doc/config/context.html I did look at that link, but still can't understand how this attribute should help me... > > > > In the original setup everything works fine with the memoryRealm, so just > > populating the tomcat-users.xml file. > > Problems arose when I switched to leverage JNDIRealm (LDAP): it is not > > working anymore. > > I easily managed to get the first app to authenticate against LDAP, > > validating a specific LDAP group, but eventually the app gets 403 in > > accessing the second one. > > > > Of course I already tried the same security-role / security-contraint in > > both the web.xml. > > > > Do you know if it is a known problem in "sharing" a security mechanism > > between webapps running on the same Tomcat? > > I am running Tomcat 7.0.64. > > > > I did not found a way to debug the security-contraint/security-role > stuff. > > If you could just advice what to enable to have a deeper insight... that > > would be invaluable! > > Constraints and roles check is performed by an Authenticator valve > [2]. There are several kinds of them - one is selected based on your > login configuration. The base operations are common between them, > implemented in base class > (org.apache.catalina.authenticator.BasicAuthenticator). > > A Realm is called to perform password checks etc., > but see also its common class (RealmBase) with methods such as > RealmBase.findSecurityConstraints(..), hasResourcePermission(), ... > > I understand, but what I am asking if is there a way to enable "debug" logging on the "security engine" that on the second webapp is producing "403" as response... > [2] > http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Authentication > > Best regards, > Konstantin Kolinko > Thank you very much for your help. Marco > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
