Hi Folks,
I'm having trouble getting a context.xml file to be obeyed.
I'm using:
Tomcat 5.5.20, the stock install from tomcat.apache.org.
JDK 1.6, direct from Sun.
RedHat Enterprise Linux AS3
The application I'm installing is the Shibboleth Identity Provider
(IdP). The installation process generates a shibboleth-idp.war file
which deploys fine when I start tomcat.
Out of the box, the IdP relies on Apache to handle authentication, but
form based auth is more desirable. I edited the WEB-INF/web.xml file to
add a security-contraint, login-config, and security-role, then added a
realm block to the engine block in $CATALINA_HOME/conf/server.xml like this:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldaps://ldap.carleton.edu:636"
userPattern="netid={0}, dc=carleton, dc=edu"
userRoleName="objectclass"
/>
With this Shibboleth works fine, and there was much rejoicing.
This, though, breaks authentication to the Tomcat admin/manager apps
which usually use the UserDatabase resource (specified in a realm block
I had to comment out when adding the one above). Placing the Realm in
Engine makes it the default for the whole container, so I started
looking at how to make it specific to the shibboleth-idp.
Everything I've read says you should place a Context block in either:
$CATALINA_HOME/webapps/shibboleth-idp/META-INF/context.xml
or in
$CATALINA_HOME/conf/Catalina/localhost/shibboleth.xml
I've tried both (not at the same time, and having removed the JNDI realm
from server.xml and restored the UserDatabase based realm), with the
following config:
<Context>
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldaps://ldap.carleton.edu:636"
userPattern="netid={0}, dc=carleton, dc=edu"
userRoleName="objectclass"
/>
<Valve className="org.apache.catalina.valves.AccessLogValve"
prefix="shibboleth_access_log." suffix=".txt"
directory="/tmp/"
pattern="common"/>
</Context>
In both cases the /tmp/shibboleth_access_log.DATE.txt file was not
created and the login form only accepted credentials from
tomcat-users.xml, not LDAP. I restarted tomcat with each change. It
seems like the context.xml file is being completely ignored.
When I place a context block in server.xml's host block like so:
<Host ... >
<Context path="/shibboleth-idp"
docBase="/usr/local/tomcat/webapps/shibboleth-idp" debug="0"
reloadable="true" crossContext="true">
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldaps://ldap.carleton.edu:636"
userPattern="netid={0}, dc=carleton, dc=edu"
userRoleName="objectclass"
/>
</Context>
</Host>
and remove the other context.xml / shibboleth-idp.xml files then the
tomcat-users.xml credentials work for the manager apps and the LDAP
credentials work for Shibboleth. This is what I want, but upon typing
that I exepect the Tomcat gods to smite me for placing the Context in
server.xml since it's explicitly frowned upon.
Is there a flag somewhere that I'm missing to enable
META-INF/context.xml files? I tried using <Context override="true"> in
context.xml but that didn't do what I hoped it would.
Any help would be much appreciated.
Thanks,
Matt Bockol
Web Technical Administrator
Carleton College / 507-646-4432
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
