Ah... I think I understand, but I have never setup Kerberos before so I have
to guess.
I think you are protecting the Directory locations with Kerberos.
BUT then just connecting the web to Tomcat.
I think that kerberos stuff has to also be in the Location of the Tomcat
URI.... see the second link
If you want to put Tomcat on Kerberos
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberos
I think the problem is you protecting a Directory
I think it has to be a <Location>
See this link
http://synewgrid.blogspot.com/2006_05_01_synewgrid_archive.html
Hope this helps....
----- Original Message -----
From: "sunil chandran" <[EMAIL PROTECTED]>
To: "Johnny Kewl" <[EMAIL PROTECTED]>
Cc: <users@tomcat.apache.org>
Sent: Thursday, April 05, 2007 9:13 AM
Subject: Re: problem in handlins request for JK2
hello Johnny,
I am sorry to confuse you...
see my problem is that i used mod_auth_kerb for implementing single
sing-on
in a Japan server.i finsihed the project..then we found the problem ...
that module works only in Apache and not in tomcat.so we needed something
to
connect Apache and tomcat to request the servlet inside webapps of Tomcat.
first i wrote a Perl script which will redirect the request to the
servlet.
that gave temporary relief. it was working fine.
so a client request for a servlet (http://ipaddress/cert) will run
perfectly
from a Japan machine.
but running it from my system will say " authentication required"
thats how it should run...
*i should not be able to run that servlet in JP server from my machine..
thats where authentication prompt comes.. instead if i remote login to a
JP
machine and run the url ..it works perfectly..*
thats how my project should work.
i hope till here you are clear !
now i went for JK2 connector.
now after configuring the appropriate files ..
i checked the URL from JP machine. it works perfectly ( now no need of the
perl script !)
but when i run from my machine ....also i am able to get the result...(
which is not what i should get ) that means now i am not getting that
authentication message ..but am able to run the url and get the result
from
my machine also.
thats what i mentioned about a security issue...no security for the URL..
so i should change some thing inside httpd.conf file...
thats what my doubt is.....
hope you understood the scenario...
this is the data i have given for Kerberos authentication inside my
httpd.conf..
<Directory />
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms JP.SONY.COM
KrbServiceName HTTP/[EMAIL PROTECTED]
Krb5Keytab /usr/local/apache/conf/jptkysip99.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
Require valid-user
</Directory>
On 4/5/07, Johnny Kewl <[EMAIL PROTECTED]> wrote:
Hello Sunil,
I'm not sure if I understand what you trying to do...
If you want Apache to authenticate there should be something like this in
httpd.conf
<Location /secure>
AuthType basic
AuthName "japan area"
AuthBasicProvider dbm
AuthDBMType SDBM
AuthDBMUserFile /www/etc/dbmpasswd
Require valid-user
</Location>
If you want Tomcat to do the authentication then
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>HARBOR Security</realm-name>
</login-config>
<security-constraint>
<!--this section dictates which URLS will invoke security-->
<web-resource-collection>
<web-resource-name>Test</web-resource-name>
<url-pattern>/service/admin</url-pattern>
</web-resource-collection>
<!--only users in these roles will get access to the above uri-->
<!--users are set in the conf/tomcat-users.xml file-->
<auth-constraint>
<role-name>japan_admin</role-name>
</auth-constraint>
</security-constraint>
I tried to find a good example for you, but I couldnt find anything for
mod_jk2.... maybe someone else can comment on this but I think mod_jk2
has
been deprecated (its old)... yes the numbering doesnt make sense. Anyway
I
think if you use mod_jk in future, you will find many more people can
help.
If you want SSL as well then have a look at the apache help file ie
http://apacheserver/manual
I dont know mod_jk2 but I think that any Cert or Ssl stuff in worker
files
must be for SSL between Apache and Tomcat... and its not often needed or
wanted.
Anyway... if you want little login box's to prompt the user.... must do
something like the above. If you do it in Apache then local users can
still
get into Tomcat through a connector, if you do it in Tomcat then all
users
via Apache or direct to tomcat will have to login. It depends on what
your
system looks like... I think it will probably be easier to do it on
Tomcat
and then deliver the WAR package to Japan. That way Apache admin person
just
needs a simple connector setup.
Here is some sample stuff for mod_jk that will help you get going
http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html
and some more for SSL
https://spaces.internet2.edu/display/SHIB/JKIdPInstall
Main point is if you start using MOD_JK then just googling for Tomcat
Mod_jk will give you losts of info....
Your english is much better than my japanese, but for prompting user
login
the word to search for is AUTHENTICATION... searching for "security" will
probably give you SSL.
Hope that helps
----- Original Message -----
*From:* sunil chandran <[EMAIL PROTECTED]>
*To:* Tomcat Users List <users@tomcat.apache.org>
*Cc:* JOHN <[EMAIL PROTECTED]>
*Sent:* Wednesday, April 04, 2007 10:58 AM
*Subject:* Re: problem in handlins request for JK2
Hi ,
this is the modifictaion i made in workers2.properties file:
------------------------------------------------------------------------------------------------------------------------
[channel.socket:localhost:8009]
info=Ajp13 forwarding over socket
debug=0
tomcatId=localhost:8009
# define the worker
[ajp13:localhost:8009]
channel=channel.socket:localhost:8009
group=lb
[uri:/cert]
info=Colavo Authentication.
debug=0
[uri:/]
info=Colavo Authentication.
debug=0
[uri:/event]
info=Colavo Authentication.
debug=0
[uri:/status]
[uri:/status02]
info=Colavo Authentication.
debug=0
-------------------------------------------------------------------
then i added
LoadModule jk2_module modules/mod_jk2.so
inside httpd.conf file in apache.
now i can succesfully run
http://serverIP/status <http://serverip/status>
http://serverIP/cert?username=....&password<http://serverip/cert?username=....&password>
=...
this is working fine. but i need to restrict from opening this URL from
my
systtem
that url should ask for authorization required (401 error)
but the problem is i am able to run this url of server located in Japan
from my system also. which i should restrict.
i need to do some changes in httpd.conf file itself..
please help me forward
On 4/4/07, JOHN <[EMAIL PROTECTED]> wrote:
>
> Please show us the setup files...
>
>
>
> ----- Original Message -----
> From: "sunil chandran" < [EMAIL PROTECTED]>
> To: <users@tomcat.apache.org>
> Sent: Wednesday, April 04, 2007 9:02 AM
> Subject: problem in handlins request for JK2
>
>
> > Hello all,
> >
> > I am Sunil C.
> > i have used JK2 connector to connect Apache and
> Tomcat
> > I am having a servlet (Certserv) folder in webapps folder in Tomcat.
> > i gave uri to that cert program in my workers2.properties file.
> >
> > everything is working fine.
> >
> > but i face a secuirty issue. this machine is in other domain. i mean
> > Japan.
> > i did a remote login and checked the uri . its working fine.
> >
> > the real problem lies ...when i type the uri from my machine. it
> should
> > show
> > "authentication required"
> > because that folder is authentication restricted.
> > but now ..i am able to run the uri from machine also.
> >
> > please tell me how can i restrict it.
> >
> > i tried giving :
> >
> > <Location "/cert">
> > JkUriSet worker ajp13:localhost:8009
> > </Location>
> >
> > but it doesnt seem to work.
> >
> > is there something i have to include in my httpd.conf file of Apache?
> >
> > please help me forward
> >
> > thanks in advance.
> >
> >
> >
> >
> > --
> > Sunil
> >
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
--
Sunil
--
Sunil
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]