Hi Omar.

1. Removing the comments from server.xml is more for your sanity than mine. I started doing it to my server.xml's and it's made life so much easier.

2. The current production mod_jk is 1.2.14 in my system. I have to upgrade my server soon and will probably upgrade that when I do. I'm using it with both tomcat 5.0.28 and tomcat 5.5.23 without issue. For those out there scratching your heads on this one, the tomcat 5.5 instance is a dev/test environment while the 5.0 is production. Apache Httpd is version 2.0.48.

3. The auth module is Cornell's mod_cuwebauth.so which off-loads the authentication to the university's authentication service. There's no Tomcat realm version of it.

4. I never tested with BASIC first. I needed to get the mod_cuwebauth REMOTE_USER header and found a brief reference to it in the archives. Set it, restarted, and it started working instantly. When you access pages in /submitServer, are you challenged for a username and password?

--David

Omar Nafees wrote:
Thank you for the tips David. The JkEnvVar was just a shot at passing the REMOTE_USER explicitly. I read about it in one of the mod_jk documents. I was unable to get this to work without it either.

Oh and my apologies for a cluttered server.xml on the list.

I have restarted tomcat and apache several times. I was actually trying to get it to work with tomcat 6.0 and switched to 5.5 to see if that would make a difference.

I've also tried to get this to work with apache 1.3 to no avail. I now suspect mod_jk itself...

May I ask what versions of each software you are using? What form of Apache authentication are you using (some in house authorization software)? Did you first test your setup with Apache's Basic authentication?

Sorry for the many questions - but I'd like to know what you've done differently as I'd like to be where you are with this right now =)


Thanks,
Omar


David Smith wrote:
Hi.

I'm in the same boat as you in using an apache httpd module to authenticate users and have had it working for a few years now. Your configuration looked good as far as I could tell. Here are a couple of suggestions though.

1. I'm not sure what 'JkEnvVar REMOTE_USER' is doing in your apache config. I've never used it and have what you are working on working flawlessly.

2. Drop all those documenting comments and example configuration from your server.xml. You could make a copy of it named server.xml.original if you want. The commented parts are excellent documentation, but hamper readability of the active parts.

3. Restart Tomcat. I'm not sure if you restarted after you added tomcatAuthentication="false" to the connector, but it needs to happen.

--David

Omar Nafees wrote:
Hi Robert,

Thanks for the response.

So I've come to believe that it's possible to avoid using Tomcat authentication altogether, i.e., without specifying realms and using tomcat user/roles in an application's web.xml. Given my context (a University environment with over several hundreds of students hitting an apache web server and a small subset needing tomcat), I need to completely separate authentication from the Tomcat server. I guess this approach of using JNDI or even JAAS is a last resort... but I would really like to see what everyone else seems to have already accomplished - the REMOTE_USER variable being read from the first AJP header that is sent to tomcat.


Thanks,

Omar


Robert Segal wrote:
Omar, I actually had this exact same problem early today. Although I'm sure my environment is slightly different from yours, perhaps I can offer some help. In my case I have LDAP authentication configured for my servlet. I believe this step should be the same regardless of the authentication scheme you are using....

First I edit CATALINA_HOME/webapps/myServelet/WEB-INF/web.xml to define roles and constraints for what pages can be accessed...

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<security-role>
  <role-name>GRP-myGroup</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>my Authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>

  <auth-constraint>
    <role-name>GRP-myGroup</role-name>
  </auth-constraint>
</security-constraint>


The other file I change sets up all the LDAP machine details.  I've
placed it in Context.xml because there are several servlets that make
use of this authentication...

$CATALINA_HOME/conf/Context.xml

<Context>
    <Realm className         ="org.apache.catalina.realm.JNDIRealm"
           debug             ="99"
           connectionURL     ="ldap://ldapMachine:3268"
           connectionName    ="CRYPTOLOGIC\myUser"
           connectionPassword="myPassword"
           userBase          ="dc=myDomain,dc=com"
           userSearch        ="(sAMAccountName={0})"
           userSubtree       ="true"
           userRoleName      ="memberOf"
           roleBase          ="OU=Groups,DC=myDomain,DC=com"
           roleSubtree       ="false"
           roleName          ="cn"
           roleSearch        ="(member={0})"/>
</Context>

This has worked for me.  Hope it is of some use to you.  We also have
Apache over top of Tomcat in our environment and found it necessary to
configure authentication both in Apache and in Tomcat to get things to
work properly.

Robert Segal
Tools Developer
CryptoLogic Inc.
55 St. Clair Ave W., 3rd Floor
Toronto, Ontario
Canada  M4V 2Y7
tel.  + 1.416.545.1455 x5896
fax. + 1.416.545.1454


-----Original Message-----
From: Omar Nafees [mailto:[EMAIL PROTECTED]
Sent: Friday, August 24, 2007 2:30 PM
To: Tomcat Users List
Subject: Re: Apache authentication information (remoteuser) not visible in Tomcat

Thanks for the response Christopher... although I had very early on, already tried what is suggested in the link you have referred to, i.e., setting tomcatAuthentication="false" in the appropriate server.xml line (see the config listing I produced earlier in the thread).

Oh I hope it's not some obscure bug in mod_jk!! :)

Thanks,
Omar
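
As an added example (not part of the thread and not Tomcat's own code), this Python check audits a server.xml for the setting discussed above: the AJP connector only uses the user authenticated by httpd when tomcatAuthentication="false", and once that is set Tomcat accepts the user name its AJP peer supplies, so the connector should listen only where httpd can reach it. The sample XML and the finding labels are constructed for illustration; the check assumes a connector with no address attribute listens on all interfaces, as in the Tomcat 5.x/6.0 versions mentioned in this thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragments for illustration (not from the thread).
TEMPLATE = """<Server><Service name="Catalina">
  <Connector port="8080" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" {extra}/>
</Service></Server>"""
SAMPLE_DEFAULT = TEMPLATE.format(extra="")
SAMPLE_TRUSTING = TEMPLATE.format(extra='tomcatAuthentication="false" ')
SAMPLE_LOOPBACK = TEMPLATE.format(
    extra='tomcatAuthentication="false" address="127.0.0.1" ')


def is_loopback(address):
    """True only when the connector is explicitly bound to a loopback address."""
    if address is None:
        return False  # assumption: no address attribute means all interfaces
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"


def audit_ajp(server_xml):
    """Return (port, finding) for every AJP connector in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope here
        port = conn.get("port")
        delegated = conn.get("tomcatAuthentication", "true").lower() == "false"
        if not delegated:
            # Tomcat authenticates itself; httpd's REMOTE_USER is not used.
            findings.append((port, "IGNORES_HTTPD_USER"))
        elif is_loopback(conn.get("address")):
            findings.append((port, "OK"))
        else:
            # Any host that can reach this port can assert a user name.
            findings.append((port, "TRUSTS_ANY_AJP_PEER"))
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_TRUSTING", "SAMPLE_LOOPBACK"):
        print(name, audit_ajp(globals()[name]))
```

IGNORES_HTTPD_USER corresponds to the symptom in this thread (getRemoteUser() empty behind an authenticating httpd); TRUSTS_ANY_AJP_PEER means the setting works but the AJP port also needs a loopback bind or a firewall rule limiting it to the httpd host.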




