Marcus Better wrote:
Caldarale, Charles R wrote:
I'm looking for the Tomcat 6 security configuration that would
correspond to Apache httpd's "Satisfy Any".
Take a look at SecurityFilter to see if it will do what you want.

Thanks, but it says it only supports form authentication, not HTTP Basic or Digest...

You still may want to dig a bit deeper, because in this case I believe it is the doc which is outdated. I think I remember someone saying that it does support Basic authentication (though not Digest).

Another idea: you could also have a look here: http://www.tuckey.org/urlrewrite/

It may be possible, depending on the caller IP, to redirect the request to another copy of your webapp which would/would not force authentication in the way you want.
Click on "manual", and search in that page for "remote-addr".

And still otherwise, this may be one of these cases where using an Apache httpd front-end to Tomcat is justified. I am doing just that on several websites I run: Apache httpd does the user authentication (using a variety of schemes, including the one you are mentioning(*)), and passes the authenticated user-id to Tomcat via the Apache-Tomcat connector. See the "tomcatAuthentication" attribute of the <Connector> element in Tomcat.

(*) Typically, an application is available on a server on the Internet. You want to allow in, without authentication, a group of users whenever they connect from within their corporate network, which has one or several well-defined IP addresses. But when these people connect from outside their corporate network, you want them to log in.
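
The httpd front-end setup described in the message above, as an added configuration sketch that is not part of the original thread. The `/app` context, the `192.0.2.0/24` corporate range, the htpasswd path, and the use of mod_proxy_ajp as the connector are all assumptions.

```apache
# Added example. Apache httpd 2.2-style access control
# (httpd 2.4 needs mod_access_compat for Order/Allow/Deny/Satisfy).
# Assumed values: /app, 192.0.2.0/24, the htpasswd path, mod_proxy_ajp.

<Location /app>
    # Host-based rule: only the corporate range passes without credentials.
    # The match is on the TCP peer address that httpd sees.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # User-based rule: everyone else must present HTTP Basic credentials.
    # Serve this location over HTTPS; Basic sends the password base64-encoded.
    AuthType Basic
    AuthName "Restricted application"
    AuthUserFile /etc/httpd/conf/app.htpasswd
    Require valid-user

    # Passing either rule is enough to be let in.
    Satisfy Any
</Location>

# Forward to Tomcat over AJP; the authenticated user name travels with the request.
ProxyPass /app ajp://127.0.0.1:8009/app

# Matching Tomcat server.xml entry (XML, shown here as a comment):
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
# tomcatAuthentication="false" makes Tomcat accept the user name set by httpd
# instead of authenticating the request itself.
# address="127.0.0.1" keeps the AJP port off the network, because Tomcat now
# trusts whatever user name arrives on that port.
# Requests admitted by address alone carry no user name, so
# request.getRemoteUser() returns null for them in the webapp.
```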

