I can authenticate the user in Apache httpd, but Tomcat doesn't use the Remote_User for authorization checks. I've been Googling for days, but without success.

Verification I have done
----------
If I run the JSP example 'Snoop' (examples/jsp/snp/snoop.jsp), I do get the remote user ('testuser') authenticated by the httpd server. Hence, I assume that the configuration of AJP and JK is correct.

The Problem
----------
If I want to access the manager application (manager/html) I receive '403 Access Denied' from the Tomcat server. What am I doing wrong? Is the scenario I'd like to implement not foreseen?

Implementation scenario
----------
Using Apache httpd 2.2.3-45 on RedHat EL5 to authenticate web users.
The Tomcat 6.0.30 runs the webapps and does the authorization of the logged-in users.
To verify the set up, I'm using Tomcat's application 'manager'.
The users with their roles are listed in "conf/tomcat-users.xml".

Configuration Set up
----------
Apache 2.2.3 configuration:

-> AJP13 configuration

    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    ProxyPass /manager ajp://localhost:8009/manager
    ProxyPassReverse /manager ajp://localhost:8009/manager

-> mod-jk configuration

    LoadModule jk_module modules/mod_jk.so
    JkWorkersFile /etc/httpd/conf/workers.properties
    JkShmFile /var/log/httpd/mod_jk.shm
    JkLogFile /var/log/httpd/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    JkMount /manager/* worker1

-> workers.properties configuration

    worker.list=worker1
    worker.worker1.type=ajp13
    worker.worker1.host=localhost
    worker.worker1.port=8009

-> http.conf configuration for authentication

    <Location /manager>
        # central authentication service (from http://www.jasig.org/cas)
        AuthType CAS
        Order deny,allow
        Allow from all
        Require valid-user
    </Location>

Tomcat 6.0.30 configuration:

-> server.xml configuration (only relevant parts, everything else is standard)

    [...]
    <GlobalNamingResources>
      <Resource name="UserDatabase" auth="Container"
                type="org.apache.catalina.UserDatabase"
                description="User database that can be updated and saved"
                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                pathname="conf/tomcat-users.xml" />
    </GlobalNamingResources>
    <Service name="Catalina">
      [...]
      <Connector port="8009" protocol="AJP/1.3" enableLookups="false"
                 tomcatAuthentication="false" URIEncoding="UTF-8" />
      [...]

-> Authorization file tomcat-users.xml

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="manager-gui" />
      <role rolename="manager-script" />
      <role rolename="manager-jmx" />
      <role rolename="manager-status" />
      <user username="testuser" roles="manager-gui" />
    </tomcat-users>

-> web.xml of 'manager' application

    No changes to the standard delivery

Thank you for your help
Adi