Disable password checking for Manager app

Greetings, all....

I have a web app server that has Apache in front of Tomcat. Apache is handling user authentication and security checking (through an experimental X.509 <-> Kerberos gateway service being developed by others in my group, but that is neither here nor there), and passes the username (as either REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat. To get that to work, we had to include the 'request.tomcatAuthentication="false"' directive in the AJP block of server.xml. Unfortunately, this kills the Tomcat manager, as it will no longer allow us to log into it. We use it extensively to deploy new versions of our web apps, etc.

I have tried putting my authenticated username into tomcat-users.xml as a user with the manager role, and it still does not allow me to use the manager, with error "403: Access to the requested resource has been denied". I checked the tomcat-users.xml file, and it has added a password entry (password="null") to my user definition.

So what I want to know is, can I get Tomcat to accept the username passed in from Apache without a password (the only connection allowed into Tomcat is AJP) so that I can put the users allowed to access the manager app into tomcat-users.xml, and let Apache do all of the authentication? Any pointers would be greatly appreciated, thanks in advance.

JDK 1.6.0
Tomcat 5.5.23
mod-jk 1.2.21
http 2.2.4 RHEL 5
shibboleth sp 1.3.1
Re: Disable password checking for Manager app

dracus wrote:

> Greetings, all....
>
> I have a web app server that has Apache in front of Tomcat. Apache is handling user authentication and security checking (through an experimental X.509 <-> Kerberos gateway service being developed by others in my group, but that is neither here nor there), and passes the username (as either REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat. To get that to work, we had to include the 'request.tomcatAuthentication="false"' directive in the AJP block of server.xml. Unfortunately, this kills the Tomcat manager, as it will no longer allow us to log into it. We use it extensively to deploy new versions of our web apps, etc. I have tried putting my authenticated username into tomcat-users.xml as a user with the manager role, and it still does not allow me to use the manager, with error "403: Access to the requested resource has been denied". I check the tomcat-users.xml file, and it has added a password entry (password="null") to my user define. So what I want to know is, can I get tomcat to accept the username passed in from Apache without a password (the only connection allowed into Tomcat is AJP) so that I can put the users allowed to access the manager app into tomcat-users.xml, and let Apache do all of the authentication? Any pointers would be greatly appreciated, thanks in advance.
>
> JDK 1.6.0
> Tomcat 5.5.23
> mod-jk 1.2.21
> http 2.2.4 RHEL 5
> shibboleth sp 1.3.1

Just to add that I am also interested in the question above, or more generally to learn if there exists a way to pass, from Apache through mod_jk to Tomcat, some form of "Tomcat role" for a user already authenticated by Apache.

On the other hand, might it not be possible to modify the <auth-constraint> section of the web.xml of the manager application, so that instead of requiring a "role = manager", it would instead require a specific authenticated user (which could then be the one passed from Apache)?

André

---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
Re: Disable password checking for Manager app

dracus schrieb:

> Greetings, all....
>
> I have a web app server that has Apache in front of Tomcat. Apache is handling user authentication and security checking (through an experimental X.509 <-> Kerberos gateway service being developed by others in my group, but that is neither here nor there), and passes the username (as either REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat. To get that to work, we had to include the 'request.tomcatAuthentication="false"' directive in the AJP block of server.xml. Unfortunately, this kills the Tomcat manager, as it will no longer allow us to log into it. We use it extensively to deploy new versions of our web apps, etc. I have tried putting my authenticated username into tomcat-users.xml as a user with the manager role, and it still does not allow me to use the manager, with error "403: Access to the requested resource has been denied". I check the tomcat-users.xml file, and it has added a password entry (password="null") to my user define. So what I want to know is, can I get tomcat to accept the username passed in from Apache without a password (the only connection allowed into Tomcat is AJP) so that I can put the users allowed to access the manager app into tomcat-users.xml, and let Apache do all of the authentication? Any pointers would be greatly appreciated, thanks in advance.
>
> JDK 1.6.0
> Tomcat 5.5.23
> mod-jk 1.2.21
> http 2.2.4 RHEL 5
> shibboleth sp 1.3.1

What about using a different connector to use the manager webapp? It wouldn't be too uncommon to let customer traffic in via the AJP connector, and local admin traffic via the/an http connector. Since that one wouldn't have the tomcatAuthentication="false", it should rely on the defined Realm.

Doesn't that work?

Regards,

Rainer
Re: Disable password checking for Manager app

Rainer Jung wrote:

> dracus schrieb:
>> Greetings, all....
>>
>> I have a web app server that has Apache in front of Tomcat. Apache is handling user authentication and security checking (through an experimental X.509 <-> Kerberos gateway service being developed by others in my group, but that is neither here nor there), and passes the username (as either REMOTE_USER or Shib-InetOrgPerson-mail) to Tomcat. To get that to work, we had to include the 'request.tomcatAuthentication="false"' directive in the AJP block of server.xml. Unfortunately, this kills the Tomcat manager, as it will no longer allow us to log into it. We use it extensively to deploy new versions of our web apps, etc. I have tried putting my authenticated username into tomcat-users.xml as a user with the manager role, and it still does not allow me to use the manager, with error "403: Access to the requested resource has been denied". I check the tomcat-users.xml file, and it has added a password entry (password="null") to my user define. So what I want to know is, can I get tomcat to accept the username passed in from Apache without a password (the only connection allowed into Tomcat is AJP) so that I can put the users allowed to access the manager app into tomcat-users.xml, and let Apache do all of the authentication? Any pointers would be greatly appreciated, thanks in advance.
>>
>> JDK 1.6.0 Tomcat 5.5.23 mod-jk 1.2.21 http 2.2.4 RHEL 5 shibboleth sp 1.3.1
>
> What about using a different connector to use the manager webapp? It wouldn't be to uncommon to let customer traffic in via the AJP connector, and local admin traffic via the/an http connector. Since that one wouldn't have the tomcatAuthentication="false", it should rely on the defined Realm.
>
> Doesn't that work?

port (e.g. 8010 instead of 8009), with request.tomcatAuthentication="true" and with "JkMount /manager ajp13manager" in Apache (and the corresponding worker etc.).

But still, what about changing the manager application's security constraints, to make it depend on a user-id rather than a role? Is that possible?

André
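The two-connector layout that Rainer and André describe above, written out as an added example (a script that stages the three configuration fragments and then checks them; this is not configuration posted in the thread). The staging directory, the worker name ajp13manager, the loopback bind address and the file paths are assumptions. The attribute is written as tomcatAuthentication, the form Rainer uses; the original post spells it with a request. prefix. The check at the end follows the JkMount for /manager/* to its worker, the worker to its port, and the port to its Connector, and fails if that Connector carries tomcatAuthentication="false": on such a connector Tomcat takes the user name straight from the AJP request and never verifies a password, which is fine for the application traffic Apache has already authenticated but must not be the path by which the manager is reached.

```shell
#!/bin/sh
# Added example: stage a two-connector Tomcat 5.5 / mod_jk layout and verify
# that the manager webapp is only reachable through the connector that keeps
# Tomcat's own Realm. Paths, worker names and STAGE are assumptions.

STAGE="${STAGE:-$(mktemp -d)}"

write_configs() {
  # server.xml: 8009 trusts the REMOTE_USER Apache forwards; 8010 does not.
  # Both bind to loopback so only the local Apache can speak AJP to them.
  cat > "$STAGE/server.xml" <<'EOF'
<Service name="Catalina">
  <!-- application traffic: Tomcat accepts the user name set by Apache/Shibboleth -->
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             tomcatAuthentication="false" />
  <!-- admin traffic: Tomcat authenticates against its own Realm (tomcat-users.xml) -->
  <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
EOF
  # workers.properties: one mod_jk worker per connector
  cat > "$STAGE/workers.properties" <<'EOF'
worker.list=ajp13,ajp13manager
worker.ajp13.type=ajp13
worker.ajp13.host=127.0.0.1
worker.ajp13.port=8009
worker.ajp13manager.type=ajp13
worker.ajp13manager.host=127.0.0.1
worker.ajp13manager.port=8010
EOF
  # httpd.conf: /manager goes to the Realm-backed worker, the rest to the
  # worker that trusts Apache's authentication
  cat > "$STAGE/httpd.conf" <<'EOF'
JkWorkersFile /etc/httpd/conf/workers.properties
JkMount /manager ajp13manager
JkMount /manager/* ajp13manager
JkMount /* ajp13
EOF
}

# Resolve /manager/* -> worker -> port -> Connector and report whether that
# Connector keeps Tomcat authentication.
# Returns 0 if it does, 1 if it has tomcatAuthentication="false",
# 2 if the mount or the worker port cannot be found.
check_manager_connector() {
  httpd_conf=$1; workers=$2; server_xml=$3
  worker=$(awk '$1 == "JkMount" && $2 == "/manager/*" { print $3; exit }' "$httpd_conf")
  [ -n "$worker" ] || return 2
  port=$(awk -F= -v k="worker.$worker.port" '$1 == k { print $2; exit }' "$workers")
  [ -n "$port" ] || return 2
  # Split server.xml on '>' so every start tag becomes one awk record.
  awk -v port="$port" 'BEGIN { RS = ">"; bad = 0 }
    index($0, "<Connector") && index($0, "port=\"" port "\"") &&
      index($0, "tomcatAuthentication=\"false\"") { bad = 1 }
    END { exit bad }' "$server_xml"
}

if write_configs && check_manager_connector "$STAGE/httpd.conf" "$STAGE/workers.properties" "$STAGE/server.xml"; then
  echo "ok: /manager is served by a connector that keeps Tomcat's own authentication"
else
  echo "WARNING: /manager would trust the Apache-supplied user name" >&2
fi
```

The check is worth keeping around as a deploy-time guard: with a dozen containers per host it is easy to copy a server.xml and forget which connector the manager mount points at, and the failure mode is silent (the manager simply stops asking for a password).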
Re: Disable password checking for Manager app

This opens up other problems that we do not wish to deal with. The Apache instance in question is on the local machine, so we would have to use a non-standard port, which will require getting that approved by the security team. Also, with the number of servers we plan on deploying with this architecture, this would become an administrative problem.

Having the authentication infrastructure we are building pass the username from Apache to Tomcat makes this worlds easier, so we will not have to have a separate infrastructure for updating the Tomcat manager passwords. When you are talking about a dozen plus servers with a half dozen to a dozen Tomcat containers each, with both operational staff and separate development staff for each container needing access to the manager, managing passwords becomes challenging.

Dracus