Tomcat & Apache webserver authentication

Hi,

I connected Tomcat 5.5 and Apache Webserver together with mod_jk. My servlet calls are correctly transferred to Tomcat by Apache, and if I address a servlet in a "secured" zone I'm prompted for a password (Form authentication in a JDBCRealm in Tomcat). So far, so good. But I wonder if it is possible to configure Tomcat or Apache or both to share their realm, so the Tomcat authentication covers both Tomcat and Apache secured areas with 1 user/password database. Everything I found on the web covers the one case where the secured area is completely in a Tomcat webcontext.

Thanks in advance for any input!

Bart.

---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

Re: Tomcat & Apache webserver authentication

bartd wrote:
> Hi,
>
> I connected Tomcat 5.5 and Apache Webserver together with mod_jk. My
> servlet calls are correctly transferred to Tomcat by Apache and if I
> address a servlet in a "secured" zone I'm prompted for a password
> (Form authentication in a JDBCRealm in Tomcat). So far, so good. But I
> wonder if it is possible to configure Tomcat or Apache or both to
> share their realm, so the Tomcat authentication covers both Tomcat and
> Apache secured areas with 1 user/password database. Everything I found
> on the web covers the one case where the secured area is completely in
> a Tomcat webcontext.

You should be able to share the user database with JDBCRealm (Tomcat) and mod_auth_dbd (Apache httpd 2.2) resp. with JNDIRealm and mod_authnz_ldap.

> Thanks in advance for any input!
>
> Bart.

Regards,

Rainer

Re: Tomcat & Apache webserver authentication

bartd wrote:
> Thanks Rainer for your quick answer. Does "sharing the same database" mean
> that if you are authenticated for 1 application, you're automatically
> authenticated for the other application?

No. It means you only need one user administration.

What you are now asking for is sharing some kind of security context between httpd and Tomcat. Actually you are asking about sharing between applications, but I will focus here on the httpd/Tomcat interaction.

I've got no complete solution to that, but there are some building blocks:

Basic auth uses http headers. Once the browser authenticated a user via basic auth, it will always send the Authorization header with the requests for the same server - unless a URL is protected by a different realm (more precisely a different realm-name in login-config in web.xml). The same should hold true for digest authentication. These ways of httpd authentication are used by httpd and Tomcat. So you can play around by using the same realm-name (by which I don't mean the class name implementing a special realm type in Tomcat).

mod_jk and mod_proxy_ajp will also automatically transport some authentication information from httpd to Tomcat, e.g. remote_user and auth_type. If you set tomcatAuthentication="false" in your AJP connector config (in server.xml), you can retrieve the remote user via request.getRemoteUser().

Additional information could be made available in httpd as so-called environment variables (not the same as a shell environment variable) and then forwarded to Tomcat via JkEnvVar.

Regards,

Rainer

> ---------- Initial header -----------
>
> From : "Rainer Jung" rainer.jung@...
> To : "Tomcat Users List" users@...
> CC :
> Date : Wed, 14 May 2008 13:29:48 +0200
> Subject : Re: Tomcat & Apache webserver authentication
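
The building blocks listed in the reply above, combined into one httpd 2.2 configuration. This is an added example, not configuration from the thread or from either project: httpd checks passwords against one SQL table (through mod_dbd and mod_authn_dbd) for both its own area and the mod_jk-mounted webapp, and Tomcat accepts the forwarded user. The paths, worker name, table and column names, database parameters and the AUTH_SOURCE variable are assumptions.

```apache
# Added example (not from the thread). Assumed names: /private, /app,
# worker1, table users(user_name, user_pass), AUTH_SOURCE, DB parameters.

# Shared user database for httpd 2.2 (mod_dbd + mod_authn_dbd).
DBDriver mysql
DBDParams "host=127.0.0.1 dbname=authdb user=httpd pass=CHANGE_ME"

# Area served by httpd itself.
<Location /private>
    AuthType Basic
    # Same realm name on every protected area, so the browser keeps
    # sending the same Authorization header.
    AuthName "Shared Realm"
    AuthBasicProvider dbd
    # user_pass must hold a password hash in a format httpd can verify.
    AuthDBDUserPWQuery "SELECT user_pass FROM users WHERE user_name = %s"
    Require valid-user
</Location>

# Webapp forwarded to Tomcat by mod_jk; httpd authenticates it too.
JkMount /app/* worker1
<Location /app>
    AuthType Basic
    AuthName "Shared Realm"
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT user_pass FROM users WHERE user_name = %s"
    Require valid-user
</Location>

# Extra httpd environment variable forwarded over AJP. In the servlet it
# is read with request.getAttribute("AUTH_SOURCE").
SetEnv AUTH_SOURCE httpd-dbd
JkEnvVar AUTH_SOURCE unset

# Tomcat side, conf/server.xml (XML shown here as a comment):
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
# request.getRemoteUser() then returns the user httpd authenticated.
# Tomcat trusts whatever user name arrives on this connector, so keep it
# bound to an address only httpd can reach.
```

In this layout access control for /app is enforced in httpd, and the comments in the block sit on their own lines because httpd does not allow a comment on the same line as a directive.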

RE: Tomcat & Apache webserver authentication

Ok Rainer, due to your information I think I see a way out. Thank you very much!

Bart.

-----Original message-----
From: Rainer Jung [mailto:rainer.jung@...]
Sent: Wednesday 14 May 2008 16:35
To: Tomcat Users List
Subject: Re: Tomcat & Apache webserver authentication

Tomcat 6.0.14 Problem

Hello everyone,

Is there any idea of how to fix,

"Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability" in tomcat6.

Thanks,

Haluk.

Re: Tomcat 6.0.14 Problem

HALUK YUZUCU wrote:
> Hello everyone,
>
> Is there any idea of how to fix,
>
> "Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability" in tomcat6.
>
> Thanks,
>
> Haluk.

When starting a new thread (i.e. sending a message to the list about a new topic) please do not reply to an existing message and change the subject line. This is known as thread hijacking, and to many of the list archiving services and mail clients used by list subscribers this makes your new message appear as part of the old thread. This makes it harder for other users to find relevant information when searching the lists.

It should also be noted that many list subscribers automatically ignore any messages that hijack another thread.

The correct procedure is to create a new message with a new subject. This will start a new thread.

Thanks,

Mark