Java Mailing List Archive


Howto Apache LDAP ACL pass to Tomcat ??

2006-11-20 - By Jack Yu

Tried to pass the Apache ACL authenticated user credential to Tomcat, but failed.



System: FreeBSD 6.1, Apache 2.2.3, SUN jdk 1.4.2, Tomcat 5.5

Apache is set up to authenticate against the LDAP server:

<Directory />
   AuthLDAPURL ldap://ldap.jackyu.org/dc=jackyu,dc=org?uid
   AuthLDAPGroupAttributeIsDN off
   AuthLDAPGroupAttribute memberUid
   AuthLDAPBindDN cn=bind,ou=SystemAccounts,dc=jackyu,dc=org
   AuthLDAPBindPassword ******
   AuthType basic
   AuthName "AAA"
   AuthBasicProvider ldap
   require ldap-group cn=test,ou=Groups,dc=jackyu,dc=org
   AllowOverride None
   Order deny,allow
   Deny from all
   AuthzLDAPAuthoritative on
</Directory>

Users with LDAP group membership of test can authenticate themselves when
accessing the home page in Apache, http://jackyu.org/index.html.



When Apache ACL authenticated users go to http://jackyu.org/xyz/index.jsp,
the page goes through mod_jk and is passed to the Tomcat server (on the same
host).

Here is the mod_jk section in httpd.conf:
# mod_jk.so settings
JkWorkersFile "/usr/local/etc/apache22/workers.properties"
JkLogFile "/var/log/mod_jk.log"
JkLogLevel debug
JkMount /xyz abc
JkMount /zyx/* abc
# end of mod_jk.so settings


Here is the workers.properties:

worker.list=abc
worker.abc.port=8009
worker.abc.host=localhost
worker.abc.type=ajp13
worker.abc.lbfactor=1
worker.abc.cachesize=10
worker.abc.cache_timeout=600
worker.abc.socket_keepalive=1
worker.abc.recycle_timeout=300



I have also added tomcatAuthentication="false" to the server.xml in Tomcat:

   <Connector port="8009"
           enableLookups="false" redirectPort="8443"
    protocol="AJP/1.3" tomcatAuthentication="false" />





In the Tomcat webapp /xyz, I added the following to the web.xml:

<!-- Define a Security Constraint on this Application -->
 <security-constraint>
   <web-resource-collection>
     <web-resource-name> AAA </web-resource-name>
               <url-pattern>/*</url-pattern>
               <http-method>HTTP</http-method>
               <http-method>GET</http-method>
               <http-method>POST</http-method>
               <http-method>PUT</http-method>
               <http-method>DELETE</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>test</role-name>
   </auth-constraint>
 </security-constraint>

<!-- Define the Login Configuration for this Application -->
 <login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>AAA</realm-name>
 </login-config>

 <!-- Security roles referenced by this web application -->
 <security-role>
   <description>
     The role that is required to log in to the AAA
   </description>
   <role-name>test</role-name>
 </security-role>



The Apache authenticated user credential (with LDAP group test) wasn't passed
to Tomcat properly. The log file displayed null for the user.


Also, if users copy and paste the URL, http://jackyu.org/xyz/index.jsp, into a new
browser, there is no Apache ACL login popup.


Does anyone know how to make this work?


Thanks


Jack Yu
jack@(protected)
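
An added example, not part of the original post and not Apache or mod_jk code: a Python check that lists JkMount URL patterns not covered by a URL-scoped `<Location>` section carrying a Require directive. It assumes, as a review policy, that `<Directory>` sections (which match filesystem paths) are not relied on to protect URLs forwarded by mod_jk; the function names and the reduced sample config are constructed for illustration.

```python
import re

# Constructed sample: the directives from the post, reduced to the relevant lines.
SAMPLE_HTTPD_CONF = """\
<Directory />
   AuthType basic
   AuthBasicProvider ldap
   require ldap-group cn=test,ou=Groups,dc=jackyu,dc=org
</Directory>
JkMount /xyz abc
JkMount /zyx/* abc
"""

def parse(conf):
    """Return (jk_mounts, url_auth): JkMount URL patterns, and the URL prefixes
    of <Location> sections that contain a Require directive."""
    mounts, url_auth, section = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<(Directory|Location)\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            section = (m.group(1).lower(), m.group(2).strip())
        elif re.match(r"</(Directory|Location)>", line, re.I):
            section = None
        elif re.match(r"require\s", line, re.I):
            # Only URL-scoped sections count (assumption of this check).
            if section and section[0] == "location":
                url_auth.append(section[1])
        elif section is None and re.match(r"JkMount\s", line, re.I):
            mounts.append(line.split()[1])
    return mounts, url_auth

def uncovered_mounts(conf):
    """JkMount patterns whose URL prefix is under no authenticated <Location>."""
    mounts, url_auth = parse(conf)

    def covered(pattern):
        prefix = pattern.split("*")[0].rstrip("/") or "/"
        return any(prefix == loc.rstrip("/")
                   or prefix.startswith(loc.rstrip("/") + "/")
                   for loc in url_auth)

    return [p for p in mounts if not covered(p)]

if __name__ == "__main__":
    for pattern in uncovered_mounts(SAMPLE_HTTPD_CONF):
        print("JkMount without URL-scoped auth:", pattern)
```
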


