Java Mailing List Archive

http://www.junlu.com/

WEB-INF/context.xml ignored

Matt Bockol

2007-02-23

Hi Folks,

I'm having trouble getting a context.xml file to be obeyed.

I'm using:

Tomcat 5.5.20, the stock install from tomcat.apache.org.
JDK 1.6, direct from Sun.
RedHat Enterprise Linux AS3

The application I'm installing is the Shibboleth Identity Provider
(IdP). The installation process generates a shibboleth-idp.war file
which deploys fine when I start tomcat.

Out of the box, the IdP relies on Apache to handle authentication, but
form based auth is more desirable. I edited the WEB-INF/web.xml file to
add a security-constraint, login-config, and security-role, then added a
realm block to the engine block in $CATALINA_HOME/conf/server.xml like this:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.carleton.edu:636"
       userPattern="netid={0}, dc=carleton, dc=edu"
       userRoleName="objectclass"
/>

With this Shibboleth works fine, and there was much rejoicing.

This, though, breaks authentication to the Tomcat admin/manager apps
which usually use the UserDatabase resource (specified in a realm block
I had to comment out when adding the one above). Placing the Realm in
Engine makes it the default for the whole container, so I started
looking at how to make it specific to the shibboleth-idp.

Everything I've read says you should place a Context block in either:

 $CATALINA_HOME/webapps/shibboleth-idp/META-INF/context.xml
 or in
 $CATALINA_HOME/conf/Catalina/localhost/shibboleth.xml

I've tried both (not at the same time, and having removed the JNDI realm
from server.xml and restored the UserDatabase based realm), with the
following config:

<Context>

  <Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldaps://ldap.carleton.edu:636"
   userPattern="netid={0}, dc=carleton, dc=edu"
   userRoleName="objectclass"
   />

  <Valve className="org.apache.catalina.valves.AccessLogValve"
    prefix="shibboleth_access_log." suffix=".txt"
    directory="/tmp/"
    pattern="common"/>

</Context>

In both cases the /tmp/shibboleth_access_log.DATE.txt file was not
created and the login form only accepted credentials from
tomcat-users.xml, not LDAP. I restarted tomcat with each change. It
seems like the context.xml file is being completely ignored.

When I place a context block in server.xml's host block like so:

<Host ... >
  <Context path="/shibboleth-idp"
           docBase="/usr/local/tomcat/webapps/shibboleth-idp" debug="0"
           reloadable="true" crossContext="true">

    <Realm className="org.apache.catalina.realm.JNDIRealm"
      connectionURL="ldaps://ldap.carleton.edu:636"
      userPattern="netid={0}, dc=carleton, dc=edu"
      userRoleName="objectclass"
    />

  </Context>
</Host>

and remove the other context.xml / shibboleth-idp.xml files then the
tomcat-users.xml credentials work for the manager apps and the LDAP
credentials work for Shibboleth. This is what I want, but upon typing
that I expect the Tomcat gods to smite me for placing the Context in
server.xml since it's explicitly frowned upon.

Is there a flag somewhere that I'm missing to enable
META-INF/context.xml files? I tried using <Context override="true"> in
context.xml but that didn't do what I hoped it would.

Any help would be much appreciated.

Thanks,
Matt Bockol
Web Technical Administrator
Carleton College / 507-646-4432
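Added example, not part of the original post: a small Python check that resolves which per-application context file Tomcat 5.5 would actually consult for a given webapp, applying the rule from the Tomcat 5.5 context documentation (conf/Catalina/<host>/<app>.xml wins over webapps/<app>/META-INF/context.xml, and the file name, not a path attribute, names the application). It flags the two pitfalls visible in this thread: a context.xml under WEB-INF (the subject line) and a conf/Catalina/localhost/shibboleth.xml whose name does not match the shibboleth-idp application. The directory tree and the LDAP host in it are constructed for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed stand-in for the post's Realm block (hypothetical LDAP host).
JNDI_REALM_XML = """<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.edu:636"
         userPattern="uid={0},dc=example,dc=edu" userRoleName="objectclass"/>
</Context>
"""

def context_sources(catalina_home, app, host="localhost"):
    """Return (effective_context_file, warnings) for web application `app`.
    Tomcat 5.5 reads conf/Catalina/<host>/<app>.xml first and falls back to
    webapps/<app>/META-INF/context.xml; the file name, not any path attribute
    inside the Context element, decides which application the file applies to.
    """
    conf_dir = os.path.join(catalina_home, "conf", "Catalina", host)
    webapps = os.path.join(catalina_home, "webapps")
    candidates = [os.path.join(conf_dir, app + ".xml"),
                  os.path.join(webapps, app, "META-INF", "context.xml")]
    warnings = []
    if os.path.isfile(os.path.join(webapps, app, "WEB-INF", "context.xml")):
        warnings.append("WEB-INF/context.xml is never read; it belongs in META-INF/")
    # Only webapps/ is checked; Tomcat 5.5 keeps admin and manager under server/webapps.
    for name in (sorted(os.listdir(conf_dir)) if os.path.isdir(conf_dir) else []):
        stem, ext = os.path.splitext(name)
        if ext == ".xml" and not os.path.isdir(os.path.join(webapps, stem)):
            warnings.append(f"{name} configures context /{stem}, which matches no application in webapps/")
    effective = next((c for c in candidates if os.path.isfile(c)), None)
    return effective, warnings

def realm_class(context_file):
    """className of the Realm declared directly under <Context>, or None."""
    realm = ET.parse(context_file).getroot().find("Realm")
    return None if realm is None else realm.get("className")

def build_sample_tree():
    """Constructed CATALINA_HOME reproducing the thread's two mistakes plus the fix."""
    home = tempfile.mkdtemp(prefix="catalina_")
    for rel in ("webapps/shibboleth-idp/WEB-INF/context.xml",   # wrong directory
                "conf/Catalina/localhost/shibboleth.xml",       # name does not match shibboleth-idp
                "webapps/shibboleth-idp/META-INF/context.xml"):  # correct location
        path = os.path.join(home, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(JNDI_REALM_XML)
    return home
```

Calling `context_sources(build_sample_tree(), "shibboleth-idp")` reports the META-INF file as the one Tomcat would use and lists both warnings; point it at a real CATALINA_HOME to check an installation.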
