I have a setup where httpd is doing my (basic) authentication but I need tomcat (6, if it matters) to manage the roles and do the authorization. The link between httpd and tomcat is through the ajp connector and on this connector's config I've added:

    tomcatAuthentication="false"

This passes the authenticated user name as expected, but even if I have this user listed in my tomcat-users.xml file, I get a 403 (access denied). I'm using the standard UserDatabaseRealm and I'm happy to continue using it with the tomcat-users.xml file.

What I've learned, however, is that when tomcatAuthentication is off then instead of the UserDatabaseRealm producing the principal (GenericPrincipal) it is produced by the connector (I think) and is then a CoyotePrincipal. So, because it is unrecognized, the UserDatabaseRealm rejects this principal in the hasRole() method and it always returns false.

The Realm API seems straightforward enough, but before I create my own and parse the users file and package my realm to place in the container and probably a few other steps I'm wondering if there's something simpler I could do that's already out there? This seems like a reasonably common thing but I couldn't find anything relevant.

Thanks for the time!
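The following is an added illustration of the mismatch the post describes, not code from the original post or from the Tomcat project: a subclass of the stock UserDatabaseRealm that keeps tomcat-users.xml as the only source of roles but, when handed the name-only principal the connector builds under tomcatAuthentication="false", resolves that name through the UserDatabase before the role check. It assumes the Tomcat 6 Realm API (hasRole(Principal, String); Tomcat 7 and later add a Wrapper parameter) and that UserDatabaseRealm.getPrincipal(String) returns a GenericPrincipal carrying the user's roles and group roles, which is how the stock realm behaves. The package and class name are hypothetical.

```java
// Added example, not from the original post: a realm that accepts the
// connector-built principal produced when httpd authenticates over AJP
// (tomcatAuthentication="false") and authorizes it from tomcat-users.xml.
// Assumes Tomcat 6; class/package name are hypothetical.
package com.example.realm;

import java.security.Principal;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.UserDatabaseRealm;

public class ForwardedUserDatabaseRealm extends UserDatabaseRealm {

    @Override
    public boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null) {
            return false;
        }
        // A principal this realm created already carries its roles, so the
        // stock implementation can answer directly.
        if (principal instanceof GenericPrincipal) {
            return super.hasRole(principal, role);
        }
        // Any other principal came from the connector (httpd did the
        // authentication) and has only a name. Resolve that name against
        // the UserDatabase; the result is a GenericPrincipal whose role set
        // combines the user's own roles and its group roles.
        Principal resolved = getPrincipal(principal.getName());
        if (resolved == null) {
            // httpd authenticated a user that tomcat-users.xml does not know:
            // no roles, so the request is denied (403), which is the safe default.
            return false;
        }
        return super.hasRole(resolved, role);
    }
}
```

The class would be packaged into a jar under $CATALINA_HOME/lib and referenced from server.xml in place of the stock realm, e.g. `<Realm className="com.example.realm.ForwardedUserDatabaseRealm" resourceName="UserDatabase"/>` (resourceName is the existing UserDatabaseRealm attribute). One point to keep in view with this setup: under tomcatAuthentication="false" Tomcat trusts whatever user name arrives on the AJP connector, so the connector must only be reachable from the httpd host (bind it to a loopback or private address and filter the port), otherwise the authorization performed here rests on a name anyone who can reach the port could supply.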