Re: problem in handling request for JK2

Hello Sunil,

I'm not sure if I understand what you are trying to do...

If you want Apache to authenticate, there should be something like this in httpd.conf:

    <Location /secure>
        AuthType basic
        AuthName "japan area"
        AuthBasicProvider dbm
        AuthDBMType SDBM
        AuthDBMUserFile /www/etc/dbmpasswd
        Require valid-user
    </Location>

If you want Tomcat to do the authentication, then:

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>HARBOR Security</realm-name>
    </login-config>

    <security-constraint>
        <!--this section dictates which URLS will invoke security-->
        <web-resource-collection>
            <web-resource-name>Test</web-resource-name>
            <url-pattern>/service/admin</url-pattern>
        </web-resource-collection>
        <!--only users in these roles will get access to the above uri-->
        <!--users are set in the conf/tomcat-users.xml file-->
        <auth-constraint>
            <role-name>japan_admin</role-name>
        </auth-constraint>
    </security-constraint>

I tried to find a good example for you, but I couldn't find anything for mod_jk2. Maybe someone else can comment on this, but I think mod_jk2 has been deprecated (it's old)... yes, the numbering doesn't make sense. Anyway, I think if you use mod_jk in future, you will find many more people can help.

If you want SSL as well, then have a look at the Apache help file, i.e. http://apacheserver/manual

I don't know mod_jk2, but I think that any Cert or SSL stuff in worker files must be for SSL between Apache and Tomcat... and it's not often needed or wanted.

Anyway... if you want little login boxes to prompt the user, you must do something like the above. If you do it in Apache, then local users can still get into Tomcat through a connector; if you do it in Tomcat, then all users, via Apache or direct to Tomcat, will have to log in. It depends on what your system looks like... I think it will probably be easier to do it on Tomcat and then deliver the WAR package to Japan. That way the Apache admin person just needs a simple connector setup.

Here is some sample stuff for mod_jk that will help you get going:
http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html
and some more for SSL:
https://spaces.internet2.edu/display/SHIB/JKIdPInstall

Main point is, if you start using MOD_JK then just googling for Tomcat Mod_jk will give you lots of info.

Your English is much better than my Japanese, but for prompting user login the word to search for is AUTHENTICATION... searching for security will probably give you SSL.

Hope that helps

----- Original Message -----
From: sunil chandran
To: Tomcat Users List
Cc: JOHN
Sent: Wednesday, April 04, 2007 10:58 AM
Subject: Re: problem in handling request for JK2

Hi,

this is the modification I made in the workers2.properties file:

    [channel.socket:localhost:8009]
    info=Ajp13 forwarding over socket
    debug=0
    tomcatId=localhost:8009

    # define the worker
    [ajp13:localhost:8009]
    channel=channel.socket:localhost:8009
    group=lb

    [uri:/cert]
    info=Colavo Authentication.
    debug=0

    [uri:/]
    info=Colavo Authentication.
    debug=0

    [uri:/event]
    info=Colavo Authentication.
    debug=0

    [uri:/status]

    [uri:/status02]
    info=Colavo Authentication.
    debug=0

---

Then I added

    LoadModule jk2_module modules/mod_jk2.so

inside the httpd.conf file in Apache. Now I can successfully run

    http://serverIP/status
    http://serverIP/cert?username=password=...

This is working fine, but I need to restrict opening this URL from my system. That URL should ask for authorization required (401 error), but the problem is I am able to run this URL of the server located in Japan from my system also, which I should restrict. I need to do some changes in the httpd.conf file itself.. please help me forward

On 4/4/07, JOHN [EMAIL PROTECTED] wrote:

Please show us the setup files...

----- Original Message -----
From: sunil chandran [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Wednesday, April 04, 2007 9:02 AM
Subject: problem in handling request for JK2

Hello all,

I am Sunil C. I have used the JK2 connector to connect Apache and Tomcat. I am having a servlet (Certserv) folder in the webapps folder in Tomcat. I gave the uri to that cert program in my workers2.properties file. Everything is working fine, but I face a security issue. This machine is in another domain, I mean Japan. I did a remote login and checked the uri. It's working fine. The real problem lies... when I type the uri from my machine. It should show authentication required because that folder is authentication restricted. But now
Re: problem in handling request for JK2

Hello Johnny,

I am sorry to confuse you... See, my problem is that I used mod_auth_kerb for implementing single sign-on in a Japan server. I finished the project.. then we found the problem... that module works only in Apache and not in Tomcat. So we needed something to connect Apache and Tomcat to request the servlet inside webapps of Tomcat. First I wrote a Perl script which will redirect the request to the servlet. That gave temporary relief. It was working fine. So a client request for a servlet (http://ipaddress/cert) will run perfectly from a Japan machine, but running it from my system will say authentication required. That's how it should run...

*I should not be able to run that servlet in JP server from my machine.. that's where authentication prompt comes.. instead if I remote login to a JP machine and run the url.. it works perfectly..*

That's how my project should work. I hope till here you are clear!

Now I went for the JK2 connector. Now after configuring the appropriate files.. I checked the URL from JP machine. It works perfectly (now no need of the Perl script!) but when I run from my machine also I am able to get the result... (which is not what I should get). That means now I am not getting that authentication message.. but am able to run the url and get the result from my machine also. That's what I mentioned about a security issue... no security for the URL.. so I should change something inside the httpd.conf file... that's what my doubt is. Hope you understood the scenario...

This is the data I have given for Kerberos authentication inside my httpd.conf..

    <Directory />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms JP.SONY.COM
        KrbServiceName HTTP/[EMAIL PROTECTED]
        Krb5Keytab /usr/local/apache/conf/jptkysip99.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        Require valid-user
    </Directory>

On 4/5/07, Johnny Kewl [EMAIL PROTECTED] wrote:

Hello Sunil,

I'm not sure if I understand what you are trying to do...

If you want Apache to authenticate, there should be something like this in httpd.conf:

    <Location /secure>
        AuthType basic
        AuthName "japan area"
        AuthBasicProvider dbm
        AuthDBMType SDBM
        AuthDBMUserFile /www/etc/dbmpasswd
        Require valid-user
    </Location>

If you want Tomcat to do the authentication, then:

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>HARBOR Security</realm-name>
    </login-config>

    <security-constraint>
        <!--this section dictates which URLS will invoke security-->
        <web-resource-collection>
            <web-resource-name>Test</web-resource-name>
            <url-pattern>/service/admin</url-pattern>
        </web-resource-collection>
        <!--only users in these roles will get access to the above uri-->
        <!--users are set in the conf/tomcat-users.xml file-->
        <auth-constraint>
            <role-name>japan_admin</role-name>
        </auth-constraint>
    </security-constraint>

I tried to find a good example for you, but I couldn't find anything for mod_jk2. Maybe someone else can comment on this, but I think mod_jk2 has been deprecated (it's old)... yes, the numbering doesn't make sense. Anyway, I think if you use mod_jk in future, you will find many more people can help.

If you want SSL as well, then have a look at the Apache help file, i.e. http://apacheserver/manual

I don't know mod_jk2, but I think that any Cert or SSL stuff in worker files must be for SSL between Apache and Tomcat... and it's not often needed or wanted.

Anyway... if you want little login boxes to prompt the user, you must do something like the above. If you do it in Apache, then local users can still get into Tomcat through a connector; if you do it in Tomcat, then all users, via Apache or direct to Tomcat, will have to log in. It depends on what your system looks like... I think it will probably be easier to do it on Tomcat and then deliver the WAR package to Japan. That way the Apache admin person just needs a simple connector setup.

Here is some sample stuff for mod_jk that will help you get going:
http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html
and some more for SSL:
https://spaces.internet2.edu/display/SHIB/JKIdPInstall

Main point is, if you start using MOD_JK then just googling for Tomcat Mod_jk will give you lots of info.

Your English is much better than my Japanese, but for prompting user login the word to search for is AUTHENTICATION... searching for security will probably give you SSL.

Hope that helps

----- Original Message -----
From: sunil chandran [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Cc: JOHN [EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 10:58 AM
Subject: Re: problem in handling request for JK2

Hi,

this is the modification I made in the workers2.properties file:

    [channel.socket:localhost:8009]
    info=Ajp13 forwarding over socket
    debug=0
    tomcatId=localhost:8009
Re: problem in handling request for JK2

Ah... I think I understand, but I have never set up Kerberos before so I have to guess.

I think you are protecting the Directory locations with Kerberos, BUT then just connecting the web to Tomcat. I think that Kerberos stuff has to also be in the Location of the Tomcat URI; see the second link.

If you want to put Tomcat on Kerberos:
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberos

I think the problem is you are protecting a Directory; I think it has to be a Location. See this link:
http://synewgrid.blogspot.com/2006_05_01_synewgrid_archive.html

Hope this helps

----- Original Message -----
From: sunil chandran [EMAIL PROTECTED]
To: Johnny Kewl [EMAIL PROTECTED]
Cc: users@tomcat.apache.org
Sent: Thursday, April 05, 2007 9:13 AM
Subject: Re: problem in handling request for JK2

Hello Johnny,

I am sorry to confuse you... See, my problem is that I used mod_auth_kerb for implementing single sign-on in a Japan server. I finished the project.. then we found the problem... that module works only in Apache and not in Tomcat. So we needed something to connect Apache and Tomcat to request the servlet inside webapps of Tomcat. First I wrote a Perl script which will redirect the request to the servlet. That gave temporary relief. It was working fine. So a client request for a servlet (http://ipaddress/cert) will run perfectly from a Japan machine, but running it from my system will say authentication required. That's how it should run...

*I should not be able to run that servlet in JP server from my machine.. that's where authentication prompt comes.. instead if I remote login to a JP machine and run the url.. it works perfectly..*

That's how my project should work. I hope till here you are clear!

Now I went for the JK2 connector. Now after configuring the appropriate files.. I checked the URL from JP machine. It works perfectly (now no need of the Perl script!) but when I run from my machine also I am able to get the result... (which is not what I should get). That means now I am not getting that authentication message.. but am able to run the url and get the result from my machine also. That's what I mentioned about a security issue... no security for the URL.. so I should change something inside the httpd.conf file... that's what my doubt is. Hope you understood the scenario...

This is the data I have given for Kerberos authentication inside my httpd.conf..

    <Directory />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms JP.SONY.COM
        KrbServiceName HTTP/[EMAIL PROTECTED]
        Krb5Keytab /usr/local/apache/conf/jptkysip99.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        Require valid-user
    </Directory>

On 4/5/07, Johnny Kewl [EMAIL PROTECTED] wrote:

Hello Sunil,

I'm not sure if I understand what you are trying to do...

If you want Apache to authenticate, there should be something like this in httpd.conf:

    <Location /secure>
        AuthType basic
        AuthName "japan area"
        AuthBasicProvider dbm
        AuthDBMType SDBM
        AuthDBMUserFile /www/etc/dbmpasswd
        Require valid-user
    </Location>

If you want Tomcat to do the authentication, then:

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>HARBOR Security</realm-name>
    </login-config>

    <security-constraint>
        <!--this section dictates which URLS will invoke security-->
        <web-resource-collection>
            <web-resource-name>Test</web-resource-name>
            <url-pattern>/service/admin</url-pattern>
        </web-resource-collection>
        <!--only users in these roles will get access to the above uri-->
        <!--users are set in the conf/tomcat-users.xml file-->
        <auth-constraint>
            <role-name>japan_admin</role-name>
        </auth-constraint>
    </security-constraint>

I tried to find a good example for you, but I couldn't find anything for mod_jk2. Maybe someone else can comment on this, but I think mod_jk2 has been deprecated (it's old)... yes, the numbering doesn't make sense. Anyway, I think if you use mod_jk in future, you will find many more people can help.

If you want SSL as well, then have a look at the Apache help file, i.e. http://apacheserver/manual

I don't know mod_jk2, but I think that any Cert or SSL stuff in worker files must be for SSL between Apache and Tomcat... and it's not often needed or wanted.

Anyway... if you want little login boxes to prompt the user, you must do something like the above. If you do it in Apache, then local users can still get into Tomcat through a connector; if you do it in Tomcat, then all users, via Apache or direct to Tomcat, will have to log in. It depends on what your system looks like... I think it will probably be easier to do it on Tomcat and then deliver the WAR package to Japan. That way the Apache admin person just needs a simple connector setup.

Here is some sample stuff for mod_jk that will help you get going:
http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html
and some more for SSL:
https://spaces.internet2.edu/display/SHIB/JKIdPInstall

Main point
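The Directory-versus-Location suggestion from the reply above, written out as an added example that is not part of the original thread. `<Directory>` sections match filesystem paths and `<Location>` sections match request URIs, and a URI the connector forwards to Tomcat is not served from an Apache directory. The Kerberos directives and the `/cert` and `/event` URIs are the ones posted in the thread; the `KrbServiceName` value is a placeholder because the thread redacts it.

```apache
# Added example, not from the thread.

# Before (as posted in the thread, shown commented out): the Kerberos
# requirement is attached to a filesystem path.
#
# <Directory />
#     AuthType Kerberos
#     AuthName "Kerberos Login"
#     ...
#     Require valid-user
# </Directory>

# After: the same directives attached to the URI that workers2.properties
# maps to Tomcat ([uri:/cert]).
<Location /cert>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms JP.SONY.COM
    # Placeholder: the real service principal is redacted in the thread.
    KrbServiceName HTTP/PLACEHOLDER_SERVICE_PRINCIPAL
    Krb5Keytab /usr/local/apache/conf/jptkysip99.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>

# Every other forwarded URI that must be protected needs the same treatment,
# for example [uri:/event] from workers2.properties.
<Location /event>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms JP.SONY.COM
    # Placeholder, as above.
    KrbServiceName HTTP/PLACEHOLDER_SERVICE_PRINCIPAL
    Krb5Keytab /usr/local/apache/conf/jptkysip99.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>

# Expected result: a request for /cert without valid Kerberos credentials
# is answered with 401 by Apache and is not forwarded to Tomcat.
# This only covers requests that pass through Apache; as the earlier reply
# in the thread notes, users who can reach Tomcat directly are not covered.
```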
problem in handling request for JK2

Hello all,

I am Sunil C. I have used the JK2 connector to connect Apache and Tomcat. I am having a servlet (Certserv) folder in the webapps folder in Tomcat. I gave the uri to that cert program in my workers2.properties file. Everything is working fine, but I face a security issue. This machine is in another domain, I mean Japan. I did a remote login and checked the uri. It's working fine. The real problem lies... when I type the uri from my machine. It should show authentication required because that folder is authentication restricted. But now.. I am able to run the uri from machine also. Please tell me how I can restrict it. I tried giving:

    <Location /cert>
        JkUriSet worker ajp13:localhost:8009
    </Location>

but it doesn't seem to work. Is there something I have to include in my httpd.conf file of Apache? Please help me forward. Thanks in advance.

--
Sunil
Re: problem in handling request for JK2

Please show us the setup files...

----- Original Message -----
From: sunil chandran [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Wednesday, April 04, 2007 9:02 AM
Subject: problem in handling request for JK2

Hello all,

I am Sunil C. I have used the JK2 connector to connect Apache and Tomcat. I am having a servlet (Certserv) folder in the webapps folder in Tomcat. I gave the uri to that cert program in my workers2.properties file. Everything is working fine, but I face a security issue. This machine is in another domain, I mean Japan. I did a remote login and checked the uri. It's working fine. The real problem lies... when I type the uri from my machine. It should show authentication required because that folder is authentication restricted. But now.. I am able to run the uri from machine also. Please tell me how I can restrict it. I tried giving:

    <Location /cert>
        JkUriSet worker ajp13:localhost:8009
    </Location>

but it doesn't seem to work. Is there something I have to include in my httpd.conf file of Apache? Please help me forward. Thanks in advance.

--
Sunil

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem in handling request for JK2

Hi,

this is the modification I made in the workers2.properties file:

    [channel.socket:localhost:8009]
    info=Ajp13 forwarding over socket
    debug=0
    tomcatId=localhost:8009

    # define the worker
    [ajp13:localhost:8009]
    channel=channel.socket:localhost:8009
    group=lb

    [uri:/cert]
    info=Colavo Authentication.
    debug=0

    [uri:/]
    info=Colavo Authentication.
    debug=0

    [uri:/event]
    info=Colavo Authentication.
    debug=0

    [uri:/status]

    [uri:/status02]
    info=Colavo Authentication.
    debug=0

---

Then I added

    LoadModule jk2_module modules/mod_jk2.so

inside the httpd.conf file in Apache. Now I can successfully run

    http://serverIP/status
    http://serverIP/cert?username=password=...

This is working fine, but I need to restrict opening this URL from my system. That URL should ask for authorization required (401 error), but the problem is I am able to run this URL of the server located in Japan from my system also, which I should restrict. I need to do some changes in the httpd.conf file itself.. please help me forward

On 4/4/07, JOHN [EMAIL PROTECTED] wrote:

Please show us the setup files...

----- Original Message -----
From: sunil chandran [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Wednesday, April 04, 2007 9:02 AM
Subject: problem in handling request for JK2

Hello all,

I am Sunil C. I have used the JK2 connector to connect Apache and Tomcat. I am having a servlet (Certserv) folder in the webapps folder in Tomcat. I gave the uri to that cert program in my workers2.properties file. Everything is working fine, but I face a security issue. This machine is in another domain, I mean Japan. I did a remote login and checked the uri. It's working fine. The real problem lies... when I type the uri from my machine. It should show authentication required because that folder is authentication restricted. But now.. I am able to run the uri from machine also. Please tell me how I can restrict it. I tried giving:

    <Location /cert>
        JkUriSet worker ajp13:localhost:8009
    </Location>

but it doesn't seem to work. Is there something I have to include in my httpd.conf file of Apache? Please help me forward. Thanks in advance.

--
Sunil

--
Sunil