Getting 403 (Access Denied) when running Tomcat under Eclipse

2010-01-18 Thread ohaya
Hi, I have a web application that works when run directly under Tomcat. This web app has the following in web.xml: <security-constraint> <web-resource-collection> <web-resource-name>testweb</web-resource-name> <description>accessible by authenticated

Re: Getting 403 (Access Denied) when running Tomcat under Eclipse

2010-01-18 Thread ohaya
Hi, AHH!! I was only looking through the Eclipse GUI settings, and hadn't noticed that under Servers--Tomcat v5.5 in the Eclipse Project Explorer, there were catalina.policy, etc. files, including tomcat-users.xml :(... So, I added my role and user definitions to that tomcat-users.xml, and it

Do any of the Tomcat LDAP-type realms support no password authentication?

2011-11-30 Thread ohaya
Hi, I'm new here, and hope that someone can help. I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) support an authentication mode where no password or credentials are required? In other words, where just a userID/username is presented, and if that userID/username is

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Hi, I'm new here, and hope that someone can help. I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) support an authentication mode where no password or credentials are required? In other

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Hi, I'm new here, and hope that someone can help. I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) support an authentication mode

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya
Mark Thomas ma...@apache.org wrote: On 01/12/2011 18:17, oh...@cox.net wrote: Having said all of that, I guess that my question has changed somewhat. Specifically, now I'm wondering: With what I described above, and with my valve as described above, does the asserted user NOT

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya
oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Hi, I'm new here, and hope that someone can help. I was wondering if any of the LDAP-type realms (e.g., JNDIRealm,

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya
oh...@cox.net wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Hi, I'm new here, and hope that someone can help. I was wondering if any of

RE: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-01 Thread ohaya
Caldarale wrote: From: oh...@cox.net [mailto:oh...@cox.net] Subject: Re: Do any of the Tomcat LDAP-type realms support no password authentication? In my sniffer, I can see the REMOTE_USER set to the hard-coded string, but in my test JSP on Tomcat, there getUserPrincipal()

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" /> That is correct. The false means that Tomcat will not do its own authentication, and will instead rely on the

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" /> That is correct. The false means that Tomcat will not do its own authentication,

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" /> That is correct. The false means

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
Christopher Schultz ch...@christopherschultz.net wrote: Jim, On 12/2/11 11:26 AM, oh...@cox.net wrote: Sure. Here's the section from httpd.conf. This is testing where I purposely insert a REMOTE_USER HTTP header into the request

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
oh...@cox.net wrote: Christopher Schultz ch...@christopherschultz.net wrote: Jim, On 12/2/11 11:26 AM, oh...@cox.net wrote: Sure. Here's the section from httpd.conf. This is testing where I purposely insert a

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: .. re-synchronising.. I've made some progress. I have a VirtualHost, so I had to add a JkMountCopy 'on' inside the VirtualHost, and now, it's at least proxying through to the Tomcat using mod_jk!! BUT, it's still

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: .. re-synchronising.. I've made some progress. I have a VirtualHost, so I had to add a JkMountCopy 'on' inside the VirtualHost, and now, it's at least

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: .. re-synchronising.. I've made some progress. I have a VirtualHost, so I had to add a JkMountCopy 'on' inside the

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
P.S. I forgot to mention: As you know, I'd been using a sniffer, to see the data on the Apache-to-Tomcat connection. I have a sniff from earlier, where I was using ProxyPass ajp://, and, comparing that sniff vs. a sniff that I have from when I tested with your suggested Location, in the

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-02 Thread ohaya
oh...@cox.net wrote: P.S. I forgot to mention: As you know, I'd been using a sniffer, to see the data on the Apache-to-Tomcat connection. I have a sniff from earlier, where I was using ProxyPass ajp://, and, comparing that sniff vs. a sniff that I have from when I tested with

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
André Warnier a...@ice-sa.com wrote: André Warnier wrote: oh...@cox.net wrote: oh...@cox.net wrote: P.S. I forgot to mention: As you know, I'd been using a sniffer, to see the data on the Apache-to-Tomcat connection. I have a sniff from earlier, where I was using

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: André Warnier wrote: oh...@cox.net wrote: oh...@cox.net wrote: P.S. I forgot to mention: As you know, I'd been using a sniffer, to see the data on the Apache-to-Tomcat connection. I have a sniff

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module directly for Tomcat, to authenticate users there. Why are you not using

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the OAM documentation I scanned, there must exist an OAM module

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Now let me ask another question : Why do you need to authenticate the user at the Apache level, and pass this user-id to Tomcat ? Obviously, from the

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Now let me ask another question : Why do you need to authenticate the user at the Apache

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Now let me ask another question : Why do you need to

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
oh...@cox.net wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: Now let me ask

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
Hi, I didn't say anything about it before, but I've been, in parallel with our discussion, mucking around both the OAM innards and the Apache source code, as best I can, trying to find out why that internal remote_user string (it is, I believe, only internal to Apache),

RE: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-03 Thread ohaya
Caldarale wrote: From: oh...@cox.net [mailto:oh...@cox.net] Subject: Re: Do any of the Tomcat LDAP-type realms support no password authentication? In other words, even though my valve code can assert a user into Tomcat, and even if that same user already exists in the

RE: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-04 Thread ohaya
oh...@cox.net wrote: Caldarale wrote: From: oh...@cox.net [mailto:oh...@cox.net] Subject: Re: Do any of the Tomcat LDAP-type realms support no password authentication? In other words, even though my valve code can assert a user into Tomcat, and even if that

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-05 Thread ohaya
Rainer Jung rainer.j...@kippdata.de wrote: On 02.12.2011 17:49, André Warnier wrote: oh...@cox.net wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-05 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... Rainer Jung rainer.j...@kippdata.de wrote: Although this thread has moved forward towards the role topic, I want to give some infos about the user forwarding by mod_jk. Some of it was already present in previous

Re: Do any of the Tomcat LDAP-type realms support no password authentication?

2011-12-05 Thread ohaya
Rainer Jung rainer.j...@kippdata.de wrote: On 05.12.2011 10:42, oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: ... Rainer Jung rainer.j...@kippdata.de wrote: Although this thread has moved forward towards the role topic, I want to

Custom realm.authenticate() that would work with any realm - possible?

2011-12-08 Thread ohaya
Hi, This is a followup to an earlier thread, Do any of the Tomcat LDAP-type realms support no password authentication?. As I mentioned in that earlier thread, I'm still new to Tomcat, and still trying to find my way around, and understand (somewhat) its security design, so apologies in

RE: Custom realm.authenticate() that would work with any realm - possible?

2011-12-09 Thread ohaya
Hi Chuck, Thanks for the pointer to the CombinedRealm, but, as I've been working with the test implementation that I mentioned for extending the JNDIRealm, I *think* that I'm coming to the realization that what I was asking for is probably not possible, or at least not practical, unless I'm totally

Re: Custom realm.authenticate() that would work with any realm - possible?

2011-12-09 Thread ohaya
André Warnier a...@ice-sa.com wrote: Hi Jim. As I recall, your original issue was that there is no OAM plugin for Tomcat, and therefore, you are doing the OAM authentication within the front-end Apache, and then passing the user-id to Tomcat. And then, you find yourself in

Re: Custom realm.authenticate() that would work with any realm - possible?

2011-12-09 Thread ohaya
André Warnier a...@ice-sa.com wrote: oh...@cox.net wrote: André Warnier a...@ice-sa.com wrote: Hi Jim. As I recall, your original issue was that there is no OAM plugin for Tomcat, and therefore, you are doing the OAM authentication within the front-end Apache, and

How to get debug output from JNDIRealm.java?

2012-05-17 Thread ohaya
Hi, I'm trying to debug some problems while enabling JNDIRealm in Tomcat 6.0.33. I've gotten Tomcat itself to output debug logging, but looking at the JNDIRealm.java code, e.g.: http://www.docjar.com/html/api/org/apache/catalina/realm/JNDIRealm.java.html It looks like there's a bunch of debug

Re: How to get debug output from JNDIRealm.java?

2012-05-17 Thread ohaya
Konstantin Kolinko knst.koli...@gmail.com wrote: 2012/5/17 oh...@cox.net: Hi, I'm trying to debug some problems while enabling JNDIRealm in Tomcat 6.0.33. I've gotten Tomcat itself to output debug logging, but looking at the JNDIRealm.java code, e.g.:

Re: How to get debug output from JNDIRealm.java?

2012-05-17 Thread ohaya
oh...@cox.net wrote: Konstantin Kolinko knst.koli...@gmail.com wrote: 2012/5/17 oh...@cox.net: Hi, I'm trying to debug some problems while enabling JNDIRealm in Tomcat 6.0.33. I've gotten Tomcat itself to output debug logging, but looking at the

Re: How to get debug output from JNDIRealm.java?

2012-05-17 Thread ohaya
oh...@cox.net wrote: oh...@cox.net wrote: Konstantin Kolinko knst.koli...@gmail.com wrote: 2012/5/17 oh...@cox.net: Hi, I'm trying to debug some problems while enabling JNDIRealm in Tomcat 6.0.33. I've gotten Tomcat itself to output debug

Re: How to get debug output from JNDIRealm.java?

2012-05-17 Thread ohaya
Konstantin Kolinko knst.koli...@gmail.com wrote: 2012/5/17 oh...@cox.net: See http://tomcat.apache.org/tomcat-6.0-doc/logging.html#Servlets_logging_API Here's a partial stripped down version of my server.xml, to show the JNDIRealm part in context.  I guess that it's in

Re: How to get debug output from JNDIRealm.java?

2012-05-17 Thread ohaya
oh...@cox.net wrote: Konstantin Kolinko knst.koli...@gmail.com wrote: 2012/5/17 oh...@cox.net: See http://tomcat.apache.org/tomcat-6.0-doc/logging.html#Servlets_logging_API Here's a partial stripped down version of my server.xml, to show the JNDIRealm

Re: How to get debug output from JNDIRealm.java?

2012-05-17 Thread ohaya
Christopher Schultz ch...@christopherschultz.net wrote: Jim, On 5/17/12 1:56 PM, oh...@cox.net wrote: I think that the code snippet I sent earlier was the wrong one, but it seems like I still should have gotten some output logging

Followup old thread(s) about Apache, AJP, and tomcatAuthentication, and roles

2012-06-03 Thread ohaya
Hi, A while ago, I had this thread, where I was originally trying to see if I could get Tomcat, using the AJP connector and tomcatAuthentication to work, when I had an OAM webgate installed on the Apache proxy fronting the Tomcat:

NullPointerException/java.util.logging.ErrorManager: 5 when have load-on-startup

2012-07-07 Thread ohaya
Hi, I have a simple servlet deployed to Tomcat 6.0.35, and when I enable load-on-startup in the web.xml, so that the servlet's init() method gets run when Tomcat starts up, I get: . . In LoginServlet.init: Returned from calling CreateDefaultInstance... In LoginServlet.init: FINISHED

Re: NullPointerException/java.util.logging.ErrorManager: 5 when have load-on-startup

2012-07-07 Thread ohaya
Mark Thomas ma...@apache.org wrote: On 07/07/2012 13:40, oh...@cox.net wrote: Can anyone tell me what might be causing the error, and how I can eliminate the problem? Since you have removed the part of the stack trace that might tell us what the cause is, no. Mark Hi Mark,

Re: NullPointerException/java.util.logging.ErrorManager: 5 when have load-on-startup

2012-07-07 Thread ohaya
Mark Thomas ma...@apache.org wrote: On 07/07/2012 17:33, oh...@cox.net wrote: Trace A: java.util.logging.ErrorManager: 5 java.lang.NullPointerException at java.util.ListResourceBundle.handleGetObject(ListResourceBundle.java:109) at

Re: NullPointerException/java.util.logging.ErrorManager: 5 when have load-on-startup

2012-07-09 Thread ohaya
oh...@cox.net wrote: Mark Thomas ma...@apache.org wrote: On 07/07/2012 17:33, oh...@cox.net wrote: Trace A: java.util.logging.ErrorManager: 5 java.lang.NullPointerException at java.util.ListResourceBundle.handleGetObject(ListResourceBundle.java:109)

Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-15 Thread ohaya
httpd side, which authenticates the user before the request gets passed to tomcat (via AJP) ? On 15.05.2020 14:08, ohaya wrote: >  Hi Olaf, > > Thanks. I do appreciate that! I will do more digging. > > Jim > > >      On Friday, May 15, 2020, 07:41:50 AM EDT, Olaf

Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-15 Thread ohaya
ttpd.conf: ProxyPass unknown Worker parameter I am currently using Apache 2.4.39. Is there another way to specify the "secret"? Thanks, Jim On Friday, May 15, 2020, 07:04:44 AM EDT, ohaya wrote: Hi, The Tomcat version I am using is 9.0.20. I will take a look at the chang

Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-15 Thread ohaya
Hi Olaf, Thanks. I do appreciate that! I will do more digging. Jim On Friday, May 15, 2020, 07:41:50 AM EDT, Olaf Kock wrote: On 15.05.20 13:23, ohaya wrote: >  Hi, > > I just tried adding the secret to the Apache side: > > ProxyPass ajp://192.168.218.XXX:8

Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-16 Thread ohaya
just a Tomcat-related issue. Jim On Friday, May 15, 2020, 09:38:19 AM EDT, Christopher Schultz wrote: Jim, On 5/15/20 08:42, ohaya wrote: > Yes, I am using Oracle Access Manager (OAM) so we have what they > call an "OA

Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-16 Thread ohaya
thenticated. But indeed this is no longer an Apache or a tomcat or tomcat Connector issue, it is a webapp logic or configuration issue. On 16.05.2020 08:40, ohaya wrote: >  Hi, > > When I configure the OAM protection, they have the ability to configure > values that go into HTTP headers (

Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-15 Thread ohaya
Hi, I am using an Apache proxy in front of Tomcat 9, and I am using AJP connection to connect from the Apache to Tomcat, and I have the Apache sending a username to the Tomcat in a REMOTE_USER header. In the Tomcat server.xml I have: In the Apache httpd.conf, to test, this I have:

Re: Does Tomcat 9 still support AJP connections, REMOTE_USER, and tomcatAuthentication="false"?

2020-05-15 Thread ohaya
Hi, The Tomcat version I am using is 9.0.20. I will take a look at the changelog. This is the first time I have tried this, and I couldn't find much info, so I appreciate the feedback. I will look for info about "secret". I wasn't sure about the format on the Apache side for the