We use Tomcat with a fronting Web server (Apache) which provides Basic authentication, so we need to run with 'tomcatAuthentication="false"' in the Ajp13Connector. But we also want to make use of the servlet "roles" concept to protect applications (including the Manager app) from arbitrary access.
Is there any simple way to do this? We've tried mapping user names to roles in the usual way in tomcat-users.xml, in the hope that Tomcat (with tomcatAuthentication set to false) would take the user name from the Apache-supplied basic-auth credentials, but use the roles from tomcat-users.xml. But the behavior suggests that tomcat-users.xml is not consulted at all in this situation. This is with Tomcat 4.1.30. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
