Daniel Pfeiffer wrote:
Since switching from Apache 2.2, authorization gets bypassed for many
JkMounts (except jk-status). If I cancel the browser password popup, I
get a 401-page. It is not, as I expect, the one from Apache, but instead
from JBoss, which it shouldn't have been allowed to talk to. (I found
this because unauthorized users are talking to JBoss.)
On the receiving end we have both JBoss 4 and Wildfly 7. This is both
with "Apache/2.4.3 (Unix) mod_jk/1.2.37" and "Apache/2.4.10 (Unix)
mod_jk/1.2.40". Configuration is always like
<Location /XYZ/*>
    JkMount XYZ
    AuthType basic
    AuthUserFile conf/passwd/XYZ
    AuthName "XYZ security"
    Require valid-user
</Location>
I even have a case where the identical setup (worker definition,
<Location>, file permission and content) works on 2.4.3 but not on
2.4.10. For other JkMounts both versions behave wrongly. If I raise the
debug level, I don't see anything about how it parses this. When I call
the URL, it says there is no directive protecting it.
It doesn't make a difference whether AuthName is the same as the Realm
in JBoss or not.
Hi.
I think that the problem may be the scope of the "JkMount" that you have above.
I do not think that it is limited to your <Location> section. It may be "global", even
when it is in that section.
Can you try instead:
<Location /XYZ/*>
    SetHandler jakarta-servlet
    AuthType basic
    AuthUserFile conf/passwd/XYZ
    AuthName "XYZ security"
    Require valid-user
</Location>
See here for more details:
https://tomcat.apache.org/connectors-doc/reference/apache.html
section: Using SetHandler and Environment Variables
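To find every block with the shape discussed in this thread across a larger httpd configuration, a small audit script can list the `<Location>` sections that forward to mod_jk and show whether each one also carries a `Require` restriction. This is an added example, not code from either poster or from the mod_jk project; the function name `audit_jk_locations` and the sample configuration are constructed, and it assumes one directive per line with no backslash continuations.

```python
import re

# Constructed sample, modelled on the two <Location> blocks in this thread.
SAMPLE_CONF = """
<Location /XYZ/*>
    JkMount XYZ
    AuthType basic
    AuthUserFile conf/passwd/XYZ
    Require valid-user
</Location>
<Location /ABC/*>
    SetHandler jakarta-servlet
    AuthType basic
    Require valid-user
</Location>
# <Location /old/*>
#     JkMount OLD
# </Location>
<Location /open/*>
    SetHandler jakarta-servlet
    Require all granted
</Location>
"""

OPEN = re.compile(r"<Location(?:Match)?\s+(.+?)\s*>$", re.I)
CLOSE = re.compile(r"</Location(?:Match)?\s*>$", re.I)

def audit_jk_locations(conf_text):
    """Return (path, forwarding, has_auth) for each block that forwards to mod_jk."""
    findings, path, seen = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        if (m := OPEN.match(line)):
            path, seen = m.group(1).strip('"'), {}
        elif CLOSE.match(line) and path is not None:
            # "Require all granted" is not an access restriction
            has_auth = any(a.lower() != "all granted" for a in seen.get("require", []))
            if "jkmount" in seen:
                findings.append((path, "JkMount", has_auth))
            elif "jakarta-servlet" in [a.lower() for a in seen.get("sethandler", [])]:
                findings.append((path, "SetHandler", has_auth))
            path = None
        elif path is not None:                    # directive inside a block
            name, *rest = line.split(None, 1)
            seen.setdefault(name.lower(), []).append(rest[0].strip() if rest else "")
    return findings
```

A `("…", "JkMount", True)` result marks a block to review, not a confirmed bypass; confirm it the way the original report did, by requesting the URL without credentials and checking which server produced the 401 page.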