Mike Oliver wrote:
...
Unless I misunderstand,
- the first part of your problem is to be able to login once, and then have this login be valid for all separate Tomcat instances.
- the second part of the problem is then, for each Tomcat instance, to be able to use manager-like functionalities to start/stop/load new applications and whatnot.

I'll tackle the first part, which amounts to an "enterprise-wide SSO issue".
Assuming that the same authenticated user-id can be used on all your Tomcat instances, as one possible solution I would use the following setup:

- an Apache httpd front-end, which does the authentication, using any Apache-compatible way for ditto
- the Apache httpd front-end connects to Tomcat back-ends via the mod_jk connector module (on the Apache side), and an AJP Connector (on the Tomcat side)
- in the AJP <Connector> element on the Tomcat side, set the attribute:
  tomcatAuthentication="false"

This will cause Tomcat to accept the user-id as authenticated by the httpd server (and passed on by mod_jk), and not redo the authentication at the Tomcat level (while still verifying that this user-id effectively belongs to a "Tomcat role" allowed to use the relevant functionality).


Now that the SSO issue is solved, my personal stab at the next issue would involve writing a mod_perl add-on module for Apache httpd, which would accept your "Tomcat management" commands, and distribute them to your back-end Tomcats, using the /manager interface that other more qualified people seem to suggest. Quite which front-end protocol this httpd add-on module accepts from the client side is up to you.

But that is of course because I am a mod_perl fan, and because for this kind of problem, it seems to me like the most flexible tool. Other people may have other suggestions.

