SOLVED Also the issue with Multiple Authentication Mechanisms

My head is sore from banging it against a wall, but I THINK that I have come up with a rather elegant solution. Well, it's a bit obvious in one way, but I suppose I had to go through all the pain first. There was a lot of pain.

Just to reiterate my issue: how to get Tomcat to use HTTP basic and HTTP form authentication in the same application.

I have:

- /secure/xml/** servlets that need basic auth
- /xml/** servlets that need NO auth
- /secure/xxxx.jsp that need FORM auth
- /ssl/xxx.jsp that needs NO AUTH
- /xxxx standard web content that is public
- etc.

All working together as ONE application.

This stemmed from an app that was using HTTP basic, and the user/JSP stuff had to be converted to form-based auth for security reasons, and obviously the b2b XML stuff could not change URLs or auth mechanisms, being hard-coded on the client side in our customers' apps.

SOLUTION

- Apache SSL termination
- mod_auth_mysql HTTP basic ONLY on servlet URLs using LocationMatch directives
- mod_jk forwarding JSP and servlets to Tomcat
- Tomcat configured for FORM-based auth, ignored unprotected content.
- Application deployed as ROOT.war (no messing around with contexts or path)

So Apache acts as an HTTP filter on servlets that require HTTP basic and ignores everything else. Tomcat uses form-based authn to protect all JSP pages that require it and ignores those that don't.

Rather happy with this solution, as I can offload images etc. to Apache, and I get load balancing from mod_jk and high availability. I'm sure there are a few speed bumps along the way, but 90% sure this will work. (Note the 10% reserved for experience.)

Tony
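
The two-layer split described in the post, as an added example that is not part of the original message: a small Python audit that works out which mechanism each URL ends up with once Apache and Tomcat are both in the path. The LocationMatch regex, the Tomcat url-patterns (including an unauthenticated /secure/xml/* constraint that exempts the servlets from FORM auth) and the sample paths are assumptions, since the post does not show its configuration.

```python
import re

# Assumed Apache side: <LocationMatch> regex that carries AuthType Basic.
APACHE_BASIC = re.compile(r"^/secure/xml/")
# Assumed Tomcat side: <security-constraint> url-pattern -> has <auth-constraint>?
TOMCAT_CONSTRAINTS = {"/secure/*": True, "/secure/xml/*": False}

# Intended policy taken from the post; the concrete paths are constructed samples.
EXPECTED = {
    "/secure/xml/orders": {"basic"},
    "/xml/status": set(),
    "/secure/account.jsp": {"form"},
    "/ssl/login.jsp": set(),
    "/index.html": set(),
}

def tomcat_requires_form(path, constraints):
    """Servlet-spec best match: exact, then longest path prefix, then extension."""
    if path in constraints:
        return constraints[path]
    prefixes = [p for p in constraints if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return constraints[max(prefixes, key=len)]
    for pattern, protected in constraints.items():
        if pattern.startswith("*.") and path.endswith(pattern[1:]):
            return protected
    return False  # no constraint matched: Tomcat serves it without login

def mechanisms(path, apache_basic=APACHE_BASIC, constraints=TOMCAT_CONSTRAINTS):
    """Set of auth mechanisms a request for `path` hits across both layers."""
    found = set()
    if apache_basic.search(path):
        found.add("basic")
    if tomcat_requires_form(path, constraints):
        found.add("form")
    return found

def audit(apache_basic=APACHE_BASIC, constraints=TOMCAT_CONSTRAINTS):
    """Return {path: (expected, actual)} for every path that deviates from policy."""
    result = {}
    for path, want in EXPECTED.items():
        got = mechanisms(path, apache_basic, constraints)
        if got != want:
            result[path] = (want, got)
    return result

if __name__ == "__main__":
    print(audit() or "policy matches on all sample paths")
```

Calling `audit(constraints={"/secure/*": True})` reports /secure/xml/orders as hitting both mechanisms, the overlap that would break clients hard-coded for HTTP basic.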