Thanks for the info. Is there any way to configure tomcat to just check the
httpd flag? If it's not set, challenge the user; if it is set, allow access to
the resource?

n828cl wrote:
> 
>> From: cgswtsu78 [mailto:cg...@proofpoint.com]
>> Subject: Best Basic Auth Approach
>> 
>> I've seen some of the tomcat basic auth examples on the web 
>> and all of them hardcode a user id/password for a role in the
>> tomcat-users.xml file.
> 
> Stop there, and read the Tomcat doc on the subject:
> 
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
> 
> Note especially the following:
> 
> "MemoryRealm is a simple demonstration implementation of the Tomcat 6
> Realm interface. It is not designed for production use."
> 
> Choose a more appropriate <Realm> for your environment, and configure
> that.
> 
>> My setup is that any request to my java based tomcat app goes through
>> apache and then mod_jk routes it over to tomcat.
> 
> httpd should be setting a flag indicating the user has been authenticated.
> 
> - Chuck
> 

-- 
View this message in context: 
http://old.nabble.com/Best-Basic-Auth-Approach-tp27151922p27152140.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
