[jboss-jira] [JBoss JIRA] (WFLY-2850) AJP connector with external authentication

Fri Mar 14 07:30:10 EDT 2014

    [ https://issues.jboss.org/browse/WFLY-2850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12952920#comment-12952920 ] 

Sylvain Brouillat edited comment on WFLY-2850 at 3/14/14 7:28 AM:
------------------------------------------------------------------

I wasn't using AS7/EAP6 but an old configuration AS4, and tomcatAuthentication was set to false by adding ajp connector configuration in server/default/deploy/jbossweb-tomcat55.sar/server.xml :
<Connector port="8009" address="bind.address" emptySessionPath="true" enableLookup="true" redirectPort="8443" protocol="AJP/1.3" tomcatAuthentication="false" />

It exists a different way to disable tomcatAuthentication in JBoss7.1 from system-properties (https://issues.jboss.org/browse/WFLY-254).

You've said : "I have implemented an authenticator based on this in Undertow", are you talking about io.undertow.security.impl.ExternalAuthenticationMechanism class ? Is there a way to enable it from wildfly standalone.xml configuration ? Like using <system-properties> or something else ?

      was (Author: sylvain.b):
    Tomcat define tomcatAuthentication attribute for ajp connector, that when set to false, disable tomcatAuthentication and allows apache to handle authentication and pass remote_user throught AJP channel to tomcat (http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html). 

I wasn't using AS7/EAP6 but an old configuration AS4, and tomcatAuthentication was set to false by adding ajp connector configuration in server/default/deploy/jbossweb-tomcat55.sar/server.xml :
<Connector port="8009" address="${bind.address}" emptySessionPath="true" enableLookup="true" redirectPort="8443" protocol="AJP/1.3" tomcatAuthentication="false" />

It seems to exist a different way to disable tomcatAuthentication in JBoss7.0 (https://issues.jboss.org/browse/WFLY-254).

> AJP connector with external authentication
> ------------------------------------------
>
>                 Key: WFLY-2850
>                 URL: https://issues.jboss.org/browse/WFLY-2850
>             Project: WildFly
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Web (Undertow)
>    Affects Versions: 8.0.0.CR1
>            Reporter: Geert Coelmont
>            Assignee: Stuart Douglas
>            Priority: Critical
>
> Tomcat allows to set the tomcatAuthentication attribute of the AJP connector to false to allow external web servers (e.g. apache httpd) to handle the authentication and pass that along.
> A similar option was added recently to JBossWeb as well (see WFLY-254), but JBossWeb has been replaced by Undertow. With Undertow this option isn't available as far as I can see.
> For me this is a critical problem as there is currently no way I can do negotiated (SPNEGO) authentication from within WildFly+Undertow. (See also WFLY-2404).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira