How to configure tomcatAuthentication in JBoss EAP 6?

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x

Issue

  • How can I configure tomcatAuthentication attribute on Connector in JBoss EAP 6?
  • I have an application on JBoss that sits behind Apache httpd which performs the authentication. I would like to forward the authenticated requests onto EAP 6 using the AJP connector so that JBoss performs only the authorization. This is similar to the issue described by AS7-1581.
  • I have set up IIS with integrated Windows authentication and ISAPI to connect with JBoss EAP 6. I want to use request.getRemoteUser to return the user authenticated in IIS.
  • How to configure to allow JBoss to bypass its authentication and correctly populate getRemoteUser and getUserPrincipal from authentication information on the front-end Apache?
  • We want to have the authentication at Apache and the authorization at JBoss should happen within a login module / mapping module. Is that possible?

Resolution

  • To configure the tomcatAuthentication parameter in EAP 6.0.0, apply the one-off patch, or upgrade to EAP 6.0.1 or later and use the following system property to configure tomcatAuthentication:
  • EAP 6.0.1 - org.apache.coyote.ajp.AprProcessor.TOMCATAUTHENTICATION. For example:

    • Setting in standalone.xml/domain.xml:

        <system-properties>
            <property name="org.apache.coyote.ajp.AprProcessor.TOMCATAUTHENTICATION" value="false"/>
        </system-properties>
      
    • Configure via CLI:

        /system-property=org.apache.coyote.ajp.AprProcessor.TOMCATAUTHENTICATION/:add(value=false)
      
  • EAP 6.1.0 onwards - org.apache.coyote.ajp.DEFAULT_TOMCAT_AUTHENTICATION. For example:

    • Setting in standalone.xml/domain.xml:

        <system-properties>
            <property name="org.apache.coyote.ajp.DEFAULT_TOMCAT_AUTHENTICATION" value="false"/>
        </system-properties>
      
    • Configure via CLI:

        /system-property=org.apache.coyote.ajp.DEFAULT_TOMCAT_AUTHENTICATION/:add(value=false)
      
  • With this configuration JBoss bypasses its own authentication and populates getRemoteUser and getUserPrincipal from the authentication information forwarded by the front-end Apache httpd/IIS. Because the AJP connector then trusts whatever principal its client sends, make sure the AJP port is reachable only from the front-end web server.

  • Alternatively, the approach described in the article How to pass REMOTE_USER from Apache to JBoss as an environment variable when using mod_proxy_ajp may be used as a workaround.

  • To populate roles into a Subject, the user needs to be authenticated. Therefore your security-domain needs a login-module, and to invoke the security-domain your web.xml needs a <login-config/>. Performing only authorization in EAP without authentication is not possible.
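Setting tomcatAuthentication to false means the AJP connector accepts the principal forwarded by httpd/IIS without checking it, so the safe deployment binds that connector where only the front-end can reach it. The script below is an added example and is not part of this Red Hat solution or of EAP itself: it reads a standalone.xml, resolves each AJP connector through its socket-binding and interface to the configured bind address, and reports connectors that both trust the front-end and are bound to a non-loopback address. The embedded standalone.xml is a constructed sample; its element and attribute names follow the EAP 6 configuration layout, and the `${jboss.bind.address:default}` handling only sees the default written in the file, not a `-b` override given on the command line.

```python
"""Audit an EAP 6 standalone.xml for an AJP connector that trusts the
front-end principal (tomcatAuthentication=false) while listening on a
non-loopback address.  Added example, not Red Hat's or EAP's own code."""
import xml.etree.ElementTree as ET

# Property names from the solution above (EAP 6.0.1 and EAP 6.1.0 onwards).
TOMCAT_AUTH_PROPERTIES = (
    "org.apache.coyote.ajp.AprProcessor.TOMCATAUTHENTICATION",
    "org.apache.coyote.ajp.DEFAULT_TOMCAT_AUTHENTICATION",
)
LOOPBACK = ("127.0.0.1", "::1", "localhost")

# Constructed sample standalone.xml; AJP_IFACE is swapped in by sample_config().
_SAMPLE_TEMPLATE = """<server xmlns="urn:jboss:domain:1.4">
  <system-properties>
    <property name="org.apache.coyote.ajp.DEFAULT_TOMCAT_AUTHENTICATION" value="false"/>
  </system-properties>
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
    </subsystem>
  </profile>
  <interfaces>
    <interface name="public"><inet-address value="${jboss.bind.address:0.0.0.0}"/></interface>
    <interface name="internal"><inet-address value="127.0.0.1"/></interface>
  </interfaces>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="ajp" port="8009" interface="AJP_IFACE"/>
  </socket-binding-group>
</server>
"""


def sample_config(ajp_interface="public"):
    """Return the constructed sample with the AJP socket-binding on the given interface."""
    return _SAMPLE_TEMPLATE.replace("AJP_IFACE", ajp_interface)


def _local(tag):
    """Strip the XML namespace so the checks work across EAP 6.x schema versions."""
    return tag.rsplit("}", 1)[-1]


def _iter(root, name):
    return (el for el in root.iter() if _local(el.tag) == name)


def _resolve_expression(value):
    """Return the default of a ${property:default} expression, else the literal value."""
    if value.startswith("${") and value.endswith("}"):
        inner = value[2:-1]
        return inner.split(":", 1)[1] if ":" in inner else ""
    return value


def tomcat_authentication_enabled(root):
    """True unless one of the known properties is explicitly set to false (EAP's default is true)."""
    for prop in _iter(root, "property"):
        if prop.get("name") in TOMCAT_AUTH_PROPERTIES:
            return prop.get("value", "").strip().lower() != "false"
    return True


def interface_addresses(root):
    """Map interface name -> configured bind address."""
    addrs = {}
    for iface in _iter(root, "interface"):
        for child in iface:
            if _local(child.tag) == "inet-address":
                addrs[iface.get("name")] = _resolve_expression(child.get("value", ""))
            elif _local(child.tag).startswith("any"):      # <any-address/> and friends
                addrs[iface.get("name")] = "0.0.0.0"
    return addrs


def ajp_bindings(root):
    """Map each AJP connector name -> (bind address, port) via its socket-binding."""
    addrs = interface_addresses(root)
    bindings = {}
    for group in _iter(root, "socket-binding-group"):
        default_iface = group.get("default-interface")
        for sb in group:
            if _local(sb.tag) == "socket-binding":
                iface = sb.get("interface", default_iface)
                bindings[sb.get("name")] = (addrs.get(iface, "?"), sb.get("port", "?"))
    return {c.get("name"): bindings.get(c.get("socket-binding"), ("?", "?"))
            for c in _iter(root, "connector")
            if c.get("protocol", "").upper().startswith("AJP")}


def audit(xml_text):
    """Return the trust setting, the AJP bindings and a list of findings."""
    root = ET.fromstring(xml_text)
    trusts_frontend = not tomcat_authentication_enabled(root)
    ajp = ajp_bindings(root)
    findings = []
    for name, (addr, port) in ajp.items():
        if trusts_frontend and addr not in LOOPBACK:
            findings.append("AJP connector %r trusts the front-end principal but listens on "
                            "%s:%s; restrict it to the httpd/IIS host" % (name, addr, port))
    return {"trusts_frontend": trusts_frontend, "ajp": ajp, "findings": findings}


if __name__ == "__main__":
    for iface in ("public", "internal"):
        print(iface, audit(sample_config(iface)))
```

Running the script audits the sample twice: with the AJP socket-binding on the public interface (default 0.0.0.0) it reports one finding, and with the binding moved to the loopback interface it reports none. Point `audit()` at the contents of a real standalone.xml to check a deployment; if the property is absent or not "false", tomcatAuthentication stays at its default and no finding is raised.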


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.