I recently deployed a Java webapp on Tomcat 7 fronted by Apache 2 on an Ubuntu 14.04 VPS.
I am connecting Apache 2 and Tomcat 7 with mod_jk.
All the static resources are served by Tomcat, but I wanted to front it with Apache as a best practice, for future scalability, and to possibly use a few mods in the future.
Everything works perfectly until I try to implement a basic authentication pop-up that will be used during the testing period - I want only a few friends to get access to the site and am willing to create an account per person.
I plan to remove the basic authentication once the testing phase is over. It is only the auth popup that is problematic - if I remove the auth directives the site works perfectly.
The .war file is named bbn (and gets exploded by Tomcat), so for the moment I'm happy with simply accessing the app at http://server/bbn - perfect.
Here is the relevant config:
@Tomcat's server.xml:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
@workers.properties:
worker.list=worker
worker.worker.type=ajp13
worker.worker.host=localhost
worker.worker.port=8009
@apache2/mods-available/jk.conf:
JkWorkersFile /etc/apache2/workers.properties
@apache2/conf-enabled/security.conf:
<Directory />
Options -ExecCGI -Includes -Indexes
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
(this locks Apache down, as I just want to use it for "proxying")
@apache2/sites-enabled/000-default.conf:
JKMount /bbn* worker
(so that every request that starts with /bbn goes to Tomcat)
With the above config, everything is fine. But I want the simple authentication popup, so I added the following to 000-default.conf:
<Location /bbn>
AuthType Basic
AuthName "bbn"
AuthUserFile /var/bbn/bbnusers.config
Require valid-user
Order allow,deny
Allow from all
</Location>
I created a few users with the htpasswd command, which creates a well-formed file and adds the users to it perfectly.
Now here comes the trouble: when I access http://server/bbn, I get the auth popup (which is fine); I enter the username/password, and then:
I see that I hit the .jsp of the webapp (I get the correct HTML back), great!
However, for every resource that should be downloaded, such as images, JS and CSS, I get a new auth popup (note: if I enter correct credentials there, I get nothing).
I spent hours with a friend trying alternate configs and paths, but this is where we are - either everybody gets access, or nobody, which I can't accept at the moment.
How can I solve this issue?
I don't want to use tomcat-users.xml and similar mechanisms, as this should be handled by Apache and not require any Java-related modification (web.xml at least...).
Thanks!!!
=========== Edit: additional info:
- In the Apache access logs:
When I GET http://server/bbn I see "GET /bbn HTTP/1.1" 401 in the Apache logs (the 401 is normal, I suppose, as I get the auth popup).
If I then enter the right credentials again in the immediately-following popup, I see the same request in the logs (GET /bbn), also with 401, but I also see the provided username before the timestamp... Then if I press escape or click cancel on the popup, the Tomcat error JSP page is served, and an auth popup comes up for every resource (JS, CSS, images). Whether I enter the right credentials or not, I won't get the resources (I can see the HTML of the page, and I'm sure the credentials are correct...).
- In the Apache error logs: as long as I type the right credentials there is nothing; otherwise there are credential-related errors.
A last thing: if I try to get, for example, http://server/bbn/img/flags/EARTH.gif instead of http://server/bbn/ (the homepage), I get the exact same treatment.
I suppose that the Apache auth should not interfere with the classic Spring Security authentication that is handled in Tomcat in Java... Especially since the default connector value is "tomcatAuthentication='true'" - I expect Apache 2 to work as a "one-time access wall" before people can test the site; maybe I'm twisting the logic here...
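One thing worth knowing when putting an Apache front door in front of an application that has its own login: mod_jk forwards the browser's request headers, including the Authorization header carrying the Basic credentials meant for Apache, on to Tomcat, where the webapp's own filter chain also sees them. The block below is an added example (not the poster's configuration) of an Apache 2.4 <Location> that keeps the front-door check but strips that header before the request is proxied; it assumes mod_headers, mod_auth_basic, mod_authn_file and mod_authz_core are enabled and reuses the worker name and user file from the post.

```apache
# Added example (not from the original post): Apache 2.4 Basic auth in front of
# mod_jk, written with mod_authz_core only. Ubuntu 14.04 ships Apache 2.4, where
# Order/Allow/Deny come from mod_access_compat and should not be mixed with
# Require in the same block.
# Assumes: a2enmod headers auth_basic authn_file authz_core
#          worker "worker" and /var/bbn/bbnusers.config as in the post.

JkMount /bbn* worker

<Location "/bbn">
    AuthType Basic
    AuthName "bbn"
    AuthUserFile /var/bbn/bbnusers.config
    Require valid-user

    # Apache validates the credentials in the authn/authz phases; mod_headers
    # applies RequestHeader later (fixup phase), before the mod_jk handler
    # runs. Unsetting the header here therefore does not weaken the front-door
    # check; it only keeps the Basic credentials out of the AJP request, so the
    # application's own Basic-auth handling never tries to validate them
    # against its user store and answer with its own 401 challenge.
    RequestHeader unset Authorization
</Location>
```

To check the behaviour without a browser, a request such as curl -u user:pass -i http://server/bbn/img/flags/EARTH.gif should now come back 200 from Tomcat rather than 401, while the same request without -u still gets Apache's 401 challenge.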