Tomcat – Basic auth Apache with Tomcat

Tags: apache-2.4, configuration, http-basic-authentication, reverse-proxy, tomcat

I have the following server setup:

  • Apache Tomcat 7 running Atlassian's Jira (http://<server-ip>:8081/tickets)
  • Apache 2.4 web server as reverse proxy serving only the jira application at the moment, but there are more to come (http://<server-ip>/tickets)

Now, I want to restrict access to the whole system (i.e. http://<server-ip>/*) by setting up basic authentication.

This is what the only enabled Apache site config looks like:

<VirtualHost *:80>
        <Proxy *>
            Require all granted
        </Proxy>

        ProxyRequests           Off
        ProxyPreserveHost       On

        ProxyPass                /tickets       http://localhost:8081/tickets
        ProxyPassReverse         /tickets       http://localhost:8081/tickets

        <Location />
                AllowOverride AuthConfig
                AuthType Basic
                AuthName "Restricted Content"
                AuthUserFile /etc/apache2/.htpasswd
                Require user myuser
        </Location>
</VirtualHost>

But with this config I encounter a problem while trying to log in. After entering the login data, the login window pops up asking again for the login. After three attempts a 401 error is returned by the tomcat! application and not apache.

There is no entry in either Apache's access.log or error.log for this request, though Apache will log requests with wrong credentials.

How can I configure Apache to proxy all /tickets/* requests to Tomcat while forcing the client to authenticate when accessing /*?

Best Answer

It made me suspicious that I got a 401 error from the Tomcat application. It seems that Apache forwarded the authorization request, though it shouldn't. I had to remove the "Authorization" parameter from the request header.

To do this, I enabled mod_headers and added RequestHeader unset "Authorization" just before the ProxyPass directives.

So my config looks like the following now:

<VirtualHost *:80>

        ProxyRequests           Off
        ProxyPreserveHost       On

        RequestHeader unset "Authorization"       

        <Location "/tickets/rest/">
                  Satisfy Any
                  Order allow,deny
                  Allow from all
        </Location>

        <Location />
                AuthType Basic
                AuthName "Restricted Content"
                AuthUserFile /etc/apache2/.htpasswd
                Require user myuser
        </Location>

        ProxyPass                /tickets       http://localhost:8081/tickets
        ProxyPassReverse         /tickets       http://localhost:8081/tickets

</VirtualHost>

EDIT:

Jira uses its own REST-API for the gadgets, so I had to define a Location-Tag for /tickets/rest path.

  • removed proxy-tag
  • added Location-Tag for the jira-rest API

Got ideas to solve the problem from:
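
Added example (not part of the original answer): a small Python model of the two authentication layers, showing why the 401 came from the backend and what `RequestHeader unset "Authorization"` changes. The user tables, passwords and the backend's behaviour (rejecting Basic credentials it does not know, as the answer's diagnosis implies) are constructed assumptions, not Apache or Jira code.

```python
import base64

# Constructed sample data; names and passwords are assumptions for this model.
PROXY_USERS = {"myuser": "proxy-secret"}       # stands in for /etc/apache2/.htpasswd
BACKEND_USERS = {"jira-admin": "jira-secret"}  # stands in for the backend's own accounts
OPEN_PREFIXES = ("/tickets/rest/",)            # <Location> with Satisfy Any / Allow from all


def basic(user, password):
    """Build an Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_user(headers, users):
    """Return the user name if credentials are valid, False if invalid, None if absent."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return False
    return user if users.get(user) == password else False


def backend(headers):
    """Assumed backend: anonymous requests pass, unknown Basic credentials get 401."""
    user = basic_user(headers, BACKEND_USERS)
    if user is False:
        return 401, "backend", None
    return 200, "backend", user  # user is None for an anonymous request


def proxy(path, headers, unset_authorization):
    """Proxy model: Basic auth on / except OPEN_PREFIXES, then forward to the backend."""
    if not path.startswith(OPEN_PREFIXES) and not basic_user(headers, PROXY_USERS):
        return 401, "proxy", None
    forwarded = dict(headers)
    if unset_authorization:  # RequestHeader unset "Authorization"
        forwarded.pop("Authorization", None)
    return backend(forwarded)
```

In this model, as in the answer's config, requests under /tickets/rest/ reach the backend with no proxy authentication, and because the header is unset for the whole virtual host the backend never receives Basic credentials from any client.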