Question

I have installed a Tomcat 6 server with a J2EE OpenAM policy agent. After the installation I am unable to access it; I always get redirected to manager/amlogin.html.

This did not previously happen so I can only assume it is because of the agent installation. Is there a configuration setting I have missed?


Solution

As part of our continuous integration we wanted the ability to automatically deploy our application into our OpenAM agent protected Tomcat server.

The Hudson deploy plugin uses the Tomcat manager application to deploy. However, as detailed in the question, after agent installation the manager application is no longer accessible by the normal mechanism (HTTP basic auth).

During installation the agent updates the manager app web.xml to change the default BASIC authentication to FORM-based authentication, which can subsequently be configured to work with OpenAM (to provide single sign-on to the manager app as well). For more info see http://docs.oracle.com/cd/E19681-01/820-7251/gicpx/index.html.

To use the Hudson deploy plugin, we reverted the changes to the manager app web.xml (the agent backs up the original web.xml during its installation).

In order to enable the default UserDatabase realm for the manager, we placed the Realm definition into the Context element specific to the manager app ${TOMCAT_HOME}/conf/Catalina/manager.xml:

<Context antiResourceLocking="false" privileged="true" useHttpOnly="true">

    <!-- use default tomcat-users to manage roles for the manager app -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

</Context>

This re-enabled basic auth login to the manager app, without affecting the custom realm installed by the agent that the other web applications need for OpenAM integration.
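A way to verify the two settings the answer above depends on, added here as an example that is not part of the original answer: it reads the manager app's web.xml and its Context file and reports anything that would stop BASIC auth from working. The XML samples are constructed; `check_manager` and its helpers are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not copied from a real install).
AGENT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/amlogin.html</form-login-page>
    </form-login-config>
  </login-config>
</web-app>"""
REVERTED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
</web-app>"""
CONTEXT_XML = """<Context antiResourceLocking="false" privileged="true" useHttpOnly="true">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Context>"""

def _find(root, name):
    """First descendant with this local tag name, ignoring XML namespaces."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def _text(el):
    return (el.text or "").strip() if el is not None else None

def check_manager(web_xml, context_xml):
    """Return a list of reasons the manager app would not accept BASIC auth."""
    problems = []
    web = ET.fromstring(web_xml)
    method = _text(_find(web, "auth-method"))
    if method != "BASIC":
        page = _text(_find(web, "form-login-page"))
        problems.append(f"auth-method is {method}, login page {page}")
    realm = _find(ET.fromstring(context_xml), "Realm")
    if realm is None:
        problems.append("no Realm in manager Context; inherited realm applies")
    elif realm.get("className") != "org.apache.catalina.realm.UserDatabaseRealm":
        problems.append(f"unexpected realm {realm.get('className')}")
    return problems

if __name__ == "__main__":
    print(check_manager(AGENT_WEB_XML, CONTEXT_XML))     # agent-modified web.xml
    print(check_manager(REVERTED_WEB_XML, CONTEXT_XML))  # reverted web.xml
```

Running it against the real files after each agent upgrade or reinstall shows whether the installer has rewritten the manager web.xml again.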

OTHER TIPS

Yep, that's normal behaviour if you're trying to access protected content.

The policy agent detects that you don't have an authenticated session and as a consequence redirects you to the Identity Provider that will be in charge of authenticating you.
For more info on how OpenAM works, you should take a look at the SAML 2.0 Wikipedia page: http://en.wikipedia.org/wiki/SAML_2.0
In your case, the OpenAM agent is a Service Provider.

The policy agent normally affects the global web.xml and Tomcat's server.xml files. If you were accessing unprotected content, you should edit the URL pattern that OpenAM should protect in those 2 files.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow