A question about Auth Dialog prompt in Apache based setup

Postby sashimi » Mon Apr 06, 2009 6:41 pm

Hi

Have a little obscure and long-winded question regarding some authentication prompts I am seeing with Subsonic running on Tomcat behind Apache.

I have two Apache virtual hosts setup - one for LAN access and other for internet access.

The internet vhost setup uses ssl and uses basic HTTP authentication using .htaccess file

The LAN vhost does not use ssl or http auth

I have mapped subsonic using mod_jk mapping directive (JkMount /subsonic/* worker1) in both the virtual hosts

so I can go to

http://192.168.1.100
and
http://192.168.1.100/subsonic/

in my home LAN and not be prompted for any http level auth as expected.


From internet I can do

https://mypublichostname.home.com

where I am prompted for http auth by .htaccess and I am able to log into my internet home page fine.

But then when I go to

https://mypublichostname.home.com/subsonic/

I get prompted by another auth dialog popup, which does not like the .htaccess user/password. So if I cancel it I get the following message

****************
HTTP Status 401 - LDAP authentication disabled.

--------------------------------------------------------------------------------

type Status report

message LDAP authentication disabled.

description This request requires HTTP authentication (LDAP authentication disabled.).

--------------------------------------------------------------------------------

Apache Tomcat/6.0.16
*******************


This seems to be coming from Tomcat and I noticed on the dialog the auth is being requested for Subsonic realm.

Now if I go back and try again I don't get the prompt second time and I can get to the Subsonic homepage login form fine.

It happens only the first time after I have logged into my website. After that it seems to not prompt me anymore, probably until the HTTP session expires.



My Tomcat security setup does not define any role or user for Subsonic webapp in tomcat-users.xml. It does define them for the tomcat manager webapp.


When I was looking around the WEB-INF for Subsonic I noticed Subsonic realm is defined in applicationContext-security.xml


I am wondering if somebody can tell me what is causing Tomcat to throw that dialog prompt when I try to access Subsonic app?

This does not happen with another webapp (JSPWiki) that I have set up under Tomcat and does not have any explicit security requirements defined.


Is .htaccess auth at the Apache level somehow triggering something in Subsonic's security profile?

After the retry succeeds I can log into Subsonic itself and listen to streams fine. But would like to know what is causing this behavior.

Many thanks
sashimi
 
Posts: 9
Joined: Thu Apr 02, 2009 7:35 pm

Subsonic on Tomcat behind Apache using mod_jk with http-auth

Postby nullchar » Thu Jun 23, 2011 5:46 pm

I have the same problem.

I have apache running publicly with mod_ssl for https. My document root is password protected with http-auth. Under the root, the JkMount to /subsonic/* running under tomcat is set up properly.

If I disable http-auth, everything works fine. Apache serves up content from the document root and any sub directories, while /subsonic/ is proxied to tomcat.

If I enable http-auth for any sub directories, but leave it OFF for the document root, everything also works fine. A simple index.html file or even disabling indexes for the document root is the only known workaround.

However, if you DO NOT enter the user/pass for http-auth, and simply navigate directly to /subsonic/, then everything works! (Which is why the android client isn't bothered with any authentication problems in this setup.) But if you have authenticated with apache first, then somehow an "auth required" flag is passed over the mod_jk proxy and tomcat tries to authenticate you over http-auth. This of course won't work with any user/pass since as you mentioned, there is no tomcat-users setup.

Anyway, hope this helps you and others with this problem.

As you mentioned, other apps without java security profiles appear to work fine; so we should investigate subsonic's configuration. That said, I read through all the mod_jk documentation and there are no flags to adjust for security, so we may not be able to fully fix this issue.
nullchar
 
Posts: 9
Joined: Tue Nov 16, 2010 5:13 am
Location: Idaho, US
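
Added example, not part of either post and not taken from the Subsonic or mod_jk documentation: one way to stop the second prompt, assuming it is caused by the browser re-sending the Apache Basic credentials in the `Authorization` header on requests to `/subsonic/`, and mod_jk forwarding that header to Tomcat, where Subsonic's own security filter tries those credentials and rejects them. The `<Location>` path matches the `JkMount /subsonic/* worker1` line from the first post; `mod_headers` is assumed to be loaded.

```apache
# Place inside the existing HTTPS <VirtualHost> that already contains:
#   JkMount /subsonic/* worker1
#
# Assumed cause: once the browser has authenticated to "/" it sends
#   Authorization: Basic <apache user:password>
# on every request below "/", including /subsonic/. mod_jk passes request
# headers through to Tomcat, so the webapp sees credentials that were never
# meant for it and answers 401 with its own realm.

<Location /subsonic/>
    # mod_headers applies this after Apache's own authentication checks have
    # run and before the mod_jk handler forwards the request, so any Apache
    # auth configured for this path still works, but Tomcat never receives
    # the Apache password.
    RequestHeader unset Authorization
</Location>
```

Stripping the header also keeps the Apache password from reaching the backend application at all. The trade-off is that clients which deliberately send HTTP Basic credentials to Subsonic through this virtual host will no longer be authenticated that way.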

