Posted to users@tomcat.apache.org by Maciej Matecki <mm...@gmail.com> on 2009/06/27 00:03:12 UTC

mod_auth_kerb / mod_spnego on Windows

Hello,
I have to run Kerberos with Apache + Tomcat on Windows. I tested
everything on Linux, and there everything works just great. I thought
that there wouldn't be any problems on Windows... I was wrong... :(

Do you have any compiled module for Apache which provides Kerberos
authorization under Windows and Apache 2.x? I've downloaded the sources of
mod_spnego but unfortunately I have big problems compiling it.
Thank you in advance.
Best regards,
--
Maciej Matecki
skype: m.matecki || www: http://matecki.info/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: mod_auth_kerb / mod_spnego on Windows

Posted by Jonathan wong <jn...@hotmail.com>.


Re: mod_auth_kerb / mod_spnego on Windows

Posted by Maciej Matecki <mm...@gmail.com>.
On Sun, Jun 28, 2009 at 4:12 PM, André Warnier<aw...@ice-sa.com> wrote:
> Maciej Matecki wrote:
>>
>> On Sat, Jun 27, 2009 at 10:04 AM, André Warnier<aw...@ice-sa.com> wrote:
>>>
>>> Maciej Matecki wrote:
>>> ...
>>>>
>>>> Do you have any compiled module for Apache which provides Kerberos
>>>> authorization under Windows and Apache 2.x?
>>>
>>> Hi.
>>> Just a question : is there any mechanism that allows you to do that from
>>> Tomcat ?
>>> Because if there is, then I can provide you with a "trick" to use this
>>> for
>>> Apache also.  I such a trick myself, unfortunately not with Kerberos but
>>> with NTLM.
>>
>> Hi,
>> Yes. I just need to find in the headers the name of the user authorized with
>> Kerberos (I use the preauth filter in Spring Security). So if you've
>> got any good method to achieve that I'll be very thankful.
>> Regards,
>>
> All right, here is the trick. Depending on your circumstances, this may or
> may not be difficult.
> I developed this method for a practical reason, probably the same as you
> have found out : there are some forms of authentication that are easier to
> do under Apache on some platforms, others that are easier to do under Tomcat
> on some platforms.  This allows me to choose.
> [cut]

Hmmm, it looks quite interesting, but in my case I don't see the chance
to write a module for Kerberos on my own. There are already such modules
(mod_auth_kerb - http://modauthkerb.sourceforge.net/ and mod_spnego -
https://sourceforge.net/project/showfiles.php?group_id=82781&package_id=93313).
Unfortunately there's no compiled version and I have big problems
compiling it. So I ask again: maybe somebody has those modules
compiled for Windows?

Thank you for your trick, I hope it'll be helpful for somebody else.

Regards,

--
Maciej Matecki
skype: m.matecki || www: http://matecki.info/



Re: mod_auth_kerb / mod_spnego on Windows

Posted by André Warnier <aw...@ice-sa.com>.
Maciej Matecki wrote:
> On Sat, Jun 27, 2009 at 10:04 AM, André Warnier<aw...@ice-sa.com> wrote:
>> Maciej Matecki wrote:
>> ...
>>> Do you have any compiled module for Apache which provides Kerberos
>>> authorization under Windows and Apache 2.x?
>> Hi.
>> Just a question : is there any mechanism that allows you to do that from
>> Tomcat ?
>> Because if there is, then I can provide you with a "trick" to use this for
>> Apache also.  I such a trick myself, unfortunately not with Kerberos but
>> with NTLM.
> 
> Hi,
> Yes. I just need to find in the headers the name of the user authorized with
> Kerberos (I use the preauth filter in Spring Security). So if you've
> got any good method to achieve that I'll be very thankful.
> Regards,
> 
All right, here is the trick. Depending on your circumstances, this may
or may not be difficult.
I developed this method for a practical reason, probably the same as you 
have found out : there are some forms of authentication that are easier 
to do under Apache on some platforms, others that are easier to do under 
Tomcat on some platforms.  This allows me to choose.

But a warning, first of all : in my case, what I am about to describe 
works.  But, technically, it is equivalent to being a 
"man-in-the-middle" between the browser and the real authentication in 
Tomcat.  I have no idea if that will work with Kerberos...

The general idea is :

1) create a small servlet to insert in your Tomcat application.
Since this servlet is "in" your webapp, it is submitted to the same 
Tomcat authentication rules as the rest of your webapp.
In other words, I am supposing that it will only get executed, if the 
request has already been authenticated by Tomcat, using whatever method 
is configured in Tomcat for ditto.
This servlet does one thing : it picks up the authenticated Tomcat 
user-id for this request (String userId = request.getRemoteUser();), and 
creates a simple text/plain response containing that user-id.
It can also add a special HTTP header to this response, to make the work 
of the other part (below) easier.

2) In Apache now, you have to create your own authentication module.
When this module checks the browser request, and finds that it is not 
authenticated, it creates its own internal HTTP request to the back-end 
Tomcat and to your servlet.  In this request, it copies all the HTTP 
headers as received in the original request from the browser, (but it 
changes the URL, to address your servlet).

When it gets the response back from Tomcat, 2 cases are possible :

a) it is the user-id response (from your servlet).  In that case, you 
now have your user-id, you set it for Apache, and you continue in Apache 
with the original request, now authenticated.

b) it is not the user-id response, but something else. In that case, you 
return the entire Tomcat response back to the browser.

Case a) is easy to detect, because it contains the special header which 
your Tomcat servlet added.

Case b) is for the case where Tomcat "catches" the call to your servlet 
as not yet authenticated.  Tomcat will then send back some 401 response, 
asking the browser to authenticate.
You forward this response to the browser, transparently.  The browser 
then sends back some new request, presumably this time with the correct 
authentication headers. Your authentication module under Apache catches 
that call again, sees that it is not authenticated yet, and forwards it 
again to your Tomcat servlet, with all the original headers.
This time, Tomcat accepts the authentication, and lets the call go 
through to your servlet.  The servlet returns the user-id, the 
authentication module in Apache gets it, authenticates the Apache 
session, et voilà.

Now the question is how to create this Apache authentication module.
I use mod_perl, which for me is the easiest.
Your mileage may vary.
But you could look for the source code of any Apache authentication 
module in the language of your choice, and modify it to do what I 
outline above.

Another subtlety consists of, at the Apache level, determining the 
difference between a request that is authenticated, and one that is not.
Usually, once you have "provoked" the browser into authenticating once, 
it will then, in subsequent requests to the same server/area, re-send the
same authentication headers without being prompted.
Your Apache-level authentication module could check requests for these 
headers, and pick out the user-id itself.  That avoids going back to 
Tomcat each time.
If that is not the case (the browser does not resend the headers), then 
you may have to put some additional code in your Apache authentication 
module, to add a "Set-Cookie" to the response.  This cookie is then what
the Apache authentication module checks for, in the subsequent requests. 
If it is not found, the request is forwarded to your Tomcat servlet.


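The decision logic of the Apache-side module described above, as an added example that is not André's mod_perl code and not part of the thread: a Python function stands in for the module, a constructed `fake_tomcat` callable stands in for the internal request to the back-end servlet, and the marker header name `X-Auth-User`, the cookie name `apache_auth` and the HMAC secret are assumptions. It also shows the one thing a practitioner must add to the "Set-Cookie" variant: the cookie has to be signed, otherwise any browser could simply set `apache_auth=admin` and skip authentication.

```python
import hmac
import hashlib

# Names below are assumptions for this demo, not anything from the thread.
USER_HEADER = "X-Auth-User"          # marker header the Tomcat servlet adds
COOKIE_NAME = "apache_auth"          # cookie the Apache side sets and checks
SECRET = b"constructed-demo-secret"  # in practice: a per-deployment random key

def sign(user):
    """HMAC over the user-id so a browser cannot forge the cookie."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def user_from_cookie(headers):
    """Return the user-id from a validly signed cookie, else None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and ":" in value:
            user, _, mac = value.rpartition(":")
            if hmac.compare_digest(mac, sign(user)):
                return user
    return None

def authenticate(request_headers, tomcat):
    """Decide like the Apache-side module: 'ok' with a user-id, or 'relay'
    Tomcat's response (typically a 401) back to the browser unchanged.
    tomcat(headers) stands in for the internal request to the servlet."""
    user = user_from_cookie(request_headers)
    if user:                                   # already authenticated here
        return {"decision": "ok", "user": user, "set_cookie": None}
    # Copy all browser headers into the internal request (URL differs).
    status, rheaders, body = tomcat(dict(request_headers))
    if status == 200 and USER_HEADER in rheaders:             # case a)
        # Trusted only because it arrived in a response from the back-end,
        # never read from the browser's request headers.
        user = rheaders[USER_HEADER]
        cookie = f"{COOKIE_NAME}={user}:{sign(user)}; HttpOnly; Secure"
        return {"decision": "ok", "user": user, "set_cookie": cookie}
    return {"decision": "relay", "status": status,            # case b)
            "headers": rheaders, "body": body}

def fake_tomcat(headers):
    """Constructed stand-in for Tomcat plus the user-id servlet: answers 401
    until the browser supplies credentials, then returns the user-id."""
    if headers.get("Authorization") == "Negotiate CONSTRUCTED-TOKEN":
        return 200, {USER_HEADER: "alice", "Content-Type": "text/plain"}, "alice"
    return 401, {"WWW-Authenticate": "Negotiate"}, ""
```

A request carrying a tampered cookie falls through to the back-end and gets the 401 relayed, exactly as an unauthenticated one would.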


Re: mod_auth_kerb / mod_spnego on Windows

Posted by Maciej Matecki <mm...@gmail.com>.
On Sat, Jun 27, 2009 at 10:04 AM, André Warnier<aw...@ice-sa.com> wrote:
> Maciej Matecki wrote:
> ...
>>
>> Do you have any compiled module for Apache which provides Kerberos
>> authorization under Windows and Apache 2.x?
>
> Hi.
> Just a question : is there any mechanism that allows you to do that from
> Tomcat ?
> Because if there is, then I can provide you with a "trick" to use this for
> Apache also.  I such a trick myself, unfortunately not with Kerberos but
> with NTLM.

Hi,
Yes. I just need to find in the headers the name of the user authorized with
Kerberos (I use the preauth filter in Spring Security). So if you've
got any good method to achieve that I'll be very thankful.
Regards,

--
Maciej Matecki
skype: m.matecki || www: http://matecki.info/



Re: mod_auth_kerb / mod_spnego on Windows

Posted by André Warnier <aw...@ice-sa.com>.
Maciej Matecki wrote:
...
> 
> Do you have any compiled module for Apache which provides Kerberos
> authorization under Windows and Apache 2.x?
Hi.
Just a question : is there any mechanism that allows you to do that from 
Tomcat ?
Because if there is, then I can provide you with a "trick" to use this 
for Apache also.  I such a trick myself, unfortunately not with Kerberos 
but with NTLM.

