Posted to users@tomcat.apache.org by Mark Silva <ms...@authenex.com> on 2003/04/29 22:49:10 UTC

RE: Tomcat Apache Authentication Problem

not sure i want to mess with the ajp protocol implementations.

assuming that we switch the web server to Apache, would this be easier to accomplish?  Is it easier to write a plug-in for Apache that interfaces in both directions to Tomcat?  or are we in the same boat as with IIS.  I assume yes due to the language barrier.

thanks,
mark


-----Original Message-----
From: Bill Barker [mailto:wbarker@wilshire.com]
Sent: Monday, April 28, 2003 11:50 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: Tomcat IIS Authentication Problem


It most certainly *can* be done (and patches are always welcome).  The main
problem is that it is currently out-of-band for the Ajp13 protocol.  This
means that we either need the yet-to-be-implemented version-detection, or
clean fail-over (the latter is harder than the former, since at the moment
the Java side will drop the connection -- expensive -- if it gets a request
that it doesn't understand).  At the moment, you can use the native
connector for 3.3.x (aka mod_jk 1.1) with Tomcat 5 Java with no problems.
Alternatively, you can use the latest mod_jk2 native connector with Tomcat
3.3.x.  This breaks the symmetry (not that that is necessarily a bad thing,
it just needs to be considered).

A final word of warning:  From my reading of tomcat-dev, this is on the
wish-list, but isn't any of the Jk developers' top priority at the moment.
The most certain way to make this happen is to learn the Ajp13 protocol, and
start flooding tomcat-dev with so many patches that they can't ignore you
anymore.

"Mark Silva" <ms...@authenex.com> wrote in message
news:E1520B57ECED144EAA94E893ED0A93E629ECB2@mail01.authenex.com...
could this be done by reworking some of the jk code?

i mean, could i go into the extension part, and add some kind of hook, so
that it looks at the response from tomcat, BEFORE it is served to the client?
or is this not possible?  i could not tell from a cursory look at the code.

then could i add some code to the filter section that would look to see if
the user has been authenticated previously (by state info set in the
extension)

sounds straightforward, but from looking at the code, i could not figure it
out.

also i am not sure if your response is saying this is exactly what i cannot
do ;-)

thanks,
mark

-----Original Message-----
From: Bill Barker [mailto:wbarker@wilshire.com]
Sent: Saturday, April 26, 2003 1:20 AM
To: tomcat-user@jakarta.apache.org
Subject: Re: Tomcat IIS Authentication Problem


There is currently no support for two-way authentication Tomcat <->
Apache/IIS/iPlanet.  It is a wish-list item for a future version of Jk2
however.  At the moment, you can choose who authenticates if Tomcat ends up
serving the page.  What you can't do is to have Tomcat authenticate a user
for a page (e.g. default.asp) that the WebServer will end up serving.

"Mark Silva" <ms...@authenex.com> wrote in message
news:E1520B57ECED144EAA94E893ED0A93E629ECAC@mail01.authenex.com...
The authentication mechanism I am using is a custom one, meaning, it is not
the standard HTTP authentication.

It involves a few screens that are served to the user, and also an applet
that communicates with some hardware on the client...

so i need a way to do custom authentication, and communication between
tomcat and iis.  is this possible?  by custom authentication, all i need to
do is store some state information in IIS, sent by Tomcat when the
authentication has happened, then the user can be redirected to the initial
page they requested (before they were made to authenticate), and the IIS
filter should pass him through, due to the new state variable that is set.

hmmm...  a tough one, no?

thanks,
-mark





...written by reynir

Hi,
You should use isapi_redirector2.dll, and then you can flag where to do the
authentication by having the following line in your jk2.properties :

request.tomcatAuthentication=true

This means tomcat will take care of authentication, but if it's set to
false, IIS will do the authenticating.

Instructions on how to setup jk2 are available on the jakarta website, but I
also posted a quick manual on how to do it the most simple way, on my
website, you can check that out too.
http://www.reynir.net/tomcat/tomcat_IIS_service_jk2.html

Hope it helps
-reynir

-----Original Message-----
From: Mark Silva
Sent: Friday, April 25, 2003 10:33 AM
To: tomcat-user@jakarta.apache.org
Subject: Tomcat IIS Authentication Problem


Greetings,

I have an interesting problem.  I need to use the IIS Web Server, but
authenticate through a Tomcat Application.  The Tomcat Application
does some interesting things, and would take too much time to port to
a Microsoft language (since it is in Servlets, JSPs).

So I am wondering if anybody has done this before?  I know how to
redirect to Tomcat using ISAPI filter extension (isapi_redirect.dll)
but I am not sure how to communicate between the two layers, so that
the ISAPI filter knows if the user has authenticated before (using
some session info passed from tomcat).  Is there a way for Tomcat to pass
some sort of parameters to the Extension layers, when authentication has
occurred?

any ideas?

thanks,
mark

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
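
The state handoff described in the original question (Tomcat records that authentication happened, the front-end filter checks that state and passes the user through), sketched as an added example that is not part of the thread and not a Jk feature. It assumes a secret shared by the Tomcat application and the filter, a cookie as the carrier, and a hypothetical `/auth/login` path; the state is HMAC-signed and time-limited so the filter never trusts a value the client can edit.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Assumption: one secret provisioned to both the Tomcat app and the front-end filter.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TTL_SECONDS = 900  # hypothetical lifetime of the "authenticated" state

def _sign(payload: bytes) -> str:
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def issue_state(user: str, now: int) -> str:
    """Tomcat side: called once the custom authentication has succeeded."""
    payload = f"{user}|{now + TTL_SECONDS}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"

def check_state(token, now):
    """Filter side: return the user name, or None if the state is absent, forged or expired."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        user, expires = payload.decode().rsplit("|", 1)
        expiry = int(expires)
    except (AttributeError, ValueError):  # missing cookie or malformed token
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None  # payload was not produced by a holder of SHARED_KEY
    return user if now < expiry else None

def filter_decision(path, cookie, now):
    """Pass the request through, or send it to the Tomcat login and remember the page."""
    user = check_state(cookie, now)
    if user:
        return ("PASS", user)
    # Only a local path is carried as the return target, never an absolute URL.
    local = path.startswith("/") and not path.startswith(("//", "/\\"))
    return ("REDIRECT", "/auth/login?return=" + quote(path if local else "/", safe="/"))
```
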






Re: Tomcat Apache Authentication Problem

Posted by Bill Barker <wb...@wilshire.com>.
Yes, it's the same boat.  This would be mostly handled in the Web-Server
neutral abstraction layer of mod_jk(2).

"Mark Silva" <ms...@authenex.com> wrote in message
news:E1520B57ECED144EAA94E893ED0A93E629ECBA@mail01.authenex.com...
not sure i want to mess with the ajp protocol implementations.

assuming that we switch the web server to Apache, would this be easier to
accomplish?  Is it easier to write a plug-in for Apache that interfaces in
both directions to Tomcat?  or are we in the same boat as with IIS.  I
assume yes due to the language barrier.

thanks,
mark

