Posted to users@tomcat.apache.org by Peter Stavrinides <p....@albourne.com> on 2007/01/24 13:15:03 UTC

Configuring a common authentication realm

I don't know if this is possible, but this is the scenario:

I have an Apache web server with Basic authentication configured to use 
a Postgres database. Web application A (written in Perl) uses it.

Web application B (written in Java) runs on Tomcat 5.5.20 on a different 
physical server; it uses a JDBC realm with basic authentication, once 
again to connect to the same database and authenticate users.

The user cannot distinguish between the two applications; they have a 
common appearance.

What I need to do is authenticate users once (on either server / 
application), and allow the users to navigate from one application to 
the other (I don't want to ask for passwords again). Can the servers 
share a realm, or is there a connector component or something I can use?

Thanks for your help,

Peter

-- 
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 

If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Please visit http://www.albourne.com/email.html for important additional terms relating to this e-mail. 



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Configuring a common authentication realm

Posted by Pid <p...@pidster.com>.
Christopher Schultz wrote:
> 
> Peter,
> 
> Peter Stavrinides wrote:
>> I do mention however that two separate physical servers exist and the
>> webapps are on two separate web servers as well... they appear under the
>> same host to users because the URLs are dynamically rewritten on the
>> front end. The DNS is entirely separate, so to share a login across the
>> two would require that I pass authentication information between the two
>> web servers somehow, do you understand?
> 
> If you really are using "Basic Auth", then your browser sends the
> authentication information with every request in a header. Therefore, it
> doesn't matter that they are on separate servers. Your load balancer and
> URL-rewriter should pass this header through unscathed and allow each
> app to read that information.
> 
>> Also, sharing a session is not possible in this case because the Perl
>> application is stateless, for this reason also it uses Apache basic
>> authentication, so I can't use forms authentication or the problem would
>> be easily solved with a common sign-in as you suggested, but
>> unfortunately that's not an option.
> 
> I think that sessions are unrelated to what you're asking about. You
> just wanted to use a single login for two apps, right? The presence of a
> session is irrelevant.
> 
> I'm not suggesting that you use form authentication: I'm suggesting that
> you use BASIC in both webapps.

Tomcat can be configured to look for the user set by Apache in the 
REMOTE_USER field; it's a single attribute in the Connector 
element, I think.

(can't find it in the docs, or I'd post a URL)


> -chris


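As an added illustration (not from Pid's message or from the Tomcat documentation), the attribute Pid is thinking of is `tomcatAuthentication` on the AJP Connector: set to false, Tomcat takes the user name httpd already authenticated (the REMOTE_USER httpd forwards over AJP) instead of running its own realm login. This assumes httpd fronts Tomcat over AJP (mod_jk or mod_proxy_ajp).

```xml
<!-- server.xml (Tomcat 5.5): accept the user that httpd authenticated.
     Assumed setup: httpd on the front end speaks AJP to this connector. -->
<Connector port="8009" protocol="AJP/1.3"
           tomcatAuthentication="false" />
```

With this set, Tomcat trusts whatever user name arrives on the AJP connection, so port 8009 must be reachable only from the httpd host (firewall it, or bind it with the Connector's `address` attribute when both run on one machine).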


Re: Configuring a common authentication realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Peter,

Peter Stavrinides wrote:
> I do mention however that two separate physical servers exist and the
> webapps are on two separate web servers as well... they appear under the
> same host to users because the URLs are dynamically rewritten on the
> front end. The DNS is entirely separate, so to share a login across the
> two would require that I pass authentication information between the two
> web servers somehow, do you understand?

If you really are using "Basic Auth", then your browser sends the
authentication information with every request in a header. Therefore, it
doesn't matter that they are on separate servers. Your load balancer and
URL-rewriter should pass this header through unscathed and allow each
app to read that information.

> Also, sharing a session is not possible in this case because the Perl
> application is stateless, for this reason also it uses Apache basic
> authentication, so I can't use forms authentication or the problem would
> be easily solved with a common sign-in as you suggested, but
> unfortunately that's not an option.

I think that sessions are unrelated to what you're asking about. You
just wanted to use a single login for two apps, right? The presence of a
session is irrelevant.

I'm not suggesting that you use form authentication: I'm suggesting that
you use BASIC in both webapps.

-chris




Re: Configuring a common authentication realm

Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Peter,

On 1/25/07, Peter Stavrinides <p....@albourne.com> wrote:
> Greg thanks for this, sounds like it has potential, and it won't be a
> problem with separate machines, but one problem I foresee though is the
> new IE7 browser which disables cookies on the client by default, have
> you tested it?
>

It does work for any browser; however, the browser *must* support
cookies. URL-rewriting won't help here, since the cookie is stored in
the MySQL database which is then read by Apache httpd.
We solved it by telling our clients that their browser *must* accept
cookies.
Personally, I don't believe that too many people are surfing around
without allowing their browsers to accept cookies...
What's puzzling me a bit is that I've tested it with IE7, and I
couldn't see that IE7 was blocking cookies by default - at least not
the one I've tested (XP SP2, IE7).

Cheers!

Greg
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371



Re: Configuring a common authentication realm

Posted by Peter Stavrinides <p....@albourne.com>.
Greg thanks for this, sounds like it has potential, and it won't be a 
problem with separate machines, but one problem I foresee though is the 
new IE7 browser which disables cookies on the client by default, have 
you tested it?

Christopher, I am currently using the Authorization header, but the 
server tries to authenticate before it serves the page, so it still 
prompts for the username and password. I haven't looked at the 
REMOTE_USER field though; I would be curious to look at some 
documentation on it.

Peter

Gregor Schneider wrote:
> Peter,
>
> I think this can be done with mod_auth_cookie_mysql.
>
> You will, however, have to write your own little SSO-Servlet / JSP
> which updates the MySQL-DB with the JSSOSessionID-Cookie provided by
> Tomcat. Apache will then read the Cookie from the database, check if
> this cookie is present on the client-side (browser) and grant access
> to the protected area within Apache.
>
> Works absolutely smoothly for us (however: Apache / Tomcat reside on the
> same machine, although we have 2 machines behind a
> hardware-loadbalancer).
>
> Check out http://www.freshports.org/www/mod_auth_cookie_mysql2
>
> I've posted this on the apache-userlist already, you also might want
> to check out http://comments.gmane.org/gmane.comp.apache.user/65363
>
> In the above solution authorization is handled by Tomcat (Form based
> Authorization).
>
> Hope I got your problem right & HTH
>
> Greg

-- 
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 






Re: Configuring a common authentication realm

Posted by Gregor Schneider <rc...@googlemail.com>.
Peter,

I think this can be done with mod_auth_cookie_mysql.

You will, however, have to write your own little SSO-Servlet / JSP
which updates the MySQL-DB with the JSSOSessionID-Cookie provided by
Tomcat. Apache will then read the Cookie from the database, check if
this cookie is present on the client-side (browser) and grant access
to the protected area within Apache.

Works absolutely smoothly for us (however: Apache / Tomcat reside on the
same machine, although we have 2 machines behind a
hardware-loadbalancer).

Check out http://www.freshports.org/www/mod_auth_cookie_mysql2

I've posted this on the apache-userlist already, you also might want
to check out http://comments.gmane.org/gmane.comp.apache.user/65363

In the above solution authorization is handled by Tomcat (Form based
Authorization).

Hope I got your problem right & HTH

Greg
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371



Re: Configuring a common authentication realm

Posted by Peter Stavrinides <p....@albourne.com>.
Christopher, thanks for your reply.

I do mention however that two separate physical servers exist and the 
webapps are on two separate web servers as well... they appear under the 
same host to users because the URLs are dynamically rewritten on the 
front end. The DNS is entirely separate, so to share a login across the 
two would require that I pass authentication information between the two 
web servers somehow, do you understand?

Also, sharing a session is not possible in this case because the Perl 
application is stateless, for this reason also it uses Apache basic 
authentication, so I can't use forms authentication or the problem would 
be easily solved with a common sign-in as you suggested, but 
unfortunately that's not an option.

Peter

Christopher Schultz wrote:
>
> Peter,
>
> Peter Stavrinides wrote:
>   
>> I have an Apache web server with Basic authentication configured to use
>> a Postgres database. Web application A (written in Perl) uses it.
>>
>> Web application B (written in Java) runs on Tomcat 5.5.20 on a different
>> physical server; it uses a JDBC realm with basic authentication, once
>> again to connect to the same database and authenticate users.
>>
>> What I need to do is authenticate users once (on either server /
>> application), and allow the users to navigate from one application to
>> the other (I don't want to ask for passwords again). Can the servers
>> share a realm, or is there a connector component or something I can use?
>>     
>
> What you are talking about is not realm-sharing since the concept of a
> "realm" really only exists on the Tomcat side. You really want some sort
> of cooperative login or something like that.
>
> First, you have to decide which type of authentication you prefer. For
> instance, if the user really cannot tell the difference between the
> webapps, does that mean that the URL spaces are the same? (i.e. the perl
> webapp lives in "/cool-product/whatever/*.pl" and the Java stuff lives
> in "/cool-product/whatever/*.jsp")?
>
> If that's the case, then you can probably configure Tomcat to use Basic
> authentication which is already being used by Apache httpd to do the
> authentication for your other application. The same path
> ("/cool-product") will result in the WWW-Auth information being sent to
> both applications. Since you have the same database for authentication
> in both webapps, either one can be the "first" to do authentication, and
> then the other app should respect the other's WWW-auth information.
>
> There are other ways, but this sounds like the most painless given your
> setup.
>
> -chris

-- 
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 






Re: Configuring a common authentication realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Peter,

Peter Stavrinides wrote:
> I have an Apache web server with Basic authentication configured to use
> a Postgres database. Web application A (written in Perl) uses it.
> 
> Web application B (written in Java) runs on Tomcat 5.5.20 on a different
> physical server; it uses a JDBC realm with basic authentication, once
> again to connect to the same database and authenticate users.
> 
> What I need to do is authenticate users once (on either server /
> application), and allow the users to navigate from one application to
> the other (I don't want to ask for passwords again). Can the servers
> share a realm, or is there a connector component or something I can use?

What you are talking about is not realm-sharing since the concept of a
"realm" really only exists on the Tomcat side. You really want some sort
of cooperative login or something like that.

First, you have to decide which type of authentication you prefer. For
instance, if the user really cannot tell the difference between the
webapps, does that mean that the URL spaces are the same? (i.e. the perl
webapp lives in "/cool-product/whatever/*.pl" and the Java stuff lives
in "/cool-product/whatever/*.jsp")?

If that's the case, then you can probably configure Tomcat to use Basic
authentication which is already being used by Apache httpd to do the
authentication for your other application. The same path
("/cool-product") will result in the WWW-Auth information being sent to
both applications. Since you have the same database for authentication
in both webapps, either one can be the "first" to do authentication, and
then the other app should respect the other's WWW-auth information.

There are other ways, but this sounds like the most painless given your
setup.

-chris

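The mechanism Christopher describes, modelled as an added example (not code from the thread, httpd or Tomcat): both back ends verify the same `Authorization: Basic` header against one shared credential table, and a browser re-sends that header for every URL under the directory it was first challenged on, so a common path prefix such as `/cool-product/` means the second application never prompts. The credential table, realm name and paths are constructed for the example.

```python
import base64, hashlib, hmac

# Constructed stand-in for the shared Postgres credential table that both the httpd
# Basic-auth module and Tomcat's JDBCRealm read: user -> (salt, sha256(salt + password)).
_SALT = "constructed-salt"
CREDENTIALS = {"peter": (_SALT, hashlib.sha256((_SALT + "s3cret").encode()).hexdigest())}
REALM = 'Basic realm="cool-product"'   # assumption: both apps advertise the same realm
PROTECTED_PREFIX = "/cool-product/"    # the common URL space from Christopher's mail

def parse_basic(header):
    """(user, password) from an 'Authorization: Basic ...' header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def check_credentials(user, password):
    """Verify against the shared table; constant-time compare of the salted digest."""
    entry = CREDENTIALS.get(user)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(hashlib.sha256((salt + password).encode()).hexdigest(), digest)

def handle(path, headers):
    """One server's answer: (200, REMOTE_USER) or (401, WWW-Authenticate). Same logic on both hosts."""
    if not path.startswith(PROTECTED_PREFIX):
        return 200, None
    creds = parse_basic(headers.get("Authorization"))
    if creds and check_credentials(*creds):
        return 200, creds[0]
    return 401, REALM

class Browser:
    """Minimal model of a browser's Basic-auth cache: after one challenge, the header is re-sent for every URL under that directory."""
    def __init__(self, user, password):
        self.header = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.known_prefixes = []
        self.prompts = 0                 # how often the user was asked for a password

    def get(self, path):
        headers = {}
        if any(path.startswith(p) for p in self.known_prefixes):
            headers["Authorization"] = self.header
        status, info = handle(path, headers)
        if status == 401:                # challenged: prompt once, remember the directory
            self.prompts += 1
            self.known_prefixes.append(path.rsplit("/", 1)[0] + "/")
            status, info = handle(path, {"Authorization": self.header})
        return status, info
```

A request to `/cool-product/whatever/report.pl` (the Perl side) prompts once; the following request to `/cool-product/whatever/index.jsp` (the Tomcat side) carries the cached header and is served without a second prompt, which is exactly the single-login behaviour Peter asked for.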