Posted to users@tomcat.apache.org by Cenk Oguz <ce...@bredband.net> on 2008/01/02 03:12:28 UTC

mod_spnego SingleSignOn over mod_jk

I am looking into configuring SingleSignOn Kerberos authentication in a Tomcat application using SPNEGO authentication on an Apache2 frontend server. The frontend apache2 currently forwards all requests to Tomcat through mod_jk.

As I see there is an apache2 module for Kerberos authentication without user intervention, mod_spnego. 

However I am curious to know if it is possible using mod_spnego to forward the authenticated user/principal in an http header to Tomcat from Apache, in the mod_jk stream. The packaged Tomcat application requires an http header that contains the user.

Also, will authentication take place before mod_jk forwards the request? If mod_jk acts before authentication there is no point in proceeding with this.

Has anyone had experience in this?

/Cenk

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: mod_spnego SingleSignOn over mod_jk

Posted by Cenk Oguz <ce...@bredband.net>.
Hey Rainer!

On Wed, Jan 02, 2008 at 07:39:49AM +0100, Rainer Jung wrote:
> Hi Cenk,
> 
> For me the mod_spnego code looks like it only sets the usual
> authenticated user var, so the name of the user will be available for
> the webapp only by using request.getRemoteUser() and not via an http header.

Yes I got that impression. I was thinking that perhaps the RequestHeader directive from mod_headers could be used to set a REMOTE_USER header, using the REMOTE_USER variable that mod_spnego should have set. 

But it seems to be a question of timing, needing authentication to have taken place and the REMOTE_USER variable to have been set before RequestHeader actions take place. I will simply have to test this out when I have time.

> 
> > Also, will authentication take place before mod_jk forwards the
> > request? If mod_jk acts before authentication there is no point in
> > proceeding with this.
> 
> It looks like the two modules play nicely together. mod_spnego only uses
> the auth slots and mod_jk totally ignores those. That should be fine.
> 
> You should check, if mod_spnego does work fine with <Location>
> directives and not only with <Directory>. I would expect that, but the
> docs are not clear about it.

Looking at forum messages at sf mod_spnego site it seems that Location directives worked out whereas Directory directives did not.

Thanks!
Cenk
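
Added example, not part of the original message and not tested against mod_spnego: one common arrangement for the RequestHeader idea discussed above, in which mod_rewrite copies the authenticated user into an environment variable and a late-mode RequestHeader sets the header just before mod_jk handles the request. The /app path, the worker1 worker name, the X-Remote-User header name, the keytab path and the AuthType value are assumptions; Krb5KeyTabFile and Krb5ServiceName are the directives named elsewhere in this thread.

```apache
# Added illustration; paths, worker name and header name are placeholders.

# Drop any client-supplied copy of the header before anything else runs,
# so only a value set after authentication can reach Tomcat.
RequestHeader unset X-Remote-User early

# Existing mod_jk mapping (worker name is hypothetical).
JkMount /app/* worker1

<Location /app>
    # Authentication. The AuthType value is an assumption about mod_spnego;
    # the keytab path is a placeholder.
    AuthType SPNEGO
    Krb5KeyTabFile /path/to/http.keytab
    Krb5ServiceName HTTP
    Require valid-user

    # Copy the authenticated user into the environment variable RU.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]

    # Late-mode RequestHeader runs immediately before the content
    # generator (here mod_jk), which is after authentication.
    # env=RU means the header is only set when a user was authenticated.
    RequestHeader set X-Remote-User %{RU}e env=RU
</Location>
```

mod_jk also passes the authenticated user to Tomcat over AJP; with tomcatAuthentication="false" on the AJP connector, request.getRemoteUser() returns it without any header.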



RE: mod_spnego SingleSignOn over mod_jk

Posted by Martin Gainty <mg...@hotmail.com>.
Good point. Can you display for us the Directory configuration in httpd.conf?
 
e.g. something like
 
#assume you do not have mod_auth_sspi http://sourceforge.net/projects/mod-auth-sspi/
<Directory "/home/bob/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
# not valid with SSPI
Krb5KeyTabFile /home/alice/krb5kt
#
Krb5ServiceName HTTP
</Directory>
Martin

Re: mod_spnego SingleSignOn over mod_jk

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Cenk,

Cenk Oguz wrote:
> I am looking into configuring SingleSignOn Kerberos authentication in
> a Tomcat application using SPNEGO authentication on an Apache2
> frontend server. The frontend apache2 currently forwards all requests
> to Tomcat through mod_jk.
> 
> As I see there is an apache2 module for Kerberos authentication
> without user intervention, mod_spnego.
>
> However I am curious to know if it is possible using mod_spnego to
> forward the authenticated user/principal in an http header to Tomcat
> from Apache, in the mod_jk stream. The packaged Tomcat application
> requires an http header that contains the user.

For me the mod_spnego code looks like it only sets the usual
authenticated user var, so the name of the user will be available for
the webapp only by using request.getRemoteUser() and not via an http header.

> Also, will authentication take place before mod_jk forwards the
> request? If mod_jk acts before authentication there is no point in
> proceeding with this.

It looks like the two modules play nicely together. mod_spnego only uses
the auth slots and mod_jk totally ignores those. That should be fine.

You should check, if mod_spnego does work fine with <Location>
directives and not only with <Directory>. I would expect that, but the
docs are not clear about it.

> Has anyone had experience in this?

No experience from me, this is just from a quick look at the code.

> /Cenk

Regards,

Rainer

