Hi Cenk, Cenk Oguz schrieb: > I am looking into configuring SingleSignOn Kerberos authentication in > a Tomcat application using SPNEGO authentication on a Apache2 > frontend server. The fontend apache2 currently forwards all requests > to Tomcat through mod_jk. > > As I see there is an apache2 module for Kerberos authentication > without user intervention, mod_spnego. > > However I am curious of knowing if it is possible using mod_spnego to > forward the authenticated user/principal in a http header to Tomcat > from Apache, in the mod_jk stream. The packaged Tomcat application > requires an http header that containes the user.
For me the mod_spnego code looks like it only set the usual authenticated user var, so the name of the user will be available for the webapp only by using request.getRemoteUser() and not via an http header. > Also, will autentication take place before mod_jk forwards the > request? If mod_jk acts before autentication there is no point in > proceding with this. It looks like the two modules play nicely together. mod_spnego only uses the auth slots and mod_jk totally ignores those. That should be fine. You shoulkd check, if mod_spnego does work fine with <Location> directives and not only with <Directory>. I would expect that, but the docs are not clear about it. > Has anyone had experience in this? No experience from me, this is just from a quick look at the code. > /Cenk Regards, Rainer --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
