Johnny Kewl wrote:
----- Original Message ----- From: "André Warnier" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, June 05, 2008 1:06 AM
Subject: RE: Single sign on issue with Tomcat and Apache
Hi.
I saw your ongoing discussion, and maybe I can contribute something,
but I need some more info before.
Here is what you explained before :
a) You have one site "aaa.com" to which users access this way :
user -------------------------------> tomcat aaa.com
b) and another site "bbb.com" to which users access this way :
1) static content :
user ------------------------------> Apache bbb.com
2) dynamic content :
user -----> Apache ---> mod_jk ---> tomcat bbb.com
Is it really like described above ?
Yes the exact architecture would help ;)
I understand it like this
browser ------------------> Tomcat on aaa.com
browser <----------------- Tomacat delivers web pages with links to
bbb.com/image.jpg
browser -------------------> Apache on bbb.com with images and stuff
(that wont authenticate)
Reason is browser will not return auth and cookies that belong to domain
aaa.com to bbb.com
What (I think) may work is what you have indicated
user -----> Apache (bbb.com) ---> mod_jk ---> tomcat aaa.com
All links now to bbb.com and JK setup to talk to aaa.com
Images on Apache and servlet JKMounted on aaa.com
The browser will return Basic header and cookies... so I think Apache
auth modules and tomcat on SingleSignOn will work.
All assuming this can be setup and if the images are hosted remotely
that the Sp can set up JK etc.
But is webapp cannot be changed and images are hardcoded in servlet... I
think he's snookered and probably has to lose authentication on Apache.
Thats how I understand it...
Maybe?
There are too many known unknowns at the moment to propose something
precise. If there is only a single Tomcat with a single localhost Host
and two webapps, then it would simplify the domain stuff and the
SingleSignOn at that end.
The general schema I am thinking about, if .. , is
- all requests go through Apache, and from there to Tomcat or not
- Tomcat allows only calls from Apache (IP filter)
- Apache does all the authentication
- mod_jk will pass the Apache user-id to Tomcat for requests that go there
- the Apache config for Tomcat-destined links is of the kind
<Location (or LocationMatch) ..>
SetHandler Jakarta-servlet
Authentication stuff..
Require ...
</Location>
I'm not quite sure if for the "static" stuff you can combine JkUnMount's
with a Location like above, but it's worth a try.
Interesting anyway, and it kinds of fits with something I should get
busy with in a few weeks.
André
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]