Maciej Matecki wrote:
On Sat, Jun 27, 2009 at 10:04 AM, André Warnier<a...@ice-sa.com> wrote:
Maciej Matecki wrote:
...
Do you have any compiled module for Apache which provides Kerberos
authorization under Windows and Apache 2.x?
Hi.
Just a question: is there any mechanism that allows you to do that from
Tomcat?
Because if there is, then I can provide you with a "trick" to use this for
Apache also.  I use such a trick myself, unfortunately not with Kerberos but
with NTLM.

Hi,
Yes. I just need to find in headers the name of user authorized with
Kerberos (I use the preauth filter in Spring Security). So if you've
got any good method to achieve that I'll be very thankful.
Regards,

All right, here is the trick. Depending on your circumstances, this may or may not be difficult. I developed this method for a practical reason, probably the same as you have found out: there are some forms of authentication that are easier to do under Apache on some platforms, others that are easier to do under Tomcat on some platforms. This allows me to choose.

But a warning, first of all: in my case, what I am about to describe works. But, technically, it is equivalent to being a "man-in-the-middle" between the browser and the real authentication in Tomcat. I have no idea if that will work with Kerberos.

The general idea is:

1) create a small servlet to insert in your Tomcat application.
Since this servlet is "in" your webapp, it is submitted to the same Tomcat authentication rules as the rest of your webapp. In other words, I am supposing that it will only get executed if the request has already been authenticated by Tomcat, using whatever method is configured in Tomcat for ditto. This servlet does one thing: it picks up the authenticated Tomcat user-id for this request (String userId = request.getRemoteUser();), and creates a simple text/plain response containing that user-id. It can also add a special HTTP header to this response, to make the work of the other part (below) easier.

2) In Apache now, you have to create your own authentication module.
When this module checks the browser request, and finds that it is not authenticated, it creates its own internal HTTP request to the back-end Tomcat and to your servlet. In this request, it copies all the HTTP headers as received in the original request from the browser (but it changes the URL, to address your servlet).

When it gets the response back from Tomcat, two cases are possible:

a) it is the user-id response (from your servlet). In that case, you now have your user-id, you set it for Apache, and you continue in Apache with the original request, now authenticated.

b) it is not the user-id response, but something else. In that case, you return the entire Tomcat response back to the browser.

Case a) is easy to detect, because it contains the special header which your Tomcat servlet added.

Case b) is for the case where Tomcat "catches" the call to your servlet as not yet authenticated. Tomcat will then send back some 401 response, asking the browser to authenticate. You forward this response to the browser, transparently. The browser then sends back some new request, presumably this time with the correct authentication headers. Your authentication module under Apache catches that call again, sees that it is not authenticated yet, and forwards it again to your Tomcat servlet, with all the original headers. This time, Tomcat accepts the authentication, and lets the call go through to your servlet. The servlet returns the user-id, the authentication module in Apache gets it, authenticates the Apache session, et voilà.

Now the question is how to create this Apache authentication module.
I use mod_perl, which for me is the easiest.
Your mileage may vary.
But you could look for the source code of any Apache authentication module in the language of your choice, and modify it to do what I outline above.

Another subtlety consists of, at the Apache level, determining the difference between a request that is authenticated and one that is not. Usually, once you have "provoked" the browser into authenticating once, it will then, in subsequent requests to the same server/area, re-send the same authentication headers without being prompted. Your Apache-level authentication module could check requests for these headers, and pick out the user-id itself. That avoids going back to Tomcat each time. If that is not the case (the browser does not resend the headers), then you may have to put some additional code in your Apache authentication module, to add a "Set-Cookie" to the response. This cookie is then what the Apache authentication module checks for in the subsequent requests. If it is not found, the request is forwarded to your Tomcat servlet.
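An added example of the Tomcat-side servlet from step 1 (this is not code from the thread; the marker header name is an assumption, and the servlet is assumed to be mapped under a security-constraint in web.xml so Tomcat's own authenticator runs first):

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical "who am I" servlet: returns the Tomcat-authenticated user-id
 * as text/plain plus a marker header that the Apache side looks for (case a).
 * Protect its URL with a security-constraint so Tomcat authenticates first.
 */
public class WhoAmIServlet extends HttpServlet {
    // Marker header name is an assumption; the Apache module must use the same name.
    static final String MARKER_HEADER = "X-Tomcat-Auth-User";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userId = request.getRemoteUser();
        if (userId == null) {
            // Only reachable if the security-constraint is missing or misconfigured.
            // No marker header is sent, so the Apache side treats this as case b).
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // A user-id is about to be placed in a header: refuse anything that
        // could carry CR/LF or other control characters into the response.
        if (!userId.matches("[\\x20-\\x7E]+")) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("text/plain");
        response.setCharacterEncoding("UTF-8");
        // The identity must never be cached by Apache or any intermediate proxy.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader(MARKER_HEADER, userId);
        PrintWriter out = response.getWriter();
        out.print(userId);
        out.flush();
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The Apache module forwards the browser's original method; answer POST the same way.
        doGet(request, response);
    }
}
```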
