On 16/11/2009 22:07, André Warnier wrote:
Anthony Jay wrote:

My main issue now is about how the authentication works between Tomcat
and Apache.
That's the only one I can readily answer.
It is extremely simple with mod_jk.
If the user is authenticated at the Apache level, mod_jk will pass this
on to the Tomcat server via AJP.
The only thing to do, is set the 'tomcatAuthentication="false"'
attribute in Tomcat's AJP Connector, and Tomcat will just "believe" the
user-id sent by Apache and mod_jk.
I don't know if, or how, mod_proxy_ajp handles the same thing.


In terms of authentication, which should I use, mod_auth_mysql and
mod_auth_dbm (or mod_auth_form in future or something else?) and why?

There are many many possibilities for this under Apache httpd. Just pick
the one that you like best, on its own merits.
They all basically in the end result in the HTTP request being
"authenticated" at the Apache httpd level (iow to have a user-id), and
that's what you want.

What you then do with it under Tomcat is another story, but that is also
your choice.

In terms of single sign on how can I make the user experience seamless
between static content-managed pages and jsp/servlets? Will mod_jk
handle sso? This does not seem clear to me in all the pages I read. If I
configure form based auth in a login.jsp page will this be relayed to
apache after a redirect?

No, but why would it be ?
Ah, if you want to do the authentication in Tomcat rather than in
Apache, but still use it in Apache ?
There are ways, but you'll need to write your own Apache (httpd)
authentication module. You could then define a dummy servlet in Tomcat,
which just echoes the authenticated user-id (as gotten via
getRemoteUser() e.g.). Then in Apache httpd, you would make a
"side-request" (otherwise known as a sub-request) to this Tomcat webapp
to get the user-id, and use it to authenticate the current request in
Apache.
But that is a complicated scheme, probably only worth it if you find
some Tomcat authentication method that does not exist in Apache httpd,
which is unlikely.


What is best practise and what should I be doing? If there is some hard
to find documentation out there with pointers and tips I would
appreciate a few links.

To read in the Apache httpd docs :
http://httpd.apache.org/docs/2.2/howto/auth.html

Also, personally I would recommend having a look around here :
http://cpan.uwinnipeg.ca/search?query=apache%3A%3Aauth&mode=dist
This is the Perl library. Even if you do not intend to do anything with
Perl, the documentation of many of these modules is a goldmine of
information about how things work.

Expert advice is appreciated.
You just got it.
;-)

There used to be a mod_auth_cookie module that had form auth capabilities, but it wasn't ever in the main distro, it was listed in the related modules site.

I used a variant of it in a HTTPD 1.3 install many years ago, so I can't vouch for its current status. GIYF.


p


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


