Hello all, This may be better suited to Apache users group but I will try here in case.
I am running tomcat 6.0.24 , jre 1.6.0_16, Apache/2.2.15 (Debian) , mod_auth_kerb/5.4 , mod_jk/1.2.28 mod_python/3.3.1 all installed via apt on Debian Lenny. I have successfully been able to get all of this working (authentication, forwarding etc). I have a java web app that has a servlet that serves as a proxy to get around cross site scripting. http://myapp/Proxy?url=www.somesite.com I let Apache and mod_auth_kerb handle all authentication and it does well. If I access my Proxy servlet like so: http://MY_DOMAIN.COM/my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html (Notice I am proxying to the same domain but different application) I get a 401 error. Here is what the access log (for apache) looks like for this request. 10.150.15.116 - - [04/Jun/2010:18:06:55 +0000] "GET /index.html HTTP/1.1" 401 829 "-" "Java/1.6.0_16" 10.150.15.212 - gfo...@my_domain.com [04/Jun/2010:18:06:54 +0000] "GET /my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html HTTP/1.1" 500 394 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 ( .NET CLR 3.5.30729)" o Now if you notice the request from ip address 212 is actually the browser request to the proxy. The request from ip address 216 is the request from tomcat (notice the Java/1.6.0_16). So it appears that Apache sees this request from the jre and tries to authenticate against mod_auth_kerb and of course it fails. Is it possible to force tomcat to pass on the credentials it receives from the initial request(browser) along to tomcats own request back to apache? Hopefully this is somewhat clear? Flow: Browser makes request to ----> http://MY_DOMAIN.COM/my_proxy_app/Proxy ----> mod_auth_kerb authenticates and then mod_jk realizes it is a java app so it hands off the request to tomcat ----> Proxy servlet runs on tomcat and makes a URL request to http://MY_DOMAIN.COM/index.html ---> Apache attempts to authenticate this request but since it is coming from the jre it disallows this request. Thanks in advance! GF