[EMAIL PROTECTED] tomcat, apache with mod_jk and mod_auth_kerb
Hi, I am using httpd v2.0.58 installed on a Solaris-10 system, and also have mod_auth_kerb with a proper kerberos infrastructure. I am hosting a few new applications on tomcat and wanted to integrate them with kerberos, but via httpd as the front end. As in, httpd will do the front-end kerberos authentication and pass on the authentication details like REMOTE_USER/kerb_cache to tomcat through mod_jk. I have earlier tried using the mod_rewrite module with proxy.. but that would ask me to enable the http connector port of the tomcat instance and would leave the spoofing chances wide open. Like, instead of "my apache" instance doing the authentication and passing on the remote_user variable, there could be any arbitrary user hosting his own httpd instance who could send a spoofed REMOTE_USER variable to the tomcat instance and thus break the whole secured system. Hence, I just want to use the ajp connection of tomcat and keep the http connector of the tomcat instance closed. Regarding ajp, I searched for a while and found that mod_jk and mod_proxy_ajp are the two best around for integrating tomcat with apache, but then learned that mod_proxy_ajp is only available for httpd v2.2 or later, and unfortunately my system's installed version is httpd v2.0.58. So, the mod_proxy_ajp choice is perhaps ruled out for now and I am left with the mod_jk module and its configuration overhead. I have no problems in using mod_jk but could not figure out the way of passing the remote_user variable effectively to the tomcat instance; I would also like scalability, with a single httpd instance supporting multiple tomcat instances (maybe on a single host/spanned across multiple hosts). I have tried using the SetEnvIf, JkEnvVar and RequestHeader directives, only to find them of no use.
Could anyone please help me figure out the much needed lines that I need to put into httpd.conf to get the authentication information passed correctly to tomcat from the kerberized http access. This is a glimpse of the (non-working) httpd configuration that I have for my httpd instance and tomcat right now.. any corrections/suggestions are most welcome.
--
Listen 8080
LoadModule jk_module libexec/mod_jk.so
JkLogFile /home/me/httpd/logs/jk_log
JkLogLevel DEBUG
JkShmFile /home/me/httpd/logs/jkshmfile
JkWorkersFile /home/me/httpd/conf/worker-properties
ServerName httpdauth.mysub.mydomain.com
ServerAlias httpdauth.mysub httpdauth
AuthType Kerberos
AuthName "Testing"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms MYDOMAIN.COM UNIX.MYDOMAIN.COM
KrbServiceName HTTP/[EMAIL PROTECTED]
KrbSaveCredentials on
Krb5Keytab /home/me/httpd/conf/httpdauth.http.keytab
require valid-user
SetHandler jakarta-servlet
RequestHeader set X_REQHDR_REMOTE_USER %{remoteUser}e
SetEnv X_ENV_REMOTE_USER %{remoteUser}e
JkEnvVar X_JK_REMOTE_USER %{remoteUser}e
# earlier rewrite configuration
# RewriteEngine On
# RewriteRule ^/(.*)$ http://intranet/~me/printenv.cgi [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
# RequestHeader set X_REMOTE_USER %{remoteUser}e
# RequestHeader add "X-H-USER" "%{remoteUser}e"
--
With worker properties being:
--
workers.tomcat_home=/home/me/httpd/tomcat/apache-tomcat-5.5.12
workers.java_home=/usr/local/java/jdk
ps=/
worker.list=default
worker.default.port=64089
worker.default.host=localhost
worker.default.type=ajp13
worker.default.lbfactor=1
--
Are there any other ways? Or could I also be missing any lines/directives in the configuration?
Thanks,
Nikhil
[EMAIL PROTECTED] Re: tomcat, apache with mod_jk and mod_auth_kerb
On Mon, Jul 14, 2008 at 2:39 PM, Rainer Jung <[EMAIL PROTECTED]> wrote:
>
>> First of all 5.5.12 is very outdated and also very early in the 5.5
> release cycle.
>
> You need to add 'tomcatAuthentication="false"' in the Connector element for
> your AJP connector. The connector you showed us above is
>
> - an https connector
> - a comment and not active
>
> At least two good reasons, why this is not the right one. The AJP Connector
> is the one, which uses port 8009 in the default configuration and which you
> can identify by 'protocol="AJP/1.3"'.
>
> Regards,
>
> Rainer
>
Oops.. here is the http connector line in my configuration:

Thanks Rainer. I will try out the later releases.. maybe tomcat6 itself.

Nikhil
[EMAIL PROTECTED] Re: tomcat, apache with mod_jk and mod_auth_kerb
On Mon, Jul 14, 2008 at 4:22 PM, Nikhil <[EMAIL PROTECTED]> wrote:
>
> On Mon, Jul 14, 2008 at 2:39 PM, Rainer Jung <[EMAIL PROTECTED]>
> wrote:
>>
>>> First of all 5.5.12 is very outdated and also very early in the 5.5
>> release cycle.
>>
>> You need to add 'tomcatAuthentication="false"' in the Connector element
>> for your AJP connector. The connector you showed us above is
>>
>> - an https connector
>> - a comment and not active
>>
>> At least two good reasons, why this is not the right one. The AJP
>> Connector is the one, which uses port 8009 in the default configuration and
>> which you can identify by 'protocol="AJP/1.3"'.
>>
>> Regards,
>>
>> Rainer
>>
>
> Oops.. here is the http connector line in my configuration:
>
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" redirectPort="8443" acceptCount="100"
> connectionTimeout="2" disableUploadTimeout="true" />
>
> Thanks Rainer. I will try out the later releases.. maybe tomcat6 itself.
>
> Nikhil
>
but still.. I do not get what is wrong with 5.5.12, and what could I do, at least in the httpd configuration, that would get the kerberized apache authentication working in the tomcat apps.
--
Nikhil
Google is Great !
[EMAIL PROTECTED] Re: tomcat, apache with mod_jk and mod_auth_kerb
On Mon, Jul 14, 2008 at 5:00 PM, Rainer Jung <[EMAIL PROTECTED]> wrote:
>
> Again, the http connector is *not* what you need to edit, if you want to
> combine Tomcat with mod_jk or mod_proxy_ajp. It is the AJP connector. See my
> previous mail.
>
> You need to add tomcatAuthentication="false" to that connector.
>
> Regards,
>
> Rainer
>
I seem to get it, Rainer. But the thing is that with my installed tomcat-5.5.12 version I do not already have any tomcatAuthentication directive (if I call it that way). Okay, I get that you want me to "add" it, so this is what I edited in server.xml now:

After editing the change in the ajp connector and restarting tomcat, I still am not able to get the remote_user variable passed. I am using the following jsp installed under webapps/jsp-examples/readheaders.jsp to have the environment variables listed, but without any success..

<%@ page language="java" %>
<%@ page import="java.util.Enumeration" %>
<html>
<body>
<h2>HTTP Request Headers</h2>
<table border="1">
<tr><th>Name</th><th>Value</th></tr>
<%
// Get all HTTP request headers names/values
Enumeration e1 = request.getHeaderNames();
while (e1.hasMoreElements()) {
    String name = ((String) e1.nextElement()).toUpperCase();
    // A header may be sent more than once, so list every value
    Enumeration e2 = request.getHeaders(name);
    while (e2.hasMoreElements()) {
        String value = (String) e2.nextElement();
%>
<tr><td><%= name %></td><td><%= value %></td></tr>
<%
    }
}
%>
</table>
</body>
</html>
--
Any suggestions? (Although I am still to try out Tomcat6, I would prefer fixing the existing installation unless there are any real problems in the tomcat version that I am using.)
Thanks,
Nikhil
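An added example, not from this thread and not one of Tomcat's bundled jsp-examples, showing where the Apache-supplied identity surfaces once the AJP connector carries tomcatAuthentication="false". mod_jk sends REMOTE_USER and AUTH_TYPE as fixed fields of the AJP13 forward-request packet, so no JkEnvVar or RequestHeader directive is involved; with tomcatAuthentication="false" the AJP connector turns them into the request's principal, which the servlet API exposes through getRemoteUser()/getUserPrincipal()/getAuthType(). A header-dumping JSP therefore never shows the user, because it never arrives as an HTTP header. The connector port 64089 is taken from the worker properties earlier in the thread; the servlet class name and the web.xml mapping in the comments are the example's own assumptions.

```java
// Added example (not from the thread or from Tomcat's jsp-examples).
// Assumed deployment: behind mod_jk, with this AJP connector in server.xml
// (port 64089 matches the worker.default.port used earlier in the thread):
//   <Connector port="64089" protocol="AJP/1.3" tomcatAuthentication="false" />
// and a hypothetical mapping in web.xml of this servlet to /whoami.
// Written against Servlet 2.4 (Tomcat 5.5), so raw Enumeration is used.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WhoAmIServlet extends HttpServlet { // hypothetical class name

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // The identity mod_auth_kerb established in Apache arrives over AJP and,
        // with tomcatAuthentication="false", is installed as the request principal.
        // It is null when Apache did not authenticate the request (no 'require
        // valid-user' on that URL) or when tomcatAuthentication is still "true".
        String user = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();
        out.println("getRemoteUser()    = " + user);
        out.println("getUserPrincipal() = "
                + (principal == null ? null : principal.getName()));
        out.println("getAuthType()      = " + req.getAuthType());

        // For comparison with a header dump such as readheaders.jsp: the
        // forwarded user is *not* among these. That is the safe design the
        // original poster wanted: anything in a header can be put there by
        // whoever can reach the connector, whereas the AJP remote_user field
        // only comes from the mod_jk worker, which is why the HTTP connector
        // stays closed when Apache does the authentication.
        out.println();
        out.println("Request headers seen by Tomcat:");
        Enumeration names = req.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Enumeration values = req.getHeaders(name);
            while (values.hasMoreElements()) {
                out.println("  " + name + ": " + values.nextElement());
            }
        }

        if (user == null) {
            out.println();
            out.println("No forwarded user. Check that the request came in over "
                    + "the AJP connector, that the connector carries "
                    + "tomcatAuthentication=\"false\", and that Apache's "
                    + "'require valid-user' applies to this URL.");
        }
    }
}
```

Point a browser through the Apache front end at the mapped URL and the first three lines show the Kerberos principal as Apache set it; hitting the same servlet on an open HTTP connector would print null for all three, which is a quick way to confirm that only the mod_jk path carries identity.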
[EMAIL PROTECTED] Re: tomcat, apache with mod_jk and mod_auth_kerb
Rainer, I seem to have found a related link on this, but this is really old, pertaining to older versions of Tomcat.. any suggestions please. http://marc.info/?t=10431829842&r=1&w=2
[EMAIL PROTECTED] Re: tomcat, apache with mod_jk and mod_auth_kerb
I tried out Tomcat6 too and added 'tomcatAuthentication="false"' to the ajp connector, but that still does not work. :-(
On Mon, Jul 14, 2008 at 7:15 PM, Nikhil <[EMAIL PROTECTED]> wrote:
> Rainer,
> I seem to have found a related link on this but this is really old
> pertaining to the older versions of Tomcat.. any suggestions please.
> http://marc.info/?t=10431829842&r=1&w=2
>
--
Nikhil
Google is Great !
Re: [EMAIL PROTECTED] set http header with mod_rewrite
On Wed, Jul 16, 2008 at 6:33 PM, Raphael Bauduin <[EMAIL PROTECTED]> wrote:
> On Wed, Jul 16, 2008 at 2:54 PM, Severin Gehwolf
> <[EMAIL PROTECTED]> wrote:
> > Hi!
> >
> >> Here are more details:
> >>
> >> I have an apache server (front.example.com) configured as a reverse
> >> proxy, and requests are actually handled by apache servers not
> >> directly reachable from the outside. Those apache servers
> >> (back1 listening on 10.0.0.1 and back2 on 10.0.0.2) are configured for
> >> doing virtual hosting.
> >>
> >> back1 serves pages for the websites www.example.com and www.test.com
> >>
> >> So www.example.com resolves to the IP of front.example.com, which will
> >> proxy the request to back1. But the Host header should be set as
> >> back1 also serves www.test.com.
> >>
> >> My current solution is to use mod_proxy with ProxyPass,
> >> ProxyPass / http://www.example.com/
> >> ProxyPassReverse / http://www.example.com/
> >> and an entry in /etc/hosts:
> >> 10.0.0.1 www.example.com
> >>
> >> I hoped to be able to write something similar to
> >> RewriteRule (.*) http://10.0.0.1$1 [P, HEADER:Host=www.example.com]
> >>
> >> but no documentation seems to imply there's a way to do this.
> >>
> >> I'll be happy to take all advice you might have!
> >
> > Maybe, you should look at ProxyPreserveHost
> >
> > http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost
> >
>
> Yes, thanks!
>
> Still curious to know if there's a way to set a header with
> RewriteRule though ;-)
>
> Raph
>
eg:
RewriteRule ^/(.*)$ http://www/~me/printenv.cgi [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
RequestHeader set X_REMOTE_USER %{remoteUser}e
RequestHeader add "X-H-USER" "%{remoteUser}e"
Re: [EMAIL PROTECTED] set http header with mod_rewrite
On Wed, Jul 16, 2008 at 9:00 PM, Raphael Bauduin <[EMAIL PROTECTED]> wrote:
if it is CGI -- are you able to read the X_HOST variable then?