On 19.09.2018 13:57, André Warnier (tomcat) wrote:
On 18.09.2018 23:24, Thomas Delaney wrote:
Hello All,
I have recently configured Apache Tomcat on a SuSe Enterprise 12 SP3 server
to get Kerberos SSO working with a web client application. I have also in
addition configured Apache HTTPD 2.4.29 on the same machine. When I reach
that website I am failing to get SSO working. The web server is not passing
off the delegation credentials to Apache Tomcat server. I have the web
server load balance proxying its request to multiple Apache Tomcat
instances. I have tried applying mod_proxy_http environment variables, but
the site continues to fail SSO. Is there a guide or configuration that
HTTPD and Apache Tomcat both use to involve Apache HTTPD passing off
delegation credentials to Apache Tomcat?
If you would like someone here to be able to help you, you would need to be
much more precise than that. You write "I have done this" and "I have done
that", but without giving any clue as to /how/ you did this or that.
You are not even saying /where/ you have configured the Kerberos SSO. Under the
Apache httpd front-end ? or under Tomcat ?
To point you nevertheless in a possible direction, read this :
https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Apache_httpd
(and, in your mind, substitute "Windows authentication" by "Kerberos
authentication")
Addendum :
Searching Google for "tomcat REMOTE_USER" shows quite a few relevant links.
Unfortunately, none of them seems to point directly to the particular combination you are
looking for, but by combining them you will get a pretty good idea of how this could work.
One solution which would certainly work out of the box is this :
browser <= HTTP(S) => Apache httpd <= AJP => Tomcat AJP Connector
+ mod_proxy (with
"tomcatAuthentication="false")
+ mod_proxy_ajp
(or mod_jk)
+ mod_(whatever-authentication)
In a nutshell : that is because when Apache httpd authenticates a user (via whichever
authentication method is configured there), then subsequently proxies this request to
Tomcat via AJP, then in the AJP request to Tomcat, the authenticated user-id is passed
along. The Tomcat AJP Connector then picks this up, and sets the Tomcat authenticated user
to that same value.
Note that this (along with any other solution which passes the httpd-authenticated user
along with the request to the back-end tomcat server) is only as secure as the connection
itself between the front-end Apache httpd and the back-end Tomcat.
Unfortunately, the Tomcat AJP Connector seems to be the only one to offer such an option
"out of the box", and the HTTP Connectors don't seem to offer that.
There is a long discussion about this here :
http://tomcat.10.x6.nabble.com/Tomcat-REMOTE-USER-getRemoteUser-td5037513.html
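As an added illustration of the httpd-side half of the AJP setup described above (example configuration written for this page, not taken from the thread or from the Tomcat documentation): an Apache httpd 2.4 front-end authenticates the browser with Kerberos through mod_auth_gssapi and then load-balances the request over AJP to two Tomcat instances. The module being loaded, the keytab path, the `/app` context, the two AJP ports and the `node1`/`node2` routes are all assumptions; adjust them to the real deployment. mod_proxy, mod_proxy_ajp, mod_proxy_balancer and a lbmethod module are assumed to be enabled already.

```apache
# Added example: Kerberos at the httpd front-end, identity forwarded to Tomcat over AJP.
# Only the front-end authenticates; Tomcat merely trusts the user name carried in AJP.

<Location "/app">
    # mod_auth_gssapi negotiates SPNEGO/Kerberos with the browser.
    AuthType GSSAPI
    AuthName "Kerberos Login"
    # Assumed keytab location holding the HTTP/<fqdn>@REALM service key.
    GssapiCredStore keytab:/etc/apache2/http.keytab
    GssapiAllowedMech krb5
    # Strip the @REALM suffix so REMOTE_USER is the bare principal name.
    GssapiLocalName On
    Require valid-user
</Location>

# Two back-end Tomcat AJP connectors; the route names must match each
# instance's Engine jvmRoute so sticky sessions return to the right node.
<Proxy "balancer://tomcat">
    BalancerMember "ajp://127.0.0.1:8009" route=node1
    BalancerMember "ajp://127.0.0.1:8010" route=node2
    ProxySet stickysession=JSESSIONID|jsessionid
</Proxy>

# With AJP the authenticated REMOTE_USER travels inside the protocol itself;
# no extra header or mod_proxy_http environment variable is needed.
ProxyPass        "/app" "balancer://tomcat/app"
ProxyPassReverse "/app" "balancer://tomcat/app"
```

On the Tomcat side each instance needs an AJP connector that accepts the forwarded identity instead of authenticating itself, for example `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />` in server.xml (port 8010 on the second node, and a matching `jvmRoute` on each Engine). Because Tomcat then believes any user name presented on that port, the connector should listen only on an interface httpd can reach, as with `address="127.0.0.1"` here or an equivalent firewall rule; in later releases (Tomcat 8.5.51 / 9.0.31 and newer with httpd 2.4.42 and newer) the connector's `secret` attribute and the matching `secret=` parameter on the AJP ProxyPass add a shared token the front-end must present, which is the practical answer to the "only as secure as the connection itself" caveat above.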
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org