André Warnier wrote:
[...]
Ok, let me explain why I asked these simplistic questions, not that you
would think me gaga.
I use a non-conventional database application, which wants a user-id as
the content of an HTTP request header. Say
DBUID: johnsmith
To provide an SSO solution for that application, I previously wrote a
servlet filter, which gets the authenticated user-id from tomcat, and
transforms it into such an HTTP header, creates a wrapper for the
request, to which it adds this header, then passes the wrapped request
to the servlet that talks to the database.
When the source of the user-id is a Windows domain, I add another
servlet filter from the Samba people (see http://jCIFS.samba.org), which
performs the HTTP/NTLM authentication and sets the Tomcat user-id to the
user's Domain user-id.
Then my filter picks it up from Tomcat etc.
It all works very nicely, and the jCIFS filter is easy to configure and
just works.
But now I have another issue: in front of that Tomcat, is an Apache,
with plenty of things done by Apache in mod_perl modules, and only a few
passed on to Tomcat.
And I would need the user's Windows authentication to be done at the
Apache level, so that it can be used more generally than for the links
processed by Tomcat only.
There are several Apache modules that allow doing an NTLM authentication
at the Apache level. But either they do not work in some circumstances,
or else they are complicated and really heavy to set up (for example,
requiring Samba and winbind, which I don't otherwise need nor want).
So my idea was to implement, at the Apache level, a simple mod_perl
authentication module which just passes a request to the back-end
Tomcat, to get the user-id as negotiated by jCIFS, retrieves the answer,
and uses this user-id to authenticate at the Apache level.
The Apache user-id can then be passed on to Tomcat via mod_jk, for the
requests that need Tomcat.
I could do this either by creating a tiny specific webapp wrapped into
the JCIFS filter (the reason for my original posting), or else I could
arrange for the filter which I already wrote above to respond to those
special requests itself, and bypass the database servlet in that case.
(the reason for my secondary posting).
I mean, I have the Apache and mod_jk and Tomcat and jCIFS anyway, so I
might as well use them, and not complexify the setup by introducing more
software and modules, right?
Now, from anyone who had the patience to follow up to here, any comments?
Thanks
(and thanks for the previous answers also)
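The header-injecting filter described in the message, sketched as an added example (not the poster's code): it wraps the request so the `DBUID` header always carries the authenticated user-id and any `DBUID` value sent by the client is never visible downstream. The class name `DbUidHeaderFilter` and the 403 response for unauthenticated requests are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; map it after the authenticating filter (jCIFS in the post).
public class DbUidHeaderFilter implements Filter {
    private static final String HEADER = "DBUID"; // header name from the post

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // User-id established by the container or an upstream authentication filter.
        final String user = http.getRemoteUser();
        if (user == null) { // assumption: refuse rather than forward without an identity
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getHeader(String name) {
                // A client-supplied DBUID is ignored; only the authenticated id is returned.
                return HEADER.equalsIgnoreCase(name) ? user : super.getHeader(name);
            }
            @Override public Enumeration<String> getHeaders(String name) {
                if (HEADER.equalsIgnoreCase(name)) {
                    return Collections.enumeration(Collections.singletonList(user));
                }
                return super.getHeaders(name);
            }
            @Override public Enumeration<String> getHeaderNames() {
                // Drop any client copy of the header name, then list ours exactly once.
                List<String> names = new ArrayList<String>();
                Enumeration<String> e = super.getHeaderNames();
                while (e.hasMoreElements()) {
                    String n = e.nextElement();
                    if (!HEADER.equalsIgnoreCase(n)) names.add(n);
                }
                names.add(HEADER);
                return Collections.enumeration(names);
            }
        }, res);
    }
}
```

Overriding all three header accessors matters because a servlet may read the header through any of them; overriding only `getHeader` would let a client-sent `DBUID` surface through `getHeaders`.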