> Date: Sun, 28 Jun 2009 16:12:50 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: mod_auth_kerb / mod_spnego on Windows
>
> Maciej Matecki wrote:
>> On Sat, Jun 27, 2009 at 10:04 AM, André Warnier<a...@ice-sa.com> wrote:
>>> Maciej Matecki wrote:
>>> ...
>>>> Do you have any compiled module for Apache which provides Kerberos
>>>> authorization under Windows and Apache 2.x?
>>> Hi.
>>> Just a question : is there any mechanism that allows you to do that from
>>> Tomcat ?
>>> Because if there is, then I can provide you with a "trick" to use this for
>>> Apache also. I use such a trick myself, unfortunately not with Kerberos but
>>> with NTLM.
>>
>> Hi,
>> Yes. I just need to find in headers the name of user authorized with
>> Kerberos (I use the preauth filter in Spring Security). So if you've
>> got any good method to achieve that I'll be very thankful.
>> Regards,
>>
> All right, here is the trick. Depending on your circumstances, this may
> or may not be difficult.
> I developed this method for a practical reason, probably the same as you
> have found out : there are some forms of authentication that are easier
> to do under Apache on some platforms, others that are easier to do under
> Tomcat on some platforms. This allows me to choose.
>
> But a warning, first of all : in my case, what I am about to describe
> works. But, technically, it is equivalent to being a
> "man-in-the-middle" between the browser and the real authentication in
> Tomcat. I have no idea if that will work with Kerberos.
>
> The general idea is :
>
> 1) create a small servlet to insert in your Tomcat application.
> Since this servlet is "in" your webapp, it is submitted to the same
> Tomcat authentication rules as the rest of your webapp.
> In other words, I am supposing that it will only get executed, if the
> request has already been authenticated by Tomcat, using whatever method
> is configured in Tomcat for ditto.
> This servlet does one thing : it picks up the authenticated Tomcat
> user-id for this request (String userId = request.getRemoteUser();), and
> creates a simple text/plain response containing that user-id.
> It can also add a special HTTP header to this response, to make the work
> of the other part (below) easier.
>
> 2) In Apache now, you have to create your own authentication module.
> When this module checks the browser request, and finds that it is not
> authenticated, it creates its own internal HTTP request to the back-end
> Tomcat and to your servlet. In this request, it copies all the HTTP
> headers as received in the original request from the browser, (but it
> changes the URL, to address your servlet).
>
> When it gets the response back from Tomcat, 2 cases are possible :
>
> a) it is the user-id response (from your servlet). In that case, you
> now have your user-id, you set it for Apache, and you continue in Apache
> with the original request, now authenticated.
>
> b) it is not the user-id response, but something else. In that case, you
> return the entire Tomcat response back to the browser.
>
> Case a) is easy to detect, because it contains the special header which
> your Tomcat servlet added.
>
> Case b) is for the case where Tomcat "catches" the call to your servlet
> as not yet authenticated. Tomcat will then send back some 401 response,
> asking the browser to authenticate.
> You forward this response to the browser, transparently. The browser
> then sends back some new request, presumably this time with the correct
> authentication headers. Your authentication module under Apache catches
> that call again, sees that it is not authenticated yet, and forwards it
> again to your Tomcat servlet, with all the original headers.
> This time, Tomcat accepts the authentication, and lets the call go
> through to your servlet. The servlet returns the user-id, the
> authentication module in Apache gets it, authenticates the Apache
> session, et voilà.
>
> Now the question is how to create this Apache authentication module.
> I use mod_perl, which for me is the easiest.
> Your mileage may vary.
> But you could look for the source code of any Apache authentication
> module in the language of your choice, and modify it to do what I
> outline above.
>
> Another subtlety consists of, at the Apache level, determining the
> difference between a request that is authenticated, and one that is not.
> Usually, once you have "provoked" the browser into authenticating once,
> it will then, in subsequent requests to the same server/area, re-send the
> same authentication headers without being prompted.
> Your Apache-level authentication module could check requests for these
> headers, and pick out the user-id itself. That avoids going back to
> Tomcat each time.
> If that is not the case (the browser does not resend the headers), then
> you may have to put some additional code in your Apache authentication
> module, to add a "Set-cookie" to the response. This cookie is then what
> the Apache authentication module checks for, in the subsequent requests.
> If it is not found, the request is forwarded to your Tomcat servlet.
>
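The two halves of the trick above (the user-id servlet behind Tomcat's own authentication, and the Apache-side module that sub-requests it and either adopts the user-id or relays the 401) are modelled below as plain Python functions so the control flow can be exercised offline. This is an added example, not the mod_perl code from the mail or anything from the Tomcat project; the marker header name `X-Userid-Response`, the servlet path `/myapp/whoami`, the cookie name `apache_auth`, the use of Basic auth as the "whatever method is configured in Tomcat", and the credential table are all constructed assumptions. It also shows the cookie fallback from the last paragraph, and the one check a practitioner should keep in mind: the marker header is trusted only on the response to the module's own sub-request, never on anything the browser sends.

```python
"""Simulation of the user-id servlet trick: Tomcat side and Apache side.
Constructed example; names, paths and credentials are assumptions."""
import base64
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

MARKER_HEADER = "X-Userid-Response"   # assumed: header the servlet adds to its reply
SERVLET_PATH = "/myapp/whoami"        # assumed: where the user-id servlet is mapped
SESSION_COOKIE = "apache_auth"        # assumed: cookie used to cache the Apache-side result

# Constructed credential table standing in for Tomcat's configured realm.
TOMCAT_USERS = {"alice": "s3cret"}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class AuthResult:
    user: Optional[str]             # set when Apache now considers the request authenticated
    relay: Optional[Response]       # set when Tomcat's reply must go back to the browser as-is
    set_cookie: Optional[str]       # Set-Cookie value the caller should add to the final response


def basic_auth_header(user: str, password: str) -> str:
    """Build an Authorization header the way a browser would after a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def tomcat_authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Stand-in for Tomcat's container authentication (Basic, for simplicity)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    return user if TOMCAT_USERS.get(user) == password else None


def tomcat_handle(req: Request) -> Response:
    """Tomcat front door: every servlet in the webapp sits behind the same auth rules."""
    user = tomcat_authenticate(req.headers)
    if user is None:
        # Tomcat "catches" the unauthenticated call and challenges the browser.
        return Response(401, {"WWW-Authenticate": 'Basic realm="tomcat"'}, "unauthorized")
    if req.path == SERVLET_PATH:
        # The user-id servlet: request.getRemoteUser() as text/plain plus the marker header.
        return Response(200, {"Content-Type": "text/plain", MARKER_HEADER: "1"}, user)
    return Response(200, {}, f"app content for {user}")


# Apache-side state (in mod_perl this would live in a shared store, not a module global).
_sessions: Dict[str, str] = {}
stats = {"backend_calls": 0}


def _parse_cookie(value: str) -> Dict[str, str]:
    out = {}
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            out[k] = v
    return out


def apache_auth_handler(req: Request,
                        backend: Callable[[Request], Response] = tomcat_handle) -> AuthResult:
    """Apache authentication hook implementing the two cases from the mail."""
    # Cheap path: a cookie we issued earlier already identifies the user.
    token = _parse_cookie(req.headers.get("Cookie", "")).get(SESSION_COOKIE)
    if token is not None and token in _sessions:
        return AuthResult(_sessions[token], None, None)
    # Sub-request to the servlet: same headers as the browser sent, URL rewritten.
    stats["backend_calls"] += 1
    resp = backend(Request(SERVLET_PATH, dict(req.headers)))
    # Case a): the marker is honoured only here, on our own backend response.
    if resp.status == 200 and resp.headers.get(MARKER_HEADER) == "1":
        user = resp.body.strip()
        new_token = secrets.token_hex(16)
        _sessions[new_token] = user
        return AuthResult(user, None, f"{SESSION_COOKIE}={new_token}; HttpOnly; Secure")
    # Case b): anything else (typically the 401) is relayed to the browser unchanged.
    return AuthResult(None, resp, None)
```

Run through once: the first request carries no credentials, so the sub-request comes back 401 and is relayed; the browser re-sends with an Authorization header, the servlet answers with the user-id and the marker, and the module issues a cookie; later requests carrying that cookie never reach the backend. Using `getRemoteUser()` from the servlet rather than parsing the Authorization header in Apache keeps Tomcat as the single place that validates credentials, which is what makes the trick portable across authentication methods.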