On 11.10.2009 18:08, André Warnier wrote:
> Rainer Jung wrote:
>> On 11.10.2009 14:35, André Warnier wrote:
>>> Mark Thomas wrote:
>>>> André Warnier wrote:
>>>>> Sam Crawford wrote:
>>>>>> Apologies for misinterpreting your post.
>>>>>>
>>>>>> Unfortunately we can't ditch SunONE - it's a requirement from our
>>>>>> security guys. We're operating in a two-tier DMZ environment and
>>>>>> SunONE will be in the top tier, with an SSO agent running inside it.
>>>>>> JBoss will be in the 2nd tier.
>>>>>>
>>>>> Just by curiosity (and I do not know SunONE): you mention SSO. I know
>>>>> that with Apache and mod_jk, the authenticated Apache user can be passed
>>>>> on to Tomcat, and used by Tomcat. But I don't so far know any other
>>>>> connector able to do this. How does it work with SunONE?
>>>> All the variants of mod_jk (httpd, IIS, Netscape) support this, as does
>>>> mod_proxy_ajp. It is a feature supported by the AJP protocol. AFAIR the
>>>> Netscape variant works with SunOne.
>>>>
>>> Thanks for that clarification.
>>> Since I work mostly with Apache, my knowledge of IIS-related stuff is
>>> scarce, and I have another follow-up question:
>>> If the webserver is IIS, connected to Tomcat (as you imply above) via
>>> the appropriate version of mod_jk, does that mean that when an HTTP
>>> user's browser (IE) connects to IIS, and IIS authenticates the user (via
>>> some NTLM scheme), this IE/IIS user-id is automatically being passed to
>>> Tomcat via AJP, and (depending on the Tomcat configuration) Tomcat can
>>> make use of it?
>>> Or does the above require additional setup steps at the IE/IIS/mod_jk
>>> level?
>>
>> As far as I know that works out of the box. In order to let Tomcat trust
>> the information, you'd need to set tomcatAuthentication though.
>>
>> One unfortunate thing: we use the standard request data REMOTE_USER to
>> forward, and for IIS this is:
>>
>> "The name of the user as it is derived from the authorization header
>> sent by the client, before the user name is mapped to a Windows account.
>> If you have an authentication filter installed on your Web server that
>> maps incoming users to accounts, use LOGON_USER to view the mapped user
>> name."
>>
>> AFAIR this means you get a lot of different mixtures of upper and lower
>> case etc. Not a normalized version of the user id.
>>
>> When activating debug log level in mod_jk, there is a line
>>
>> Service protocol=%s method=%s host=%s addr=%s name=%s port=%d auth=%s
>> user=%s uri=%s
>>
>> which contains the authentication protocol ("auth=") and the user name
>> ("user=") being forwarded.
>>
> Thanks, Rainer.
> Do you also happen to remember if the user-id so forwarded is just the
> user-id, or (if NTLM) does it include the NTLM domain? (like
> domain\user). Or is the answer to that also of the "it depends" type?
Sorry, Andre. Don't have it in my head and I'm also a little short of
testing time right now. Others to chime in?

Regards,

Rainer
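The "Service ..." debug line Rainer quotes is the one place where an administrator can see exactly which identity mod_jk hands to Tomcat, so it is worth auditing for the unnormalized case mixtures he mentions and for whether a domain prefix is present. The following is an added example, not code from this thread or from mod_jk: the sample log lines are constructed, and the text before "Service" is only an assumed log prefix.

```python
import re
from collections import defaultdict

# Field layout quoted in the thread:
#   Service protocol=%s method=%s host=%s addr=%s name=%s port=%d auth=%s user=%s uri=%s
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_service_line(line):
    """Return the key=value fields of one mod_jk 'Service ...' debug line, or None."""
    idx = line.find("Service ")
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len("Service "):]))


def normalize_user(raw):
    """Split an optional NTLM-style DOMAIN\\user prefix and lower-case both parts.
    Returns (domain, user); domain is '' when none was forwarded."""
    domain, _sep, user = raw.rpartition("\\")
    return (domain.lower(), user.lower())


def audit_forwarded_users(lines):
    """Group the raw 'user=' values by normalized identity, so one account arriving
    under several spellings (case, with or without domain) is visible in one row.
    Tomcat with tomcatAuthentication="false" would see each spelling as a
    distinct principal, so these rows are what role mappings must account for."""
    seen = defaultdict(set)
    for line in lines:
        fields = parse_service_line(line)
        if not fields or not fields.get("user"):
            continue  # unauthenticated request or unrelated debug line
        seen[normalize_user(fields["user"])].add((fields.get("auth", ""), fields["user"]))
    return {ident: sorted(forms) for ident, forms in seen.items()}


# Constructed sample lines (not real mod_jk output); only the part after
# "Service" follows the format string quoted in the thread.
SAMPLE_LOG = [
    "[debug] Service protocol=HTTP/1.1 method=GET host=intranet addr=10.0.0.5 name=intranet port=80 auth=NTLM user=CORP\\JSmith uri=/app/",
    "[debug] Service protocol=HTTP/1.1 method=GET host=intranet addr=10.0.0.5 name=intranet port=80 auth=NTLM user=corp\\jsmith uri=/app/data",
    "[debug] Service protocol=HTTP/1.1 method=POST host=intranet addr=10.0.0.9 name=intranet port=80 auth=Basic user=jsmith uri=/app/login",
    "[debug] Service protocol=HTTP/1.1 method=GET host=intranet addr=10.0.0.7 name=intranet port=80 auth= user= uri=/public/",
]

if __name__ == "__main__":
    for ident, raw_forms in audit_forwarded_users(SAMPLE_LOG).items():
        print(ident, "<-", raw_forms)
```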