Hi Andre
Thanks for the reply.
I had a long discussion with our architecture group today. Basically they
want Cleartrust authentication at the web gateway (in place now) and again
at the web server. The gateway (an Apache instance) and the Tomcat server
would not be on the same physical box - they would be in separate security
zones.
An option is to use yet another Apache instance fronting Tomcat. I'm not
sure what sort of performance hit this would be (i.e. Apache -> Apache ->
Tomcat) - do you have any insight?
Regards
Ron
----- Original Message -----
From: "André Warnier" <a...@ice-sa.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Sunday, June 20, 2010 9:37 PM
Subject: Re: Cleartrust RSA integration
Ron McNulty wrote:
> Hi All
> We are thinking of bringing some of our apps off proprietary J2EE servers
> to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux
> on a VM (not sure of versions). One of the requirements is to
> authenticate using RSA Cleartrust.
> From my reading, Tomcat does not support this. The recommended solution
> is to front Tomcat with Apache, and let Apache do the Cleartrust
> integration.
> The links I have found are a bit ancient - are my assumptions still
> correct? Also, our system architects seem to think this setup is
> insufficiently secure - comments?
Assuming the Apache Cleartrust authentication is secure...
If Apache authenticates a request, and if the Apache/Tomcat connector is
mod_jk, then the authenticated user-id is propagated from Apache to Tomcat
(*).
(Additional info could be propagated via additional HTTP headers, or
"request attributes").
If the link between Apache and Tomcat is secure (like for example both run
on the same machine and the connection is purely internal), then there is
no reason why this would be less secure.
(*) Whether Tomcat actually uses it is determined by the
"tomcatAuthentication" attribute of the AJP <Connector>.
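The AJP connector setting referred to above, written out as an added example (this is not configuration posted in the thread). It assumes Tomcat 6 with mod_jk on the Apache side, a constructed internal interface address 10.0.1.5 that only the gateway can reach, and that your Tomcat version's Java AJP connector accepts `requiredSecret` (check the AJP connector reference for the exact release).

```xml
<!-- Added example server.xml fragment, not from the thread.
     Constructed values: address 10.0.1.5, the secret string. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- tomcatAuthentication="false": Tomcat trusts the REMOTE_USER that
         Apache (after Cleartrust) forwards over AJP, so
         request.getRemoteUser() returns it without consulting a Realm.
         Consequence: anything that can open a connection to this port can
         assert any user-id, so the port must only be reachable from the
         gateway. address= binds it to the internal interface; a firewall
         rule between the zones should allow only the gateway host.
         requiredSecret= (assumed supported on this release) rejects AJP
         requests whose worker does not present the same secret. -->
    <Connector protocol="AJP/1.3"
               port="8009"
               address="10.0.1.5"
               tomcatAuthentication="false"
               requiredSecret="example-secret-change-me" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

On the Apache side the matching mod_jk worker carries the same value in `worker.<name>.secret` in workers.properties, and any extra Cleartrust attributes exported as Apache environment variables can be passed through with `JkEnvVar` so the webapp reads them via `request.getAttribute()`.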
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org