archiva-users mailing list archives

From Brett Porter <br...@apache.org>
Subject Re: Using external authentication with Archiva/Redback
Date Wed, 13 Apr 2011 08:15:11 GMT
Unfortunately, only the /repository/ section uses basic auth headers - so it might work for
those, but not the webapp that relies on cookies being set. Even so, you'd have to hook it
up to LDAP for the user details. At present, we don't store any roles in LDAP - they are always
in the Archiva user database.

On 13/04/2011, at 4:13 AM, Dustin Parker wrote:

> Hello all,
> 
> Our httpd hosts a large variety of web applications using various technologies, including
> a mod_jk proxy to Tomcat, where Archiva is hosted. It also protects everything with SSL and
> mod_sspi, meaning that users get an authentication prompt and use their domain credentials
> to log in. Some applications, like svn, can then use these credentials without having their
> own authentication layer. I can't figure out how to get Archiva to do something similar, however.
> mod_jk appears to be sending my username to Tomcat:
> 
> 02c0 63 3D 00 A0 08 00 01 30 00 03 00 14 46 4F 52 57 - c=.....0....FORW
> 02d0 41 52 44 53 4C 4F 50 45 5C 64 70 61 72 6B 65 72 - ARDSLOPE\dparker
> 02e0 00 04 00 04 4E 54 4C 4D 00 FF 00 00 00 00 00 00 - ....NTLM........
> 
> (See "Attributes" here: http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)
> 
> (I can't find any docs that guarantee that getRemoteUser() responds with this username.
> Is there any way for me to tell if it's propagating correctly?)
> 
> Anyway, if it is propagating correctly, how can I convince Archiva and/or Redback to
> just accept these credentials? Tomcat is only listening on local interfaces and is hidden
> from the outside world, so I accept the security risks of doing so.
> 
> Bonus question: can user mapping against LDAP still succeed in this case? (It'd be nice
> to grab roles for the current user from LDAP.)
> 
> Thanks one million,
> Dustin
> 

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
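
Added example, not part of the original messages: a small Python decoder for the attribute section of an AJP13 Forward Request, run over the bytes of the quoted dump from the 0x03 code (offset 0x02c9) onward, to confirm that mod_jk is sending remote_user and auth_type. The function and constant names are this example's own; the attribute codes are the standard AJP13 ones.

```python
import struct

# AJP13 request attribute codes (string-valued unless handled specially below).
ATTRS = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
         0x04: "auth_type", 0x05: "query_string", 0x06: "route",
         0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
         0x0A: "req_attribute", 0x0B: "ssl_key_size",
         0x0C: "secret", 0x0D: "stored_method"}
ARE_DONE = 0xFF  # terminates the attribute list

def read_string(buf, pos):
    """AJP string: 2-byte big-endian length, the bytes, then one NUL."""
    if pos + 2 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:  # null string: no data and no terminator follow
        return None, pos + 2
    end = pos + 2 + n
    if end >= len(buf) or buf[end] != 0:
        raise ValueError("string overruns buffer or lacks NUL terminator")
    return buf[pos + 2:end].decode("latin-1"), end + 1

def parse_attributes(buf, pos=0):
    """Decode attributes starting at pos until the are_done marker."""
    out = {}
    while True:
        if pos >= len(buf):
            raise ValueError("missing are_done (0xFF) terminator")
        code = buf[pos]
        pos += 1
        if code == ARE_DONE:
            return out
        if code not in ATTRS:
            raise ValueError(f"unknown attribute code 0x{code:02X}")
        if code == 0x0A:    # req_attribute carries a name and a value
            name, pos = read_string(buf, pos)
            value, pos = read_string(buf, pos)
            out.setdefault("req_attribute", {})[name] = value
        elif code == 0x0B:  # ssl_key_size is a 2-byte integer, not a string
            (out["ssl_key_size"],) = struct.unpack_from(">H", buf, pos)
            pos += 2
        else:
            out[ATTRS[code]], pos = read_string(buf, pos)

# Bytes copied from the dump quoted above, beginning at the 0x03 attribute code.
SAMPLE = bytes.fromhex(
    "03 00 14 46 4F 52 57 41 52 44 53 4C 4F 50 45 5C 64 70 61 72 6B 65 72 00 "
    "04 00 04 4E 54 4C 4D 00 FF")
```

This only shows what mod_jk put on the wire. Whether Tomcat then returns that value from getRemoteUser() is decided on the Tomcat side by the AJP connector's `tomcatAuthentication` setting.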

