tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <>
Subject Re: mod_spnego SingleSignOn over mod_jk
Date Wed, 02 Jan 2008 06:39:49 GMT
Hi Cenk,

Cenk Oguz schrieb:
> I am looking into configuring SingleSignOn Kerberos authentication in
> a Tomcat application using SPNEGO authentication on a Apache2
> frontend server. The fontend apache2 currently forwards all requests
> to Tomcat through mod_jk.
> As I see there is an apache2 module for Kerberos authentication
> without user intervention, mod_spnego.
> However I am curious of knowing if it is possible using mod_spnego to
> forward the authenticated user/principal in a http header to Tomcat
> from Apache, in the mod_jk stream. The packaged Tomcat application
> requires an http header that containes the user.

For me the mod_spnego code looks like it only set the usual
authenticated user var, so the name of the user will be available for
the webapp only by using request.getRemoteUser() and not via an http header.

> Also, will autentication take place before mod_jk forwards the
> request? If mod_jk acts before autentication there is no point in
> proceding with this.

It looks like the two modules play nicely together. mod_spnego only uses
the auth slots and mod_jk totally ignores those. That should be fine.

You shoulkd check, if mod_spnego does work fine with <Location>
directives and not only with <Directory>. I would expect that, but the
docs are not clear about it.

> Has anyone had experience in this?

No experience from me, this is just from a quick look at the code.

> /Cenk



To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message