tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <>
Subject RE: mod_spnego SingleSignOn over mod_jk
Date Wed, 02 Jan 2008 15:14:28 GMT

good pointcan you display for us the Directory configuration in httpd.conf 
e.g. something like
#assume you do not have mod_auth_sspi
<Directory "/home/bob/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
# not valid with SSPI
Krb5KeyTabFile /home/alice/krb5kt
Krb5ServiceName HTTP
Martin______________________________________________Disclaimer and confidentiality noteEverything
in this e-mail and any attachments relates to the official business of Sender. This transmission
is of a confidential nature and Sender does not endorse distribution to any party other than
intended recipient. Sender does not necessarily endorse content contained within this transmission.>
Date: Wed, 2 Jan 2008 07:39:49 +0100> From:> To:>
Subject: Re: mod_spnego SingleSignOn over mod_jk> > Hi Cenk,> > Cenk Oguz schrieb:>
> I am looking into configuring SingleSignOn Kerberos authentication in> > a Tomcat
application using SPNEGO authentication on a Apache2> > frontend server. The fontend
apache2 currently forwards all requests> > to Tomcat through mod_jk.> > > >
As I see there is an apache2 module for Kerberos authentication> > without user intervention,
mod_spnego.> >> > However I am curious of knowing if it is possible using mod_spnego
to> > forward the authenticated user/principal in a http header to Tomcat> > from
Apache, in the mod_jk stream. The packaged Tomcat application> > requires an http header
that containes the user.> > For me the mod_spnego code looks like it only set the usual>
authenticated user var, so the name of the user will be available for> the webapp only
by using request.getRemoteUser() and not via an http header.> > > Also, will autentication
take place before mod_jk forwards the> > request? If mod_jk acts before autentication
there is no point in> > proceding with this.> > It looks like the two modules
play nicely together. mod_spnego only uses> the auth slots and mod_jk totally ignores those.
That should be fine.> > You shoulkd check, if mod_spnego does work fine with <Location>>
directives and not only with <Directory>. I would expect that, but the> docs are
not clear about it.> > > Has anyone had experience in this?> > No experience
from me, this is just from a quick look at the code.> > > /Cenk> > Regards,>
> Rainer> > > --------------------------------------------------------------------->
To start a new topic, e-mail:> To unsubscribe, e-mail:>
For additional commands, e-mail:> 
Share life as it happens with the new Windows Live.
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message