tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Single sign on issue with Tomcat and Apache
Date Thu, 05 Jun 2008 00:54:14 GMT


Johnny Kewl wrote:
> 
> ----- Original Message ----- From: "André Warnier" <aw@ice-sa.com>
> To: <users@tomcat.apache.org>
> Cc: <sridharmnj@yahoo.co.in>
> Sent: Thursday, June 05, 2008 1:06 AM
> Subject: RE: Single sign on issue with Tomcat and Apache
> 
> 
>> Hi.
>>
>> I saw your ongoing discussion, and maybe I can contribute something, 
>> but I need some more info before.
>>
>> Here is what you explained before :
>>
>> a) You have one site "aaa.com" to which users access this way :
>>
>> user -------------------------------> tomcat aaa.com
>>
>> b) and another site "bbb.com" to which users access this way :
>>
>> 1) static content :
>> user ------------------------------> Apache bbb.com
>> 2) dynamic content :
>> user -----> Apache ---> mod_jk ---> tomcat bbb.com
>>
>> Is it really like described above ?
> 
> 
> 
> Yes the exact architecture would help ;)
> 
> I understand it like this
> 
> browser ------------------> Tomcat on aaa.com
> browser <----------------- Tomcat delivers web pages with links to 
> bbb.com/image.jpg
> browser -------------------> Apache on bbb.com with images and stuff 
> (that won't authenticate)
> 
> Reason is browser will not return auth and cookies that belong to domain 
> aaa.com to bbb.com
> 
> What (I think) may work is what you have indicated
> 
> user -----> Apache (bbb.com) ---> mod_jk ---> tomcat aaa.com
> 
> All links now to bbb.com and JK setup to talk to aaa.com
> 
> Images on Apache and servlet JKMounted on aaa.com
> 
> The browser will return Basic header and cookies... so I think Apache 
> auth modules and tomcat on SingleSignOn will work.
> 
> All assuming this can be setup and if the images are hosted remotely 
> that the Sp can set up JK etc.
> But if webapp cannot be changed and images are hardcoded in servlet... I 
> think he's snookered and probably has to lose authentication on Apache.
> That's how I understand it...
> 
> Maybe?
> 
There are too many known unknowns at the moment to propose something 
precise.  If there is only a single Tomcat with a single localhost Host 
and two webapps, then it would simplify the domain stuff and the 
SingleSignOn at that end.

The general schema I am thinking about, if .. , is
- all requests go through Apache, and from there to Tomcat or not
- Tomcat allows only calls from Apache (IP filter)
- Apache does all the authentication
- mod_jk will pass the Apache user-id to Tomcat for requests that go there
- the Apache config for Tomcat-destined links is of the kind
   <Location (or LocationMatch) ..>
     SetHandler Jakarta-servlet
     Authentication stuff..
     Require ...
   </Location>

I'm not quite sure if for the "static" stuff you can combine JkUnMount's 
with a Location like above, but it's worth a try.
Interesting anyway, and it kind of fits with something I should get 
busy with in a few weeks.

André
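
Added example, not part of André's message or of any configuration posted in the thread: one way the schema above could look on the Apache side, with the matching Tomcat connector settings shown as comments. The paths, realm name, worker name "worker1" and the /app and /images prefixes are assumptions, and the "only calls from Apache" rule is approximated by binding AJP to loopback, which assumes Apache and Tomcat share a host.

```apache
# Constructed sketch (Apache 2.2-era directives); every path and name is assumed.
LoadModule jk_module modules/mod_jk.so
# workers.properties is assumed to define an ajp13 worker named "worker1"
JkWorkersFile conf/workers.properties

<VirtualHost *:80>
    ServerName bbb.com
    DocumentRoot /var/www/bbb

    # Static content stays on Apache, protected by the same realm and user file,
    # so the browser resends the same Basic credentials for both locations.
    <Location /images>
        AuthType Basic
        AuthName "bbb"
        AuthUserFile /etc/httpd/conf/htpasswd
        Require valid-user
    </Location>

    # Tomcat-destined requests: Apache authenticates first, then mod_jk forwards.
    <Location /app>
        SetHandler jakarta-servlet
        SetEnv JK_WORKER_NAME worker1
        AuthType Basic
        AuthName "bbb"
        AuthUserFile /etc/httpd/conf/htpasswd
        Require valid-user
    </Location>
</VirtualHost>

# Tomcat side (server.xml), shown here as comments:
#
#   <!-- AJP only, reachable from the local Apache only; remove or firewall
#        the HTTP connector (8080) so nothing bypasses Apache's authentication -->
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
#
# tomcatAuthentication="false" makes Tomcat accept the user that Apache
# authenticated, so request.getRemoteUser() returns the Apache user-id.
```

With tomcatAuthentication="false", anything that can reach the AJP port can assert an arbitrary user, so the connector must not be reachable from anywhere but Apache.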
