tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nikhil <>
Subject tomcat, apache with mod_jk and mod_auth_kerb
Date Sun, 13 Jul 2008 18:04:34 GMT

I am using httpd v2.0.58 installed on a Solaris-10 system, also have
mod_auth_kerb with proper kerberos infrastructure.
I am hosting few new applications on tomcat and wanted to integrate with the
kerberos but via the httpd as the front end.
As in, the httpd will do the front-end kerberos authentication and it passes
on the authentication details like REMOTE_USER/kerb_cache to the tomcat
through mod_jk.

I have earlier tried using the mod_rewrite module with proxy  .. but
that would ask me to enable the http connector port of the tomcat instance
and will prompt to keep the spoofing chances wide open.
Like instead of "my apache" instance doing the authentication and pass on
the remote_user variable, there can be speculations of any arbitrary user
hosting his own httpd instance and could get to send a spoofed up
REMOTE_USER variable to the tomcat instance and thus breaking the whole
secured system.
Hence, I just want to use the ajp connection of the tomcat and keep the http
connector of the tomcat instance closed.
Reminding of the ajp, I searched for a while and found mod_jk and
mod_proxy_ajp are the two best around for integrating the tomcat with apache
after learning that mod_proxy_ajp is only available for httpd v2.2 or after
and unfortunately my system installed version is httpd v2.0.58.
So, mod_proxy_ajp choice is perhaps ruled out for now and I am left with
using the configuration overhead involved mod_jk module.
I have no problems in using mod_jk but could not figure out the ways of
passing the remote_user variable effectively to the tomcat instance....
would also desire to have a scalability that with a single httpd instance
supporting the multiple tomcat instances (may be on a single host/spanned
across multiple hosts).

I have tried using SetEnvIf, JkEnvVar, RequestHeader directives to only to
find of no use.

Could anyone please help me figure out the much needed lines that I need to
put into the httpd.conf to get the authentication information right passed
to the tomcat from the kerberized http access.
This is the glimpse of the httpd configuration (non-working) that I have for
my httpd instance and the tomcat right now.. any corrections/suggestions are
most welcome.

Listen 8080

LoadModule jk_module  libexec/
JkLogFile /home/me/httpd/logs/jk_log
JkLogLevel DEBUG
JkShmFile /home/me/httpd/logs/jkshmfile
JkWorkersFile /home/me/httpd/conf/worker-properties

<VirtualHost *:8080>
ServerAlias httpdauth.mysub httpdauth

<Location /default>
    AuthType Kerberos
    AuthName "Testing"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP/
    KrbSaveCredentials on
    Krb5Keytab /home/me/httpd/conf/httpdauth.http.keytab
    require valid-user

  SetHandler jakarta-servlet
  RequestHeader set X_REQHDR_REMOTE_USER %{remoteUser}e
  SetEnv X_ENV_REMOTE_USER %{remoteUser}e
  JkEnvVar X_JK_REMOTE_USER %{remoteUser}e

 # earlier rewrite configuration
 #   RewriteEngine On
 #   RewriteRule ^/(.*)$
 #   RequestHeader set X_REMOTE_USER %{remoteUser}e
 #   RequestHeader add "X-H-USER" "%{remoteUser}e"


With worker properties being :



Are there any other ways? or I could be also missing any lines/directives in
the configuration?

Thanks, Nikhil

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message