tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: HelloWorld servlet, or just about
Date Fri, 19 Dec 2008 22:45:40 GMT
André Warnier wrote:
Ok, let me explain why I asked these simplistic questions, not that you 
would think me gaga.

I use a non-conventional database application, which wants a user-id as 
the content of a HTTP request header. Say
DBUID: johnsmith

To provide an SSO solution for that application, I previously wrote a 
servlet filter, which gets the authenticated user-id from tomcat, and 
transforms it into such a HTTP header, creates a wrapper for the 
request, to which it adds this header, then passes the wrapped request 
to the servlet that talks to the database.

When the source of the user-id is a Windows domain, I add another 
servlet filter from the Samba people (see, which 
performs the HTTP/NTML authentication and sets the Tomcat user-id to the 
user's Domain user-id.
Then my filter picks it up from Tomcat etc..

It all works very nice, and the jCIFS filter is easy to configure and 
just works.

But now I have another issue : in front of that Tomcat, is an Apache, 
with plenty of things done by Apache in mod_perl modules, and only a few 
passed on to Tomcat.
And I would need the user's Windows authentication to be done at the 
Apache level, so that it can be used more generally than for the links 
processed by Tomcat only.

There are several Apache modules that allow doing an NTLM authentication 
at the Apache level.  But either they do not work in some circumstances, 
or else they are complicated and really heavy to set up (for example, 
requiring Samba and winbind, which I don't otherwise need nor want).

So my idea was to implement, at the Apache level, a simple mod_perl 
authentication module which just passes a request to the back-end 
Tomcat, to get the user-id as negociated by jCIFS, retrieves the answer, 
and uses this user-id to authenticate at the Apache level.
The Apache user-id can then be passed on to Tomcat via mod_jk, for the 
requests that need Tomcat.

I could do this either by creating a tiny specific webapp wrapped into 
the JCIFS filter (the reason for my original posting), or else I could 
arrange for the filter which I already wrote above to respond to those 
special requests itself, and bypass the database servlet in that case.
(the reason for my secondary posting).

I mean, I have the Apache and mod_jk and Tomcat and jCIFS anyway, so I 
might as well use them, and not complexify the setup by introducing more 
software and modules, right ?

Now, from anyone who had the patience to follow up to here, any comments ?

(and thanks for the previous answers also)

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message