tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Kerberos header passing issue
Date Fri, 04 Jun 2010 18:07:05 GMT
Krishnan, Babu wrote:
> Hello
> 
> We are having Desktop SSO for an application hosted on tomcat. The Desktop SSO
> uses kerberos authentication. We are using spnego.sourceforge.net solution for
> enabling SSO on tomcat end. Now, desktop SSO works charm.
> 
> Now we would like to front tomcat with APache and use mod_jk for connecting. We
> have Apache 2.2.15, mod_jk 1.2.30 on Tomcat 6.0.24. As such apache & mod_jk is
> working fine with tomcat when SSO is turned off on tomcat i.e apache and mod_jk
> have been configured properly.
> 
> When i turn on SSO on tomcat, i get error when going through Apache but when i
> hit tomcat directly i don't get any error.
> 
> Here is the error i'm getting
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum
> failed)
>     sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
>     sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>     sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>     sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
>     sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
>     sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>     sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> 
> 
> Does it mean that i need to tweak some configuration on apache and mod_jk to
> work with tomcat when sso is enabled?
> 
I will hazard a guess..

I do not think that there is anything that you can do, as such, at the 
Apache or mod_jk configuration level.
I believe that what is hitting you is this (again, just a guess) :
Kerberos is a very secure protocol.  As such, it probably has measures 
against "man-in-the-middle" attacks.  That means that it makes sure that 
the client (the workstation) is talking directly to the server (Tomcat), 
and that there is nobody in the middle that could be listening to the 
conversation, record it, and maybe use this recording later for a 
"playback" attack.

When you have Apache (+ mod_jk) between the workstation and Tomcat, in 
effect you do have a man-in-the-middle : Apache.
That may be the reason why Kerberos (at the Tomcat side) is rejecting 
the authentication : it sees that who is talking to him is Apache, and 
that it is not the workstation who started the Kerberos negociation 
(they have a different IP for example).

One way to solve the problem would be to do the Kerberos authentication 
at the Apache level, and pass the resulting user-id to Tomcat via 
mod_jk.  If Apache authenticates the user, and the 
"tomcatAuthentication" attribute is set to "false" in the Tomcat AJP 
Connector, then this will happen automatically.
Then you would not need the Kerberos module in Tomcat anymore, since the 
user-id, as authenticated by Apache, would be secure anyway.

If all which I am writing above is correct (a big if), then you should 
start looking for a Kerberos authentication module for Apache.

Another suggestion is to try to get in touch with the 
spnego.sourceforge.net people.  They might have encountered the same 
situation already, and may have a solution inbterms of settings at the 
level of that module.

And please, report to the list anything else you find.  This kind of 
topic seems to be in fashion nowadays.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message