tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From g f <gfo...@gmail.com>
Subject getting mod_auth_kerb to trust a request from tomcat
Date Fri, 04 Jun 2010 18:16:23 GMT
Hello all,
This may be better suited to Apache users group but I will try here in case.

I am running tomcat 6.0.24 ,  jre 1.6.0_16, Apache/2.2.15 (Debian) ,
mod_auth_kerb/5.4  , mod_jk/1.2.28 mod_python/3.3.1 all installed via apt on
Debian Lenny.

I have successfully been able to get all of this working (authentication,
forwarding etc).

I have a java web app that has a servlet that serves as a proxy to get
around cross site scripting.
http://myapp/Proxy?url=www.somesite.com

I let Apache and mod_auth_kerb handle all authentication and it does well.

If I access my Proxy servlet like so:

http://MY_DOMAIN.COM/my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html

(Notice I am proxying to the same domain but different application)

I get a 401 error.

Here is what the access log (for apache) looks like for this request.
10.150.15.116 - - [04/Jun/2010:18:06:55 +0000] "GET /index.html HTTP/1.1"
401 829 "-" "Java/1.6.0_16"
10.150.15.212 - gforte@MY_DOMAIN.COM [04/Jun/2010:18:06:54 +0000] "GET
/my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html HTTP/1.1" 500 394
"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3)
Gecko/20100401 Firefox/3.6.3 ( .NET CLR 3.5.30729)"
o

Now if you notice the request from ip address 212 is actually the browser
request to the proxy.
The request from ip address 216 is the request from tomcat (notice the
Java/1.6.0_16).

So it appears that Apache sees this request from the jre and tries to
authenticate against mod_auth_kerb and of course it fails.

Is it possible to force tomcat to pass on the credentials it receives from
the initial request(browser) along to tomcats own request back to apache?

Hopefully this is somewhat clear?

Flow:
Browser makes request to ----> http://MY_DOMAIN.COM/my_proxy_app/Proxy
----> mod_auth_kerb authenticates and then mod_jk realizes it is a java app
so it hands off the request to tomcat
----> Proxy servlet runs on tomcat and makes a URL request to
http://MY_DOMAIN.COM/index.html  ---> Apache attempts to authenticate this
request but since it is coming from the jre it disallows this request.

Thanks in advance!
GF

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message